The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.
The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.
The views expressed herein are solely the author's and should not be attributed to his employer or clients. Any postings on legal issues are provided as a public service, and do not constitute solicitation or provision of legal advice. The author makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein or linked to. Nothing herein should be used as a substitute for the advice of competent counsel.
Wednesday, July 16, 2008
When the order was made that Google provide Viacom with its raw user logs (a move which significantly compromised user privacy), I wrote that the court could have ordered that the information be anonymised. (Canadian Privacy Law Blog: Commentary on the YouTube / Viacom order)
I don't think I can take any credit for this next move, but I'm sure the loud outcry has had an influence: Google and Viacom have agreed to anonymise the data using a one-way function so that the actual IP addresses cannot be reverse-engineered and Viacom has agreed to not even try. The stipulation filed with the court is here. Extract:
IT IS HEREBY STIPULATED AND AGREED, by and between the undersigned counsel of record:
1. Substituted Values: When producing data from the Logging Database pursuant to the Order, Defendants shall substitute values while preserving uniqueness for entries in the following fields: User ID, IP Address and Visitor ID. The parties shall agree as promptly as feasible on a specific protocol to govern this substitution whereby each unique value contained in these fields shall be assigned a correlative unique substituted value, and preexisting interdependencies shall be retained in the version of the data produced. Defendants shall promptly (no later than 7 business days after execution of this Stipulation) provide a proposed protocol for this substitution. Defendants agree to reasonably consult with Plaintiffs’ consultant if necessary to reach agreement on the protocol.
2. Non-Circumvention: The parties agree that they shall not engage in any efforts to circumvent the encryption utilized pursuant to Paragraph 1 this Stipulation. This Paragraph does not limit in any way any party’s rights under Paragraph 8 below.
For background, see all posts tagged: Viacom v Google. Also, the Ontario Privacy Commissioner applauds this move: CNW Group | OFFICE OF THE INFORMATION AND PRIVACY COMMISSIONER/ONTARIO | Commissioner Cavoukian Applauds Agreement Protecting YouTube Users' Privacy
Friday, July 11, 2008
More commentary on the Viacom v. Google/YouTube case, this time from MIT's Technology Review:
Technology Review: Privacy protections disappear with a judge's order
By Associated Press
NEW YORK (AP) -- Credit card companies know what you've bought. Phone companies know whom you've called. Electronic toll services know where you've gone. Internet search companies know what you've sought.
It might be reassuring, then, that companies have largely pledged to safeguard these repositories of data about you.
But a recent federal court ruling ordering the disclosure of YouTube viewership records underscores the reality that even the most benevolent company can only do so much to guard your digital life: All their protections can vanish with one stroke of a judge's pen.
"Companies have a tremendous amount of very sensitive data on their customers, and while a company itself may treat that responsibly ... if the court orders it be turned over, there's not a lot that the company that holds the data can do," said Jennifer Urban, a law professor at the University of Southern California.
In the past, court orders and subpoenas have generally been targeted at records on specific individuals. With YouTube, it's far more sweeping, covering all users regardless of whether they have anything to do with the copyright infringement that Viacom Inc., in a $1 billion lawsuit, accuses Google Inc.'s popular video-sharing site of enabling.
It's a scenario privacy activists have long warned about.
"What we're seeing is (that) the theoretical is becoming real world," said Lauren Weinstein, a veteran computer scientist. "The more data you've got, the more data that's going to be there as an attractive kind of treasure chest (for) outside parties."
U.S. District Judge Louis L. Stanton dismissed privacy arguments as speculative.
Last week, Stanton authorized full access to the YouTube logs -- which few users even realize exist -- after Viacom and other copyright holders argued that they needed the data to prove that their copyright-protected videos for such programs as Comedy Central's "The Daily Show with Jon Stewart" are more heavily watched than amateur clips.
"This decision makes it absolutely clear that everywhere we go online, we leave tracks, and every piece of information we access online leaves some sort of record," Urban said. "As consumers, we should all be aware of the fact that this sensitive information is being collected about us."
Mark Rasch, a former Justice Department official who is now with FTI Consulting Inc., said the ruling could open the floodgates for additional disclosures.
Though lawyers have known to seek such data for years, Rasch said, judges initially hesitant about authorizing their release may look to Stanton's ruling for affirmation, even though U.S. District Court rulings do not officially set precedence.
The YouTube database includes information on when each video gets played. Attached to each entry is each viewer's unique login ID and the Internet Protocol, or IP, address for that viewer's computer -- identifiers that, while seemingly anonymous, can often be traced to specific individuals, or at least their employers or hometowns.
Elsewhere, search engines such as Google and Yahoo Inc. keep more than a year of records on your search requests, from which one can learn of your diseases, fetishes and innermost thoughts. E-mail services are another source of personal records, as are electronic health repositories and Web-based word processing, spreadsheets and calendars.
One can reassemble your whereabouts based on where you've used credit cards, made cell phone calls or paid tolls or subway fares electronically. One can track your spending habits through loyalty cards that many retail chains offer in exchange for discounts.
Though companies do have legitimate reasons for keeping data -- they can help improve services or protect parties in billing disputes, for instance -- there's disagreement on how long a company truly needs the information.
The shorter the retention, the less tempting it is for lawyers to turn to the keepers of data in lawsuits, privacy activists say.
With some exceptions in banking, health care and other regulated industries, requests are routinely granted.
Service providers regularly comply with subpoenas seeking the identities of users who write negatively about specific companies, at most warning them first so they can challenge the disclosure themselves. The music and movie industries also have been aggressive about tracking individual users suspected of illegally downloading their works.
Law enforcement authorities also turn to the records to help solve crimes.
The U.S. Justice Department had previously subpoenaed the major search engines for lists of search requests made by their users as part of a case involving online pornography. Yahoo, Microsoft Corp.'s MSN and Time Warner Inc.'s AOL all complied with parts of the legal demand, but Google fought it and ultimately got the requirement narrowed.
In the YouTube case, Viacom largely got the data it wanted.
Google has said it would work with Viacom on trying to ensure anonymity, and Viacom has pledged not to use the data to identify individual users to sue. The YouTube logs will also likely be subject to a confidentiality order.
But privacy advocates warn that there's no guarantee that future litigants will be as restrained or that data released to lawyers won't inadvertently become public -- through their inclusion as an attachment in a court filing, for instance.
And retailers, government agencies and others are regularly announcing that personal information, stored without adequate safeguards, is being stolen by hackers or lost with laptops or portable storage drives.
"You just never know," said Steve Jones, an Internet expert at the University of Illinois at Chicago. "There are some circumstances under which what seems to be private information is going to be shared with a third party, and the court says it's OK to do that."
Copyright Technology Review 2008.
Thursday, July 10, 2008
It is not often that a columnist for a major national newspaper calls a federal court judge a moron, but that's just what Michael Arrington on the Washington Post website calls Judge Stanton, referring to Viacom v. Google/YouTube. See: Judge Protects YouTube's Source Code, Throws Users To The Wolves - washingtonpost.com.
Hot off the presses: The Information and Privacy Commissioner of Ontario has written to Google calling for Google to appeal the recent Viacom v. Google disclosure order:
CNW Group | OFFICE OF THE INFORMATION AND PRIVACY COMMISSIONER/ONTARIO | Privacy Commissioner Ann Cavoukian urges Google to appeal YouTube ruling
TORONTO, July 10 /CNW/ - Ontario Information and Privacy Commissioner Ann Cavoukian is urging Google to appeal the recent ruling of U.S. District Court Judge Louis Stanton, requiring the disclosure of YouTube users' information to Viacom. YouTube, a popular website, is owned by Google.
In a letter to Sergey Brin, Google's President of Technology, the Commissioner emphasized her deep concerns about the privacy implications of the ruling, which she was asked to outline earlier this week on Canada AM.
Commissioner Cavoukian said "I was astounded to learn that Google had been ordered to disclose certain YouTube information, which includes users' login IDs and IP addresses, for use in Viacom's copyright infringement lawsuit against YouTube." The Commissioner felt that Judge Stanton had "failed to consider that user login IDs and video viewing habits can reveal a great deal of sensitive personal information."
In response to suggestions that the data be "anonymized" before its release to Viacom's legal counsel, the Commissioner noted that it is possible to re-identify individuals by linking their data with publicly available personal information, such as that found in telephone directories. "Simply stripping certain data fields from a database is not sufficient to safeguard the privacy of individuals" warned the Commissioner.
Despite the Judge's associated protection order which attempts to limit the authorized uses of YouTube users' information by Viacom, this does not eliminate the Commissioner's concerns. Companies simply cannot guarantee that information, once obtained, will not be subject to unauthorized use or disclosure. "Witness the example of identity theft" she noted. "The majority of instances of identity theft result from insider abuse."
"While I have sympathy for the rights of intellectual property holders, businesses should not rely on the surveillance of consumers to protect their copyright interests. It is not acceptable to allow copyright enforcement to come at the expense of users' privacy."
The full text of the letter to Google may be found on the Commissioner's website at www.ipc.on.ca in the What's New section.
Tuesday, July 08, 2008
I had the chance yesterday to read the decision in Viacom International v. YouTube (previously: Canadian Privacy Law Blog: Judge orders that YouTube hand over viewer records). The request and the order are appalling from a privacy point of view, in my humble opinion.
It appears clear from the decision that Viacom, et al. were ostensibly not looking for information about users of Google Video and YouTube, but this will certainly be the side-effect. In the preliminary motion, Viacom was seeking a number of orders from the court to help it build its billion dollar case for copyright infringement against the video sites. Because the vast majority of the content is uploaded by users, Viacom is going after YouTube on the basis that they assist and encourage the violation of copyright by users and are therefore responsible financially for it. The reason put forward by Viacom for seeking the full user logs was to compare the viewership (aka hits) of allegedly pirated content against viewership of non-pirated materials. If they can show that allegedly pirated content is more popular, the reasoning goes, they can show that YouTube has a financial interest in allowing pirated content on the site.
Google attempted to argue to the Court that handing over the raw logs would be intrusive of privacy for the sites' users. Unfortunately for the users, the Court didn't put much weight in these arguments as it referred to Google's past positions that IP addresses cannot identify individuals:
Defendants argue that the data should not be disclosed because of the users’ privacy concerns, saying that “Plaintiffs would likely be able to determine the viewing and video uploading habits of YouTube’s users based on the user’s login ID and the user’s IP address” (Do Decl. ¶ 16).
But defendants cite no authority barring them from disclosing such information in civil discovery proceedings, and their privacy concerns are speculative. Defendants do not refute that the “login ID is an anonymous pseudonym that users create for themselves when they sign up with YouTube” which without more “cannot identify specific individuals” (Pls.’ Reply 44), and Google has elsewhere stated:
We . . . are strong supporters of the idea that data protection laws should apply to any data that could identify you. The reality is though that in most cases, an IP address without additional information cannot.
Google Software Engineer Alma Whitten, Are IP addresses personal?, GOOGLE PUBLIC POLICY BLOG (Feb. 22, 2008), http://googlepublicpolicy.blogspot.com/2008/02/are-ip-addresses-personal.html (Wilkens Decl. Ex. M).
So why does Viacom need the full logs? Because they need to try to determine unique viewership of the content. They need a way to distinguish one viewer from another.
Do they need full IP addresses? I don't think so. While we are talking about terabytes of data, it would be trivial to run all the logs through a software routine that would use a "one way hash" to make each IP address unique while not disclosing the IP address itself.
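The substitution described here and in paragraph 1 of the stipulation quoted in the July 16 post, sketched as an added example (not part of the original post or of the parties' protocol, which the page does not describe): each value in the User ID, IP Address and Visitor ID fields is replaced by a keyed one-way value, so equal inputs map to equal substitutes and unique-viewer counts survive. It assumes HMAC-SHA256 with a secret key held only by the producing party, because an unkeyed hash of an IPv4 address can be reversed by hashing every possible address; the field names, helper names and log rows are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

# Fields the stipulation names for substitution (key names are assumed).
SUBSTITUTED_FIELDS = ("user_id", "ip", "visitor_id")


def pseudonym(key: bytes, field: str, value: str) -> str:
    """Keyed one-way substitute; the field name gives domain separation,
    so a user ID and an IP that happen to share text never collide."""
    msg = field.encode() + b"\x00" + value.encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:32]


def substitute(rows, key: bytes):
    """Return a copy of the log with the identifying fields replaced."""
    produced = []
    for row in rows:
        new = dict(row)
        for field in SUBSTITUTED_FIELDS:
            if new.get(field):  # logged-out views carry an empty user_id
                new[field] = pseudonym(key, field, new[field])
        produced.append(new)
    return produced


def unique_viewers(rows, field="ip"):
    """Distinct values of `field` per video: the statistic the logs are for."""
    seen = defaultdict(set)
    for row in rows:
        seen[row["video_id"]].add(row[field])
    return {video: len(values) for video, values in seen.items()}


# Constructed sample rows (documentation-range IP addresses).
SAMPLE_LOG = [
    {"video_id": "vidA", "user_id": "alice", "ip": "192.0.2.10", "visitor_id": "v1"},
    {"video_id": "vidA", "user_id": "alice", "ip": "192.0.2.10", "visitor_id": "v1"},
    {"video_id": "vidA", "user_id": "", "ip": "198.51.100.7", "visitor_id": "v2"},
    {"video_id": "vidB", "user_id": "bob", "ip": "192.0.2.10", "visitor_id": "v3"},
]


def demo():
    key = secrets.token_bytes(32)  # stays with the producing party
    produced = substitute(SAMPLE_LOG, key)
    return unique_viewers(SAMPLE_LOG), unique_viewers(produced), produced


if __name__ == "__main__":
    raw_counts, produced_counts, _ = demo()
    print(raw_counts, produced_counts)
```

The substitutes stay linkable across rows by design, so the viewing history attached to one pseudonym remains intact; that is the re-identification-by-linkage concern Commissioner Cavoukian raises in the July 10 post.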
Why the big deal? While Viacom obtained the information for one purpose (to build its case against YouTube), it may be able to use the information for other purposes. At least in Canada, that would be covered by the implied undertaking rule that would require court permission before using it for any other purpose. But the bigger deal is the chilling effect on viewers. Casual web surfers may know that somewhere their digital footprints are being recorded, but they don't spend a lot of time thinking about it. This case should make internet users think carefully about where they are surfing, what they are viewing and the fact that once personal information is recorded and retained, it will be available for all kinds of secondary uses. Some of these secondary uses, such as litigation or criminal investigations, are beyond their control and there is no opt-out. The Viacom order includes the personal information of innocent viewers who were only viewing public domain or properly licensed content. Those logs include my IP addresses, which include information about what I've viewed and what my kids have viewed. I'm sure that it includes your IP address too.
What to do? If you are an online service provider, don't create logs. If you create logs, don't keep them. It's that simple. (If you are about to be served with a subpoena, don't delete them. It's too late and you'll be hit with accusations of spoliation.) If you are an internet user, look into Tor.
Thursday, July 03, 2008
This is some pretty scary stuff. Not only has Viacom (shame on Viacom) demanded that Google hand over the records of all users who viewed certain YouTube videos (yup, viewed not uploaded) but a Judge has actually ordered this. Perhaps not surprisingly, Google's argument that IP addresses are not personal information has been used against its arguments that handing over this information would be unduly intrusive of personal privacy. See: Judge Orders YouTube to Give All User Histories to Viacom Threat Level from Wired.com.
The Canadian Privacy Law Blog is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 Canada License.