The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.

Search this blog

Recent Posts

On Twitter

About this page and the author

The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.

For full contact information and a brief bio, please see David's profile.

Please note that I am only able to provide legal advice to clients. I am not able to provide free legal advice. Any unsolicited information sent to David Fraser cannot be considered to be solicitor-client privileged.

David Fraser's Facebook profile

Privacy Calendar

Archives

Links

Subscribe with Bloglines

RSS Atom Feed

RSS FEED for this site

Subscribe to this Blog as a Yahoo! Group/Mailing List
Powered by groups.yahoo.com

Subscribe with Bloglines
Add to Technorati Favorites!

Blogs I Follow

Small Print

The views expressed herein are solely the author's and should not be attributed to his employer or clients. Any postings on legal issues are provided as a public service, and do not constitute solicitation or provision of legal advice. The author makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein or linked to. Nothing herein should be used as a substitute for the advice of competent counsel.

This web site is presented for informational purposes only. These materials do not constitute legal advice and do not create a solicitor-client relationship between you and David T.S. Fraser. If you are seeking specific advice related to Canadian privacy law or PIPEDA, contact the author, David T.S. Fraser.

Tuesday, August 26, 2008

Privacy? We Got Over It. 

Yesterday's Wall Street Journal had an interesting Op/Ed on privacy, highlighting contemporary expectations of privacy.

Information Age - WSJ.com

Privacy? We Got Over It.

August 25, 2008; Page A11

In 1988, Congress banned video stores from disclosing the titles of films that people rent. The issue arose because in the battle to block Robert Bork from the Supreme Court, someone leaked his video rentals.

Fast-forward to this summer, and a federal judge hearing a $1 billion copyright complaint by Viacom ordered YouTube to turn over online records about which computer addresses were used to watch which videos on the site. The judge dismissed privacy concerns as "speculative." How quickly our expectations of privacy have changed.

Privacy advocates objected that with access to Internet protocol addresses, it would be possible to track who watched what. Hundreds of millions of people have watched videos on YouTube since its founding in 2005 -- indeed, by one estimate, virtually everyone who uses the Web has watched a video on the site. This makes it surprising that there was such little public outcry about this potential loss of privacy. Google, which owns YouTube, has complied with the judge's order by using encryption to hide individual records, but it is indeed "speculative" how much people would object to disclosing this online behavior.

This incident is a telling moment. We seem to be following the advice of Scott McNealy, chairman of Sun Microsystems, who in 1999 said, "You have zero privacy anyway. Get over it." And the observation by Oracle CEO Larry Ellison: "The privacy you're concerned about is largely an illusion. All you have to give up is your illusions, not any of your privacy."

These comments could be dismissed as technology executives trying to minimize complaints about technology. But whatever we say about how much we value privacy, a close look at our actual behavior suggests we have gotten over it. A recent study by AOL of privacy in Britain found that 84% of people said they would not disclose details about their income online, but in fact 89% of them willingly did.

Amazon closely records our taste in books, Gmail scans our emails to deliver relevant ads, and electronic tolls track where we drive. Profiles on MySpace and Facebook are accessible, forever. The disclosure that Judge Bork liked to rent British comedies seems quaint in comparison.

Records about us are no longer kept in scattered manila files in dusty cabinets, but digitally, which means in permanent records that can be combined with other records to paint a full picture of our tastes and habits. Information held by different retailers, insurers and government agencies can be mined to create constantly updated files more complete than the most tenacious intelligence report on a suspected criminal a generation ago.

Privacy advocates do their jobs by reminding us of these risks, but our choices all seem to be in the direction of trading away privacy. The fantastic power and convenience of digital life has led us to change what we consider private in ways that we can only begin to understand.

Indeed, our expectations of privacy have changed radically over time. Stanford law professor Lawrence Friedman in his recent book, "Guarding Life's Dark Secrets," documents the total lack of privacy expectations through the medieval period, when people lived together with no option for privacy, to a period of privacy for some people and some purposes as part of what he calls the "Victorian compromise." Propriety was defined through social norms focused on reputation, which included significant freedom for otherwise scandalous behavior if it was done carefully, in private.

"If the nineteenth century was a world of privacy and prudery, a world of closed doors and drawn blinds," Mr. Friedman writes, "then the world of the twenty-first century is the world of the one-way mirror, the world of the all-seeing eye."

We now seem happy to trust companies with our information for benefits such as one-click buying and online searches for personally relevant results. In a digital world where it is possible to know more than ever about everything, including one another, the new vice may be the flip side of privacy -- concealing information about ourselves of legitimate value to others.

In the physical world, surveillance cameras, satellites and bio-recognition systems have redefined privacy expectations. We have learned that "privacy can be very dangerous," as federal appeals judge Richard Posner has observed. "Obviously if you're a terrorist, privacy is enormously important. So the more we think of privacy as endangering us, that will reinforce these commercial incentives to surrender privacy."

Privacy remains a virtue, or at least we still say it does. But the balance has been tipped by other values, such as transparency, a free flow of information and physical security. We're in the early stages of adapting to more digital and visible lives, with privacy expectations better defined by what we do than by what we say.

Labels: , , , ,

Friday, July 11, 2008

Privacy protections disappear with a judge's order 

More commentary on the Viacom v. Google/YouTube case, this time from MIT's Technology review:

Technology Review: Privacy protections disappear with a judge's order

Privacy protections disappear with a judge's order

By Associated Press

NEW YORK (AP) _ Credit card companies know what you've bought. Phone companies know whom you've called. Electronic toll services know where you've gone. Internet search companies know what you've sought.

It might be reassuring, then, that companies have largely pledged to safeguard these repositories of data about you.

But a recent federal court ruling ordering the disclosure of YouTube viewership records underscores the reality that even the most benevolent company can only do so much to guard your digital life: All their protections can vanish with one stroke of a judge's pen.

"Companies have a tremendous amount of very sensitive data on their customers, and while a company itself may treat that responsibly ... if the court orders it be turned over, there's not a lot that the company that holds the data can do," said Jennifer Urban, a law professor at the University of Southern California.

In the past, court orders and subpoenas have generally been targeted at records on specific individuals. With YouTube, it's far more sweeping, covering all users regardless of whether they have anything to do with the copyright infringement that Viacom Inc., in a $1 billion lawsuit, accuses Google Inc.'s popular video-sharing site of enabling.

It's a scenario privacy activists have long warned about.

"What we're seeing is (that) the theoretical is becoming real world," said Lauren Weinstein, a veteran computer scientist. "The more data you've got, the more data that's going to be there as an attractive kind of treasure chest (for) outside parties."

U.S. District Judge Louis L. Stanton dismissed privacy arguments as speculative.

Last week, Stanton authorized full access to the YouTube logs -- which few users even realize exist -- after Viacom and other copyright holders argued that they needed the data to prove that their copyright-protected videos for such programs as Comedy Central's "The Daily Show with Jon Stewart" are more heavily watched than amateur clips.

"This decision makes it absolutely clear that everywhere we go online, we leave tracks, and every piece of information we access online leaves some sort of record," Urban said. "As consumers, we should all be aware of the fact that this sensitive information is being collected about us."

Mark Rasch, a former Justice Department official who is now with FTI Consulting Inc., said the ruling could open the floodgates for additional disclosures.

Though lawyers have known to seek such data for years, Rasch said, judges initially hesitant about authorizing their release may look to Stanton's ruling for affirmation, even though U.S. District Court rulings do not officially set precedence.

The YouTube database includes information on when each video gets played. Attached to each entry is each viewer's unique login ID and the Internet Protocol, or IP, address for that viewer's computer -- identifiers that, while seemingly anonymous, can often be traced to specific individuals, or at least their employers or hometowns.

Elsewhere, search engines such as Google and Yahoo Inc. keep more than a year of records on your search requests, from which one can learn of your diseases, fetishes and innermost thoughts. E-mail services are another source of personal records, as are electronic health repositories and Web-based word processing, spreadsheets and calendars.

One can reassemble your whereabouts based on where you've used credit cards, made cell phone calls or paid tolls or subway fares electronically. One can track your spending habits through loyalty cards that many retail chains offer in exchange for discounts.

Though companies do have legitimate reasons for keeping data -- they can help improve services or protect parties in billing disputes, for instance -- there's disagreement on how long a company truly needs the information.

The shorter the retention, the less tempting it is for lawyers to turn to the keepers of data in lawsuits, privacy activists say.

With some exceptions in banking, health care and other regulated industries, requests are routinely granted.

Service providers regularly comply with subpoenas seeking the identities of users who write negatively about specific companies, at most warning them first so they can challenge the disclosure themselves. The music and movie industries also have been aggressive about tracking individual users suspected of illegally downloading their works.

Law enforcement authorities also turn to the records to help solve crimes.

The U.S. Justice Department had previously subpoenaed the major search engines for lists of search requests made by their users as part of a case involving online pornography. Yahoo, Microsoft Corp.'s MSN and Time Warner Inc.'s AOL all complied with parts of the legal demand, but Google fought it and ultimately got the requirement narrowed.

In the YouTube case, Viacom largely got the data it wanted.

Google has said it would work with Viacom on trying to ensure anonymity, and Viacom has pledged not to use the data to identify individual users to sue. The YouTube logs will also likely be subject to a confidentiality order.

But privacy advocates warn that there's no guarantee that future litigants will be as restrained or that data released to lawyers won't inadvertently become public -- through their inclusion as an attachment in a court filing, for instance.

And retailers, government agencies and others are regularly announcing that personal information, stored without adequate safeguards, is being stolen by hackers or lost with laptops or portable storage drives.

"You just never know," said Steve Jones, an Internet expert at the University of Illinois at Chicago. "There are some circumstances under which what seems to be private information is going to be shared with a third party, and the court says it's OK to do that."

Copyright Technology Review 2008.

Labels: , , , , , , ,

Saturday, November 03, 2007

AOL to permit opting out of targeted ads 

Apparently, AOL is going to permit users to opt out of online targeted advertising. See: AOL's 'Do Not Track' Effect - eMarketer.

Labels: ,

Monday, November 20, 2006

Privacy: The Problem That Won't Go Away 

Information Week is always a good source of privacy reporting and today they've posted a really good article on the changing face of privacy and how companies need to adjust. The article is about eight printed pages long, but here are the topics covered:

Privacy: The Problem That Won't Go Away - Your privacy mistakes can easily become everyone's business. Here's how to keep your company--and your career--out of the spotlight
  • It's A Strategy, Not Just A Policy
  • Privacy Laws Will Change—Often
  • You Can Excel--Don't Just Avoid Screwups
  • All Data Is Sensitive
  • Retain The Right Data, For The Right Time
  • Helping Can Hurt You--Even With The Feds
  • Partners Can Be Your Biggest Problem
  • Technology Can Create New Problems
  • One Privacy Approach Can't Cover All

They've also posted two great sidebars: Technology To The Rescue: From anonymizers to network monitors to identity management sysems, there's a host of privacy-enhancing products and strategies available and Privacy File: 10 Events That Impacted The IT Landscape - Here's a quick scan of recent events, which have roiled the privacy waters at AOL, at the FBI, and in Europe.

Read it, learn it, live it.

Labels: , ,

Sunday, October 22, 2006

Search Engine Privacy Standard Proposed 

Virante, an internet marketing company, has made an interesting proposal to protect the privacy of search engine users. It suggests that users should be able to opt out of having their search tracked by IP address or cookie by appending "#privacy" to the search query. Here's the release from Virante:

Press Release - Search Engine Privacy Standard Proposed To Protect Users:

New website proposes a new search standard, #privacy, to protect user privacy when performing search engine queries.

/24-7PressRelease/ - DURHAM, NC, October 22, 2006 - With recent data leaks at AOL, governments seeking information from Google on its users, and no simple user privacy solutions available, a standard for empowering user search privacy has finally been proposed. PoundPrivacy.org is spearheading a search privacy revolution with its proposed #privacy standard. Our proposal is that the #privacy flag could be added to the end of searches by users to tell the search engine 'don't track this query.' In response, the search engine should not track the user by IP address or cookie, and the query should not be made public in keyword tools. The website carefully addresses the one exception to this capability - queries in which a crime is likely being committed (like the solicitation of child pornography) should be excluded from the #privacy flag.

PoundPrivacy.org contains an open letter addressed to the major four search engines - Google, Yahoo, Microsoft, and Ask - requesting that they adopt the #privacy standard. Additionally, the site offers ideas on ways individuals who agree with the standard can support the campaign, including blogging about it, linking to poundprivacy.org, and sending out emails to friends.

About Virante, Inc.

Virante, Inc., is a leading internet marketing solution provider. For more information please visit Virante Web Marketing Solutions or contact us at Email Virante, (919) 459-1088, 1-800-650-0820.

Also check out www.poundprivacy.org.

UPDATE: Adam over at Emergent Chaos thinks this is a silly idea and I must say I agree with just about everything he says, other than the bit about the goat. I'm sure they're not that expensive.

Emergent Chaos: A Very Silly Idea: #privacy, and poundprivacy.org:

"This is silly on a number of levels:

  1. It propagates the simplistic 'opt-in/opt-out' thinking that the US marketing industry has been promulgating for decades. Look where that thinking has taken us.
  2. It defaults all queries to opt-in, implied by absence of an opt-out. Privacy should be a default, and the 'right' way to implement this would be with #trackthis.
  3. It will be prone to user error (typos) and forgetting. It offers no way to say, set a privacy cookie. Even Doubleclick does that.
  4. Implementation is left as an exercise for the search engines, who are supposed to both magically not track your queries, and magically track them if you might be violating a law. (I say magically because I have some understanding of how web logs actually work.)
  5. For some remarkable reason, no search engine has actually bothered to comment on the proposal. Certainly, no one has accepted it yet. So why am I blogging about it?
  6. Really, this idea is one level above an idea I had at the pub last night. Unfortunately, as it turns out, goats are expensive, and probably won't walk on treadmills. It's a good thing I sobered up before setting up a web site."

Labels: , , , ,

Thursday, September 28, 2006

AOL members sue over release of search data 

No surprise here. AOL's relase of members' search data has led to litigation: PC World - AOL Members Sue Over Search Data Release.

Labels: ,

Monday, August 21, 2006

Job losses in wake of AOL search data breach 

Sunday, August 20, 2006

World Privacy Forum files FTC complaint against AOL 

First of all, apologies for the extremely light writing as of late. I was at the Canadian Bar Association's annual get-together in St. John's, Newfoundland last week, followed by a week of vacation in Toronto with one of my sons. Things will be back to normal in about a week. Unless there's a huge pile of work to catch up on, which may be the case.

Back to the business of this blog ....

The World Privacy Forum has filed a complaint (PDF) with the US Federal Trade Commission over AOL's disclosure of slightly de-identified search data to researchers:

World Privacy Forum Files FTC Complaint About AOL Data Releases

The World Privacy Forum filed a complaint today with the Federal Trade Commission regarding AOL's multiple releases of portions of its users' search query histories. The complaint discusses AOL search query releases from 2004 and 2006. The complaint alleges that the data release was intentional, and due to significant identifiability issues of the data subjects, that the releases are harming some AOL customers, and that AOL customers did not know their search histories would be made available to the public. The World Privacy Forum urges consumers to take precautions when using search engines. For more see the complaint (PDF). Also see the World Privacy Forum Search Engine Privacy Tips.

Via ComputerWorld: Privacy watchdog says AOL violated its own policy.

Labels: ,

Sunday, August 13, 2006

Zimmer's thoughts on the AOL search data release 

Michael Zimmer has spent some time in the last little while thinking about the recent AOL release of search data, a portion of which can be traced back to individuals. Check out some of his insightful posts:

Labels: ,

Friday, August 11, 2006

AOL blunder revives debate over data retention law 

The AOL search data blunder (see below) has revived discussion and interest in an American law that was proposed after the earlier fight with the Department of Justice over search data:

AOL gaffe draws Capitol Hill rebuke CNET News.com

Rep. Ed Markey, a Massachusetts Democrat, said Wednesday that AOL's disclosure of the search habits of more than 650,000 of its users demonstrates that new laws are necessary. AOL has apologized for the disclosure.

"We must stop companies from unnecessarily storing the building blocks of American citizens' private lives," Markey said.

Markey's proposal, called the Eliminate Warehousing of Consumer Internet Data Act (EWOCID), was introduced in February after Google's courtroom tussle over search records with the U.S. Department of Justice.

Republicans have kept it bottled up in a House of Representatives subcommittee ever since, but a Markey representative said Wednesday that he hoped "this most recent breach will light a fire under the GOP leadership."

Labels: , ,

Wednesday, August 09, 2006

Users identifiable by AOL search data 

An intrepid reporter from the New York Times has provided a vivid illustration that the supposedly de-identified search data released by AOL is not really anonymous.

A Face Is Exposed for AOL Searcher No. 4417749 - New York Times

Buried in a list of 20 million Web search queries collected by AOL and recently released on the Internet is user No. 4417749. The number was assigned by the company to protect the searcher’s anonymity, but it was not much of a shield.

No. 4417749 conducted hundreds of searches over a three-month period on topics ranging from “numb fingers” to “60 single men” to “dog that urinates on everything.”

And search by search, click by click, the identity of AOL user No. 4417749 became easier to discern. There are queries for “landscapers in Lilburn, Ga,” several people with the last name Arnold and “homes sold in shadow lake subdivision gwinnett county georgia.”

It did not take much investigating to follow that data trail to Thelma Arnold, a 62-year-old widow who lives in Lilburn, Ga., frequently researches her friends’ medical ailments and loves her three dogs. “Those are my searches,” she said, after a reporter read part of the list to her.

What this really illustrates is the risk posed by simply keeping data around. AOL says they keep the data for a month and this particular database was used internally for research to optimize the AOL service. The usual risk to consider is that the data will illicitly go out the back door, but in this case it went out the front door.

Now the cat's out of the bag: Someone has put the database online, allowing you to search the searches (http://www.aolsearchdatabase.com/). Many of the searches reveal sad details about the users and browsing is creepily voyeuristic. Now Thelma's data is out there, along with searches of over six hundred thousand others.

Thanks to Michael Geist for the link.

Labels: ,

Monday, August 07, 2006

AOL gives loads of users' search histories to researchers 

It really wasn't that long ago that Google, AOL, Yahoo! and MSN were in the privacy crosshairs over the potential release of user search records to the US Federal Government. (See: The Canadian Privacy Law Blog: US DOJ has subpoenaed Google's search records.) In that saga, the US Department of Justice subpoenaed Google's search records as part of a lawsuit to which Google was not a party. The search giant resisted and privacy advocates were upset to learn that MSN, Yahoo! and AOL handed over reams of supposedely anonymized customer information.

Now, Wired and others are reporting that AOL has handed over three months of search activity of 350,000 AOL users to researchers. The 400MB of data has been pulled off the web, but is already out there. Wired's 27B Stroke 6 blog quotes an EFF lawyer who believes this is a violation of the US Electronic Communications Privacy Act, the statutory damages for which probably add up to $658,000,000. Read more about it at 27B Stroke 6: AOL 's $658 Million Privacy Breach?

It appears that though the information isn't linked to IP addresses or user names, the data does show the sequence of searches from individual users and, in some cases, the user can be identified by searching for themselves.

Update: AP has a good report on this that features how this sort of release can disclose very intimate personal information even if user names are replaced with numeric identifiers:

AOL: Searches by 650K people got out - Yahoo! News:

"Although AOL had substituted numeric IDs for the subscribers' real user names, the company acknowledged the search queries themselves may contain personally identifiable data.

For example, many users type their names to find out whether sites have dirt on them and then separately search for online mentions of their phone, credit card or Social Security numbers. A few days later, they may search for pizzerias in their neighborhoods, revealing their locations, or for prescription drug prices, revealing their medical conditions. All those separate searches would be linked to the same numeric ID.

'Search query data can contain the sum total of our work, interests, associations, desires, dreams, fantasies and even darkest fears,' said Lauren Weinstein, a privacy advocate.

The company apologized for the disclosure.

'This was a screw up, and we're angry and upset about it,' AOL spokesman Andrew Weinstein said. 'It was an innocent enough attempt to reach out to the academic community with new research tools, but it was obviously not appropriately vetted, and if it had been, it would have been stopped in an instant.'"

See also: AOL Removes Search Data on Group of Web Users - New York Times.

Labels: , ,

Saturday, February 04, 2006

Queries about search queries answered 

With all the fuss about search engines and what they know about users, Declan McCullagh of CNET has asked some probing questions of Google, Yahoo!, MSN and AOL. The answers are interesting: FAQ: When Google is not your friend Tech News on ZDNet.

Technorati tags: :: :: :: :: :: :: :: :: :: :: ::

Labels: , , , , ,

Thursday, January 19, 2006

Other search engines handed over data to US DOJ 

I blogged earlier today that the US Department of Justice subpoenaed a huge amount of data on search requsts from Google. Google said no and is challenging the request in court (see: The Canadian Privacy Law Blog: US DOJ has subpoenaed Google's search records). It now turns out that the other major search engines handed over the data. See: Boing Boing: DoJ search requests: Google said no; Yahoo, AOL, MSN yes.

Technorati tags: :: :: :: ::

Labels: , , ,

Saturday, August 27, 2005

AOL and E-Trade offer login tokens to users 

The title of this recent Washington Post article is another example of the overuse of the term "identity theft": A New Key to Fighting Identity Theft. The article is not about assuming someone's identity and getting credit in their name, but it is interesting nevertheless ...

Both America Online and E-Trade are offering their users an additional level of login security by using RSA's number generating tokens for a two-factor authentication.

"That number acts as an extra, one-time password by matching up with an identical number generated at the same time by a computer at AOL or E-Trade's offices. Both the token and the computer had their clocks synchronized at birth, ensuring that each would generate matching random six-digit numbers at the same intervals.

The idea here is to ensure that password theft has no value. Each six-digit number's utility expires once it's used, but without it a regular user name and password alone won't log a customer in."

This is obviously a good thing, though it won't do a lot for real identity theft and we could end up with a whole mess of these things on our keychains.

Labels: , ,

Friday, August 19, 2005

No reasonable expectation of privacy in Internet subscriber information 

InternetCases.com has a summary of a recent American decision in which the Court found that AOL subscribers have no reasonable expectation of privacy with respect to their identities. AOL disclosed a subscriber's identity to police without a warrant and the subscriber sued:

InternetCases.com: No reasonable expectation of privacy in Internet subscriber information:

"...First, by signing up for service, a subscriber knowingly discloses information to the ISP, which is accessed and used by the ISP to provide services. Second, AOL's terms of service provided that AOL would release subscriber information 'in special cases such as a physical threat to [its customer] or others.' Such a provision was especially relevant given the underlying facts of this case. Third, the Electronic Communications Privacy Act, 18 U.S.C. ss 2510 et seq. provides that subscriber information can be divulged in situations where the risk of physical injury justifies its release..."

Labels: ,

Wednesday, August 17, 2005

Jail sentence for personal info theft 

A former AOL employee has been sentenced to a year and three months in jail for stealing screen names and e-mail addresses from the company and selling them to spammers. More details here: AOL Worker Who Stole E-Mail List Sentenced - Yahoo! News.

Labels: ,

Friday, March 18, 2005

AOL's EULA: Fear, confusion and a fanatical devotion to legalese ... 

The editorial staff of the Harvard Crimson have produced an opinion piece related to the AOL Instant Messenger privacy fuss. Though the focus is on jargon-laden EULAs (end-user license agreements), privacy notices have may of the same characteristics:

The Harvard Crimson Online :: Opinion:

"You've Got Jargon: AOL’s two main weapons are fear, confusion, and a fanatical devotion to legalese

By THE CRIMSON STAFF

We do it without a moment’s thought. We click the box and accept the “terms” without pause. What are the actual terms? No one really knows—and, more often than not, no one really cares. But perhaps we should pay more attention to the content of these curious provisos—these End-User License Agreements (EULAs) that accompany most any piece of software. If the new changes to the terms of service of one of America Online (AOL) Inc.’s most popular applications are any indication, it’s easy to pull a fast one on unassuming customers without any real accountability. In their current, indecipherable form, however, it’s safe to assume that people will continue to “agree” to these terms without thinking. It is essential that EULAs be more up-front and comprehensible; they should be written in “plain English” to avoid any underhanded policies that might require signing away one’s soul—inadvertently.

The changes in question affect something very dear to almost any Harvard student, and increasingly almost any person who owns a personal computer, cell phone, or other trendy technological device that allows for epistolary e-interaction. And it stirs paranoia in anyone who generally enjoys the world of impersonal, anti-social online banter. That is, it affects the users of the ubiquitous AOL Instant Messenger (AIM).

AOL’s new terms, affecting anyone who downloaded AIM after Feb. 4, 2004 as well as anyone planning to update the program in the future, explain that, “by posting content on an AIM Product, you grant AOL, its parent, affiliates, subsidiaries, assigns, agents and licensees the irrevocable, perpetual, worldwide right to reproduce, display, perform, distribute, adapt and promote this content in any medium. You waive any right to privacy.” Frightening words, indeed....."

Labels: ,

Monday, March 14, 2005

AOL goes back to the drafting board on its AIM Privacy Policy 

CNET News is reporting that AOL is planning to redraft its "inartfully drafted" privacy statement to clarify that they do not require users to waive their rights to privacy. Or, depending upon whom you believe, to back off from their original plan to have users waive their rights to privacy.

AOL clarifies IM privacy guarantee | CNET News.com:

"America Online said late Monday that it plans to revise its user agreement in response to concerns that instant messages sent through the company's service could be monitored.

The new policy for AOL Instant Messenger, or AIM, will stress that the company does not eavesdrop on customer's conversations except in unusual circumstances such as a court order, an AOL spokesman said..."

I bet there's a room full of lawyers busily redrafting the policy while I write this.

As a more than casual observer of privacy incidents and damage control, it will be interesting to see what the blogsphere will have to say about this. Many, I am sure, will be waiting for the final re-draft before cutting AOL any slack. My next prediction: The mainstream media will pick up on the original story for tomorrow's papers. To AOL's distress, I predict that many will not cover the proposed re-draft, resulting in more adverse publicity and greater damage control efforts.

Labels: ,

Rob Hyndman wades into the AOL debate 

Fellow Canadian blogger and technology lawyer, Rob Hyndman, is quoted in eWeek discussing the AOL Terms of Service that have caused such a stir recently. I have to say that I agree with his observations about how easy it is to draft something heavily in favour of your client which may not be entirely appropriate given the circumstances. Read his contributions here:

AOL: AIM Conversations Are Safe:

"....Rob Hyndman, a technology lawyer based in Ontario, pointed out that the terms of service covers the entire AIM product and does not explicitly exclude instant messaging.

'I think the AOLs of the world don't take the impact their TOS [terms of service] have on users seriously enough, generally because they have market power and the customer doesn't,' Hyndman told eWEEK.com, arguing that the AIM terms of service appears all-encompassing."

Labels: ,

Experiment: Tracking an anticipated privacy backlash 

This is just an experiment. I predicted in an earlier post that the mainstream media will likely pick up on the AOL Instant Messenger Terms of Use controversey that is ripping through the geek scene and the blogosphere (See: PIPEDA and Canadian Privacy Law: AOL makes users waive privacy and purports to own users' instant messages). I may be wrong, but I'm going to do an experiment. I'll try to stay on top of the story to see if the ordinary media pick up on it, if there is a backlash and to see how AOL handles it.

At the moment, the story is mostly confined to the Slashdot, FARK and blog scene. Google News search is showing at least nine stories on the sites it regularly spiders:

AOL Instant messenger users `waive right to privacy
PC Pro, UK - 25 minutes ago
AOL has raised some eyebrows - to say the least - over licence changes to its AIM instant messaging service. Under the revised terms ...

AOL's Terms of Service Update for AIM Raises Eyebrows
eWeek - Mar 12, 2005
America Online, Inc. has quietly updated the terms of service for its AIM instant messaging application, making several changes ...

N0 privacy 4 u, LOL!!!!!
Houston Chronicle - Mar 12, 2005

By DWIGHT SILVERMAN. . . . .by posting Content on an AIM Product, you grant AOL, its parent, affiliates, subsidiaries, assigns, agents ...

America Online updated TOS raises Privacy Issues
TechWhack, India - 9 hours ago
America Online quietly updated their terms of usage of the AOL Instant Messenger which included many changes big enough to upset privacy advocates. ...

AOL's TOS Change Sparks PR Crisis
WebProNews, KY - 21 hours ago
The blogosphere is buzzing this morning over a major privacy change to AOL Instant Messenger's ... The change is sparking outrage because of this quote... ...

No More Privacy For AOL Instant Messenger Users
Gear Live, WA - Mar 12, 2005
At a time when privacy on the Internet is of the utmost importance to many people, AOL has added a new provision to their AIM Terms of Service contract. ...

AIM's New Terms Of Service
Slashdot - Mar 11, 2005
acaben writes "AOL has posted new terms of service for AIM, that include the right for AOL to use anything and everything you send through AIM in any way they ...

AOL kills AIM privacy
p2pnet.net, Canada - 12 hours ago
p2pnet.net News:- You no longer have any right to privacy if you use America Online's AIM software downloaded on or after February 5 last year. ...

AOL's TOS Update for AIM hackles privacy advocates
GameSHOUT - Mar 12, 2005
The revamped terms of service, which apply only to users who downloaded the free AIM software on or after Feb. 5, 2004, gives AOL ...


AOL is already feeling the heat. The author of the Houston Chronicle Techblog, Dwight Silverman, had a bit of a back and forth with AOL over the topic:

HoustonChronicle.com - AOL explains its privacy policy:

"America Online spokesman Andrew Weinstein responded to a request for more information about AOL Instant Messenger's terms of service, which I wrote about Saturday after spotting it on Slashdot.

The terms would appear to indicate that anything generated using AIM is fair game for AOL to use, which would mean private IM communications are not so private.

But Weinstein said that's not the case.

The clause in question specifically refers to something an AIM user might post in a public forum, Weinstein says. He writes:

The related section of the Terms of Service is called "Content You Post" and, as such, logically and legally it relates only to content a user posts in a public area of the service.

If a user posts content in a public area of the service, like a chat room, message board, or other public forum, that information may be used by AOL for other purposes. One example of this might be a user who posts a "Rate a Buddy" photo and thus allows AIM to post it for other AIM users to vote on it. Another might be AOL taking an excerpt from a message board posting on a current news issue and highlighting it in a different area of the service.

....

Update: Looks like Weinstein spent his Sunday afternoon hittin' the phones & e-mail, trying to put out this fire. His comments have shown up in several other places, including Steve Rubel's MicroPersuasion blog. Note that a Rubel reader responds there, and remains dubious:

Andrew I'm glad you posted here but what you are saying makes no sense. By using AIM it is implied I agree to the TOS. The TOS specifically state:
1) I waive my rights to privacy.
2) AOL can make money off of the content.

Content is defined as: Content - Information, software, games, communications, photos, video, graphics, music, sound and other materials provided by or through the AOL Services.

Communications includes email, does it not?"

This issue is already causing some problems for AOL. I'll keep you posted on where it goes next ...

Labels: , , ,

Saturday, March 12, 2005

AOL makes users waive privacy and purports to own users' instant messages  

It pays to read the fine print. AOL's Instant Messenger software (AIM) is one of the more popoular IM platforms. Privacy Digest just pointed a reference to AIM's new Terms of Service, which purport to give AOL a blanket right to do whatever they want with users' private messages and require the user to waive all rights to privacy with respect to those messages.

AIM Terms of Service:

"...Although you or the owner of the Content retain ownership of all right, title and interest in Content that you post to any AIM Product, AOL owns all right, title and interest in any compilation, collective work or other derivative work created by AOL using or incorporating this Content. In addition, by posting Content on an AIM Product, you grant AOL, its parent, affiliates, subsidiaries, assigns, agents and licensees the irrevocable, perpetual, worldwide right to reproduce, display, perform, distribute, adapt and promote this Content in any medium. You waive any right to privacy. You waive any right to inspect or approve uses of the Content or to be compensated for any such uses...."

This is exactly the sort of thing that will backfire on a company. It was posted to Slashdot early yesterday (Slashdot | AIM's New Terms Of Service) and it is getting pretty wide coverage. The above terms will make people think that AOL is a proxy for "big brother" or that it is heavy handed or both. I don't think it'll be long before it gets to the conventional media (it's already referred to in the Houston Chronicle Techblog: HoustonChronicle.com - N0 privacy 4 u, LOL!!!!!), which will threaten AOL's proposed move into VOIP services. "If they eavesdrop on my instant messages, can I trust them with my phone calls?."

It'll be interesting to see how this plays out.

Labels: ,

Wednesday, June 23, 2004

Article: US Charges AOL Worker Sold Customer List for Spam 

Most security folks will tell you that violations of privacy are often an inside job. Further evidence:

Yahoo! News - US Charges AOL Worker Sold Customer List for Spam:

"Jason Smathers of Harpers Ferry, West Virginia, has been charged with stealing a list of 92 million AOL customer screen names and selling them to Internet marketer Sean Dunaway of Las Vegas, said David Kelley, the U.S. attorney for the Southern District of New York in a statement. "

Editorial cartoon

Labels: , ,

This page is powered by Blogger. Isn't yours? Creative Commons License
The Canadian Privacy Law Blog is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 Canada License. lawyer blogs