Just posted on Slaw:

Slaw: Log retention initiatives

I wrote two weeks ago about privacy issues related to the log files that are created and retained by internet companies. The moral of that story was that there is a significant amount of information that is collected in these logs and when they are retained and collated, they can reveal a lot of personal information. I concluded by saying:

I don’t think it’s too far fetched to think of a day when it will become standard for all investigations involving the internet to include a warrant served on Google or Yahoo! or Microsoft for all logs related to a particular user or IP address or both.

In Canada, many may remember "lawful access", which was the subject of a number of consultations beginning in 2002. The consultation backgrounder and FAQ solicited comment on preservation orders (here) but the topic was not addressed when the Liberal government introduced the Modernization of Investigative Techniques Act (MITA). I am sure that preservation orders remain on the wish lists for law enforcement in Canada, but they're not here yet.

Europe has taken a different path. In 2006, the European Union adopted Directive 2006/24/EC entitled "on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks". The Directive is meant to harmonize the retention rules of the members of the European Union. It requires that member states adopt rules or legislation to make it mandatory for communications providers to retain certain log-type data for at least six to twelve months. From the "Subject Matter and Scope" clause of the Directive:

1. This Directive aims to harmonise Member States' provisions concerning the obligations of the providers of publicly available electronic communications services or of public communications networks with respect to the retention of certain data which are generated or processed by them, in order to ensure that the data are available for the purpose of the investigation, detection and prosecution of serious crime, as defined by each Member State in its national law.

The Directive goes beyond web communications and includes e-mail, telephone, VOIP and mobile phones. The sort of data that has to be collected and retained is that which identifies the source of the communication, the destination of the communication, the device that was used to make the communication and the "user ID" (defined to mean "a unique identifier allocated to persons when they subscribe to or register with an Internet access service or Internet communications service"). The Directive makes is plain that communications providers are not to retain the content of the communication (Article 5(2)).

While the Directive is aimed at saving information so that it can be obtained after the fact in connection with investigations, the debate over data retention in the United States has mainly focused on what has been reported to be informal and secret arrangements made by the National Security Agency and various telephone companies to save telephone calling information. This story was broken by USA Today: USATODAY.com - NSA has massive database of Americans' phone calls.

In addition, US criminal law permits law enforcement to make a written request for the preservation of records for 90 days (renewable for a further 90 days) (US CODE: Title 18, s. 2703(f)):

(f) Requirement To Preserve Evidence.—

(1) In general.— A provider of wire or electronic communication services or a remote computing service, upon the request of a governmental entity, shall take all necessary steps to preserve records and other evidence in its possession pending the issuance of a court order or other process.

(2) Period of retention.— Records referred to in paragraph (1) shall be retained for a period of 90 days, which shall be extended for an additional 90-day period upon a renewed request by the governmental entity.

More recently, the Bush Administration has been pushing for broader retention requirements: FBI, politicos renew push for ISP data retention laws | Politics and Law - CNET News.

This posting has presented a brief snapshot of some legal initiatives that affect internet log retention in a selection of countries. It does not seem likely to me that the debate is over; we will likely see EU-type proposals put forward in both Canada and the US in the coming years.

Labels: google, ip address, privacy, retention

In the past two weeks, the New York Times reported that Microsoft has made a minor concession with European privacy authorities about how long it retains its log files. A committee of European privacy regulators had asked that these logs be kept for only six months. Microsoft's response? Eighteen months.Yahoo used to keep them for thirteen months and just announced it will cut retention to 90 days. Google keeps them for nine.

The privacy implictions of these innocuous log files have been underestimated, particularly when you think about the fulsome picture of your private life that companies like Google may be assembling about you. The information in an ordinary web-server log usually contains the just a tid-bit of information. One "hit" on a website may look like this (but all on one line):

127.0.0.1 - frank 
[10/Oct/2000:13:55:36 -0700] 
"GET /apache_pb.gif HTTP/1.0" 200 2326 
"http://www.example.com/start.html" 
"Mozilla/4.08 [en] (Win98; I ;Nav)" 

The first bundle of numbers is the IP address of the computer that requested a particular web-page. "Frank" refers to a userid, which is usually not eabled. The next field is the date" Following that, and usually preceded by "GET" is the command your web-browser sent to the server. The next bits are the status code returned by the server and then the size of the entity requested. Next is something called a "referer" (mis-spelled) , followed by details about your browser.

Since many people often share the same IP address (it could be one IP for an entire company or just a group of people in a house using the same internet connection), some have argued it is not personal information and a log-file doesn't contain personal information. The problem is that even if an IP address is not directly connected to one individual, one can do some easy analysis to make the connections. After AOL released supposedly de-identified search logs to researchers, an intrepid reporter was able to track down at least one of the users who had some very personal health-related searches in the logs (see: Users identifiable by AOL search data).

What's additionally troubling from a privacy point of view is that the large inernet companies, like Google, Yahoo and Microsoft, don't just have your search queries. Increasingly, they have a huge trove of data sources in their logs.

Take Google, for example. Google has their famous Google search. They also have GMail, Google Analytics, Google AdSense, Google Documents, Google Toolbar and more. Each time you "hit" one of their sites, you're in their logs. Most internet users hit Google's logs dozens of times a day and on many of those occasions aren't even aware that they're using a Google service. Google has what is probably the most popular and widely used network of online advertising: AdSense. Each time you go to a website that features Google's ads, your computer sends a request to Google's servers and that "hit" goes into their logs, along with the information about what site you were visiting, when you visited and what ad was served. If you click on the ad, even more information is collected and logged. But even if you don't visit a site with Google's ads, there's a very good chance that the webmaster is using Google Analytics to find out about useage of his or her site. (Full disclosure: I use Google Analytics for my site at www.privacylawyer.ca.) I should also note that Yahoo! and MSN also have advertising networks, which collect the same sort of information.What this means is that Google, Yahoo and Microsoft register in their logs a significant portion of your usage of the internet.

And if you have a Google, Yahoo! or MSN account, that hit can be connected to your account details, includig your name.

I don't think it's too far fetched to think of a day when it will become standard for all investigations involving the internet to inlcude a warrant served on Google or Yahoo! or Microsoft for all logs related to a particular user or IP address or both.

Next week, I'll discuss efforts being made by governments and law enforcement to make log rentention mandatory.

Labels: google, health information, ip address, privacy, retention

This recent case was brought to my attention today: R. v. Ward, 2008 ONCJ 355 (CanLII). The decision is a ruling on a charter motion on whether evidence in a child pornography investigation should be admissible after the police obtained the identity of an internet user from an ISP without a warrant. Acting on a pretty solid tip from Germany, police identified three IP addresses that were associated with dealing with child pornography. Instead of getting a warrant, the police when to the ISP, Bell Sympatico, and got the name and address of the subscriber associated with the IP address. (I have no doubt that the tip would be enough to get a warrant.)

Justice Lalande distinguished this case from R. v. Kwok, by pointing out that the user agreement with Bell Sympatico reduces if not destroys any reasonable expecation of privacy that the user may have. In order for a warrantless search to be reasonable, there has to be no reasonable expecation of privacy.

Some may recall the hubbub in 2006 when Bell Sympatico changed its terms of use, which many thought was a harbinger of the revival of lawful access. The ISP denied it and Bell media relations types said they’d only hand over customer information with “court ordered warrants” though the terms of use purport to permit disclosure “upon request” from a government.

In this case, the conclusion seems to be that the customer has an expectation of privacy in their name and address unless the ISP has actively taken steps to remove it. Interesting.

For a flashback to 2006, check out

• Bell warns customers about privacy loss with lawful access
• CTV.ca Sympatico's customers warned of privacy loss.
• More fallout from Sympatico privacy upset
• globeandmail.com : Jack Kapica on who's watching your surfing

Labels: ip address, law enforcement, lawful access, lawful authority, privacy, warrants

Google has just announced that they are cutting their log retention period in half: from 18 monts to 9 months.

From the Official Google Blog:

Official Google Blog: Another step to protect user privacy

Today, we're announcing a new logs retention policy: we'll anonymize IP addresses on our server logs after 9 months. We're significantly shortening our previous 18-month retention policy to address regulatory concerns and to take another step to improve privacy for our users.

Back in March 2007, Google became the first leading search engine to announce a policy to anonymize our search server logs in the interests of privacy. And many others in the industry quickly followed our lead. Although that was good for privacy, it was a difficult decision because the routine server log data we collect has always been a critical ingredient of innovation. We have published a series of blog posts explaining how we use logs data for the benefit of our users: to make improvements to search quality, improve security, fight fraud and reduce spam.

Over the last two years, policymakers and regulators -- especially in Europe and the U.S. -- have continued to ask us (and others in the industry) to explain and justify this shortened logs retention policy. We responded by open letter to explain how we were trying to strike the right balance between sometimes conflicting factors like privacy, security, and innovation. Some in the community of EU data protection regulators continued to be skeptical of the legitimacy of logs retention and demanded detailed justifications for this retention. Many of these privacy leaders also highlighted the risks of litigants using court-ordered discovery to gain access to logs, as in the recent Viacom suit.

Today, we are filing this response (PDF file) to the EU privacy regulators. Since we announced our original logs anonymization policy, we have had literally hundreds of discussions with data protection officials, government leaders and privacy advocates around the world to explain our privacy practices and to work together to develop ways to improve privacy. When we began anonymizing after 18 months, we knew it meant sacrifices in future innovations in all of these areas. We believed further reducing the period before anonymizing would degrade the utility of the data too much and outweigh the incremental privacy benefit for users.

We didn't stop working on this computer science problem, though. The problem is difficult to solve because the characteristics of the data that make it useful to prevent fraud, for example, are the very characteristics that also introduce some privacy risk. After months of work our engineers developed methods for preserving more of the data's utility while also anonymizing IP addresses sooner. We haven't sorted out all of the implementation details, and we may not be able to use precisely the same methods for anonymizing as we do after 18 months, but we are committed to making it work.

While we're glad that this will bring some additional improvement in privacy, we're also concerned about the potential loss of security, quality, and innovation that may result from having less data. As the period prior to anonymization gets shorter, the added privacy benefits are less significant and the utility lost from the data grows. So, it's difficult to find the perfect equilibrium between privacy on the one hand, and other factors, such as innovation and security, on the other. Technology will certainly evolve, and we will always be working on ways to improve privacy for our users, seeking new innovations, and also finding the right balance between the benefits of data and advancement of privacy.

Labels: google, ip address, privacy, retention

When the order was made that Google provide Viacom with its raw user logs (a move which significantly compromised user privacy), I wrote that the court could have ordered that the information be anonymised. (Canadian Privacy Law Blog: Commentary on the YouTube / Viacom order)

I don't think I can take any credit for this next move, but I'm sure the loud outcry has had an influence: Google and Viacom have agreed to anonymise the data using a one-way function so that the actual IP addresses cannot be reverse-engineered and Viacom has agreed to not even try. The stipulation filed with the court is here. Extract:

IT IS HEREBY STIPULATED AND AGREED, by and between the undersigned counsel of record:

1. Substituted Values: When producing data from the Logging Database pursuant to the Order, Defendants shall substitute values while preserving uniqueness for entries in the following fields: User ID, IP Address and Visitor ID. The parties shall agree as promptly as feasible on a specific protocol to govern this substitution whereby each unique value contained in these fields shall be assigned a correlative unique substituted value, and preexisting interdependencies shall be retained in the version of the data produced. Defendants shall promptly (no later than 7 business days after execution of this Stipulation) provide a proposed protocol for this substitution. Defendants agree to reasonably consult with Plaintiffs’ consultant if necessary to reach agreement on the protocol.

2. Non-Circumvention: The parties agree that they shall not engage in any efforts to circumvent the encryption utilized pursuant to Paragraph 1 this Stipulation. This Paragraph does not limit in any way any party’s rights under Paragraph 8 below.

For background, see all posts tagged: Viacom v Google. Also, the Ontario Privacy Commissioner applauds this move: CNW Group | OFFICE OF THE INFORMATION AND PRIVACY COMMISSIONER/ONTARIO | Commissioner Cavoukian Applauds Agreement Protecting YouTube Users' Privacy

Labels: google, ip address, litigation, privacy, Viacom v Google

I had the chance yesterday to read the decision in Viacom International v. YouTube (previously: Canadian Privacy Law Blog: Judge orders that YouTube hand over viewer records). The request and the order are appalling from a privacy point of view, in my humble opinion.

It appears clear from the decision that Viacom, et al. were ostensibly not looking for information about users of Google Video and YouTube, but this will certainly be the side-effect. In the preliminary motion, Viacom was seeking a number of orders from the court to help it build its billion dollar case for copyright infringement against the video sites. Because the vast majority of the content is uploaded by users, Viacom is going after YouTube on the basis that they assist and encourage the violation of copyright by users and are therefore responsible financially for it. The reason put forward by Viacom for seeking the full user logs was to compare the viewership (aka hits) of allegedly pirated content against viewership of non-pirated materials. If they can show that allegedly pirated content is more popular, the reasoning goes, they can show that YouTube has a financial interest in allowing pirated content on the site.

Google attempted to argue to the Court that handing over the raw logs would be intrusive of privacy for the sites' users. Unfortunately for the users, the Court didn't put much weight in these arguments as it referred to Google's past positions that IP addresses cannot identify individuals:

Defendants argue that the data should not be disclosed because of the users’ privacy concerns, saying that “Plaintiffs would likely be able to determine the viewing and video uploading habits of YouTube’s users based on the user’s login ID and the user’s IP address” (Do Decl. ¶ 16).

But defendants cite no authority barring them from disclosing such information in civil discovery proceedings, and their privacy concerns are speculative. Defendants do not refute that the “login ID is an anonymous pseudonym that users create for themselves when they sign up with YouTube” which without more “cannot identify specific individuals” (Pls.’ Reply 44), and Google has elsewhere stated:

We . . . are strong supporters of the idea that data protection laws should apply to any data that could identify you. The reality is though that in most cases, an IP address without additional information cannot.

Google Software Engineer Alma Whitten, Are IP addresses personal?, GOOGLE PUBLIC POLICY BLOG (Feb. 22, 2008), http://googlepublicpolicy.blogspot.com/2008/02/are-ip-addresses-personal.html (Wilkens Decl. Ex. M).

So why does Viacom need the full logs? Because they need to try to determine unique viewership of the content. They need a way to distinguish one viewer from another.

Do they need full IP addresses? I don't think so. While we are talking about terabytes of data, it would be trivial to run all the logs through a software routine that would use a "one way hash" to make each IP address unique while not disclosing the IP address itself.

Why the big deal? While Viacom obtained the information for one purpose (to build its case against YouTube), it may be able to use the information for other purposes. At least in Canada, that would be covered by the implied undertaking rule that would require court permission before using it for any other purpose. But the bigger deal is the chilling effect on viewers. Casual web surfers may know that somewhere their digital footprints are being recorded, but they don't spend a lot of time thinking about it. This case should make internet users think carefully about where they are surfing, what they are viewing and the fact that once personal information is recorded and retained, it will be available for all kinds of secondary uses. Some of these secondary uses, such as litigation or criminal investigations, are beyond their control and there is no opt-out. The Viacom order includes the personal information of innocent viewers who were only viewing public domain or properly licensed content. Those logs include my IP addresses, which includes information about what I've viewed and what my kids have viewed. I'm sure that it includes your IP address too.

What to do? If you are an online service provider, don't create logs. If you create logs, don't keep them. It's that simple. (If you are about to be served with a subpoena, don't delete them. It's too late and you'll be hit with accusations of spoliation.) If you are an internet user, look into Tor.

Labels: google, ip address, litigation, privacy, Viacom v Google

Some interesting news from the courts of New Jersey. The New Jersey Supreme Court has ruled that law enforcement need warrant or subpoena to get information about internet users. This goes against jurisprudence from the US Supreme Court, but may be the beginning of a trend (fingers crossed). The court based the decision on a user's expectation of privacy, which is probably a realistic statement of internet users' expectations.

N.J. justices call e-privacy surfers' right- NJ.com

... The unanimous seven-member court held that police do have the right to seek a user's private information when investigating a crime involving a computer, but must follow legal procedures. The court said authorities do not have to warn a suspect that they have a grand jury subpoena to obtain the information.

Writing for the court, Chief Justice Stuart Rabner said: "We now hold that citizens have a reasonable expectation of privacy protected by Article I ... of the New Jersey Constitution, in the subscriber information they provide to Internet service providers -- just as New Jersey citizens have a privacy interest in their bank records stored by banks and telephone billing records kept by phone companies."

Barber said most people use the internet like a phone, making personal -- sometimes sensitive -- transactions that they don't believe the police will be able to access.

"This decision reflects the reality of how ordinary people normally use the internet," he said. "'It's very nice to have the court recognize that expectation is reasonable."

The court ruled in the case of Shirley Reid of Lower Township, Cape May County, who was charged with second-degree computer theft for hacking into her employer's computer system from her home computer. Township police obtained her identity from Comcast by using a municipal court subpoena. The Supreme Court held that law enforcement had the right to investigate her but should have used a grand jury subpoena.

A state Superior Court in Cape May Court House suppressed the evidence based on the use of the wrong subpoena, and a state appeals court upheld the action when the Cape May County Prosecutor's Office appealed.

Reid was investigated after her employer, Jersey Diesel of Lower Township, was notified by a business supplier in 2004 that someone had accessed and changed both the multi-digit numbers that make up the company's IP address and password and had created a non-existent shipping address. When the owner, Timothy Wilson, asked Comcast for the IP address of the person who made the changes, the internet provider declined to comply without a subpoena.

Wilson suspected that Reid, an employee who had been on disability leave, could have made the changes. On the day the changes were made, Reid had returned to work, argued with Wilson and left.

When the police obtained a municipal court subpoena and served it on Comcast, the internet provider identified Reid, her address and telephone number, type of service provided, e-mail address, IP numbers, account number and method of payment. In 2005, a Cape May grand jury returned an indictment charging Reid with computer theft.

Lee Tien, an attorney for the Electronic Frontier Foundation, said the decision is an important ruling on the state constitution. ...

Labels: ip address, privacy, warrants

The trial of an accused trader in child pornography has brought the question of warrantless disclosure of ISP subscriber information to the national media's attention. It is understood to be the first time a superior court will consider whether basic subscriber information disclosed by an ISP without a warrant violates the Charter. The decision on this question is expected tomorrow. Stay tuned ...

The National Post, the Globe & Mail and the Toronto Sun discuss the issue:

The Globe & Mail - Wednesday, April 09

A precedent on Internet privacy in the making

Christie Blatchford

An Ontario Superior Court judge may rule as early as tomorrow in a precedent-setting Internet privacy case that could significantly set back how police conduct probes into online child pornography.

At issue is basic "subscriber information" from an Internet service provider, or ISP, which in this particular case was obtained under search warrant by Toronto police in an investigation that ultimately saw Robert Norman Smith, a Toronto actor once featured in popular Alexander Keith's beer commercials, charged with two counts of possessing child pornography and one of making it available.

Mr. Smith, 41, has pleaded not guilty.

But because the decision will be a first for superior courts in Canada, and because such decisions are binding upon the lower courts, the ruling will have broad impact.

Usually, police are able to obtain subscriber information - this is the customer's name and address - from Internet providers with what's called a simple "law enforcement request" made under the federal Personal Information Protection and Electronic Documents Act, commonly called PIPEDA.

While this legislation, which was phased in over several years beginning in 2000, sharply restricts the use and dissemination of personal information in commercial contexts, it also explicitly allows for the disclosure of customer name-and-address information to police.

But in this case, the provider, Bell Canada, refused to hand over the subscriber information, so the police resorted to getting it with a judicially approved search warrant.

On the first full day of trial yesterday before Superior Court Justice Robert Clark, Mr. Smith's lawyer, Cindy Wasser, argued that "people must have the expectation of privacy in their Internet use and they must have the right to challenge" search warrants that force ISPs to hand over their names and addresses to police.

"You can't just say this case is about child pornography," Ms. Wasser told the judge. "It's about the Internet and how we all use it and our expectation of privacy."

She is seeking legal standing for Mr. Smith to challenge the warrant; only if successful will she actually be able to challenge the validity of the warrant itself.

But if Judge Clark agrees that Mr. Smith had a reasonable expectation of privacy and grants him standing, it would mean police forces across the country, who daily obtain subscriber information under PIPEDA requests, would have to revert to the old, labour-intensive system of seeking search warrants every time they want customer information from ISPs.

Additionally, search warrants are problematic for police probing Internet crimes simply because they are more time-consuming.

Crown prosecutor Allison Dellandrea argued that because every Internet user automatically "broadcasts his IP [Internet protocol] address to potentially millions of people" every time he signs on, and because ISPs typically warn users in service agreements that their identities may be disclosed, there can be no expectation of privacy.

Furthermore, Ms. Dellandrea said that just because a commercial enterprise, such as Bell or another ISP, or even the drafters of PIPEDA, deem a block of information to be "private" doesn't mean it is private in a Charter-protected sense.

"That's quite different from what the Constitution says is privacy deserving of protection," she said.

Section 8 of the Canadian Charter of Rights and Freedoms protects people from unreasonable search and seizure, but defines privacy as "a biographical core of personal information" that tends to reveal "intimate details of the lifestyle and personal choices of the individual." Only then is the Charter protection engaged.

What was disclosed by Bell Canada to police in Mr. Smith's case was simply his name and address, information that is often readily available online or from phone books.

But Ms. Wasser argued that in combination with what the police already had learned from their investigation about his alleged use of child pornography, that minimal information was neither as benign nor innocuous as it seemed.

She urged the judge to consider not only what information the police received, but how they used it.

The Toronto investigation began in the fall of 2005, with police developing a system of searching that allowed them to view IP addresses of people sharing or making available certain child-pornography files.

Using a publicly available database, investigators were then able to determine which providers owned the IP addresses.

On Nov. 22, under one search warrant, they got the name and address information from Bell that led them to Mr. Smith, and in February the next year, under another warrant, they conducted a search of his north Toronto home.

At the time of his arrest that day, police alleged they found on his computer more than 1,000 electronic files, including movies and pictures, of children as young as 1 engaged in sexual activity.

Judge Clark said he may have a decision by tomorrow, but that the case will go ahead regardless.

From the National Post:

Television beer pitchman at centre of pornography, privacy battle

Shannon Kari, National Post

Published: Wednesday, April 09, 2008

The trial of a former television pitchman could be a precedent-setting case in deciding the privacy rights of Internet subscribers who are the subject of a criminal investigation.

Robert Smith is on trial in Ontario Superior Court on one charge of possession of child pornography and one charge of making child pornography available.

The actor was featured in commercials for Alexander Keith's beer as a character with a thick Scottish accent, until his arrest in February 2006.

Toronto police arrested Mr. Smith after an investigation into distribution of child pornography on Internet-based file sharing networks.

After discovering a specific Internet protocol address and learning it belonged to a Bell Canada customer, police executed a search warrant to obtain the subscriber information from the Internet Service Provider (ISP).

Mr. Smith is arguing there were not reasonable grounds for the first warrant to be issued or for a second one to be executed at his home.

The Crown responded that Mr. Smith has no right to challenge the warrant executed against Bell because there are no privacy rights in Internet subscriber information.

In a 2005 civil case about the downloading of music from file-sharing networks, the Federal Court of Appeal found there were privacy rights in this data and they could not be disclosed without a court order.

The prosecution of Mr. Smith is believed to be the first time a Superior Court in Canada has been asked to decide whether police are required to obtain a search warrant to get subscriber information in a criminal case and whether a defendant can challenge the warrant.

Some Internet providers voluntarily disclose this information to police in child pornography cases, but not in other criminal investigations.

A provincial court judge in Ontario ruled earlier this year that there are privacy rights in subscriber information, which includes the name, address, account and e-mail address of a customer (the Crown has appealed this ruling).

Crown attorney Allison Dellandrea argued yesterday it is simply "customer information" that police are seeking. "It doesn't matter what police do with it," said Ms. Dellandrea.

When police have subscriber information and an IP address, they can find "deeply personal" data related to an individual's Internet use and it should be possible to challenge whether the warrant was obtained lawfully, argued defence lawyer Cindy Wasser.

"You can't just say this case is about child pornography. This case is about the Internet, how we use it and the expectation of privacy," said Ms. Wasser.

From the Toronto Sun:

TorontoSun.com - Toronto And GTA- Actor disputes warrant in porn case

The Toronto comic actor who once portrayed the fanatical Scot in the Alexander Keith's beer commercials has launched an unprecedented constitutional challenge of the search warrant that led to his child porn charges.

Lawyer Cindy Wasser, who represents actor Robert Norman Smith, argued yesterday that her client's privacy rights were violated when his Internet service provider, Bell Canada, gave his name and address to Toronto Police when they presented a search warrant.

Internet users have an expectation of privacy and they don't have to list their names or addresses, Wasser said.

It is be -lieved to be the first Ontario Superior Court challenge of a warrant in which a service provider gave a subscriber's name and address.

Justice Robert Clark may give a ruling as early as tomorrow in the judge-alone trial.

The judge appeared to disagree with Wasser, saying, "The nature of the information is pivotal here. You're not discovering biographical information. You're getting the most minimal information, the person's identity and address."

Clark said he was balancing the accused's privacy rights versus "effective law enforcement."

Crown attorney Allison Dellandrea said the information provided "isn't deserving of constitutional protection."

Smith, 42, was charged with two counts of possession of child pornography and one count of making available child pornography after police searched his home computer two years ago.

He lost his job as soon as he was charged and the popular ads were pulled off the air.

Labels: ip address, lawful authority, privacy, warrants

There's been a lot of debate over whether PIPEDA permits a commercial entity, such as an ISP, to provide certain identifying information to law enforcement without a warrant. Most of the debate centers around section 7(3)(c.1) of PIPEDA, which reads:

(3) For the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, an organization may disclose personal information without the knowledge or consent of the individual only if the disclosure is ...

(c.1) made to a government institution or part of a government institution that has made a request for the information, identified its lawful authority to obtain the information and indicated that

(i) it suspects that the information relates to national security, the defence of Canada or the conduct of international affairs,

(ii) the disclosure is requested for the purpose of enforcing any law of Canada, a province or a foreign jurisdiction, carrying out an investigation relating to the enforcement of any such law or gathering intelligence for the purpose of enforcing any such law, or

(iii) the disclosure is requested for the purpose of administering any law of Canada or a province;

Some are of the view that "lawful authority" means a lawful investigation and that an organization is able to disclose certain information without consent under PIPEDA. Some take the erroneous view that PIPEDA actually authorizes the disclosure, which is not the case at all. This error is compounded by law enforcement who refer to "PIPEDA letters" demanding information from internet service providers in connection with child exploitation investigations.

The Ontario Court of Justice, in an unpublished decision that I understand is under appeal, recently considered the impact of a request by law enforcement for ISP subscriber information. In R. v. Kwok, police officers went online and convinced an unidentified person to provide child pornography to the undercover officer. Using usual techniques, the cops determined the IP address of the suspect and sent a letter to the ISP requesting the billing information associated with the account. The officer testified that he had not read PIPEDA, but understood from an e-mail from the RCMP Commissioner that PIPEDA authorizes such disclosures and these letters should be used to facilitate access to information. Prior to PIPEDA, the officer testified, they routinely sought warrants for this sort of information. The letter used in this case, not surprisingly, cited PIPEDA. The ISP provided the information and an arrest was subsequently made.

The defendant made an application to have the evidence thrown out as it was unlawfully obtained and the Court agreed. The Court held that even if PIPEDA permits access to this information by law enforcement, it is contrary to the Charter for the police to obtain it in this manner.

From Paragraph 35 of the decision:

"The subscriber, in this case, in my view, and based on my reading of the authorities, has an expectation of privacy in respect of this personal information [name and address]. The investigation of these types of crimes is essential and important, but there must always be the proper balancing of the procedures used by the police and the right of citizens to be free from unreasonable search and seizure. Shortcuts, such as set out in s. 7(3)(c) of PIPEDA in the circumstances of this case must be used with great caution, given the notions of freedom and democracy we come to expect in our community. In my view, the police should have procured a warrant to obtain the subscriber information, that is the name and address of the Applicant, in this case, as I have found the name and address is information from which intimate personal details of lifestyle and choices can be obtained. I therefore find there has been a s. 8 violation."

The copy of the decision that I've obtained (R. v. Kwok) is marked "draft" and I haven't been able to find it online. I understand it is under appeal and hopefully the Court of Appeal can clarify what s. 7(3)(c) actually means and whether companies can provide the police with customer information without a warrant. I also hope that the Court will clarify that PIPEDA does not give anyone -- agents of the state in particular -- increased access to personal information, but the reverse.

Note: I've blogged about this topic on a number of occasions. For some background, see http://www.privacylawyer.ca/blog/labels/warrants.html.

Labels: ip address, law enforcement, lawful authority, privacy, warrants

This is an interesting development.

In 2003, the Privacy Commissioner of Canada released a finding that strongly suggested that an IP address is "personal information" for the purposes of PIPEDA (Commissioner's Findings - PIPEDA Case Summary #25: A broadcaster accused of collecting personal information via Web site - November 20, 2001 - Privacy Commissioner of Canada). Now the European Union is taking a similar position.

This determination has implications for a range of businesses that operate websites, but particularly affects companies like Google, Yahoo! and the like.

Wired News - AP News - EU Official: IP Is Personal

By AOIFE WHITE

AP Business Writer

BRUSSELS, Belgium (AP) -- IP addresses, string of numbers that identify computers on the Internet, should generally be regarded as personal information, the head of the European Union's group of data privacy regulators said Monday.

Germany's data protection commissioner, Peter Scharr, leads the EU group preparing a report on how well the privacy policies of Internet search engines operated by Google Inc., Yahoo Inc., Microsoft Corp. and others comply with EU privacy law.

He told a European Parliament hearing on online data protection that when someone is identified by an IP, or Internet protocol, address "then it has to be regarded as personal data."

His view differs from that of Google, which insists an IP address merely identifies the location of a computer, not who the individual user is - something strictly true but which does not recognize that many people regularly use the same computer terminal and IP address.

Scharr acknowledged that IP addresses for a computer may not always be personal or linked to an individual. For example, some computers in Internet cafes or offices are used by several people.

But these exceptions have not stopped the emergence of a host of "whois" Internet sites that apply the general rule that typing in an IP address will generate a name for the person or company linked to it.

Treating IP addresses as personal information would have implications for how search engines record data.

Google led the pack by being the first last year to cut the time it stored search information to 18 months. It also reduced the time limit on the cookies that collect information on how people use the Internet from a default of 30 years to an automatic expiration in two years.

But a privacy advocate at the nonprofit Electronic Privacy Information Center, or EPIC, said it was "absurd" for Google to claim that stripping out the last two figures from the stored IP address made the address impossible to identify by making it one of 256 possible configurations.

"It's one of the things that make computer people giggle," EPIC executive director Marc Rotenberg told The Associated Press. "The more the companies know about you, the more commercial value is obtained."

Google's global privacy counsel, Peter Fleischer, however, said Google collects IP addresses to give customers a more accurate service because it knows what part of the world a search result comes from and what language they use - and that was not enough to identify an individual user.

"If someone taps in 'football' you get different results in London than in New York," he said.

He said the way Google stores IP addresses meant one of them forms part of a crowd, giving valuable information on general trends without infringing on an individual's privacy.

Google says it needs to store search queries and gather information on online activity to improve its search results and to provide advertisers with correct billing information that shows that genuine users are clicking on online ads.

Internet 'click fraud' can be tracked down by showing that the same IP address is jumping repeatedly to the same ad. Advertisers pay for each time a different person views the ad, so dozens of views by the same person can rack up costs without giving the company the publicity it wanted.

Microsoft does not record the IP address that identifies an individual computer when it logs search terms. Its Internet strategy relies on users logging into the Passport network that is linked to its popular Hotmail and Messenger services.

The company's European Internet policy director, Thomas Myrup Kristensen, described the move as part of Microsoft's commitment to privacy.

"In terms of the impact on user privacy, complete and irreversible anonymity is the most important point here - more impactful than whether the data is retained for 13 versus 18 versus 24 months," he said.

But neither of the search engines received a pat on the back from Spain's data protection regulator, Artemi Rallo Lombarte, who criticized them for not trying to make their privacy policies accessible to normal people.

Their privacy policies "could very well be considered virtual or fictional ... because search engines do not sufficiently emphasize their own privacy policies on their home pages, nor are they accessible to users," he said, describing the policies as "complex and unintelligible to users."

Labels: europe, google, ip address, privacy

Over the last week, there's been a huge fuss in the media and among bloggers about the consultation that was initiated by the Department of Public Safety over an apparent revival of "lawful access" in Canada. Two things really seemed to catch the attention of commentators: first, the suggestion that the government is again contemplating a system of warrantless access to personal information and, second, that the consultation was taking place in secret. I first heard about it from Michael Geist, who deserves a lot of credit for making it well-known (Public Safety Canada Quietly Launches Lawful Access Consultation). Since then it has been widely reported on in the media and among bloggers.

So what is the fuss about? I hope I can provide some background and context for some of the discussion that is taking place.

Canadian law enforcement and national security agencies are looking for a quick and easy way to obtain access to the names, phone numbers, IP addresses, etc of customers of Canadian telecommunications service providers. (Quick and easy, in this context, means without the delay and paperwork involved in applying to a judge for a search warrant.) This information is sought in a number of contexts, including in the very beginning of investigations or as part of "intelligence gathering." It is also sought, at times, when there is insufficient evidence to connect an individual to a crime so that a judge would not issue a warrant. (Which raises the question: Why should the police be able to require the information without oversight in circumstances where a judge says that the Charter of Rights and Freedoms doesn't permit them to require the information?)

So why shouldn't telecommunications service providers, being good citizens, hand over this information when asked by the police or by national security agents? Simply put, because it is illegal for them to do so. Since 2001, Canadian telecommunications service providers have been subject to the Personal Information Protection and Electronic Documents Act (aka "PIPEDA"). PIPEDA requires the consent of the individual for all collection, use and disclosure of personal information, subject to a number of exceptions. "Personal information" includes any information about an identifiable individual. If it is information and it's about an identifiable individual (either alone or in combination with information that it accompanies), it's "personal information". This would include my name, my address, my phone number, the IP address of my computer, etc.

Some might say that's public information, because my name and phone number may be in a phone book. Interesting point, but that doesn't remove the protections to the information if it is in the hands of my TSP. If the police get it from the phone book, then they can do what they want with it. But if they want to get it from my TSP, then it is personal information and the TSP can't disclose it unless a "consent exception" applies. (See s. 7(1)(d), 7(2)(c.1) and 7(3)(h.1) of PIPEDA and, very importantly, the Regulations Specifying Publicly Available Information (SOR/2001-7)).

The police (who are not bound by PIPEDA) may be within their rights to ask for the information, but TSPs (who are bound by PIPEDA are not able to hand it over without consent unless a PIPEDA consent exception applies. Section 7 contains many consent exceptions, some of which might apply in the circumstances described in the consultation document put out by Public Safety Canada:

"Some [telecommunications] companies provide this information voluntarily, while others require a warrant before providing any information, regardless of its nature or the nature of the situation. If the custodian of the information is not cooperative when a request for such information is made, law enforcement agencies may have no means to compel the production of information pertaining to the customer. This poses a problem in some contexts. For example, law enforcement agencies may require the information for non-investigatory purposes (e.g., to locate next-of-kin in emergency situations) or because they are at the early stages of an investigation. The availability of such building-block information is often the difference between the start and finish of an investigation."

Under PIPEDA, TSPs can likely disclose information about a customer in an emergency. Section 7(3)(e) permits a disclosure without consent if the disclosure is:

(e) made to a person who needs the information because of an emergency that threatens the life, health or security of an individual and, if the individual whom the information is about is alive, the organization informs that individual in writing without delay of the disclosure;

What it doesn't permit is disclosures to law enforcement unless they have a warrant. In this context, s. 7(3)(c.1) is the subject of a bit of debate. This reads:

7(3) For the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, an organization may disclose personal information without the knowledge or consent of the individual only if the disclosure is ...

(c) required to comply with a subpoena or warrant issued or an order made by a court, person or body with jurisdiction to compel the production of information, or to comply with rules of court relating to the production of records;

(c.1) made to a government institution or part of a government institution that has made a request for the information, identified its lawful authority to obtain the information and indicated that

(i) it suspects that the information relates to national security, the defence of Canada or the conduct of international affairs,

(ii) the disclosure is requested for the purpose of enforcing any law of Canada, a province or a foreign jurisdiction, carrying out an investigation relating to the enforcement of any such law or gathering intelligence for the purpose of enforcing any such law, or

(iii) the disclosure is requested for the purpose of administering any law of Canada or a province;

It must be noted that these provisions are permissive, meaning that they allow the TSP to disclose the information in these circumstances without offending PIPEDA. Nothing in the above requires a TSP to disclose the information. Any compulsion has to come from another statute or rule of law. Section 7(3)(c) says if they have a warrant, the TSP can hand it over. (The obligation comes from the warrant, not PIPEDA.) There is authority from the Ontario Courts that an investigation does not create the "lawful authority" to obtain the information. "Lawful access" is an effort to change the law to have an investigation constitute "lawful authority". Or just remove the "lawful authority" requirement altogether.

What is also very interesting from the consultation document is that many TSPs currently hand over the information when asked by law enforcement (worth quoting again):

"Some [telecommunications] companies provide this information voluntarily, while others require a warrant before providing any information, regardless of its nature or the nature of the situation. If the custodian of the information is not cooperative when a request for such information is made, law enforcement agencies may have no means to compel the production of information pertaining to the customer. This poses a problem in some contexts. For example, law enforcement agencies may require the information for non-investigatory purposes (e.g., to locate next-of-kin in emergency situations) or because they are at the early stages of an investigation. The availability of such building-block information is often the difference between the start and finish of an investigation."

I have it on reliable authority from within the industry that most internet service providers will provide a customer's full name and billing address when given an IP address. It doesn't seem to be because they think they legally can, but because they have succumbed to pressure from law enforcement who take a position that not providing the information puts them in league with child molesters and terrorists.

The fact remains, and must be borne in mind, that if a person's life or safety is in jeopardy, the TSP can disclose information without consent. This would include the ticking bomb scenario, a child being abused, etc. In exigent circumstances, the police always have access to the expedited telewarrant procedures in the Criminal Code. There isn't an exception in PIPEDA, the Criminal Code or the Charter for compelled disclosures of personal information absent lawful authority.

Labels: health information, ip address, law enforcement, lawful access, lawful authority, national security, privacy, warrants

The lawful access consultation information is now online on the Public Safety Canada website.

(It refers to telecommunications service providers who are "not cooperative", which should read who "choose not to violate the law respecting the privacy of subscriber information.)

Public Safety Canada :: Home :: Programs :: National security :: Policy advice and support

Customer Name and Address Information Consultation

Public Safety Canada and Industry Canada are seeking current views and/or new issues associated with the question of accessing customer name and address in the modern telecommunications world. We are consulting with a range of stakeholders, such as the police, industry representatives, civil liberties groups as well as other groups interested in privacy and victim of crimes issues. If you and/or your organization would like to provide input on any or all of the issues identified in the posted consultation document, please submit written comments, by October 12th, 2007 to:

Customer Name and Address Consultation

Public Safety Canada

16C, 269 Laurier Avenue West

Ottawa , ON, Canada K1A 0P8

Email: cna-consultations@ps-sp.gc.ca

Modern telecommunications and computer networks such as the Internet are a great source of economic and social benefits, but they can also be used in the planning, coordination, financing and perpetration of crimes and threats to public safety and the national security of Canada. By extension, the rapidly evolving nature of these technologies can pose a significant challenge to law enforcement and national security officials who are entrusted with combating these threats, and who employ lawful access to communications and information to do so.

The principles and powers of lawful access must be exercised in a manner consistent with the rights and freedoms guaranteed in the Canadian Charter of Rights and Freedoms and while adapting to the rapid pace of technological change.

The consultation process

Public Safety Canada, in collaboration with Industry Canada, is presently examining how to address the challenges faced by police, the Canadian Security Intelligence Service (CSIS) and the Competition Bureau when seeking timely access to basic CNA information in a modern telecommunications milieu. This question was previously considered by stakeholders in broader consultation processes on lawful access issues held in 2002 and 2005.

The purpose of this consultation is to provide a range of stakeholders - including police and industry representatives and groups interested in privacy and victims of crime issues - with an opportunity to identify their current views on possible approaches to updating Canada’s lawful access provisions as they relate to law enforcement and national security officials’ need to gain access to CNA information in the course of their duties. The possible scope of CNA information to be obtained is later identified, but it should be noted from the outset that it would not, in any formulation, include the content of communications or the Web sites an individual visited while online.

The objectives of this process are to maintain lawful access for law enforcement and national security agencies in the face of new technologies while preserving and protecting the privacy and other rights and freedoms of all people in Canada. In striving to attain these goals, it is essential to ensure that the competitiveness of Canadian industry is taken into account and that the solutions adopted do not place an unreasonable burden on the Canadian public.

Current context

Timely access to CNA information is an important tool used by law enforcement and national security agencies to fulfil their public safety mandates. This type of information can be vital in the context of investigations of online criminal activity, such as child exploitation.

Law enforcement agencies have been experiencing difficulties in consistently obtaining basic CNA information from telecommunications service providers (TSPs). In the absence of explicit legislation, a variety of practices exists among TSPs with respect to the release of basic customer information, e.g., name, address, telephone number, or their Internet equivalents. Some companies provide this information voluntarily, while others require a warrant before providing any information, regardless of its nature or the nature of the situation. If the custodian of the information is not cooperative when a request for such information is made, law enforcement agencies may have no means to compel the production of information pertaining to the customer. This poses a problem in some contexts. For example, law enforcement agencies may require the information for non-investigatory purposes (e.g., to locate next-of-kin in emergency situations) or because they are at the early stages of an investigation. The availability of such building-block information is often the difference between the start and finish of an investigation.

CNA information

In the context of options under consideration by Public Safety Canada and its partner departments and agencies, CNA information refers to basic identifiers that would assist law enforcement and national security agencies to determine the identity of a telecommunications service subscriber, if this information was necessary to the performance of their duties.

The scope of CNA information obtained could include the following basic identifiers associated with a particular subscriber:

• name;
• address(es);
• ten-digit telephone numbers (wireline and wireless);
• Cell phone identifiers, e.g., one or more of several unique identifiers associated with a subscriber to a particular telecommunications service (mobile identification number or MIN; electronic serial number or ESN; international mobile equipment or IMEI number; international mobile subscriber identity or IMSI number; subscriber identity module card number of SIM Card Number);
• e-mail address(es);
• IP address; and/or,
• Local Service Provider Identifier, i.e., identification of the TSP that owns the telephone number or IP address used by a specific customer.

Possible model

Options based on an administrative model are being considered closely by officials.

Possible safeguards

Further to input received during 2002 and 2005 consultations, a number of safeguards could be included under a possible administrative model requiring the release of limited basic CNA information to law enforcement and national security agencies upon request. These could include:

• clear limitations on what customer information could be obtained upon request;
• limiting the number of employees who would have access to CNA;
• requiring that individuals with access be designated by senior officials within their organizations;
• limiting requests to those made for the purpose of performing an official duty or function;
• requiring that requests be made in writing, except in exceptional circumstances;
• requiring that designated officials provide associated information with their request, e.g., identification of a specific date and time for a request relating to an IP address;
• requiring designated officials to record their status as such when making a request, as well as the duty or function for which a particular request is made;
• limiting the use of any information obtained to the agency that obtained it for the purpose for which the information was obtained, or for a use consistent with that purpose, unless permission is granted by the individual to whom it relates;
• requiring regular internal audits by agency heads to ensure that any requests for CNA information are being made in accordance with the protocols and safeguards in place;
• reporting to responsible ministers on the result of any internal audits;
• provision of any audit results to the Privacy Commissioner of Canada, the Security Intelligence Review Committee, or provincial privacy commissioners, as appropriate; or
• provision for the Privacy Commissioner and SIRC to conduct audits related to the release of CNA information.

Under no option being examined would TSPs be compelled to track the actions of customers or to collect information about them in the absence of necessary court authorizations governing such activity in Canada, nor would law enforcement or national security agencies be permitted to obtain the content of a customer’s communications without such authorizations.

Conclusion

Officials plan to meet with a range of interested parties in September, 2007 to discuss the issues raised in this paper.

Labels: ip address, law enforcement, lawful access, national security, privacy, surveillance, warrants

The CBC has a lengthy piece on the quiet consultation I referred to the other day (Canadian Privacy Law Blog: Public Safety Canada Quietly Launches Lawful Access Consultation):

Government moving to access personal info, sparking privacy fears

Government agencies are moving to gain access to telephone and internet customers' personal information without first getting a court order, according to a document obtained by CBCNews.ca that is raising privacy issues.

Public Safety Canada and Industry Canada have begun a consultation on how law enforcement and national security agencies can gain lawful access to customers' information. The information would include names, addresses, land and cellphone numbers, as well as additional mobile phone identification, such as a device serial number and a subscriber identity module (SIM) card number.

The consultation also seeks input on access to e-mail addresses and IP addresses. An IP address is a number that can be used to identify a computer's location.

The document says the objective of the consultation is to provide law enforcement and national security agencies with the ability to obtain the information while protecting the privacy of Canadians.

The document says that under current processes, enforcement agencies have been experiencing difficulties in gaining the information from telecommunications service providers, some of which have been demanding a court-issued warrant before turning over the data.

"If the custodian of the information is not co-operative when a request for such information is made, law enforcement agencies may have no means to compel the production of information pertaining to the customer," the document says. "This poses a problem in some contexts."

It says enforcement agencies may need the information for matters other than probes, such as informing next-of-kin of emergency situations, or because they are at the early stages of an investigation.

"The availability of such building-block information is often the difference between the start and finish of an investigation," according to the document.

Privacy advocates, however, expressed displeasure over both the content and the process of the consultation.

Criticizes short consultation time

Michael Geist, chair of internet and e-commerce law at the University of Ottawa, said the process is not being conducted publicly as two previous consultations have been, in 2002 and in 2005.

The consultation has not been published in the Canada Gazette, where such documents are normally publicized, or on the agencies' websites.

Interested parties have been given until Sept. 27 to submit their comments, which is a short consultation time, Geist said. Several organizations and individuals contacted by CBCNews.ca only received their documents this week.

More pointedly, a number of parties that took part in the previous consultations, including privacy and civil liberty advocates — and even some telecommunication service providers — have not been made aware of the discussion, he said.

"It's really disturbing particularly in light of the fact that they've had two prior consultations on lawful access in the past, so it's not as if they don't know the parties that are engaged on this issue," Geist said.

Officials with the Canadian Civil Liberties Association were not aware of the consultation.

All about appearances?

Jacqueline Michelis, an Ottawa-based spokeswoman at Bell Canada Inc., the country's largest telecommunications provider, said the company was aware of the consultation but would not comment further. Rogers Communications Inc. and Telus Corp., the country's next biggest providers, did not have immediate comment.

Geist said the other problem with the consultation is that it appears as if the government agencies have already made up their minds on how to proceed and are simply conducting it for appearances' sake.

"The fear is that law enforcement knows what it would like to do — it would like to be able to obtain this information without court oversight — and so it has pulled together this consultation in the hope that they can use that to say they have consulted, and here are the safeguards that the consultation thought was appropriate."

Denies document secrecy

Mélisa Leclerc, a spokeswoman for Public Safety Minister Stockwell Day, said the government was not trying to keep the consultation secret and would post the document on the internet on Thursday. The deadline for submissions would also be extended, although no decision on a date has been made yet.

Colin McKay, a spokesman for the privacy commissioner of Canada, said the government agencies have not yet proven that accessing information without a court order is necessary. The commissioner will be making a submission to the consultation on that matter.

"We'd like to see some proof that this is a necessary step because at the moment there is provision in privacy law if necessary and if presented with a legal authority to do it, in most cases that's a court order," McKay said. "That gives Canadians some level of protection."

The Information Technology Association of Canada, which will also be making a submission, agreed and said it would like to see details on instances where telecommunication providers have refused to co-operate with authorities.

"This is about transposing to new technology the same kind of law enforcement we used to have on wire-line phone networks," said Bernard Courtois, president and chief executive officer of ITAC. "Conversely, just because you're going to do law enforcement on new technology people should not lose any of their privacy protection or rights in terms of the nature of investigation."

Canada's move is in contrast to one by the United States, where last week a federal judge overturned a part of the Patriot Act that allowed the Federal Bureau of Investigation to secretly obtain personal records about customers from internet providers, phone companies, banks, libraries and other businesses without a court's permission.

Speaking on the phone from Paris, Peter Fleischer, global privacy counsel for internet search giant Google Inc., told CBCNews.ca that even in the security-conscious United States, courts have moved to curtail excessive attempts by the government at extracting personal information.

A year and a half ago, the Department of Justice obtained a warrant demanding Google turn over users' personal information as part of an investigation into the effectiveness of anti-pornography software that was being tested. Google refused and a judge ending up siding with the company.

"The order we had from the U.S. Department of Justice was a valid legal order under the U.S. legal system, but even then it was excessive and infringed privacy, and was curtailed by a U.S. court when we challenged it," Fleischer said.

Companies operating in Canada, and their customers, should have the same rights here, he said.

"There should be judicial authorization and a valid legal process before a government should be able to compel companies to hand over information about their users."

Ironically, Google on Wednesday came under fire from Privacy Commissioner Jennifer Stoddart for its Street View web photo application. The commissioner said many of the images used by the application could break Canada's privacy laws.

Fleischer would not comment on the matter, but said he would address it when he visits Canada later this month.

Labels: google, google street view, ip address, law enforcement, lawful access, libraries, patriot act, privacy, street view, surveillance, warrants

Michael Geist writes that Public Safety Canada has quietly begun a secret, quiet quasi-pubilc consultation on lawful access. Apparently, Public Safety asked Michael not to write about it.

Apparently, telecommunications service providers are inconsistent about handing over customer information in the absence of judicial authorization. I understand from other sources that, with only two exceptions, all large Canadian ISPs provide account information to law enforcement when presented with an IP address. This is likely based on a misinterpretation of PIPEDA or due to pressure from law enforcement.

This is a significant development. Canadians and businesses with an interest in the line between law enforcement and commercial enterprises should make their thoughts known, even if they haven't been invited to do so. See: Michael Geist - Public Safety Canada Quietly Launches Lawful Access Consultation.

For some related blogging, see: It's not your job to police your customers, The ISP Privacy Pledge, and Ontario court considers "lawful authority" under PIPEDA.

Labels: ip address, law enforcement, lawful access, lawful authority, privacy, surveillance, warrants

Straight from Google's official blog:

Official Google Blog: Why does Google remember information about searches? 5/11/2007 11:21:00 AM Posted by Peter Fleischer, Global Privacy Counsel

We recently announced a new policy to anonymize our server logs after 18–24 months. We’re the only leading search company to have taken this step publicly. We believe it’s an important part of our commitment to respect user privacy while balancing a number of important factors.

In developing this policy, we spoke with various privacy advocates, regulators and others about how long they think the period should be. There is a wide spectrum of views on this – some think data should be preserved for longer, others think it should be anonymized almost immediately. We spent a great deal of time sorting this out and thought we’d explain some of the things that prompted us to decide on 18-24 months.

Three factors were critical. One was maintaining our ability to continue to improve the quality of our search services. Another was to protect our systems and our users from fraud and abuse. The third was complying—and anticipating compliance—with possible data retention requirements. Here’s a bit more about each of these:

• Improve our services: Search companies like Google are constantly trying to improve the quality of their search services. Analyzing logs data is an important tool to help our engineers refine search quality and build helpful new services. Take the example of Google Spell Checker. Google’s spell checking software automatically looks at your query and checks to see if you are using the most common version of a word’s spelling. If it calculates that you’re likely to generate more relevant search results with an alternative spelling, it will ask “Did you mean: (more common spelling)?” We can offer this service by looking at spelling corrections that people do or do not click on. Similarly, with logs, we can improve our search results: if we know that people are clicking on the #1 result we’re doing something right, and if they’re hitting next page or reformulating their query, we’re doing something wrong. The ability of a search company to continue to improve its services is essential, and represents a normal and expected use of such data.
• Maintain security and prevent fraud and abuse: It is standard among Internet companies to retain server logs with IP addresses as one of an array of tools to protect the system from security attacks. For example, our computers can analyze logging patterns in order to identify, investigate and defend against malicious access and exploitation attempts. Data protection laws around the world require Internet companies to maintain adequate security measures to protect the personal data of their users. Immediate deletion of IP addresses from our logs would make our systems more vulnerable to security attacks, putting the personal data of our users at greater risk. Historical logs information can also be a useful tool to help us detect and prevent phishing, scripting attacks, and spam, including query click spam and ads click spam.
• Comply with legal obligations to retain data: Search companies like Google are also subject to laws that sometimes conflict with data protection regulations, like data retention for law enforcement purposes. For example, Google may be subject to the EU Data Retention Directive, which was passed last year, in the wake of the Madrid and London terrorist bombings, to help law enforcement in the investigation and prosecution of “serious crime”. The Directive requires all EU Member States to pass data retention laws by 2009 with retention for periods between 6 and 24 months. Since these laws do not yet exist, and are only now being proposed and debated, it is too early to know the final retention time periods, the jurisdictional impact, and the scope of applicability. It's therefore too early to state whether such laws would apply to particular Google services, and if so, which ones. In the U.S., the Department of Justice and others have similarly called for 24-month data retention laws.

At the same time, regulators in other parts of governments have argued for shorter retention periods, reflecting the conflicts in every country between privacy and data protection objectives on the one hand, and law enforcement objectives on the other. Companies like Google are trying to be responsible corporate citizens, and sometimes we are told to do different things by different government entities, or to follow conflicting legal obligations. It's hard enough to get different government entities to talk to each other inside one country. When you multiply this by all the countries where Google must comply with the laws, the potential conflicts are enormous. Nonetheless, Google is committed to providing its users around the world with one consistent high level of data protection.

It’s also worth reiterating that we do not ask our users for their names, address, or phone numbers to use most of our services. For those who want to see what their logs history looks like, we offer transparent access via a Google Account to their own personal Web History.

Finally, we maintain rigorous internal controls of our logs database. We look forward to an ongoing discussion with privacy stakeholders around the world as we pursue a common goal of improving privacy protections for everyone on the Internet.

Labels: google, ip address, privacy, retention

According to Computer Business Review online, three advocacy groups, including EPIC, have made represenations to the Federal Trade Commission to block Google's acquisition of DoubleClick on consumer privacy grounds. See: Google-DoubleClick deal under privacy fire - CBRonline.com.

CBR also thinks this is a good time for Google to get its privacy ducks in a row:

Our View

While the privacy groups' goals are noble, the arguments in their complaint as they relate to the acquisition itself are rather weak, and we can't help but think that DoubleClick deal is just being seized as an opportunity to pressure Google into adopting better privacy practices.

Google is already big enough, and its privacy practices sufficiently slanted away from the end user, that it could use privacy reform whether it gets to buy DoubleClick or not.

A commitment to "anonymize" search data after two years storage is as good as no commitment at all. The company will still know which IP address and cookie has searched for what terms for the last two years.

What is needed from Google is a method by which users can opt out of having their queries logged, period. DoubleClick has had an opt-out feature for years. Google could simply lay an opt-out cookie on users' machines, and refuse to log any queries associated with that cookie.

This would very likely make the privacy criticisms go away.

The Financial Times has some further info on how Google is proposing to respond to this:

FT.com / Home UK / UK - Google promises to tackle fears over privacy

Google promises to tackle fears over privacy

By Richard Waters

Published: April 22 2007 22:24 | Last updated: April 22 2007 22:24

Google is developing technology to try to appease critics who complain that its proposed acquisition of DoubleClick will lead to an erosion of online privacy, according to Eric Schmidt, its chief executive.

Speaking in an interview, he also promised changes in the internet company’s policies, saying Google would do whatever was necessary to quell a rising tide of complaints about lack of privacy that began with news of its planned $3.1bn acquisition 10 days ago.

“At the end of the day, people will be happy,” said Mr Schmidt. “That’s because they have to be,” or Google would lose both users and advertisers and its business would be at risk, he said.

Fears have been stoked by the potential for Google to build up a detailed picture of someone’s behaviour by combining its records of web searches with the information from DoubleClick’s “cookies”, the software it places on users’ machines to track which sites they visit.

As the company that “serves”, or delivers, the majority of banner ads seen by web users, DoubleClick’s reach within its market is on a par with that of Google in the search business.

Mr Schmidt said Google was working on a way of handling “cookies” that would reduce concerns about the practice. The technology has long been controversial, because many internet users do not realise their surfing habits are tracked. Google has bowed to those concerns by not using cookies, though it has said it would change its policy after the DoubleClick acquisition.

“We have technology in that area that can make it much better,” Mr Schmidt said, though he refused to give details of the technique ahead of the company’s discussions with regulators.

Besides privacy groups, the DoubleClick deal has also stirred unease among advertisers and other online media companies over the competitive advantage Google would gain from the vast amount of information it would have about their businesses.

Mr Schmidt last week said that Google would consider arrangements to deal with those fears, such as keeping apart data about advertisers and media owners contained in Google and DoubleClick’s systems.

While stoking fears about loss of privacy, greater use of personal data collected online could have benefits, from enhancing the personalisation of services to helping fight terrorism, the Google chief executive said.

“These are the conflicts of our age,” he added. “We’re trying to find the right balance.”

Labels: doubleclick, google, ip address, privacy

The recent high-profile arrest of an St. Thomas, Ontario man allegedly busted abusing a child online has revived the discussion related to lawful access (or the Modernization of Investigative Techniques Act). While nobody can question the horror of child abuse, the debate over expanding police powers and privacy rights is a legitimate debate that needs to take place.

I found it interesting to learn that ISPs in Canada regularly disclose information about subscribers without search warrants, as discussed in the Canoe.ca article:

CANOE Money: Sectors - Police hope ISPs will do more to help in fighting child exploitation:

Tom Copeland, head of the Canadian Association of Internet Providers, said in most cases ISPs will co-operate if presented with a search warrant or a so-called letter of authority, but acknowledged it's not always the case.

"It's going to be a management decision by each and every ISP but I think the trend, especially when it comes to child exploitation, is to co-operate with law enforcement - subject to them providing some basic lawful authorization," he said.

The industry - which is made up of between 300 to 400 ISPs nationwide - has worked with law enforcement agencies to come up a letter of authority, a form that police can fill out and fax to ISPs to get information. It was developed after coming to a consensus that needing to obtain a search warrant was impractical for a number of reasons.

I have never seen one of these, so I am making an assumption that these are meant to invoke section 7(3)(c.1) of PIPEDA:

(3) For the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, an organization may disclose personal information without the knowledge or consent of the individual only if the disclosure is ...

(c.1) made to a government institution or part of a government institution that has made a request for the information, identified its lawful authority to obtain the information and indicated that

(i) it suspects that the information relates to national security, the defence of Canada or the conduct of international affairs,

(ii) the disclosure is requested for the purpose of enforcing any law of Canada, a province or a foreign jurisdiction, carrying out an investigation relating to the enforcement of any such law or gathering intelligence for the purpose of enforcing any such law, or

(iii) the disclosure is requested for the purpose of administering any law of Canada or a province;

I also found it interesting that some are of the view that name and address (combined with the individual's IP address) are categorically non-sensitive and perhaps are not personal information:

"The notion that a search warrant is needed for simply a customer's name and address is a little bit far-reaching, it's really overkill based on what Canada's privacy laws dictate," Copeland said.

"There is a general naivety about what Canada's privacy laws will and won't allow us to do, what information is to be kept private subject to more rigorous requests by law enforcement, versus what a reasonable person would expect to be private or not private."

He said a customer's name and address - which can usually be found in the phone book or in an online database - wouldn't normally be considered personal or private information, and often that's all police need.

Labels: ip address, lawful access, lawful authority, privacy

Virante, an internet marketing company, has made an interesting proposal to protect the privacy of search engine users. It suggests that users should be able to opt out of having their search tracked by IP address or cookie by appending "#privacy" to the search query. Here's the release from Virante:

Press Release - Search Engine Privacy Standard Proposed To Protect Users:

New website proposes a new search standard, #privacy, to protect user privacy when performing search engine queries.

/24-7PressRelease/ - DURHAM, NC, October 22, 2006 - With recent data leaks at AOL, governments seeking information from Google on its users, and no simple user privacy solutions available, a standard for empowering user search privacy has finally been proposed. PoundPrivacy.org is spearheading a search privacy revolution with its proposed #privacy standard. Our proposal is that the #privacy flag could be added to the end of searches by users to tell the search engine 'don't track this query.' In response, the search engine should not track the user by IP address or cookie, and the query should not be made public in keyword tools. The website carefully addresses the one exception to this capability - queries in which a crime is likely being committed (like the solicitation of child pornography) should be excluded from the #privacy flag.

PoundPrivacy.org contains an open letter addressed to the major four search engines - Google, Yahoo, Microsoft, and Ask - requesting that they adopt the #privacy standard. Additionally, the site offers ideas on ways individuals who agree with the standard can support the campaign, including blogging about it, linking to poundprivacy.org, and sending out emails to friends.

About Virante, Inc.

Virante, Inc., is a leading internet marketing solution provider. For more information please visit Virante Web Marketing Solutions or contact us at Email Virante, (919) 459-1088, 1-800-650-0820.

Also check out www.poundprivacy.org.

UPDATE: Adam over at Emergent Chaos thinks this is a silly idea and I must say I agree with just about everything he says, other than the bit about the goat. I'm sure they're not that expensive.

Emergent Chaos: A Very Silly Idea: #privacy, and poundprivacy.org:

"This is silly on a number of levels:

1. It propagates the simplistic 'opt-in/opt-out' thinking that the US marketing industry has been promulgating for decades. Look where that thinking has taken us.
2. It defaults all queries to opt-in, implied by absence of an opt-out. Privacy should be a default, and the 'right' way to implement this would be with #trackthis.
3. It will be prone to user error (typos) and forgetting. It offers no way to say, set a privacy cookie. Even Doubleclick does that.
4. Implementation is left as an exercise for the search engines, who are supposed to both magically not track your queries, and magically track them if you might be violating a law. (I say magically because I have some understanding of how web logs actually work.)
5. For some remarkable reason, no search engine has actually bothered to comment on the proposal. Certainly, no one has accepted it yet. So why am I blogging about it?
6. Really, this idea is one level above an idea I had at the pub last night. Unfortunately, as it turns out, goats are expensive, and probably won't walk on treadmills. It's a good thing I sobered up before setting up a web site."

Labels: aol, doubleclick, google, ip address, privacy

Those worried about the internet surfing footprints they leave on their PC have a new ally in Browzar, which is an internet browser that doesn't keep a cache, save cookies or use "autocomplete". And it is less than 300k and doesn't require any installation.

I did a little googling ... I mean I used the Google® internet search engine ... looking for more info and found a recent blog posting by Scott Hanselman, who did some looking under the hood of Browzar. According to this post browzar works in tandem with Internet Explorer and deletes image files after they are written to the cache by IE. And not all files are actually deleted. This causes two problems: The first is the file that isn't deleted and the second is that the users' tracks are still on the PC, but have just been deleted (and can therefore be undeleted).

And, of course, you also have to worry about the ability of the visited sites to track you down by your IP address.

Labels: google, ip address, privacy

Among the ten commandments of protecting consumer privacy is the admonition "don't keep it." It appears that search engine ixquick is following that commandment:

Ixquick.com eliminates 'Big Brother'

First search engine to stop recording privacy details

HAARLEM, The Netherlands, June 27, 2006

As personal privacy concerns create growing alarm about the freedom of the Internet, the Ixquick metasearch engine (www.ixquick.com) has taken a pioneering step: starting today, Ixquick will permanently delete all personal search details gleaned from its users from the log files.

"This new feature of our search engine ensures both optimal privacy protection and maximum search performance for our customers, since they will be able to search using the 11 best search engines without their personal data being recorded," says Ixquick spokesman Alex van Eesteren.

As digital technology increasingly pervades our world, more and more personal details are being stored electronically, many of them by search engines. While you are searching the internet, these engines register the time of your searches, the terms you used, the sites you visited and your IP address. In many cases this IP address makes it possible to trace the computer, and in turn the household, that carried out the search.

These personal details are often retained for long periods by search engines and are of interest to commercial parties, governments and even criminals. "Many search engines openly use this data for commercial purposes. It seems only to be a question of time before the data gets misused," alleges Van Eesteren. "Therefore we have decided to permanently delete all personal search records. If the data is not stored, users privacy can't be breached".

Ixquick's Meta Search feature enables the user to simultaneously search 11 of the best search engines. However, Ixquick does not share the user's personal data with these individual search engines in any circumstances. In addition, as of this week, Ixquick will delete the users' IP addresses and 'unique user IDs' from its own 'Log Files'.

"Therefore, any user can use Ixquick.com to search in a combination of the best search engines secure in the knowledge that they can enjoy complete protection of their privacy," continues Mr. van Eesteren.

For more information, please visit www.ixquick.com.

This makes sense in so many ways: First, they save cash since they don't have to store the information. Second, they don't have to worry about a privacy breach. Third, they won't get dragged into a fight over customer information. Finally, it'll excite privacy-concerned web surfers without alientating the others.

Via michaelzimmer.org.

Labels: ip address, privacy, retention

From GameSpot (via the always interesting Video Game Law Blog):

Japanese MMOG suffers privacy leak - News at GameSpot

Game Garden warns that e-mail addresses and game logs of hundreds of thousands of Xenepic Online players may have been compromised.

By Walt Wyman, GameSpot

Posted Jun 28, 2006 11:41 am PT

Game Garden, an online game developer and provider, announced today that personal user information from Xenepic Online, a free massively multiplayer online role-playing game for PCs, was inadvertently compromised. Game Garden manages the server on behalf of NHN Japan Corporation, the game's provider.

The information was mistakenly stored on an open download server, potentially allowing anyone to access it using certain exploits. Data for 297,805 users was put at risk, including their game-server usernames and passwords, e-mail addresses, and game log files, which contain information on items purchased and chat history.

However, it seems that no payment information, such as credit card information, was among the compromised data. In a press release, Game Garden apologized to Xenepic users for the security failure and pledged to "further consolidate internal management to prevent similar incidents in the future."

Labels: incident, ip address, privacy, retention