The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.
The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.
For full contact information and a brief bio, please see David's profile.
The views expressed herein are solely the author's and should not be attributed to his employer or clients. Any postings on legal issues are provided as a public service, and do not constitute solicitation or provision of legal advice. The author makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein or linked to. Nothing herein should be used as a substitute for the advice of competent counsel.
This web site is presented for informational purposes only. These materials do not constitute legal advice and do not create a solicitor-client relationship between you and David T.S. Fraser. If you are seeking specific advice related to Canadian privacy law or PIPEDA, contact the author, David T.S. Fraser.
Sunday, July 20, 2008
The local Halifax paper is running an AP story about the tough choices that custodians of personal information are sometimes called upon to make. After a young girl went missing, the police showed up at the public library demanding to take the public access computers that the girl had apparently used to communicate on MySpace. The librarian stood her ground and demanded that the police get a warrant. They did. Here's the full story:
Nova Scotia News - TheChronicleHerald.ca
Police raid on library offers privacy dilemma
By JOHN CURRAN The Associated Press
Sun. Jul 20 - 5:19 AM
RANDOLPH, Vt. — Children’s librarian Judith Flint was getting ready for the monthly book discussion group for eight and nine-year-olds on Love That Dog when police showed up.
They weren’t kidding around: Five state police detectives wanted to seize Kimball Public Library’s public access computers as they frantically searched for a 12-year-old girl, acting on a tip that she sometimes used the terminals.
Flint demanded a search warrant, touching off a confrontation that pitted the privacy rights of library patrons against the rights of police on official business.
"It’s one of the most difficult situations a library can face," said Deborah Caldwell-Stone, deputy director of intellectual freedom issues for the American Library Association.
Investigators obtained a warrant about eight hours later, but the June 26 standoff in the 105-year-old, red brick library on Main Street frustrated police and had fellow librarians cheering Flint.
"What I observed when I came in were a bunch of very tall men encircling a very small woman," said the library’s director, Amy Grasmick, who held fast to the need for a warrant after coming to the rescue of the 4-foot-10 Flint.
Library records and patron privacy have been hot topics since the passage of the U.S. Patriot Act after the Sept. 11, 2001, terror attacks.
Library advocates have accused the government of using the anti-terrorism law to find out, without proper judicial oversight or after-the-fact reviews, what people research in libraries.
But the investigation of Brooke Bennett’s disappearance wasn’t a Patriot Act case.
"We had to balance out the fact that we had information that we thought was true that Brooke Bennett used those computers to communicate on her MySpace account," said Col. James Baker, director of the Vermont State Police.
"We had to balance that out with protecting the civil liberties of everybody else, and this was not an easy decision to make."
Brooke, from Braintree, vanished the day before the June 26 confrontation in the children’s section of the tiny library.
Investigators went to the library chasing a lead that she had used the computers there to arrange a rendezvous.
Brooke was found dead July 2.
An uncle, convicted sex offender Michael Jacques, has since been charged with kidnapping her.
Authorities say Jacques had gotten into her MySpace account and altered postings to make investigators believe she had run off with someone she met online.
Flint was firm in her confrontation with the police.
"The lead detective said to me that they need to take the public computers and I said ‘OK, show me your warrant and that will be that,’ " said Flint, 56. "He did say he didn’t need any paper.
"I said ‘You do.’ He said ‘I’m just trying to save a 12-year-old girl,’ and I told him ‘Show me the paper.’"
Cybersecurity expert Fred H. Cate, a law professor at Indiana University, said the librarians acted appropriately.
"If you’ve told all your patrons ‘We won’t hand over your records unless we’re ordered to by a court,’ and then you turn them over voluntarily, you’re liable for anything that goes wrong," he said.
Saturday, June 28, 2008
The American Library Association has always been a reasoned and reasonable voice for privacy in libraries and the wider community. I was interested to learn they are doing a panel tomorrow at their annual get-together in Anaheim, California entitled "Privacy: Is it time for a revolution":
Protecting reader privacy and confidentiality has long been an integral part of the mission of ALA and its members. Should it continue to be a priority? In an age when people increasingly use social networking to expose intimate life details, does privacy still matter to information seekers? Does anyone care if their library records and online searches are being tracked? If they don't, why should they? A panel of thought leaders from the information economy including author Cory Doctorow, Wired senior writer Dan Roth, and Privacy Rights Clearinghouse director Beth Givens will debate the importance of privacy and what's at stake if the persistent erosion of privacy continues unchecked. Join us for a provocative examination of a librarian's role in the future of privacy.
In looking into the session, I happened upon the following outrageous story out of Cleveland.
Lakewood library aggressive on checking computer users for porn- cleveland.comI think this is the first time I've ever heard such sentiments from a library professional, who usually advocate computers in libraries as often the sole source of internet access for those without the resources to purchase their own. Should only those who can afford privacy have access to it?
... Every 15 minutes, a staff member takes a stroll around the center to make sure library patrons are not looking at pornography, engaging in illegal gambling or visiting other questionable Web sites.
Now the library, which recently opened a new technology center, might expand its monitoring policy by using free software, called virtual network computing, that allows librarians to remotely monitor what a patron is viewing on a computer screen.
Warren has been an avid supporter of keeping an eye on the public access computers since the library first offered the Internet to patrons in 1995.
"If you need privacy, you should get your own computer," Warren said.
Warren's views on privacy for library computer users clash with those of the American Library Association, the oldest and largest library organization in the United States.
The association recommends that a library set a comprehensive, written Internet policy, distribute the policy widely and then respect the privacy of patrons.
Update: Notes from the session are up at: The Shifted Librarian » ALA2008 Privacy Revolution Panel and Loose Cannon Librarian » Privacy Panel ALA 2008.
Thursday, September 13, 2007
The CBC has a lengthy piece on the quiet consultation I referred to the other day (Canadian Privacy Law Blog: Public Safety Canada Quietly Launches Lawful Access Consultation):
Government moving to access personal info, sparking privacy fears
Government agencies are moving to gain access to telephone and internet customers' personal information without first getting a court order, according to a document obtained by CBCNews.ca that is raising privacy issues.
Public Safety Canada and Industry Canada have begun a consultation on how law enforcement and national security agencies can gain lawful access to customers' information. The information would include names, addresses, land and cellphone numbers, as well as additional mobile phone identification, such as a device serial number and a subscriber identity module (SIM) card number.
The consultation also seeks input on access to e-mail addresses and IP addresses. An IP address is a number that can be used to identify a computer's location.
The document says the objective of the consultation is to provide law enforcement and national security agencies with the ability to obtain the information while protecting the privacy of Canadians.
The document says that under current processes, enforcement agencies have been experiencing difficulties in gaining the information from telecommunications service providers, some of which have been demanding a court-issued warrant before turning over the data.
"If the custodian of the information is not co-operative when a request for such information is made, law enforcement agencies may have no means to compel the production of information pertaining to the customer," the document says. "This poses a problem in some contexts."
It says enforcement agencies may need the information for matters other than probes, such as informing next-of-kin of emergency situations, or because they are at the early stages of an investigation.
"The availability of such building-block information is often the difference between the start and finish of an investigation," according to the document.
Privacy advocates, however, expressed displeasure over both the content and the process of the consultation.
Criticizes short consultation time
Michael Geist, chair of internet and e-commerce law at the University of Ottawa, said the process is not being conducted publicly as two previous consultations have been, in 2002 and in 2005.
The consultation has not been published in the Canada Gazette, where such documents are normally publicized, or on the agencies' websites.
Interested parties have been given until Sept. 27 to submit their comments, which is a short consultation time, Geist said. Several organizations and individuals contacted by CBCNews.ca only received their documents this week.
More pointedly, a number of parties that took part in the previous consultations, including privacy and civil liberty advocates — and even some telecommunication service providers — have not been made aware of the discussion, he said.
"It's really disturbing particularly in light of the fact that they've had two prior consultations on lawful access in the past, so it's not as if they don't know the parties that are engaged on this issue," Geist said.
Officials with the Canadian Civil Liberties Association were not aware of the consultation.
All about appearances?
Jacqueline Michelis, an Ottawa-based spokeswoman at Bell Canada Inc., the country's largest telecommunications provider, said the company was aware of the consultation but would not comment further. Rogers Communications Inc. and Telus Corp., the country's next biggest providers, did not have immediate comment.
Geist said the other problem with the consultation is that it appears as if the government agencies have already made up their minds on how to proceed and are simply conducting it for appearances' sake.
"The fear is that law enforcement knows what it would like to do — it would like to be able to obtain this information without court oversight — and so it has pulled together this consultation in the hope that they can use that to say they have consulted, and here are the safeguards that the consultation thought was appropriate."
Denies document secrecy
Mélisa Leclerc, a spokeswoman for Public Safety Minister Stockwell Day, said the government was not trying to keep the consultation secret and would post the document on the internet on Thursday. The deadline for submissions would also be extended, although no decision on a date has been made yet.
Colin McKay, a spokesman for the privacy commissioner of Canada, said the government agencies have not yet proven that accessing information without a court order is necessary. The commissioner will be making a submission to the consultation on that matter.
"We'd like to see some proof that this is a necessary step because at the moment there is provision in privacy law if necessary and if presented with a legal authority to do it, in most cases that's a court order," McKay said. "That gives Canadians some level of protection."
The Information Technology Association of Canada, which will also be making a submission, agreed and said it would like to see details on instances where telecommunication providers have refused to co-operate with authorities.
"This is about transposing to new technology the same kind of law enforcement we used to have on wire-line phone networks," said Bernard Courtois, president and chief executive officer of ITAC. "Conversely, just because you're going to do law enforcement on new technology people should not lose any of their privacy protection or rights in terms of the nature of investigation."
Canada's move is in contrast to one by the United States, where last week a federal judge overturned a part of the Patriot Act that allowed the Federal Bureau of Investigation to secretly obtain personal records about customers from internet providers, phone companies, banks, libraries and other businesses without a court's permission.
Speaking on the phone from Paris, Peter Fleischer, global privacy counsel for internet search giant Google Inc., told CBCNews.ca that even in the security-conscious United States, courts have moved to curtail excessive attempts by the government at extracting personal information.
A year and a half ago, the Department of Justice obtained a warrant demanding Google turn over users' personal information as part of an investigation into the effectiveness of anti-pornography software that was being tested. Google refused and a judge ending up siding with the company.
"The order we had from the U.S. Department of Justice was a valid legal order under the U.S. legal system, but even then it was excessive and infringed privacy, and was curtailed by a U.S. court when we challenged it," Fleischer said.
Companies operating in Canada, and their customers, should have the same rights here, he said.
"There should be judicial authorization and a valid legal process before a government should be able to compel companies to hand over information about their users."
Ironically, Google on Wednesday came under fire from Privacy Commissioner Jennifer Stoddart for its Street View web photo application. The commissioner said many of the images used by the application could break Canada's privacy laws.
Fleischer would not comment on the matter, but said he would address it when he visits Canada later this month.
Thursday, March 15, 2007
Seven Days, the Vermont alternative web weekly is running a preview of a presentation to be given by Peter Chase and George Christian later this month. Both are librarians who were on the receiving end of national security letters under the USA Patriot Act and fought them with the assistance of the ACLU.If I get my hands on the presentation materials, I'll post them here.
Seven Days: Librarians, No Longer Gagged, Detail Patriot Act Abuses
WINDSOR, CT — In September 2003, then-U.S. Attorney General John Ashcroft ridiculed the American Library Association for its “breathless reports and baseless hysteria” about a USA PATRIOT Act provision that allows FBI agents to search library records without a warrant. Until he left office in early 2005, Ashcroft repeatedly denied that the feds were snooping into Americans’ reading habits and computer activities.
In July 2005, Peter Chase and George Christian discovered firsthand that Ashcroft was lying. They couldn’t tell anyone, though — not friends, co-workers or family members — even as Congress debated the Patriot Act’s reauthorization.
Christian is executive director of the Library Connection, a nonprofit consortium in Windsor, Connecticut. Chase is president of the group’s executive committee and director of one of its 27 member libraries. An eight-month gag order prevented them from disclosing that they’d received a “national security letter” from the FBI seeking confidential library computer records.
“We were shocked,” Chase recalls. “None of us had ever heard of a national security letter before.”
Chase and Christian, along with fellow committee members Barbara Bailey and Janet Nocek, decided to fight the warrantless search. Though the librarians were never told why the FBI wanted their files, a federal prosecutor later disclosed that it was a matter of “domestic surveillance.”
The Connecticut librarians have since been released from their gag order. On March 20, they’ll speak at the University of Vermont about how they fought the Patriot Act — and won. Civil libertarians say their case is a chilling example of the threats to privacy rights in the post-9/11 era.
“My initial twinge in opposing [the FBI] was that I was aiding and abetting a catastrophe,” recalls Christian. “But right away, I could glean that they weren’t worried that someone was going to cause a catastrophic event tomorrow.” The letter, he notes, was dated two months earlier, and the records the FBI wanted were six months old. In Connecticut, as in 47 other states, library records are protected by law.
Vermont’s own protections for library records aren’t as strong as those in other states, notes Trina Magi, who chairs Vermont’s Intellectual Freedom Committee. Though library records are exempt from the open-records law, she says, nothing explicitly prevents librarians from disclosing them. Moreover, last year’s Patriot Act reauthorization did nothing to alleviate librarians’ concerns.
“What people read at libraries is confidential,” Chase argues. “People should feel free to come to the library and look up whatever information they need, without thinking that Big Brother is looking over their shoulder.”
In August 2005, the Connecticut librarians sued the federal government, with help from the ACLU. Initially, they were collectively known as “John Doe.” However, because of sloppy redacting of court records by government attorneys, Christian’s and Chase’s identities were made public, and reporters soon came calling.
Even after the librarians’ names were known, the gag order still barred them from discussing their case. Those restrictions reached absurd proportions. When the government asserted that the librarians’ presence in federal court in Bridgeport raised a “national security issue,” they had to watch the proceedings on closed-circuit TV from a locked courtroom in Hartford. When an appeal was heard in federal court in Manhattan, the librarians were allowed to attend but were prohibited from entering the courtroom together, sitting together, speaking to each other, or making eye contact with their attorneys.
Tellingly, the librarians were released from the document request and gag order shortly after the Patriot Act was reauthorized in March 2006. Once the government dropped its appeal, the librarians lost their legal standing to challenge the statute’s constitutionality.
Today, Christian is troubled by how many Americans have apparently complied with NSL requests. “I’m trying to figure out in my mind how 30,000 NSLs can be issued each year,” he says, “and in five years only two people have said, ‘I don’t think so.’”
Peter Chase and George Christian give a lecture titled "Gagged by the Government: Two Librarians Tell How They Resisted the USA PATRIOT Act." Tuesday, March 20, 3:30-5 p.m. Bailey Howe Library, University of Vermont. Free. Info, 656-5723.
Tuesday, September 05, 2006
Thursday, January 12, 2006
In the wake of the (ultimately false) report that the federales had visited a student becuase he requested Mao's Little Red Book (See: The Canadian Privacy Law Blog: Borrow the wrong book and get it personally delivered by the feds; and then The Canadian Privacy Law Blog: Story about feds visiting after request for Mao book is a hoax), the UMass Dartmouth and Penn libraries are trying to reassure patrons that their records are safe. In fact, they say that once you return the book you've checked out, the title is no longer connected to your borrowers' record. Check out the Daily Pennsylvanian: Checking out Mao? No need to worry.
Wednesday, December 28, 2005
Mary Minnow, at the Library Law Blog has recently posted about a service called Library Elf. This service plugs into your local library's computer system so you can see what books you have checked out, when they are due back and what is the status of any holds you have. In using the system, Mary has found that you can see other patrons' records. She isn't happy about that.
See: LibraryLaw Blog: "This card is viewed by other accounts" - an update on the Library Elf and your privacy and LibraryLaw Blog: Breaking Discovery - Library Elf blasts a giant hole through privacy - and why I terminated my account.
Sunday, December 18, 2005
One of the problems with widespread monitoring is the huge incidence of "false positives". This example from the University of Massachusetts is instructive and a bit chilling to those who have commented upon it.
A senior at UMass Dartmouth was doing a research paper on communism in a class on fascism and totalitarianism. As part of his research, he requested a copy of Chairman Mao's Little Red Book using the interlibrary loans system. (Why a major univeristy library does not have its own copy of the book raises completely different questions.) Instead of the book, he received a visit from officials from the Department of Homeland Security. The agents told the students that the book is on a "watch list". Actually, the agents brought the book with them, but did not leave it with him.
Privacy advocates aren't generally pleased with any watching of what people read, but the chilling effect of this is significant. The professor who teaches the class has decided against teaching a planned class on terrorism because he does not want to put his students at risk of this sort of surveillance and profiling.
Read the coverage here: Agents' visit chills UMass Dartmouth senior: 12/ 17/ 2005, Student Gets Surprise From Mao's Book. Some comment here: Gardistan in Vision: Political censorship in Bush's USA, The Dark Wraith Forums: Special Report: Feds Question Student for Requesting Book of Mao Tse-Tung Quotations, Villa Beausoleil: Fascism comes to New Bedford, David Farrar: Book Monitoring.
UPDATE: There is speculation at Boing Boing that this story is a hoax. Boing Boing: DHS agents visit student over Little Red Book - HOAX DEBATE. As I hear more, I'll post here.
Friday, July 01, 2005
The Alberta Information and Privacy Commissioner has concluded that a local library did not have authority to install keylogging software on an employee's computer:
Commissioner finds that Parkland Regional Library had no authority to collect personal information using keystroke logging software:
"The Parkland Regional Library installed keystroke logging software on the computer of an information technology employee, unknown to the employee. The employee complained that this collection was not permitted under the Freedom of Information and Protection of Privacy Act (the 'Act'), and that the collected information had not been adequately protected by the Parkland Library.
The Parkland Library relied on section 33(c) of the Act, which permits collection of information that relates directly to and is necessary for an operating program or activity of a public body. It argued that the collected information was necessary to manage the employee, based on concerns about his productivity, and his use of his working time.
The Commissioner found that the Parkland Library did not have the authority under section 33 of the Act to collect the Applicant's personal information that it collected through keystroke logging and noted that less-intrusive means were available for collecting information needed for managing the employee. However, the Commissioner did not accept the Applicant's argument that the collected information had not been adequately protected."
Friday, May 20, 2005
In my experience, librarians are among the most strident proponents of patron privacy. So it comes as a surprise to hear that a library in Chicago has paid a biometrics company forty thousand dollars to install fingerprint scanners for each of their public use internet terminals. For the full story, see: Chicago Tribune | Library card? Check. Fingerprint? Really?
Friday, November 26, 2004
I had a nice e-mail exchange with Mary Minow, author of the LibraryLaw Blog, about privacy and patron records. She has posted the good bits on her great blog and it is available here: LibraryLaw Blog: Does Canadian law protect library patron records?. I highly recommend adding her to your blogroll, especially if you are interested in privacy aspects of libraries.
Wednesday, November 03, 2004
Last week, I gave a presentation to a group of directors of public libraries in Nova Scotia. Library staff are regularly called upon to consider privacy issues, particularly in connection with public use internet stations. Police regularly ask for information related to who was using a particular terminal at a particular time, often in connection with threats made or other allegedely illegal conduct. In addition, some libraries are contemplating offering reading suggestions based on reader preferences, a form of "data mining".
PIPEDA applies in Nova Scotia and public libraries are not, by and large, engaged in commercial activities. While they were interested in PIPEDA, most of the discussion related to privacy best practices they can adopt to meet the growing expectation of their users. The presentation is available here: Privacy and Public Libraries
Sunday, January 25, 2004
ACLU and California Library Association Launches Campaign to Take Action Against the Patriot Act and Restore Constitutional Rights - Most of my comments and musings here are about private sector privacy in Canada, but I just felt compelled to link to a new privacy-related ad from the US ACLU:
The Canadian Privacy Law Blog is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 Canada License.