I was invited to co-chair and present at the Canadian Institute's "Meeting Your Privacy Obligations" conference in Toronto. My presentation was specifically about managing privacy in the workplace, which is below if you're interested.

Here's a link if Google Docs aren't giving you due respect: Managing Privacy in Employee Relations

I have to say it was one of the best conferences of its kind that I've been to recently. The stellar speakers included Federal Privacy Commissioner Jennifer Stoddart, Alberta Information and Privacy Commissioner Frank Work and fellow bloggers Brian Bowman and Dan Michaluk. (Note: If you're reading my blog, you'll find theirs to be equally interesting and useful. So after you've read all my postings, head over there ...)

Labels: employment, facebook, media-mention, presentations, privacy, vanity, workplace

I reported last month that the Information and Privacy Commissioner has issued a report on the proposal to dramatically increase video surveillance on public transit in Toronto. (Canadian Privacy Law Blog: Ontario Commissioner releases detailed report on TTC surveillance cameras)

InterGovWorld.com has an extensive article on the Commissioner's suggestion that reversible faceblurring technology may make the system more palatable. I spoke with the author, Rosie Lombardi, at length on the topic who has done a good job of summing up my take on the topic:

More privacy-boosting technology begets more video surveillance

... A point that's often overlooked is that privacy legislation is ultimately about feelings, says David TS Fraser, a privacy lawyer at Halifax-based law firm McInnes Cooper. "Although the legislation is written in a way that talks about personally identifiable information and identity theft, it's ultimately designed to protect people's sensibilities about unwanted intrusions," he says.

PET technology may not be enough to address those sensibilities unless the rules governing the use of surveillance are stated. "While the technology may do a good job of limiting the actual intrusions, I'm not sure it does much to address people's feelings about being watched. Unless the policies and procedures around surveillance are clearly communicated, it won't diminish that visceral feeling of unease about being spied upon."

Fear of the unknown is at the core. "If you see a cop at a corner, you can tell from his uniform who he is, what he's looking at, and if you've aroused his suspicions," he says. "But a camera is completely faceless. You don't know who's watching and how the information captured is used - will it wind up on late-night television?"

He notes a significant number of videos in these shows displaying people caught in embarrassing situations come out of Britain, where an extensive network of cameras in public places is rousing a public backlash. Cavoukian noted in her report that U.K. camera operators have caught entertaining themselves by zooming in on attractive women. "If you're going to outsource surveillance to a bunch of badly-paid guys locked in dark rooms, they're going to see more bums than bombs," agrees Fraser.

He concedes that automating the enforcement of policies and procedures around surveillance with PET technology rather than relying on fallible human operators to refrain from misusing the information offers some comfort. But he warns this may have the unintended effect of increasing video surveillance. "Unfortunately, this stuff makes it more acceptable to put video cameras all over the place, and by making it better and safer with less intrusive technology, it may ironically lead to more surveillance."

Labels: media-mention, ontario, privacy, surveillance, vanity, video surveillance

I was interviewed some time ago for a feature article in the Toronto Star on privacy issues associated with loyalty cards. These products are very popular in Canada, with Air Miles and Shopper's Drug Mart's Optimum card leading the way. Many of these programs have the potential to collect a vast amount of shopping data, but most of the companies interviewed by Paul Brent didn't really seem to care about collecting the sort of detailed individual data that most assume is being collected.

TheStar.com - Travel - Big Brother is watching, but he doesn't seem to care

If you've ever hesitated when handing over that loyalty card at the liquor store or the pharmacy wondering, "just who is looking at what I'm buying?" you might take some comfort in the answer: Likely nobody.

In theory, marketers have the power to drill down into the digital minefield of a consumer's spending and determine their buying preferences for everything from their favourite wine to their brand of shampoo.

However, the reality is that retailers and service companies are too busy to care what we do, except in large numbers.

"It is not as if you are getting mail from a glasswares manufacturer saying: `We notice that you drink a lot of beer,'" says Ed Strapagiel, executive vice-president of Kubas Consultants. "For the most part, retailers have not over-exploited this data. The power is there to use, but they haven't really gone after it."

The reluctance of merchants to dig deeper into the consumer treasure trove of information makes some sense, however, he adds. "Many of these retailers that we are talking about – Loblaws, Canadian Tire, Shoppers Drug Mart ... they are not direct marketers. If the whole basis of your business is driving business to your store, you are not going to use direct marketing."

Consumers, for their part, realize they are giving up some of their privacy but appear willing to pay that price for the benefits that come from loyalty programs.

"It's actually never bothered me," says Tracy, waiting outside a Shoppers Drug Mart with her dog while her husband shops inside. She has been a devoted Air Miles collector for a decade and flew her mother from Sault Ste. Marie to Toronto on points.

A buyer for a local theatre company, she regularly uses the Internet for private and work purchases, and says she keeps a "close eye" on her credit cards and bank accounts electronically. Her husband agrees the benefits of collecting reward miles outweigh any privacy fears – "even though they are probably tracking our every move," he jokes.

But consumers should be aware they are entering into an agreement with loyalty companies when they take a membership card. The price for those "free" perks, such as travel rewards or discounts on purchases, is that you agree to allow marketers to take an electronic peek into your shopping basket.

"There are a whole bunch of programs where people choose to give up some privacy for convenience," says David Fraser, a privacy lawyer with the Halifax firm of McInnes Cooper.

"It doesn't bother me," says Zan Harriott, who had just purchased a greeting card and lottery tickets at Shoppers and swiped her Optimum points card.

A member of the loyalty program since it started, she says she regularly collects rewards from the card.

Launched in 2000, the Optimum program has 8.2 million members, making it one of the country's largest.

Fraser has not heard of any Canadian marketers abusing the data they obtain from loyalty programs. "In my experience, the companies that run loyalty programs are really quite diligent about privacy issues."

When it comes to privacy and loyalty programs, many consumers are surprised that information is being collected for marketing purposes, while others expect someone in a nameless data centre is noting every last tube of toothpaste.

The reality is somewhere in the middle.

Fraser notes that Air Miles was the subject of a consumer complaint a few years ago, but the federal Privacy Commissioner found the marketer was not amassing the detailed shopping information "a lot of people would have expected them to be collecting."

That fear of just how much information is being gathered acts as a brake on the expansion of loyalty plans. "If you don't tell customers what is going on, they assume the worst," Fraser says.

As the country's biggest loyalty marketer, reaching two-thirds of Canadian households (there are 9 million "collector" households), Air Miles is sensitive to the issue of privacy.

"Not just for us but across the Canadian marketplace, privacy is a pretty significant public policy issue," says Mitchell Merowitz, vice-president of corporate affairs and chief privacy officer for the Air Miles reward program.

The fact that Air Miles has been the most popular loyalty program in the country since 2001 shows that most Canadians are not too worried about leaving a digital record of their purchasing habits.

Information collected by Air Miles is gathered on a household basis and is not product-specific. A successful swipe of the card tells the company the date, value and store a purchase was made.

"The information that you see on your summary statement is the information that we collect," Merowitz says.

Related stuff: Canadian Privacy Law Blog: Air Miles should be about data mining, not mass appeal, Canadian Privacy Law Blog: Article: Loyalty cards plus legwork can track beef buying, and the finding of the Privacy Commissioner of Canada referred to is on the PIAC website at http://www.piac.ca/privacy/loyalty_management_group_canada_inc/.

Labels: loyalty cards, media-mention, privacy, retail, vanity

I was interviewed some time ago for a Globe & Mail article on workplace surveillance, which appeared yesterday. The piece discusses keystroke loggers, access cards and video surveillance. See: globeandmail.com: Smile, Big Brother's watching.

Labels: media-mention, privacy, surveillance, vanity, video surveillance, workplace

Today marks the fourth anniversary of the Canadian Privacy Law Blog. Four years ago, on January 2, 2004, I put fingers to keyboard and joined the interesting conversation that was beginning to take shape on the internet among veteran bloggers and I'm glad I did. (Welcome to the Canadian Privacy Law blog.) According to Blogger, this will be my 2740th post to the blog.

Forgive me if I get a bit melancholic and wistful as I look back on the past four years, but it has been a very eventful one for me and for the world of privacy. And both are related, I think. (I mean the changes in the world of privacy have influenced me, not the other way around.)

The day before my first posting, the Personal Information Protection and Electronic Documents Act ("PIPEDA") came fully into force for all commercial activities in Canada. That day, the Personal Information Protection Acts of British Columbia and Alberta came into force, but were not declared to be "substantially similar" to PIPEDA until ten months later (Alberta and British Columbia privacy laws declared to be substantially similar.) Also on the legislative front, Ontario passed the Personal Health Information Protection Act and it became law in May, 2004 (Ontario's Personal Health Information Protection Act receives royal assent.) Perhaps as importantly, it was declared substantially similar on November 28, 2005. (PHIPA declared substantially similar.)

Much attention has been paid to the continuing erosion of privacy rights in the United States and Canada. In 2004, the Information and Privacy Commissioner of British Columbia brought the USA Patriot Act under scrutiny. (U.S. Patriot Act worries Privacy Commissioner and BC Information and Privacy Commissioner releases his report: Patriot Act contravenes BC privacy laws.) In response, British Columbia, Alberta and Nova Scotia have passed laws or amendments to existing laws to closely regulate the export of personal information outside of Canada. In the US, the USA Patriot Act has been subject to many judicial challenges with some success.

Perhaps the area that has been most visible to laypeople is the growing trend of requiring companies to report data breaches. California led the way and now more than thirty US states have such requirements. We haven't seen it in Canada (except in PHIPA in Ontario) but advocates are calling for such a requirement in Canada's privacy laws of general application. Coming clean has led to the public disclosure of a number of huge breaches, including Cardsystems, TJX/Winners, Department of Veterans Affairs and the UK Revenue and Customs Service. Whether we see a change in Canadian law has yet to be seen. Despite the huge publicity given to these breaches, business built on personal information -- such as Facebook -- thrive.

On the professional front, I've been very fortunate to have been invited to speak on the topic of privacy on more occasions than I can estimate. Highlights have been speaking at the Canadian Bar Association general meeting in Winnipeg in 2005, Canadian IT Law Association for the past few years and innumerable professional organizations. The blog has also led to innumerable media interviews and some amazing awards (I'd like to thank the academy. And my blog ... and An honour to even be considered.)

Perhaps more satisfying is that I've been fortunate to have met (in some cases, in the flesh) and to have been inspired by some great fellow legal bloggers. This list includes Connie Crosby, Rob Hyndman, David Canton, Michael Geist, Michael Fitzgibbon and the amazing Slawyers.

To my readers, thank you very much for taking the time to drop by. I hope it has been informative and useful. Please pass along any suggestions or your thoughts, either in the comments to my posts or via e-mail at david.fraser@mcinnescooper.com.

Birthday cake graphic used under a creative commons license from K. Pierce.

Labels: alberta, bc, facebook, health information, media-mention, patriot act, pipa, privacy, social networking, vanity

On New Year's Eve, Steve Matthews published his Clawbie awards for Canadian Legal Blogs. I was honoured to be a runner-up in the practitioner support category:

Clawbies.ca

2) Best Practitioner Support Blog - Garry Wise - Year-in and year-out, Garry is one committed law blogger. He offers his opinions on almost everything, and if you do a Google search for Toronto lawyer you’ll see how blogging benefits the online exposure of his practice. If you didn’t read his Starting a law firm post back in February, please do. Garry Wise consistently offers great vision to a lot of solos across the country. Runner ups: David Fraser’s Canadian Privacy Law Blog, Hull & Hull’s Toronto Estate Law Blog

Steve has been a big promoter of this blog and I'm grateful to have gotten to know him over the past years. Check out the full listing and support your local legal blogger!

Labels: google, media-mention, privacy, vanity

Today I had the privilege of speaking at the annual professional development event of the Nova Scotia Criminal Lawyers Association, in association with the Nova Scotia Barristers' Society. The theme of the conference was very privacy-centric: Listening, Snooping and Searching: What's Right, What's Wrong.

I was also privileged to speak alongside S/Sgt Al Langille of the RCMP's integrated technology crime unit. He is a thirty-year veteran of law enforcement, including fifteen in technology crimes and computer forensics. A great guy and very privacy conscious.

My presentation, for those who may be interested, is here: http://docs.google.com/Presentation?id=ddpx56cg_48hcdnqv.

Labels: google, law enforcement, lawful access, lawful authority, media-mention, presentations, privacy, vanity, warrants

The Canadian federal government is planning to table legislation in Parliament today to add additional offenses to the criminal code to deal with activities that are precursors to identity theft.

I was interviewed earlier today by CTV Newsnet on the topic (on Google Video):

Here is the media release:

Government of Canada Introduces Legislation to Tackle Identity Theft

GOVERNMENT OF CANADA INTRODUCES LEGISLATION TO TACKLE IDENTITY THEFT

OTTAWA, November 21, 2007 – Minister of Justice and Attorney General of Canada, the Honourable Rob Nicholson, P.C., Q.C., M.P. for Niagara Falls, today introduced legislation to help combat identity theft, which has been identified as a fast-growing problem throughout North America.

“This Government is following through on its commitment to give police the tools they need to better protect Canadians by stopping identity theft activity before the damage is done,” said Minister Nicholson. “I have tabled legislation that will make it an offence to obtain, possess or traffic in other people's identity information if it is to be used to commit a crime.”

The misuse of another person's identity information, generally referred to as identity fraud, is covered by current offences in the Criminal Code , such as personation and forgery. But the preparatory steps of collecting, possessing and trafficking in identity information are generally not captured by existing offences. The proposed legislation would create three new offences directly targeting aspects of the identity theft problem, all subject to five-year maximum sentences:

• obtaining or possessing identity information with intent to use it to commit certain crimes;
• trafficking in identity information with knowledge of or recklessness as to its intended use in the commission of certain crime; and
• unlawfully possessing and trafficking in government-issued identity documents.

Additional Criminal Code amendments would create new offences of fraudulently redirecting or causing redirection of a person's mail, possessing a counterfeit Canada Post mail key and possessing instruments for copying credit card information, in addition to the existing offence of possessing instruments for forging credit cards.

Moreover, a new power would also be added permitting the court to order, as part of a sentence, that an offender be required to pay restitution to a victim of identity theft or identity fraud where the victim has incurred expenses related to rehabilitating their identity, such as the cost of replacement cards and documents and costs in relation to correcting their credit history.

“Our Government understands that new and rapidly evolving technologies have made identity theft a widespread criminal activity that often involves organized crime,” added Minister Nicholson. “This is an issue that is harming Canada 's families, seniors and businesses. We are therefore taking action to tackle this serious problem.”

This legislative proposal is one in a new series of tackling community crime bills the Government of Canada will be introducing in this new session of Parliament. This series is in addition to the comprehensive Tackling Violent Crime Act that aims to better protect youth from sexual predators, protect society from dangerous offenders, get serious with drug impaired drivers and toughen sentencing and bail for those who commit serious gun crimes.

In addition to its plan to protect Canadians against identity theft, the Government of Canada has:

• introduced a National Anti-Drug Strategy, including legislation that would provide mandatory jail time for serious drug crimes;
• tabled legislation to strengthen the Youth Criminal Justice Act ; and announced a comprehensive review of this Act in 2008;
• invested in crime prevention community projects across Canada that target youth;
• passed legislation to increase penalties for those convicted of street racing; and
• passed legislation to end conditional sentences for serious crimes such as personal injury offences.

An online version of the legislation will be available at www.parl.gc.ca.

Here is additional coverage from CTV:

CTV.ca Tory legislation to target identity theft

Tory legislation to target identity theft

Updated Wed. Nov. 21 2007 11:58 AM ET

CTV.ca News Staff

The federal Conservatives will introduce legislation today aimed at charging people accused of identity theft even before stolen information is used to commit a crime.

Currently, the law makes it illegal to misuse someone's personal information to create false identification or for other fraudulent purposes.

However, it is not against the law to collect, possess or traffic another person's identity information.

The Tories want to amend the Criminal Code to make it an offence to possess someone's personal identifying information with the intent of selling it or using it to commit fraud.

"I think there's always a challenge in proving intent but we have a number of offences in our Criminal Code where intent is an important portion of proving the charge," David Fraser, a lawyer that specializes in privacy issues, told CTV.ca.

"You can do that by looking at the totality of the circumstances -- you don't necessarily have to look directly into the head of the accused."

In 2006, almost 8,000 victims reported losses of $16 million to PhoneBusters, the Canadian Anti-fraud Call Centre.

"There are probably even more who don't report it... (and) there isn't mandatory reporting from the banks or the credit bureaus who might be the first to hear about it," said Fraser.

He said the Tory initiative will give law enforcement an additional tool to help them deal with identity theft offences.

However, Fraser said attention should also be given to ensuring that businesses properly secure personal information in the first place.

"That's one of the places where information often gets into the hands of identity thieves," he said.

"Another part of it might be simply to make it a little more challenging in order for credit granters to extend credit to individuals."

Consumers can also take practical steps to protect their information by regularly checking bank statements and shredding personal documents, said Fraser.

The identity theft legislation is the latest in a flurry of anti-crime initiatives the Tories have announced this week.

On Tuesday, the Harper government introduced new legislation proposing mandatory sentencing for individuals convicted of serious drug-related crimes.

Federal Justice Minister Robert Nicholson said the new bill is designed to impose tough sentences on Canadians profiting from organized crime and violence.

If passed, Bill C-2 will impose the first mandatory sentences under the Controlled Drugs and Substances Act for people convicted of drug-related crimes.

On Monday, the Tories proposed changes to the Youth Criminal Justice Act.

The key proponents of their proposal are:

• Tougher sentences
• Allowing for pre-trial detention
• Allow courts to consider deterrence and denunciation as objectives of youth sentences

Labels: google, identity theft, media-mention, privacy, vanity

I was recently invited to contribute an article to the IEEE Security & Privacy magazine on the Canadian response to the USA Patriot Act. Here's the abstract:

The Canadian Response to the USA Patriot Act

Since the attacks of September 11, 2001, US authorities have spent untold millions of dollars guarding their frontiers to regulate what gets into the country. On the other side of the border, many Canadian jurisdictions have turned their thoughts to regulating what information flows southward into the US. This isn't out of concern about terrorism but rather about the US response to it.

Citation: David Fraser, "The Canadian Response to the USA Patriot Act," IEEE Security and Privacy, vol. 5, no. 5, pp. 66-68, Sept/Oct, 2007

I think I reserved the right to publish the article on the blog after the publication by IEEE, but I'll have to track down that release .... stay tuned.

Labels: media-mention, patriot act, privacy, vanity

I found out that tomorrow's Definitely Not the Opera is "all privacy, all the time".

Here's the synopsis from the website:

Definitely Not the Opera

Broadcast time: Saturdays at 1:00 p.m. (1:30 NT) on CBC Radio One

On the street, on stage or behind the scenes, DNTO takes listeners on a fast paced trip through the cultural landscape of Canada and around the world. Definitely Not the Opera is the ideal audio guide to the fast-changing world of popular culture. It's your tip sheet to what's hot, what to watch, who to listen to and what's going on.

This Week on DNTO!

Every breath you take… every move you make… DNTO will be watching you. ‘Cause this week, we’re looking at privacy, and asking the question – how far will you go to protect it?

From 1-2

To begin, Sook-Yin hits the streets to see what kind of bribe it take to get strangers to give up their deeply personal information.

Nick Purdon struggles to rid himself of that ancient violation of his mailbox’s privacy… junk mail.

So maybe the question isn’t so much how far you’ll go to protect your privacy… but why you should bother. Halifax-based lawyer and privacy expert David Fraser will come by to explain how your privacy is at risk in everyday situations… like turning on your computer at work.

Then it’s over to paranoid contributor Clare Lawlor, who has formed a special bond with her shredder.

Musicians put their private lives on the stage… so how do they maintain their privacy? Sook-Yin will chat with Neverending White Lights, and they’ll play us a tune live in studio.

And we’ll head south of the border to hear from funnyman John Wing with his take on privacy.

Plus tunes from the New Pornographers, Chris Walla, Crowded House and Hawksley Workman.

From 2-3

Sook-Yin pays a visit to Canadian science-fiction icon Robert J. Sawyer, who maintains that our notion of “privacy” might be a bit overrated… but to get to know Robert a little better, she’ll start by paying a visit to his garbage.

We’ll ask Robert to stick around for this week’s edition of Parlour Games.

Sook-Yin takes her mic back to the streets to find out how you’ve invaded the privacy of others. We willingly surrender a lot of our privacy online these days… but is it worth it? DNTO’s Wab Kinew looks into it.

Comedian Fraser Young loves the GPS chip. Privacy… not so much. He’ll explain why.

And Sook-Yin will talk with artist Hasan Elahi, who’s taken a unique approach to privacy… by making his every move public.

All that, and music from Immaculate Machine, Metric, the Russian Futurists, George Michael,and Prince.

DNTO airs Saturday afternoons across Canada at 1:00 p.m. (1:30 in Newfoundland) on CBC Radio One.

You can also catch the show on Sirius Satellite Radio channel 137 - Saturdays at 11:00 a.m. and 9:00 p.m.

And if you're in Chicago or Seattle, you can catch us on public radio... we're on WBEZ in Chicago Sunday at midnight, and on KXOT in Seattle Saturday at 9:00 a.m.

Plus, if you can't catch us on the air, download our weekly podcast of highlights from DNTO!

DNTO's theme music is "Bentley's Gonna Sort You Out" by Bentley Rhythm Ace.

UPDATE: My interview wasn't on the post-show podcast, but if you're interested, here's an MP3 of the interview (2931Kb).

Labels: media-mention, podcast, privacy, vanity

On Saturday, tune into CBC Radio One's Definitely Not the Opera, where they are doing a segment on privacy. I'm meeting the host, Sook-Yin Lee, on Friday for an interview to be broadcast Saturday afternoon.

Labels: media-mention, privacy, vanity

Not much of a privacy angle here, but I thought I'd post it nevertheless.

I was interviewed yesterday by the CBC to talk generally about issues related to defamation and Facebook, after it was reported that Facebook has shut down a group that falsely accused a Nova Scotia university of using dogs for scientific experiments.

Here's the video:

Labels: facebook, media-mention, privacy, social networking, vanity

Labels: media-mention, privacy, retention, vanity

I was interviewed about this on a Montreal radio station on Friday. It's an interesting issue, because information is not being collected:

Toilet cam working even when it doesn't

Toilet cam working even when it doesn't

Mall customer outraged but landlord says dummy is effective

MICHELLE LALONDE, The Gazette

Published: Friday, August 03

Yes, that's a real surveillance camera on the ceiling of the men's washroom off the food court of Les Cours Mont Royal - but don't worry, it's not operating.

That reassurance was not good enough for at least one Montreal businessman who was outraged to see a video camera in a public bathroom at the downtown Montreal mall.

The camera is inside a protective dome and appears to be pointed toward the washroom's common area, where the urinals are. As of yesterday, there were no signs explaining what the camera is for or whether it is on.

When the man asked a maintenance person about the camera, he was told it wasn't actually functioning but was there to discourage certain activities.

"If the video surveillance is not functional, what assurances do we have that it will not be in the future?"the man wrote in a complaint to mall owners Soltron Realty Inc., which he forwarded to The Gazette on the condition his name not be published.

"If it is functional," the letter continued, "who is watching, is the information secure and will we find our pictures on the Internet? ... I find the use of surveillance camera (real or fake) inside a washroom to be absolutely unethical, immoral and most likely illegal." Unless the camera is removed within 10 days, the man said, he will lodge a complaint with Quebec's privacy commission.

A spokesperson for Soltron said the camera was installed in the washroom several years ago to discourage "sexual misconduct and drug use." Carmela Amorosa, marketing director for Soltron, said the company realized it was illegal to place an operating camera in a public bathroom, but felt some action was necessary.

"It is working," Amorosa said. "Now we don't have these problems. We are doing this to protect our customers from this sort of behaviour in the bathroom." But the case raises questions about the right to privacy and video surveillance, said sources in Quebec's Justice Department, as well as federal and provincial agencies that safeguard privacy.

"People are right to be concerned about being monitored," said Colin McKay, of the federal Office of the Privacy Commissioner.

"The case is interesting because they are not technically collecting information, they are just giving that impression. But perception for a lot of people is a legitimate concern. If they are doing it as a deterrent, they should make that clear." Luc Fortin, an aide to Benot Pelletier, the cabinet minister responsible for Quebec's privacy commission, said it is unclear whether a complaint about camera surveillance in a public washroom would be heard by the Privacy Commission or the Human Rights Commission.

"If it is a question of voyeurism, that would clearly be a case for the Human Rights Commission, but if the camera is being used to gather information and set up a file about a specific person, it would be something we would deal with," Fortin said.

"It's not technically illegal" to install video cameras in public bathrooms, "but companies that do it certainly risk complaints," said Robert Sylvestre of the Quebec Human Rights Commission.

Several court cases have resulted in jurisprudence and a set of principles about video surveillance in public places, he said.

"One of those principles is that the operator of the camera should be able to show that other methods have been tried and failed before they resorted to this."

Labels: media-mention, privacy, quebec, surveillance, vanity, video surveillance

With the no-fly list coming online in the last twenty-four hours, I haven't heard of any instances of people being excluded from flying on the first day. It will be interesting to see how it all shakes out.

I spoke with Chris Lambie of the Chronicle Herald yesterday morning and he spent part of the afternoon at the airport seeing how it went on. Here's his article:

Smooth lift-off for no-fly list - TheChronicleHerald.ca

Airline passengers seemed keen on heightened security

By CHRIS LAMBIE Staff Reporter

The federal no-fly list caused no problems Monday at Halifax Stanfield International Airport.

Passengers seemed keen on the idea of a list meant to screen out anyone who poses a potential threat to aviation security.

"As long as my name’s not on it, I’m happy," Mike Moir said as he waited for a flight back to Ontario.

"If the people are bad, I don’t want them on my plane."

The 67-year-old Hamilton, Ont., man was in Nova Scotia to work as an official for last weekend’s national canoe team trials on Lake Banook in Dartmouth.

The only dilemma he can see with the scheme to flag potentially dangerous flyers is if an innocent person has the same name as someone on the list.

"How many Smiths are there in the world?" Mr. Moir said. "If they just pick everybody with the same name, it could be a problem."

Still, he thinks the list is a necessity.

"With all the terrorism going on in this world nowadays, it’s a good measure."

Dawson Wentzell and his wife, Bethany, were waiting with their toy poodle, Bailey, to board a plane for Edmonton.

The list could prompt lawsuits against the federal government if people lose money because they couldn’t board flights due to name mix-ups, Ms. Wentzell said.

"If someone is delayed from work and this is the reason why, someone is going to get sued," she said.

They didn’t even think about the new security measure before checking in for their flight to Nova Scotia.

"We got up at 5 a.m. and believe me my mind wasn’t on lists," she said.

The couple from Daniel’s Harbour, N.L., wasn’t on the no-fly list and neither was their dog.

"God help us if he was," Ms. Wentzell said. "We’d really be in trouble then."

The no-fly list didn’t cause any problems at the facility, said airport spokesman Peter Spurway.

"If you didn’t know it was on, you wouldn’t know it was on," he said. "It has not made a single impact on our operations today or the operations of our partners in the airline business. I checked around a couple of times and it’s just been chugging along."

But David Fraser, a privacy lawyer in Halifax, won’t be surprised to hear from clients who suddenly discover their names are on the no-fly list.

"We’re likely to hear people are going to have some difficulty in Canada simply because of the way that these sorts of lists have to be structured in order to catch or include in them people with non-English or French names that have to be transliterated or made into English equivalents, and some of them can be common names," Mr. Fraser said. "So there’s probably a fair amount of wiggle room in the way that they match against peoples’ names."

The Specified Persons List, announced last fall, includes the name, birth date and gender of anyone who might pose an immediate threat to aviation security. Airlines that fly into and out of Canada must check the names of their passengers against the list.

"There’s really the opportunity that a whole bunch of people who aren’t actually on the list, just people who have similar names and similar birthdates and other identifying characteristics (as those) on the list," Mr. Fraser said.

"I think that there’s a good chance that people will be not allowed to fly based on that sort of confusion."

Travellers only find out their name is on the list when they try to check in and get a boarding card.

"Vacation plans can be ruined," Mr. Fraser said. "There’s no real accountability at that end for the real sort of negative impact that inclusion on this list might have."

Ottawa has refused to release the number of people on the list.

"There’s always a very delicate balance when you’re dealing with national security issues, Mr. Fraser said. "It’s a delicate balance between openness and necessary secrecy. I think the whole process needs to be done in sunlight.

"Everything related to the process of the inclusion criteria and how it’s actually applied and recourse that individuals might have to get off the list really needs to be completely open and transparent and subject to significant scrutiny.

"We are talking about a potential infringement on an individual’s constitutional right to travel within Canada and also the right to leave Canada. It’s right there in the charter that you have those rights. And many of those rights, in a country as large as Canada, can only be exercised by air travel."

Imam Jamal Badawi, professor emeritus of religious studies at Saint Mary’s University, said Muslims, including himself, often have problems flying in the United States, where a similar list is already in place.

"I’ve heard of many horror stories where a child, for example, five years old, they say, ‘No, his name matches the potential terrorist to look for,’ and still they have to go through the clearance (process)," Mr. Badawi said.

The Canadian Council on American-Islamic Relations has called on Ottawa to scrap the no-fly list until it fixes fundamental flaws in the program.

"Some people suspect that the lists made here in Canada may not totally be homegrown," Mr. Badawi said. "It’s quite possible also that, because of the co-operation between the intelligence agencies in both countries, that some of the names on the watch list in the U.S. might end up here on our lists in Canada."

That could make some Canadian Muslims reluctant to fly, he said.

"It’s part of the very unfortunate trend in the post 9-11 era that, in the name of security, there is a great deal of encroachment on privacy, a great deal of encroachment on civil liberties," Mr. Badawi said.

He doubts the list will make flying safer.

"Anybody intent on wrongdoing, they probably will find some other way of carrying out their plans," Mr. Badawi said. "But even if there is some slight improvement in security, what is the price? The worst scenario, really, is that democratic countries would move toward totalitarian regimes in the name of security."

Labels: air travel, airlines, media-mention, national security, no-fly list, privacy, vanity

I spoke with Briony Smith of IT Business about the recent Privacy International report that put Google at the bottom of their study on the privacy practices of online businesses. She also spoke with Phillipa Lawson and Richard Rosenberg.

Here's a bit:

IT Business: The public life of Google's private data

David T.S. Fraser, a privacy lawyer with the Halifax-based McInnes-Cooper, is unsurprised that Google is coming under fire. Said Fraser: “This is probably inevitable because of their size and the diversity of their business interests: e-mail, social networking, search, classified ads, Google Documents.”

There are also no overarching privacy laws, comparable to PIPEDA, in the United States, according to the Vancouver-based Richard Rosenberg, president of the British Columbia Freedom of Information and Privacy Association.

Lawford said that Google’s business seems to be set up to cull the maximum amount of information about its users, and that he wouldn’t be at all surprised to find that Google was farming out profiled information to outside parties. Proving this can be difficult, according to Lawford. “Following the information through the chain can be hard,” he said.

Fraser suggests that Google’s privacy policies be made much more transparent, and that it tells its users as well just how long their information will be retained for (which, in North America, is indefinitely, according to Rosenberg).

One minor correction: Google has recently announced their retention schedule for their log information, but it still is likely beyond what's reasonably necessary (Canadian Privacy Law Blog: Why does Google remember information about searches?).

Labels: bc, google, media-mention, privacy, retention, vanity

Nova Scotia's Personal Information International Disclosure Protection Act has kept a pretty low profile as of late, but the Halifax Chronicle Herald has devoted a quarter page in its technology supplement to the legislation. It includes a fair amount of content provided by yours truly, but may have the effect of making Nova Scotians more aware of this important development.

Click on the image to download the article in PDF format.

Labels: media-mention, nova scotia, patriot act, piidpa, privacy, vanity

I was interviewed today for Global National's most recent report on privacy problems at the Canada Revenue Agency (our IRS, for my American readers). Since earlier reports on misdirected tax information, many more people have come out to report they have also been the unwitting recipients of information about other taxpayers. See: Taxman moves to protect privacy and also note the many comments in which others relate receiving others' personal information.

I think you can get the video of the feature here: http://video.canada.com/VideoContent.aspx?13750&vc=1&popup=1, but it seems hit and miss to me.

Labels: breach notification, cra, media-mention, privacy, privacy act, public sector, vanity

A Halifax resident was more than slightly surprised when he went to the Canada Revenue Agency to pick up his requested notice of assessment. While the notice was conspicuously absent from the envelope, he did find a raft of information about ten complete strangers. Apparently, the CRA stuffed the wrong envelopes and handed over confidential and sensitive information to the wrong person.

When the individual who received the information was not satisfied with the CRA's reaction, he called the other taxpayers and went to the media. The story is on the front page of the Halifax Chronicle Herald.

To make matters worse, the notice of assessment was mailed but nobody knows who to.

CTV is doing a piece for the supper hour news here in Halifax, for which I was interviewed earlier today. They are hoping to get some comment from the unshuffled Minister responsible for CRA.

From today's paper:

More than he wanted to know

Government mistakenly mails other people’s tax papers to Whites Lake man

By JOHN GILLIS Staff Reporter

Andrew Doiron of Whites Lake just wanted to find out his RRSP contribution limit for the year. But what he got was a raft of personal information about 10 strangers from as far away as British Columbia.

The Canada Revenue Agency is now investigating how the confidential tax documents landed in Mr. Doiron’s mailbox and where the information he requested ended up.

"It looks like somebody just picked a handful of paper off a printer and just slipped it in an envelope with my (address) page on top," Mr. Doiron said Wednesday. "But of course they didn’t put my papers in there."

The confusion began Dec. 20 when Mr. Doiron went to the Canada Revenue Agency’s Halifax office in person to ask for a copy of his notice of assessment. He was told he had to call a toll-free number to ask for the document. Staff let him use a phone in the building.

Mr. Doiron was surprised Tuesday when he found an envelope from the agency in his mailbox, and it contained about 35 pages. The documents bore the names, addresses, social insurance numbers, income, marital status and other personal information for 10 other people. His own notice of assessment was not included.

He immediately called a toll-free Canada Revenue Agency number again but said it was tough to persuade the person who answered to let him speak to a supervisor. When he finally did, he said he was asked to mail the documents back to the agency and advised he could claim the price of the postage stamp on his tax return next year.

Mr. Doiron also called as many of the people whose tax information he’d been sent as possible.

One, Sandra Ambersley of Brampton, Ont., told CTV she was very concerned about what might have happened if someone had wanted to use that information.

"I was totally shocked yesterday when I received a call from Halifax, this man saying that he’d received all my personal information," she said Wednesday.

Mr. Doiron noted that on the same online telephone directory he used to find people’s telephone numbers, there was an ad pointing to a Capital One credit card application that required only an address and a social insurance number.

He personally returned all the strangers’ documents to the Halifax office Wednesday.

Mr. Doiron said he felt he did not get a serious response from the agency until after he began contacting the media.

Jack Lee, acting director of the Nova Scotia office, called to apologize and had a copy of the notice of assessment Mr. Doiron requested sent to him. It arrived safely.

The notice had been mailed previously, but not to him.

"Mine’s out there somewhere, floating around," Mr. Doiron said. "I hope somebody threw it away."

Canada Revenue Agency spokesman Roy Jamieson said security is the No. 1 priority for the service, but mistakes happen.

"We’re certainly scrambling to try and piece together what took place," he said. "There’s quite an active and quite an intense investigation going on right now."

He said a call to a toll-free number could be answered at any one of a number of call centres across the country, depending in part on the nature of the request. A requested document could be printed at the appropriate location and mailed from there.

The agency sends about 90 million pieces of mail per year and it’s rare that something gets mixed up, he said.

"To be misdirected in the magnitude of this case, it’s certainly unusual," Mr. Jamieson said.

He said the agency will contact all of the people whose documents were involved and will keep Mr. Doiron abreast of its investigation into the mix-up.

"There’s no question that any kind of breach of security and compromising of an individual’s privacy and confidentiality is our most significant issue in this agency," Mr. Jamieson said.

Mr. Doiron has little confidence that anything will change.

"My gut feeling is, this is government, nothing’s going to happen," he said.

Update: From CTV:

Canada Revenue investigates botched mailout

The Canada Revenue Agency is scrambling to restore public trust and has launched an internal investigation after confidential information on several Canadians was sent to a Halifax-area man.

Documents that Andy Doiron of White's Lake, N.S., were mistakenly sent include social insurance numbers, income, addresses and the marital status of 10 Canadians, including some from as far west as Edmonton.

Doiron said he called most of the people to tell them what happened, and returned the documents to Revenue Canada.

With the trust of Canadians potentially on the line and tax time just around the corner, the agency is promising tough action if necessary.

Revenue Canada spokesperson Roy Jamieson called the incident a rare case of misdirected mail, but admitted somebody in the department made a mistake.

"Certainly if we identify breaches of policy process and procedure, there are disciplinary measures that can be taken and I expect they will be looked at quite seriously," he told CTV Atlantic.

Federal Minister of National Revenue Carol Skelton said she was "disturbed" by the security breach.

"The instant that I found out about it we had launched an investigation," she told CTV News in Saskatoon. "I really can't say much more about it than that. The incident is being looked into."

The agency is still trying to determine which one of five locations was responsible for the botched mail out.

David Fraser, a legal expert in security matters, told CTV Halifax that if such information were to fall in the wrong hands, it could easily be used to commit fraud.

"There really does need to be something done in order to make sure the trust is always there. Accidents happen but so often trust is won or lost in the aftermath of how they decide to deal with it," he said.

Sandra Ambersley of Brampton, Ont. was one of the people Dorion called.

"I was totally shocked when I received the call (on Tuesday) from Halifax," Ambersley told CTV Toronto.

"This man (was) telling me that he received all my personal information. As a joke he did say 'I could duplicate you right now.'"

The confusion began when Doiron called the revenue agency on Dec. 20 requesting a copy of his notice of assessment.

On Tuesday, an envelope from the agency arrived in his mailbox, containing over 30 pages of documents with all the information. His own assessment wasn't included.

Doiron said he immediately called the toll-free Canada Revenue Agency number again and he was asked to mail the documents immediately.

With a report from CTV Atlantic reporter Marc Patrone.

Labels: bc, incident, media-mention, privacy, privacy act, public sector, vanity

What a pleasant surprise to discover that The Canadian Privacy Law Blog has won the first ever CLawBie award for "Best Practitioner Support Blog"!

The CLawBies are a creation of Steve Matthews of Vancouver, BC. Had he not been forced to disqualify his own Vancouver Law Librarian Blog, he would have been in the running in the ultra-competitive Law Librarian Blog Award.

2006 CLawBies - Canada Law Blog Awards

2) Best Practitioner Support Blog - No question on this one. If you track privacy law in Canada, you read David Fraser's Canadian Privacy Law Blog. David must also be Canada's most dedicated blogger. His work is as close to exhaustive as a blog can deliver. And did I mention David's selection as a 2006 Outstanding Young Canadian? Runner ups: eLegal Canton, Alan Gahtan’s Technology and Internet Law Blog

It is very humbling to be included in such esteemed company and also gratifying that, through my blog, I've gotten to know many of my fellow nominees. This blog is coming up on its fifth birthday next week and I'm looking forward to what 2007 brings.

Thanks, Steve.

Labels: media-mention, privacy, vanity

This morning, Toby Keeping of IronSentry and I gave a presentation on business and legal risks of e-mail and other electronic information at the Westin in Halifax. The Chronicle Herald is running a story on the topic, based interviews with Toby and me. Check it out: The ChronicleHerald.ca - E-mail issues causing headaches: Firms search for security in electronic age. E-mail me for a copy of the presentation.

Labels: information breaches, media-mention, presentations, privacy, vanity

I was interviewed yesterday by a reporter from the Regina Leader Post about privacy and open courtrooms. The issue has come to the fore in the province of Saskatchewan as a result of the trial of a former football player who is charged with aggravated sexual assault. He is alleged to have had unprotected sex with a number of women without revealing that he is HIV positive.

Vanity quote:

Smith case takes another step :

While proceedings in Canada's court system are usually open to the public and media, exceptions -- while rare -- are certainly not unheard of, said David T.S. Fraser, a Nova Scotia lawyer who specializes in Canadian privacy law.

'The rights in our charter are not absolute,' he said. 'They're all subject to reasonable limitations that are compatible with the democratic and generally open society, and that's the sort of question the judge has to ask and answer.'

Fraser said there is a very strong precedent to close courts in particular circumstances. In addition to cases involving confidential medical information, public access to trials is most often restricted in cases that involve victims of sexual assault, children and national security issues.

Privacy Public+Health Criminal+Law Saskatchewan Vanity

Labels: health information, information breaches, media-mention, vanity

As blogged about here last week, a reporter for MacLean's Magazine recently purchased the phone records of the Canadian Privacy Commissioner to prove the point that huge amounts of personal information are available for sale online (The Canadian Privacy Law Blog: MacLean's cover story on privacy and information brokers). It was a pretty effective illustration.

Now, the CRTC wants to know how it happened:

Halifax Live - CRTC Directs Three Phone Companies Investigate Privacy Breach Exposed by A National Magazine:

The Canadian Radio-television and Telecommunications Commission (CRTC) is calling the country's phone companies onto the carpet over revelations in Maclean's magazine that U.S. databrokers are selling the home and cellphone records of Canadian consumers.

In a terse letter dated Nov. 18, the telecommunications regulator demands that three phone companies immediately launch internal investigations into how the magazine was able to obtain the phone records of Canada's privacy commissioner, and another customer, via a Tennessee-based online service.

The companies have been given a strict 10-day deadline to report back to the commission with a host of information, including descriptions of the safeguards that were in place when the breaches occurred, explanations of how the companies verify customer identity and new measures being taken to improve security.

The phone carriers have had little to say publicly about what steps are being taken to tighten internal security. But, in response to the Maclean's cover story, Bell Canada did issue a press release in which the company provided assurances that its customers' privacy was considered a priority and in the case of the Maclean's magazine ability to breach security, the information was obtained through "subterfuge and misrepresentation" acording to Bell's press release.

The Bell press releases continues, "This problem has affected others in our industry, both in Canada and the U.S. The Company is continuing to investigate whether there are any legal actions, either criminal or civil, that Bell or others in the industry, or government agencies can take to stop these fraudulent practices and protect consumers."

Labels: information breaches, media-mention, vanity

I wrote about a month ago about a relatively new website, DontDateHimGirl.com, that allows women to share their stories of cheating boyfriends and husbands. These are apparently to serve as a warning to others. It's a veritable rogues' gallery on the site. (See: The Canadian Privacy Law Blog: On website, women identify cheaters.)

CanWest News Service has run a feature about the site in many of its papers today. I spoke with the reporter on Friday and the article is an interesting read. Unfortunately, it is available only to subscribers to the Canada.com network and the individual newspapers, but the bit about the legal aspect of the site is below:

The men profiled on the site would probably agree. At present, a number of them are attempting to launch a class-action lawsuit against the site.

But Ms. Joseph, who created the online database with legal counsel, believes she is protected by U.S. law.

According to a privacy lawyer from Halifax, that may not be the case in Canada.

“If the person’s reputation is in Canada, and they are in Canada, and likely the person who posted the information is in Canada, there’s more than enough connection for Canadian defamation law to apply,” says David T.S. Fraser, chairman of the Privacy Practice Group at McInnes Cooper. But he hastens to add the statements aren’t considered defamatory if they’re true.

“If you’re a slug,” says Mr. Fraser, “it’s only appropriate people know you’re a slug.”

Labels: information breaches, media-mention, vanity

A short while ago, I was interviewed for an article in Legion Magazine, a Canadian publication for veterans and active armed forces personnel, about access to medical records. If you're interested, you can read it online here: Legion Magazine: Access to medical records.

Labels: information breaches, media-mention, vanity

The most recent edition of the Canadian Bar Association's The National Magazine is running an article on Canadian legal bloggers. The article features interviews with the authors of this blog, and the fantastic blogs of Rob Hyndman, Michael Fitzgibbon ("Thoughts from a Management Lawyer") and Sander Gelsing ("Now Why Didn't I Think of That?").

Blogging the spotlight

"They’re transforming the delivery of news and putting mass media outlets on the run. They’re changing the rules of publishing to favour the sole practitioner over the big corporation. They’re blogs, and they have the potential to reshape how lawyers communicate with clients and with each other.

Labels: cba, information breaches, media-mention, vanity

I just attended the meeting of the Canadian Bar Association Privacy Law Subsection (this year in sunny Winnpeg), where part of the discussion concerned the review of PIPEDA that will take place in 2006. I spoke with a lawyer from the Office of the Privacy Commissioner to suggest that PIPEDA be amended to require notice to the Commissioner when someone takes a complaint to the Federal Court. (I gather that the Aeroports de Montreal decision caught the Commissioner unawares. See my comment at "Focus on Privacy - PIPEDA and the Unionized Workplace").

Lo and behold, I was informed that the rules of the Federal Court are being amended to require such notice (see the Canada Gazette notice at http://canadagazette.gc.ca/partI/2004/20040731/html/regle2-e.html to require service of the application on the Commissioner.

Canada Gazette: "As a result of the enactment of the Personal Information Protection and Electronic Documents Act, Rule 304(1)(c) is amended by section 16 to stipulate that every application to the Federal Court for review of a matter that is the subject of a complaint shall be served on the Privacy Commissioner within the time period prescribed in Rule 304. "

Anyone wanting to comment has sixty days from July 31, 2004 to do so.

Labels: information breaches, media-mention, vanity