It's official, the Prime Minister is proroguing parliament until the beginning of March: CBC News - Politics - PM seeks Parliament shutdown until March. (Never mind that they've been on vacation since November.)

This means that a number of privacy-affecting bills are being forced into a coma. The list includes:

• Bill C-27 - Electronic Commerce Protection Act (Second Reading in the Senate and Referred to Committee on December 15, 2009) (aka Anti-spam Act);
• Bill C-46 - Investigative Powers for the 21st Century Act (Referred to Committee on October 27, 2009);
• Bill C-47 - Technical Assistance for Law Enforcement in the 21st Century Act (Referred to Committee on October 29, 2009);

The media is also reporting that, in the meantime, Harper plans to fill five vacant senate seats, which will give the Conservatives the majority they need to ensure safe passage of their legislation.

Labels: lawful access, pipeda review, privacy, spam

The Industry Minister tabled the Electronic Commerce Protection Act (ECPA) in Parliament at the end of last week. Here's the government's press release and backgrounder:

Industry Canada Site - Government of Canada Protects Canadians with the Electronic Commerce Protection Act

Government of Canada Protects Canadians with the Electronic Commerce Protection Act OTTAWA, April 24, 2009 — The Honourable Tony Clement, Minister of Industry, today announced that the Government of Canada is delivering on its commitment to protect consumers and businesses from the most dangerous and damaging forms of spam. The government has introduced legislation in Parliament that aims to boost confidence in online commerce by protecting the privacy and personal security concerns that are associated with spam, counterfeit websites and spyware.

The proposed Electronic Commerce Protection Act (ECPA) will deter the most dangerous forms of spam, such as identity theft, phishing and spyware, from occurring in Canada and will help drive spammers out of Canada.

“Our government knows how damaging spam can be to Canadians and Canadian businesses and that is why we are cracking down on Internet fraud and other forms of malicious activities,” said Minister Clement. “With this landmark legislation, our government will help protect consumers from Internet spam and related threats and boost confidence in the electronic marketplace.”

Spam and related online threats are a real concern to all Internet users as they can lead to the theft of personal data, such as credit card information (identity theft), online fraud involving counterfeit websites (phishing), the collection of personal information through illicit access to computer systems (spyware), and false or misleading representations in the online marketplace. The proposed legislation would also treat unsolicited text messages, or “cellphone spam,” as “unsolicited commercial electronic messages.”

This bill would allow businesses and consumers to take civil action against anyone who violates the ECPA. The Canadian Radio-television and Telecommunications Commission (CRTC), the Competition Bureau and the Office of the Privacy Commissioner will be given the power to share information and evidence with their counterparts in other countries who enforce similar laws internationally, so that violators beyond our borders cannot use Canada as a spam safe haven. The proposed ECPA would allow the CRTC and the Competition Bureau to charge offenders with administrative monetary penalties of up to $1 million for individuals, and $10 million for all other offenders.

Under the new legislation, Industry Canada will act as a “national coordinating body” in order to increase consumer and business awareness and education, to further coordinate work with the private sector in support of voluntary guidelines, and to conduct research and intelligence gathering.

As part of the proposed ECPA, new legislative measures would complement the federal government's previous efforts to address spam and related online threats.

In introducing this legislative proposal, the Government of Canada wishes to thank Senators Donald Oliver and Yoine Goldstein for their efforts to help address this issue. The bill also addresses the legislative recommendations of the Task Force on Spam. The Government of Canada, Canadian business and Canadian consumers owe a debt of thanks to Senators Oliver and Goldstein and to the Task Force for their contributions to the protection of electronic commerce and the online economy.

--------------------------------------------------------------------------------

April 24, 2009

Backgrounder

Government of Canada Introduces the Electronic Commerce Protection Act On April 24, 2009, the Government of Canada introduced anti-spam legislation, entitled the Electronic Commerce Protection Act (ECPA). In doing so, the government is delivering on a key commitment made by Prime Minister Harper to Canadians and Canadian businesses in September 2008.

This bill addresses the legislative recommendations of the Task Force on Spam, which brought together industry, consumers and academic experts to design a comprehensive package of measures to combat threats to the online economy.

The intention of the proposed legislation is to deter the most dangerous and damaging forms of spam from occurring in Canada and to help to drive spammers out of Canada.

The government studied successful legislative models in other countries and, based on their experiences, has developed a focused plan to address spam and related threats. By tabling legislation now, the government is able to address the latest technology and online threats.

This bill proposes a private right of action, modelled on U.S. legislation, which would allow businesses and consumers to take civil action against anyone who violates the ECPA. The proposed ECPA's technology-neutral approach allows all forms of commercial electronic messages to be treated the same way. This means that the proposed bill would also address unsolicited text messages, or “cellphone spam,” as a form of “unsolicited commercial electronic message.”

The bill would establish a clear regulatory enforcement regime consistent with international best practices and a multi-faceted approach to enforcement that protects consumers and empowers the private sector to take action against spammers.

An important component of the proposed ECPA is the enforcement regime whereby the Canadian Radio-television and Telecommunications Commission (CRTC), the Competition Bureau and the Office of the Privacy Commissioner would be given the authority to share information and evidence with their counterparts who enforce similar laws internationally, in order to pursue violators beyond our borders.

The proposed ECPA would enable the CRTC to impose administrative monetary penalties (AMPS) of up to $1 million for individuals and $10 million in all other cases. The Competition Bureau would use a similar AMPS regime already provided for in the Competition Act,and the Office of the Privacy Commissioner would use its existing tools and enforcement framework to enforce the provisions of this legislation. The bill also proposes that the Privacy Commissioner's powers to cooperate and exchange information with her counterparts be expanded, in respect of the Personal Information Protection and Electronic Documents Act.

Consultations show support from consumers, Internet service providers, marketers, businesses, educators, the financial sector, legal and consumer groups, and enforcement agencies.

Under the proposed ECPA, Industry Canada would act as a “national coordinating body” in order to expand awareness and education of consumers, network operators and small businesses, coordinate work with the private sector, and conduct research and intelligence gathering.

The government also intends to create a Spam Reporting Centre that would receive reports of spam and related threats allowing it to collect evidence and gather intelligence to assist the three enforcement agencies (the CRTC, the Competition Bureau and the Office of the Privacy Commissioner).

Businesses will benefit from improved protection against harm to the network and from consumers' strengthened confidence in the online marketplace.

The Internet has become the primary platform for online commerce and general communications. The online marketplace represents a major segment of Canada's economy, with $62.7 billion in sales in 2007. Worldwide, electronic commerce is projected to exceed $8.75 trillion in 2009.

At the same time, there has been an enormous increase in the vulnerabilities and threats to the Internet and online commerce. Spam now makes up over 80 percent of global email traffic, imposing huge costs on businesses and consumers.

Labels: privacy, spam

Facebook has just won a multi-multi-million dollar judgment against a Montreal residet under the American CAN-SPAM Act after the individual was accused of sending millions of unsolicited commercial e-mails to Facebook users. The company will never see most of the cash, but Facebook has said they'll go after all they can.

Hopefully, this will be a strong, visible deterrent.

See: The Associated Press: Facebook wins $873M judgment against spammer.

Labels: facebook, privacy, social networking, spam

According to Computerworld, a US Appeals Court has upheld the eight year setence for the theft of billions of e-mail addresses from Acxiom: Appeals court: Stiff prison sentence in Acxiom data theft case stands. It's worth noting that the convictions were under the federal hacking staute and not theft of information simpliciter.

Labels: fraud, privacy, spam

I've had one of my e-mail addresses for almost ten years, but there appears to be a demand for email addresses that'll only last ten minutes.

Enter 10 Minute Mail.

Have you ever signed up for a service that required a "validation address", though they promised they'd never use it to send you junk? Woe betide the person who uses their most favourite, ten-year address for such a purpose. Use one that'll only last long enough to suit the purpose. From the site:

Welcome to 10 Minute Mail.

By clicking on the link below, you will be given a temporary e-mail address. Any e-mails sent to that address will show up automatically on the web page. You can read them, click on links, and even reply to them. The e-mail address will expire after 10 minutes.

Why would you use this? Maybe you want to sign up for a site which requires that you provide an e-mail address to send a validation e-mail to. And maybe you don't want to give up your real e-mail address and end up on a bunch of spam lists. This is nice and disposable. And it's free. Enjoy!

Get my 10 Minute Mail e-mail address.

When I launched 10minutemail.com, tons of forum admins decried the idea. They screamed that it would let spammers on to their forums, and that they wouldn't sell e-mail lists to spammers, etc...

A month goes by, and let's see what we have. My server used to get around 200-300 e-mail a day. In the past week it averaged 20,000-30,000 e-mail a day. Virtually all of those were to old (expired) 10minutemail.com accounts. Presumably virtually all spam.

30,000 a day!? This proves that the average person simply CAN'T trust a random site or forum with their real e-mail address. Are there some forums/sites that are trustworthy? Sure! Does the average net user have any ability to tell with certainty if a given site or forum will sell their e-mail address or spam them direction? Unfortunately not.

This drives home the importance of the service.

In order to save my server from the crushing spam, I've swapped out the e-mail domain to fificorp.com, and then fificorp.net, and will continue to swap out the e-mail domain on a regular basis. This will serve two purposes. One, it will save my server from dying under the flood of spam. Two, it will keep admins who block registrations by domain on their toes at least once a month.

One important thing to note ... In some cases you may want an address that lasts longer. For example, if you forget your password to a service, they'll often e-mail it to the address on file. With 10minutemail, you're outta luck. For those sites where longevity may matter, try the Fake Name Generator. They'll supply an e-mail address that you can read as long as you bookmark it.

Labels: privacy, spam

Alec Saunders, at saunderslog.com is a little upset about receiving some unsolicited e-mail from the liberal party and Bill Graham (How to Stop the Liberal Party of Canada From Spamming You -- Alec Saunders .LOG):

Hypocrites that they are, by spamming me with Liberal propaganda, they’ve violated their own privacy policy. Their hypocrisy is further amplified by the fact that what they’ve done contradicts the Personal Information Protection and Electronic Documents Act, section 4.2.4 which states:

When personal information that has been collected is to be used for a purpose not previously identified, the new purpose shall be identified prior to use. Unless the new purpose is required by law, the consent of the individual is required before information can be used for that purpose.

And here, of course, is the irony. It was a Liberal Government which introduced the Personal Information Protection and Electronic Documents Act.

Whether this is a violation of PIPEDA depends upon whether that law applies at all. PIPEDA only regulates the collection, use and disclosure of personal information in the course of commercial activities (and information about employees of federal works, undetakings and businesses). This generally excludes non-profits, like political parties. Some activities are deemed to be commercial, like the sale or trade of personal information by a non-profit organization.

It's arguable that PIPEDA wouldn't apply in the case of political spam, unless one organization has traded the e-mail address with another. But if it bugs you enough, complain to the Privacy Commissioner and see if she agrees...

Labels: information breaches, privacy, spam

From the Associated Press, via Yahoo! News:

FBI Raid Shuts Down Suspected Spammer - Yahoo! News:

"WEST BLOOMFIELD, Mich. - A man described as one of the nation's leading senders of spam says an FBI raid on his home office has halted his e-mail operation.

Warrants unsealed last week show that a September raid on Alan M. Ralsky's home in a Detroit suburb included the seizure of financial records, computers and disks.

'We're out of business at this point in time,' Ralsky said. 'They didn't shut us down. They took all our equipment, which had the effect of shutting us down.'

Terry Berg, the top deputy in the Detroit U.S. attorney's office, declined to comment.

Ralsky, 60, has said that he has 150 million or more e-mail addresses, and he has been a target of anti-spam efforts for years.

Verizon Communications Inc. sued him in 2001, saying he shut down its networks with millions of e-mail solicitations. He settled, promising not to send spam on its networks.

A federal law that took effect last year bans use of misleading subject lines and the sending of commercial e-mail messages that appear to be from friends. It also bans use of multiple e-mail addresses or domain names to hide senders' identities."

Labels: information breaches, law enforcement, spam

Today's New York Times has an interesting and slightly amusing article about a computer glitch on the Spamalot (the Broadway musical) website that may have exposed more than 31,000 to alottaspam.

The New York Times > Theater > News & Features > What to Expect of 'Spamalot'? A Lot of Spam:

"'Spamalot' fans who signed up for a newsletter on the Broadway musical's official Web site may end up getting, well, spammed a lot. 'Movin' Out' devotees may have the same problem. A security glitch - now fixed - exposed the names and postal and e-mail addresses of more than 31,000 people to savvy computer users.

Up until Thursday evening, when a reporter from The New York Times pointed out the problem to the Web sites' developer, visiting a specific address on the shows' sites produced a long page with mailing-list data. The security hole was not obvious to casual Web surfers because the address was buried in the site's code. But it could have been discovered by someone deliberately seeking the list data, or by a kind of program used by spammers to scour the Web for new e-mail addresses to bombard.

Both montypythonsspamalot.com, where 19,000 people had signed up for a newsletter, and movinoutonbroadway.com, where 14,000 had, were built by Mark Stevenson, a designer in Croton-on-Hudson, N.Y...."

I'm not sure if this qualifies as an incident as the article only refers to the glitch's potential to expose addresses. I suppose the site maintainer would be able to look at their logs to find out if the page with all the names was ever viewed.

So many privacy incidents are caused by simple human error, whcih I expect is the cause of this one. I'm on the board of an industry association that recenly allowed the local economic development agency to send an e-mail to its members announcing a very specific event. Unfortunately, someone thought that using a "distribution list" in Outlook would shield all the addresses. Not quite. Every single address was in the "To:" field. So far nobody has complained, but I expect we'll hear more of it. One minor misunderstanding of the technology and it had the potential to upset quite a few people.

Thanks to Rob Hyndman for reminding me about the article. I saw it very early this morning but forgot to bookmark it for later blogging.

Labels: information breaches, spam

The first felony conviction for spamming in the United States has been onverturned, CNN is reporting: CNN.com - Judge dismisses spam conviction - Mar 2, 2005:

"LEESBURG, Virginia (AP) -- A judge dismissed a felony spamming conviction that had been called one of the first of its kind, saying he found no 'rational basis' for the verdict and wondering if jurors were confused by technical evidence...."

Labels: information breaches, spam

Michael Geist, of the University of Ottawa and member of the federal SPAM Task Force, has instigated the first finding of the Office of the Privacy Commissioner related to spam. Not only is it the first decision of its kind, it also concludes that business e-mail addresses are not included in the so-called "business card exception" to the definition of "personal information" and that the harvesting of e-mail addresses from an organization's website does not allow the use of the consent exception that applies to "publicly available information".

The "business card exception" relies on the definition of "personal information" under s. 2 of PIPEDA:

"personal information" means information about an identifiable individual, but does not include the name, title or business address or telephone number of an employee of an organization."

The Assistant Privacy Commissioner, in the written finding to Professor Geist, concludes that because business e-mail addresses are not listed in the definition, they are not excluded from the definition.

The "publicly available information" exception is contained in s. 7 of PIPEDA:

Collection without knowledge or consent
7. (1) For the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, an organization may collect personal information without the knowledge or consent of the individual only if

...

(d) the information is publicly available and is specified by the regulations.

Use without knowledge or consent
(2) For the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, an organization may, without the knowledge or consent of the individual, use personal information only if

(c.1) it is publicly available and is specified by the regulations;

The key provision in this case is contained in the regulation that stipulates that one can only use "publicly available information" for the purposes for which it was made available to the public in the first place:

(b) personal information including the name, title, address and telephone number of an individual that appears in a professional or business directory, listing or notice, that is available to the public, where the collection, use and disclosure of the personal information relate directly to the purpose for which the information appears in the directory, listing or notice;

In this case, the Assistant Commissioner concluded that Professor Geist's e-mail address was posted on the University of Ottawa website to further the interests of the University. This purpose did not include receiving solicitations to buy sports tickets.

I will be interested to see if Professor Geist will take this matter to the Federal Court to provide us a more definitive conclusion on these important points.

See, also, a very good article on this incident at the Toronto Star: Football club broke email privacy rules.

Labels: information breaches, privacy, spam

Most security folks will tell you that violations of privacy are often an inside job. Further evidence:

Labels: aol, information breaches, spam