Canadian Privacy Law Blog

It's an honour to be nominated: Top 25 Most Influential Lawyers in Canada 2013 Survey

2013-05-21T20:10:00.001-03:00

Somehow, I've been nominated by Canadian Lawyer Magazine for inclusion in their annual Top 25 Most Influential Lawyers in Canada. It is truly an honour, particularly when I look at the other nominees. My category includes Michael Geist and other categories include my law partner Jack Innes QC and Professor Wayne MacKay of Dalhousie Law School. I was also delighted to see Fred Headon of Air Canada and my law school classmate, Kristi Taylor on the list.

The full list of nominees and the survey is here if you want to check it out and perhaps share your views: Top 25 Most Influential Lawyers in Canada 2013 Survey.

The Canadian government is likely the greatest threat to the privacy of Canadians

2013-05-14T14:06:00.001-03:00

In case there was any doubt, the Canadian government is likely the greatest threat to the privacy of Canadians. Michael Geist does a great job in summing up the issue in one of his latest columns.

Michael Geist - Your Information is Not Secure: Thousands of Government Privacy Breaches Point to Need for Reform:
As Canadians focused last week on the aftermath of the Boston Marathon bombing and the RCMP arrests of two men accused of plotting to attack Via Rail, the largest sustained series of privacy breaches in Canadian history was uncovered but attracted only limited attention. Canadians have faced high profile data breaches in the past - Winners/HomeSense and the CIBC were both at the centre of serious breaches several years ago - but last week, the federal government revealed that it may represent the biggest risk to the privacy of millions of Canadians as some government departments have suffered breaches virtually every 48 hours.
The revelations came as a result of questions from NDP MP Charlie Angus, who sought information on data, information or privacy breaches in all government departments from 2002 to 2012. The resulting documentation is stunning in its breadth.
Virtually every major government department has sustained breaches, with the majority occurring over the past five years (many did not retain records dating back to 2002). In numerous instances, the Privacy Commissioner of Canada was not advised of the breach.
Some of the most vulnerable departments are those that host the most sensitive information. For example, Citizenship and Immigration Canada suffered 161 breaches in 2012 - more than three per week - affecting hundreds of people. The department only disclosed the breaches to the Privacy Commissioner of Canada on five occasions.
Human Resources and Skills Development Canada famously suffered a massive breach last year - 588,384 individuals were affected - but less well known is that the department has had thousands of other breaches over the past few years. In 2007, a breach affected 28,651 people, yet the Privacy Commissioner of Canada was not informed and the department is unsure of whether the breach resulted in criminal activity.
Virtually no department has been immune to security breaches with nearly 100,000 individuals affected by breaches at Agriculture and Agri-Food Canada since 2008, almost 5,000 individuals hit at Fisheries Canada with no reporting to the Privacy Commissioner of Canada, and just under 200 breaches at the RCMP affecting an unknown number of people.
If a similar situation occurred involving a major Canadian bank, retailer, or telecom company, there would be an immediate outcry for tougher rules on mandatory disclosure of security breaches. Yet the federal government plays by different rules, with no liability and no legal requirements to disclose the breaches.
Successive federal privacy commissioners have urged the government to reform the badly outdated Privacy Act to at least hold government to the same privacy standard that it expects from the private sector. But those calls for reform have been repeatedly ignored.
Most recently, Privacy Commissioner of Canada Jennifer Stoddart identified twelve seemingly uncontroversial reforms, including strengthening annual reporting requirements by government departments, introducing a provision for proper security safeguards for the protection of personal information, and creating legislated security breach notification requirements. None of the recommendations have been implemented.
In fact, Canadian privacy failures dot the legislative landscape. Bill C-12, the Canadian private sector privacy bill intended to implement reforms that date back to hearings conducted in 2006 lies dormant in the House of Commons. A review of the private sector privacy law that was required by law in 2011 has seemingly been forgotten. Anti-spam legislation passed in 2010 and touted as a key part of the government's cybercrime strategy is stuck as Industry Minister Christian Paradis dithers on the applicable regulations.
No institution has greater access to the personal information of Canadians than the federal government. The public entrusts it to keep their information secure and to take all appropriate action should a security breach occur. The latest revelations indicate that the failure to live up to that trust is spread across virtually all government departments and to the political leaders that have failed to introduce much-needed legislative privacy safeguards.
Michael Geist holds the Canada Research Chair in Internet and E-commerce Law at the University of Ottawa, Faculty of Law. He can reached at mgeist@uottawa.ca or online at www.michaelgeist.ca.

Nova Scotia anti-cyberbullying bill is on the fast track

2013-05-06T18:42:00.001-03:00

It really would appear that the new Nova Scotia anti-cyberbullying bill is on the fast-track (or is being jammed through the legislature). It was introduced on April 25, debated on April 26, then sent to committee. It's been on the Law Amendments Committee agenda on May 2, 3, and 6.

Some are speculating that it'll be passed and proclaimed within a few days.

Here's the official status of the Bill: Status of Bills / Bills, Statutes, Regulations / Proceedings / The Nova Scotia Legislature.

Reddit revises its privacy policy and invites comments in reddit style

2013-05-03T07:12:00.001-03:00

The social news site, reddit.com, has revised its privacy policy. Though the new policy doesn't go into effect until May 15, 2013, the site has invited redditors to comment on it in true reddit style. Thousands of comments have been submitted and the author of the policy, Lauren Gelman, has been responding to the comments and making revisions in response.

Check out the discussion: reddit's privacy policy has been rewritten from the ground up - come check it out : blog.

As a privacy lawyer, I found the discussion to be very interesting, since you don't often get such a direct understanding of how different people approach these documents.

I want better and more targeted ads

2013-04-27T17:27:00.001-03:00

Perhaps not surprisingly, I spend a lot of time thinking about privacy. I also spend a lot of time thinking about personalization, particularly in online services. When I lived in a village of 500 people in the '90s, I had a personal relationship with the owner of the grocery store, the pharmacy and the general store. They knew what I liked and what I bought. They would often tell me when they were getting in some product that I might like or would even ask me if there was something they could order in for me. They understood their customers and my service could be appropriately personalized.

The internet allows you to massively scale this idea, but much "personalization" of advertising too often misses the mark. Or creeps people out. But it doesn't have to.

If you look at the sort of advertising that often appears on Facebook, you're sometimes left scratching your head. If Facebook knows so much about me, why are the ads so ill-targeted or based on gross demographic assumptions? Ask any woman in her late thirties or forties: their Facebook ad column is full of advertisements for weight loss products and the other sort of junk that appears in Glamour magazine. Some are relevant to many in that demographic, but not to all. Poorly personalized ads are worse than the clutter of untargeted ads since they tend to perturb people. Well-targeted ads are more like information. And this is the information age.

A number of months ago, I was looking for a very good, durable backpack that I could use to schlep my technology and paper-based detritus to and from work that would not look too sporty or out of place in a business environment. I did a lot of searching online and browsing online vendors. It didn't take long before most of the ads I saw were about backpacks and briefcases. I finally bought one that I'm happy with, but for weeks afterwards most of my ads were for backpacks. I wanted to tell them that I'd bought a backpack, I was happy with it and they should move on to anticipating my other needs.

I am really looking forward to better targeted ads, especially location-aware advertising. I will not hesitate to share my location in real-time with an advertising company that I can trust to deliver value to me in exchange for understanding me better. If I am meandering up Spring Garden Road in Halifax with time to spare, I'd appreciate it if my phone let me know that Dugger's menswear is having a sale or a reminder that I'm due for a free coffee at Starbucks with my next check-in on Foursquare. It would be cool to get a notice that I'm within fifty feet of a store where I have in-store credit to spend (and, by the way, they have that widget I was looking for).

If online retailers are really eating the lunches of brick and mortar operations, targeted and location-aware advertising has the possibility of resetting the balance. Online, buying something is a few clicks away, but when I'm travelling in real space I am simply more receptive to serendipity and the possibility of impulse purchases. And if my device knows I'm in a retail district, or outside my usual geography, even moreso.

I travel a lot for work and that's where location-aware information could be the silver bullet of convenience with no intrusion. I use TripIt to organize all the details of my travel. It would be great if, along with my itinerary, it would provide me a list of Thai and Indian restaurants near my hotel (because I like 'em) and offer to make a reservation. Better yet would be something social, such as a list of restaurants and stores my friends like in that city. I would be delighted to tell the nice folks at TripIt all sorts of info about what I like when I travel if it would use that info to serve me better. Until then, I'm triangulating among Google Places, FourSquare, Untappd and Yelp. All of them are getting better, but aren't quite there yet.

But the day will come, and I'm actually looking forward to it.

Analysis of the Nova Scotia Anti-Cyberbullying legislation

2013-04-27T14:19:00.000-03:00

As I blogged yesterday, the Nova Scotia provincial government has tabled a bill in the provincial legislature to address cyberbullying. The Bill, dubbed the Cyber-safety Act, does a number of notable things. Notably, it is not limited to protecting minors from cyberbullying and is equally available to adult and child victims.

It must be borne in mind that the Bill has only just been tabled, so it may be amended as it works its way though the legislature and its committees.

It the Bill, cyberbullying is defined:

(b) "cyberbullying" means any electronic communication through the use of technology including, without limiting the generality of the foregoing, computers, other electronic devices, social networks, text messaging, instant messaging, websites and electronic mail, typically repeated or with continuing effect, that is intended or ought reasonably be expected to cause fear, intimidation, humiliation, distress or other damage or harm to another person's health, emotional well-being, self-esteem or reputation, and includes assisting or encouraging such communication in any way;

Interestingly, the Bill deems some parents to be cyberbullies themselves if they don't do enough to prevent their minor children from engaging in cyberbullying:

(2) For the purpose of this Act, w here a person who is a minor engages in an activity that is cyberbullying and a parent of the person

(a) knows of the activity;

(b) knows or ought reasonably to expect the activity to cause fear, intimidation, humiliation, distress or other damage or harm to another person's health, emotional well-being, self-esteem or reputation; and

(c) fails to take steps to prevent the activity from continuing,

the parent engages in cyberbullying.

Cyberbullying Protection Orders

First of all, the Bill creates "cyberbullying protection orders", which are orders issued by the courts to require an individual to cease activities that will be prescribed in the order. The order can be broad or narrow, and the bill gives the courts wide latitude:

9 (1) A protection order may include any of the following provisions that the justice considers necessary or advisable for the protection of the subject:

(a) a provision prohibiting the respondent from engaging in cyberbullying;

(b) a provision restricting or prohibiting the respondent from, directly or indirectly, communicating with or contacting the subject or a specified person;

(c) a provision restricting or prohibiting the respondent from, directly or indirectly, communicating about the subject or a specified person;

(d) a provision prohibiting or restricting the respondent from using a specified or any means of electronic communication;

(e) an order confiscating, for a specified period or permanently, any electronic device capable of connecting to an Internet Protocol address associated with the respondent or used by the respondent for cyberbullying;

(f) an order requiring the respondent to discontinue receiving service from an Internet service provider;

(g) any other provision that the justice considers necessary or advisable for the protection of the subject.

One thing that I find very interesting -- and disappointing -- is that if the victim is a minor, he or she cannot seek such an order him or herself. His or her parents have to seek the order on their behalf. One would think that at least older teenagers should be able to help themselves, even if their parents don't want to get involved.

A new tort of cyberbullying

Next, the Bill creates a brand-new tort of cyberbullying, which gives a victim of cyberbullying the right to sue in the civil courts for damages. This part is pretty short on details, so I expect the provincial government is leaving it to the courts to sort out.

21 A person who subjects another person to cyberbullying commits a tort against that person.

22 (1) In an action for cyberbullying, the Court may

(a) award damages to the plaintiff, including general, special, aggravated and punitive damages;

(b) issue an injunction on such terms and with such conditions as the Court determines appropriate in the circumstances; and

(c) make any other order that the Court considers just and reasonable in the circumstances.

(2) In awarding damages in an action for cyberbullying, the Court shall have regard to all of the circumstances of the case, including

(a) any particular vulnerabilities of the plaintiff;

(b) all aspects of the conduct of the defendant; and

(c) the nature of any existing relationship between the plaintiff and the defendant.

In addition, the Bill makes the parents of a minor cyberbully jointly and severally liable for all the damages unless the parents are able to show due diligence. It is understandable that the government would include this provision, since young cyberbullies likely do not have any assets of their own (making a civil lawsuit futile) and to perhaps dip into the homeowners or renters insurance policies that parents may have.

(3) Where the defendant is a minor, a parent of the defendant is jointly and severally liable for any damages awarded to the plaintiff unless the parent satisfies the Court that the parent was exercising reasonable supervision over the defendant at the time the defendant engaged in the activity that caused the loss or damage and made reasonable efforts to prevent or discourage the defendant from engaging in the kind of activity that resulted in the loss or damage.

(4) For the purpose of subsection (3), in determining whether a parent exercised reasonable supervision over the defendant at the time the defendant engaged in the activity that caused the loss or damage or made reasonable efforts to prevent or discourage the defendant from engaging in the kind of activity that resulted in the loss or damage, the Court may consider

(a) the age of the defendant;

(b) the prior conduct of the defendant;

(c) the physical and mental capacity of the defendant;

(d) any psychological or other medical disorders of the defendant;

(e) whether the defendant used an electronic device supplied by the parent, for the activity;

(f) any conditions imposed by the parent on the use by the defendant of an electronic device;

(g) whether the defendant was under the direct supervision of the parent at the time when the defendant engaged in the activity;

(h) in the event that the defendant was not under the direct supervision of the parent at the time at the time when the defendant engaged in the activity, whether the parent acted unreasonably in failing to make reasonable arrangements for the supervision of the defendant; and

(i) any other matter that the Court considers relevant.

The tort of cyberbullying would be in addition to any other causes of action that might be brought to bear, including defamation and intentional infliction of emotional distress.

Powers given to the Director of Public Safety

The provincial government has promised, as part of this legislation, to create a specialized unit to combat cyberbullying. This is being done as amendments to the existing Safer Communities and Neighbourhoods Act. This Act has generally been used to deal with crackhouses and the like, but an additional part allows for the designation of "Directors of Public Safety" who will have particular powers to investigate and respond to cyberbullying. (To show how this Act is amended by the bill, I've created a Google doc that shows the proposed changes.)

The Director is given the power to investigate cyberbullying and can seek the assistance of the courts to unmask anonymous miscreants. Once identified, the Director can make an application to the court for a cyberbullying prevention order. The prevention orders are very similar to the protection orders outlined above (I'm not sure why it is duplicated in the Safer Communities and Neighbourhoods Act and the Cyber-safety Act).

It is an offense to defy such an order when issued.

Amendments to the Education Act

The Bill also proposes amendments to the existing Education Act. First of all, it adds the promotion and encouragement of safe and respectful electronic communications to the mandate of the school system. But more importantly, it gives school principals explicit jurisdiction over outside of school activities that are disruptive to the school environment:

122 Where a student enrolled in a public school engages in

(a) disruptive behaviour or severely disruptive behaviour on school grounds, on property immediately adjacent to school grounds, at a school-sponsored or school-related activity, function or program whether on or off school grounds, at a school bus stop or on a school bus; or

(b) severely disruptive behaviour at a location, activity, function or program that is off school grounds and is not school-sponsored or school-related, if the behaviour significantly disrupts the learning climate of the school,

the principal, or the person in charge of the school, may take appropriate action as specified in the Provincial school code of conduct policy including suspending the student for a period of not more than five school days.

My overall impression

Overall, I think this legislation is an important step. Up until this Bill was tabled, most of the discussion of the issue recently has focused on possible amendments to the Criminal Code. Based on what I've seen reported about the Rehtaeh Parsons case points to a serious failing on the part of the criminal justice system (and the mental health system), not the criminal law. But in any event, the phenomenon of cyberbullying is a very complicated one, and one that cannot be fixed or even properly addressed by the criminal law alone. This bill specifically puts a degree of responsibility in the school system and provides the means to establish a group of specialists who have appropriate tools to investigate and respond to cyberbullying. Finally, it gives victims and their parents the ability to proceed through the civil justice system for the harm of cyberbullying. Of course, much depends on how this is implemented and I'm sure many here in Nova Scotia will be paying close attention to that.

Government of Nova Scotia introduces anti-cyberbullying bill

2013-04-25T14:01:00.001-03:00

The Government of Nova Scotia today tabled Bill 61 to create the Cyber-safety Act. In response to high-profile cyberbullying incidents in the province, some of which have had tragic outcomes, the Bill seeks to do a number of things, including:

Providing for protective orders in cases of cyberbullying
Creating a free-standing tort of cyberbullying, for which a young cyberbully's parents are jointly and severally responsible unless they can prove they exercised reasonable supervision
Creates cyber-bullying prevention orders

I haven't had a chance to review it clause by clause, but I expect I'll have some comments to add later.

(Added 2013-04-27) To see the "in place" amendments to the Safer Communities and Neighbourhoods Act, I've created a redlined Google Doc.

Newfoundland lays charges against health district employees for record snooping

2013-04-25T12:03:00.001-03:00

Charges have been laid in Newfoundland against two individuals employed by separate health districts related to inappropriate and unauthorized access to patient information. I have to say I'm happy to see how seriously many privacy regulators take these sorts of intrusive and unjustified invasions of individual privacy. I'm also happy to see that they are "former employees".

VOCM.COM|Charges Laid in Hospital Privacy Breaches | Article.
The Information and Privacy Commissioner says two people have been charged with offences under the Personal Health Information Act. Two former employees at Eastern Health and Western Health have been charged.
The two individuals are alleged to have improperly accessed the personal health information of a number of patients. The charges are the result of two separate investigations by staff of the Office of the Information and Privacy Commissioner stemming from complaints received in 2012. Both health authorities alerted Commissioner Ed Ring about the privacy breaches when they were discovered. Patients affected by the breaches were contacted by Eastern and Western Health. Audits of electronic medical records were conducted by the boards, and the two separate investigations by the commissioner's staff confirmed that charges are warranted under the Personal Health Information Act. The first appearance involving the former worker at Eastern Health is May 3 in St. John's, and the former employee at Western Health will make a first appearance on May 28 in Corner Brook.

Parliamentary Committee releases report on Canadian privacy laws and social media

2013-04-24T15:13:00.001-03:00

The House of Commons Standing Committee on Access to Information, Privacy and Ethics has just released its report on Canadian privacy laws and social media: House of Commons Committees - ETHI (41-1) - Privacy and Social Media - Report.

The Report contains a number of recommendations, including the following:

Recommendation 1 - The Committee recommends that the Privacy Commissioner of Canada establish guidelines directed at social media and data management companies to help them develop practices that fully comply with PIPEDA, particularly accountability and openness.

Recommendation 2 - The Committee recommends that the Privacy Commissioner of Canada establish guidelines directed at social media and data management companies to help them develop policies, agreements and contracts that are drafted in clear, accessible language that facilitates meaningful and ongoing consent.

Recommendation 3 - The Committee recommends that the Privacy Commissioner of Canada establish guidelines directed at social media and data management companies to help them put in place mechanisms that ensure individuals have access to any personal information that those companies may hold about them, that limit how long those companies hold on to that information and that facilitate the deletion of such information.

Recommendation 4 - The Committee recommends that the Government of Canada and social media companies continue to provide support to organizations that provide education and training on digital activities and privacy.

Recommendation 5 - The Committee urges social media companies to play a larger role in promoting safe and active online activities that protect the privacy and personal information of individuals, particularly in regard to vulnerable
groups such as children and young persons.

Recommendation 6 - The Committee recommends that the Government of Canada and social media companies continue to provide support to organizations dedicated to educating and promoting awareness to children, their parents and teachers to protect their personal information and privacy online.

Recommendation 7 - The Committee recommends that the Government of Canada continue to provide support to digital literacy programs.

The NDP members of the Committee also added the following recommendations:

Recommendation 1: New Democrats recommend that the government grant enforcement powers to the Privacy Commissioner such as order making powers and the authority to impose administrative monetary penalties.
Recommendation 2: New Democrats recommend that the government require all organizations to report data breaches or losses to the Privacy Commissioner where a reasonable person would find that the breach or loss presents any risk of harm to the individuals affected.
Recommendation 3: New Democrats recommend that the government modernize Canadian privacy laws to measure up to privacy protections in comparable democracies and to ensure that the personal information of Canadians is well protected in the digital age.
Recommendation 4: New Democrats recommend that the government review Schedule 1 of PIPEDA to clarify that express consent should generally be sought for disclosure of personal information to third parties and that this is especially necessary where such disclosure is a requirement of an end-user license agreement.
Recommendation 5: New Democrats recommend that privacy issues constitute an essential part of a comprehensive digital economy strategy for Canada.
Recommendation 6: New Democrats recommend that the government consider reviewing PIPEDA and corresponding regulations to encourage organizations to implement the practice of privacy by design.
Recommendation 7: New Democrats recommend that PIPEDA, corresponding regulations, and any relevant statutes be amended to encourage organizations to implement Do Not Track functions.
Recommendation 8: New Democrats recommend that the government continue to study ways in which to best protect the personal information of children online while encouraging that they too benefit from the social, cultural, and democratic benefits of the online world.
Recommendation 9: New Democrats recommend that the government conduct a study on the privacy policy known as the “right to be forgotten” and report back to Parliament.

Edit: The first version of this posting inadvertently only showed the NDP recommendations. Sorry. Fixed that.

Statistics on Federal Government data breaches are staggering

2013-04-23T21:16:00.001-03:00

According to documents filed in Parliament in response to a request for information filed by the opposition, the Federal Government has experienced thousands of data breaches over the past decade, affecting the personal information of hundreds of thousands of Canadians. And the vast majority were not reported to the affected individuals.

Government data breached thousands of times in last decade, documents say
OTTAWA — The federal government has seen more than 3,000 data and privacy breaches over the past 10 years, breaches that have affected more than 725,350 Canadians, according to documents tabled in Parliament on Tuesday.
The responses from departments, given to the New Democrats in response to an order paper question, also show that less than 13 per cent of all breaches have been reported, including a handful from the Department of Fisheries and Oceans that affected more than 4,400 individuals.
“There may be issues where Canadians have been put at risk and they haven’t been informed,” said NDP critic Charlie Angus, who submitted the written question. “As a standard, we should involve the privacy commissioner when Canadians’ privacy is breached.”
The list, however, is not a complete accounting of breaches, suggesting that there the number of breaches may be higher than reported. For instance, the Canada Revenue Agency didn’t provide any numbers, saying that a search of the hard copy records of breaches would be too cumbersome to be completed.
The list also turned up at least three instances where the data loss led to criminal activity, including one at the Public Service Commission in the 2007-2008 fiscal year that led to the termination of a contract with the recycling firm JC Fiber. Another data loss at the Department of Finance ended with one worker being charged with breach of trust.
The Department of Foreign Affairs, according to the documents, has 11 ongoing investigations into data breaches that affect at least 42 individuals.
The tabling of the figures prompted the government to release a statement signed by three cabinet ministers, including two whose departments have either come under scrutiny for losing the information of Canadians: Veterans Affairs Minister Steven Blaney, and Human Resources Minister Diane Finley.
“Our Government takes the privacy of Canadians very seriously, especially the critical importance of the proper handling of sensitive personal information,” Treasury Board President Tony Clement said in the statement.
“We will continue to work closely with the Office of the Privacy Commissioner to ensure that the privacy of Canadians is protected.”
Finley’s department has been dealing with fallout from two data breaches. In one incident, the department lost a portable hard drive with the personal information of about 583,000 Canada Student Loan recipients, including their social insurance numbers. In a second incident, a lawyer on loan to HRSDC from the Department of Justice lost a USB key with personal information about more than 5,000 employment insurance recipients.
Both have prompted investigations by the privacy commissioner, Jennifer Stoddardt, who was notified of both incidents.
“This came out of the massive data breach at HRSDC and the fact they spent a number of months keeping it quiet while they searched for it,” Angus said. “Now we see we’ve got well over 3,000 breaches.”
“What we’re seeing here is this about covering the rear-ends of ministers trying to keep their jobs,” Angus said.

Nunavut privacy commissioner to receive expanded powers to investigate privacy complaints

2013-04-22T09:20:00.001-03:00

Following the passage of Bill 38, An Act to Amend the Access to Information and Protection of Privacy Act, the Information and Privacy Commissioner will be given new powers investigate privacy breaches when the bill is proclaimed into force this spring.

You should not be faulted for wondering why this was not a power given to the Commissioner in the first place, but it's not unique. Nova Scotia's Review Officer appointed under the Freedom of Information and Protection of Privacy Act was only recently given such powers.

For more details, see: NunatsiaqOnline 2013-04-19: NEWS: Nunavut information and privacy czar to get more powers.

No more virtual strip-searches for Canadian travelers

2013-04-17T11:21:00.001-03:00

The Canadian Press and the CBC are reporting that the virtual strip-search machines installed in Canadian airports will have their software upgraded so that passengers will no longer have their nude images presented to screeners. Instead, the technology will project a stick figure with highlights of possible hidden objects. See: 'Naked' airport scans switching to stick figure images - New Brunswick - CBC News.

I expect that passengers who remain concerned about either radiation exposure or the residual intrusion can ask for a manual pat-down. That's what I'll continue to do: if they're going to invade my personal space, I want to look the person in the eye while he does it.

New blog with tips, tricks, gadgets, hacks, miscellany and legal geekery

2013-04-15T12:15:00.000-03:00

Pardon the interruption ... normal privacy-related posting will continue after this brief promotional message ...

I recently attended the American Bar Association's annual TechShow in Chicago. The highlight was the annual "60 Tools in 60 Minutes" in which four hard-core geeky lawyers shared their top tips and tools in rapid-fire succession.

Having now seen the 60 Tools show up close and personal, I've been inspired to share some of my own tips, tricks, gadgets, hacks and other micellany that might be of interest to lawyers and other professionals who like efficiency and technology. Without any further ado: Stuff Dave Likes.

I've already put up a few posts:

I am acutely aware that readers of the Canadian Privacy Law Blog are here to read about privacy and not legal geekery, so I will not be cross-posting unless there really is a crossover. However, if you're into legal geekery please drop by Stuff Dave Likes from time to time. And if there's stuff you like too, let me know about it.

Investment regulator loses portable storage device containing personal info on 52,000 Canadians

2013-04-13T08:36:00.001-03:00

The Investment Industry Regulatory Organization of Canada, the agency that regulates Canada's investment industry, has announced that a portable storage device has been lost containing the personal information of 52,000 individuals.

Their statement says it was an "isolated incident", which it may well be within their organization but it certainly is happening a lot across all industries. Given the publicity surrounding some very high-profile breaches in Canada, it is puzzling that people are still putting sensitive information on portable storage devices.

From the Toronto Star: Investment regulator “regrets” loss of clients’ personal info | Toronto Star.

Missing HRSDC hard drive also contained sensitive investigation reports

2013-04-10T07:27:00.001-03:00

The Ottawa Citizen is reporting that the hard drive that went missing from HRSDC not only contained files on five hundred thousand student loan applicants, but also contained sensitive investigation reports and corporate business plans.

This story isn't getting any better: Missing hard drive included business plans, financial information and investigative reports on applicants, emails suggest.

It's not your job to collect or retain customer information for the cops

2013-03-27T19:57:00.000-03:00

Let me preface this post by saying good on Telus for challenging the police for attempting to use a general warrant to get text messages instead of a wiretap order in the R v Telus case released by the Supreme Court of Canada (and summarized in Canadian Privacy Law Blog: Supreme Court of Canada says that wiretap order is required to obtain text messages).

However, I can't help but wonder why Telus chooses to keep text messages for thirty days when other telcos do not. The Court noted:

[6] When Telus subscribers send a text message, the transmission of that message takes place in the following sequence. It is first transmitted to the nearest cell tower, then to Telus’ transmission infrastructure, then to the cell tower nearest to the recipient, and finally to the recipient’s phone. If the recipient’s phone is turned off or is out of range of a cell tower, the text message will temporarily pause in Telus’ transmission infrastructure for up to five days. After five days, Telus stops trying to deliver the message and deletes it without notifying the sender.
[7] Unlike most telecommunications service providers, Telus routinely makes electronic copies of all the text messages sent or received by its subscribers and stores them on a computer database for a period of 30 days. Text messages that are sent by a Telus subscriber are copied to the computer database during the transmission process at the point in time when the text message enters Telus’ transmission infrastructure. Text messages received by a Telus subscriber are copied to the computer database when the Telus subscriber’s phone receives the message. In many instances, this system results in text messages being copied to the computer database before the recipient’s phone has received the text message and/or before the intended recipient has read the text message.

It obviously isn't material to the Court's decision, but I wonder why.

Actors in the private sector, such as internet service providers, often collect and retain information that may be useful for law enforcement or as part of private litigation. You may recall from the Privacy Commissioner's investigation of Nexopia that the kid-focused social networking site retained information indefinitely, at least in part, in case the police asked for it. In my view, that's not ok. It's not a service provider's job to police its customers, nor is it its job to deputize themselves as agents of the state.

So what should service providers to do? Here are my thoughts (and comments are welcome):

Don't collect personal information that you don't need just because it could be useful, particularly if it could be useful to law enforcement or to private litigants. Even if you think you may be required to collect it later, that's no justification to collect it now.
Don't keep personal information around any longer than you actually need it. If you are asked for personal information by law enforcement or private litigants, it is much easier to say you don't have it than to go to court to resist providing it (see below).
Don't offer law enforcement unsolicited access to personal information just because you see something suspicious. Unless you come across evidence of fraud against your organization or compelling evidence of a serious crime, it is not your job to hand over reams of information to law enforcement.
PIPEDA does allow you to disclose personal information to law enforcement on your own initiative under section 7(3) of the law:
(3) For the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, an organization may disclose personal information without the knowledge or consent of the individual only if the disclosure is ...
(d) made on the initiative of the organization to an investigative body, a government institution or a part of a government institution and the organization
(i) has reasonable grounds to believe that the information relates to a breach of an agreement or a contravention of the laws of Canada, a province or a foreign jurisdiction that has been, is being or is about to be committed, or
(ii) suspects that the information relates to national security, the defence of Canada or the conduct of international affairs;
If asked by law enforcement for personal information that is in your custody, don't hand it over without a warrant. This is the diciest situation and PIPEDA offers a bit of guidance. Under section 7(3), you are permitted to disclose personal information without consent in the following circumstances:
(3) For the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, an organization may disclose personal information without the knowledge or consent of the individual only if the disclosure is ...
(c) required to comply with a subpoena or warrant issued or an order made by a court, person or body with jurisdiction to compel the production of information, or to comply with rules of court relating to the production of records;
(c.1) made to a government institution or part of a government institution that has made a request for the information, identified its lawful authority to obtain the information and indicated that
(i) it suspects that the information relates to national security, the defence of Canada or the conduct of international affairs,
(ii) the disclosure is requested for the purpose of enforcing any law of Canada, a province or a foreign jurisdiction, carrying out an investigation relating to the enforcement of any such law or gathering intelligence for the purpose of enforcing any such law, or
(iii) the disclosure is requested for the purpose of administering any law of Canada or a province;
It must be noted that these provisions are permissive, meaning that they allow you to disclose the information in these circumstances without offending PIPEDA. Nothing in the above require you to disclose the information. Any compulsion has to come from another statute or rule of law. So, if asked, preserve the information and ask that they return with a warrant. If they have probable cause and a reasonable basis to compel the information, they'll be back.
If you are served with a subpoena for personal information about a customer, you should immediately notify the customer. If you aren't able to, you should resist the disclosure. A subpoena is not a search warrant. In most jurisdictions, any lawyer representing any litigant can print out a subpoena and go to the court to get a fancy looking stamp on it. All a subpoena means is that you are required to attend at court with the information to have a judge make the final call. There may be no basis for the demand for information and your organization should avoid any situation where it has provided personal information that it was not legally required to hand over. When the internet service providers in the recent file sharing case resisted disclosure and took the matter to court, they emerged as staunch defenders of their users' privacy. That's certainly better than the alternatives.

Supreme Court of Canada says that wiretap order is required to obtain text messages

2013-03-27T14:30:00.001-03:00

The Supreme Court of Canada released its decision this morning in the case of R. v. TELUS Communications Co., 2013 SCC 16.

The question the court had to answer was whether the police should be required to get an interception order under the Criminal Code to obtain the contents of text messages being sent and received by a customer of TELUS Communications. The answer was yes.

TELUS Communications, for reasons that are unclear to me, keeps all customer text messages for thirty days. The police sought from TELUS copies of all text messages sent and received by one of their customers, on a daily, rolling basis. So each day, the telco would have to hand over the text messages from the preceding 24 hours.

Instead of getting an interception order under the Criminal Code, the police used a residual, catch-all provision for a “general warrant”, which is usually only available if there is no other applicable form of order to obtain the information. The majority of the Supreme Court of Canada determined that, notwithstanding that the text messages were provided after the fact and from a cache, it amounted to an interception of private communications and an interception order – with its higher burden on the cops – should be applicable. There are some strong dissents, including from the Chief Justice, which are worth looking at.

Here is the headnote:

Criminal law — Interception of communications — General warrant — Telecommunications company employing unique process for transmitting text messages resulting in messages stored on their computer database for brief period of time — General warrant requiring telecommunications company to produce all text messages sent and received by two subscribers on prospective, daily basis — Whether general warrant power in s. 487.01 of Criminal Code can authorize prospective production of future text messages from service provider’s computer — Whether investigative technique authorized by general warrant in this case is an interception requiring authorization under Part VI of Criminal Code — Whether general warrant may properly issue where substance of investigative technique, if not its precise form, is addressed by existing legislative provision — Criminal Code, R.S.C. 1985, c. C‑46, ss. 487.01.
Unlike most telecommunications service providers, TELUS Communications Company routinely makes electronic copies of all the text messages sent or received by its subscribers and stores them on a computer database for a brief period of time. The police in this case obtained a general warrant and related assistance order under ss. 487.01 and 487.02 of the Criminal Code requiring Telus to provide the police with copies of any stored text messages sent or received by two Telus subscribers. The relevant part of the warrant required Telus to produce any messages sent or received during a two‑week period on a daily basis. Telus applied to quash the general warrant arguing that the prospective, daily acquisition of text messages from their computer database constitutes an interception of private communications and therefore requires authorization under the wiretap authorization provisions in Part VI of the Code. The application was dismissed. The focus of the appeal is on whether the general warrant power can authorize the prospective production of future text messages from a service provider’s computer.
Held (McLachlin C.J. and Cromwell J. dissenting): The appeal should be allowed and the general warrant and related assistance order should be quashed.
Per LeBel, Fish and Abella JJ.: Part VI of the Criminal Code provides a comprehensive scheme for “wiretap authorizations” for the interception of private communications. The purpose of Part VI is to restrict the ability of the police to obtain and disclose private communications.
Telus employs a unique process for transmitting text messages that results in the messages being stored on their computer database for a brief period of time. In considering whether the prospective, daily production of future text messages stored in Telus’ computer falls within Part VI, we must take the overall objective of Part VI into account.
Text messaging is, in essence, an electronic conversation. Technical differences inherent in new technology should not determine the scope of protection afforded to private communications. The only practical difference between text messaging and traditional voice communications is the transmission process. This distinction should not take text messages outside the protection to which private communications are entitled under Part VI.
Section 487.01 of the Code, the general warrant provision, was enacted in 1993 as part of a series of amendments to the Code in Bill C‑109, S.C. 1993, c. 40. It authorizes a judge to issue a general warrant permitting a peace officer to “use any device or investigative technique or procedure or do anything described in the warrant that would, if not authorized, constitute an unreasonable search or seizure”. Notably, s. 487.01(1)(c) stipulates that the general warrant power is residual and resort to it is precluded where judicial approval for the proposed technique, procedure or device or the “doing of the thing” is available under the Code or another federal statute.
Section 487.01(1)(c) should be broadly construed to ensure that the general warrant is not used presumptively to prevent the circumvention of the more specific or rigorous pre‑authorization requirements for warrants, such as those found in Part VI. To decide whether s. 487.01(1)(c) applies, namely, whether another provision would provide for the authorization sought in this case, requires interpreting the word “intercept” in Part VI. “Intercept” is used throughout Part VI with reference to the intercept of private communications. This means that in interpreting “intercept a private communication”, we must consider the broad scope of Part VI and its application across a number of technological platforms, as well as its objective of protecting individual privacy interests in communications by imposing particularly rigorous safeguards. The interpretation should not be dictated by the technology used to transmit such communications, like the computer used in this case, but by what was intended to be protected under Part VI. It should also be informed by the rights enshrined in s. 8 of the Charter, which in turn must remain aligned with technological developments.
A technical approach to “intercept” would essentially render Part VI irrelevant to the protection of the right to privacy in new, electronic and text‑based communications technologies, which generate and store copies of private communications as part of the transmission process. A narrow definition is also inconsistent with the language and purpose of Part VI in offering broad protection for private communications from unauthorized interference by the state.
The interpretation of “intercept a private communication” must, therefore, focus on the acquisition of informational content and the individual’s expectation of privacy at the time the communication was made. To the extent that there may be any temporal element inherent in the technical meaning of intercept, it should not trump Parliament’s intention in Part VI to protect an individual’s right to privacy in his or her communications. The use of the word “intercept” implies that the private communication is acquired in the course of the communication process. The process encompasses all activities of the service provider which are required for, or incidental to, the provision of the communications service. Acquiring the substance of a private communication from a computer maintained by a telecommunications service provider would, as a result, be included in that process.
Text messages are private communications and, even if they are stored on a service provider’s computer, their prospective production requires authorization under Part VI of the Code. If Telus did not maintain its computer database, there is no doubt that the police would be required to obtain an authorization under Part VI to secure the prospective, and in this case continuous, production of text messages. Most service providers do not routinely copy text messages to a computer database as part of their transmission service. Accordingly, if the police wanted to target an individual who used a different service provider, they would have no option but to obtain wiretap authorizations under Part VI to compel the prospective and continuous production of their text messages. This creates a manifest unfairness to individuals who are unlikely to realize that their choice of telecommunications service provider can dramatically affect their privacy. The technical differences inherent in Telus’ transmission of text messages should not deprive Telus subscribers of the protection of the Code that every other Canadian is entitled to.
The general warrant in this case was invalid because the police had failed to satisfy the requirement under s. 487.01(1)(c) of the Code that a general warrant could not be issued if another provision in the Code is available to authorize the technique used by police. Since the warrant purports to authorize the interception of private communications, and since Part VI is the scheme that authorizes the interception of private communications, a general warrant was not available.
Per Moldaver and Karakatsanis JJ.: There is agreement with Abella J. that the police are entitled to a general warrant only where they can show that “no other provision” of the Criminal Code or any other Act of Parliament would provide for the investigative technique, including a substantively equivalent technique, for which authorization is sought. The investigative technique in this case was substantively equivalent to an intercept. The general warrant is thus invalid. Resolution of whether what occurred in this case was or was not, strictly speaking, an “intercept” within the meaning of s. 183 of the Code is unnecessary. A narrower decision guards against unforeseen and potentially far‑reaching consequences in this complex area of the law.
The result is driven by the failure of the authorities to establish the requirement in s. 487.01(1)(c) that there be “no other provision” that would provide for the search. This provision ensures that the general warrant is used sparingly as a warrant of limited resort. In creating the general warrant, Parliament did not erase every other search authorization from the Code and leave it to judges to devise general warrants on an ad hoc basis as they deem fit. Courts must therefore be careful to fill a legislative lacuna only where Parliament has actually failed to anticipate a particular search authorization. The “no other provision” requirement must be interpreted so as to afford the police the flexibility Parliament contemplated in creating the general warrant, while safeguarding against its misuse. There is a need for heightened judicial scrutiny where Parliament has provided an authorization for an investigative technique that is substantively equivalent to what the police seek but requires more onerous pre-conditions. Thus, the test under s. 487.01(1)(c) must consider the investigative technique that the police seek to utilize with an eye to its actual substance and not merely its formal trappings.
The approach to the “no other provision” requirement accepts a measure of uncertainty by tasking judges with the job of inquiring into the substance of purportedly “new” investigative techniques. When uncertainty exists, the police would do well to err on the side of caution. General warrants may not be used as a means to circumvent other authorization provisions that are available but contain more onerous pre-conditions. Judges faced with an application where the investigative technique, though not identical, comes close in substance to an investigative technique covered by another provision for which more rigorous standards apply should therefore proceed with extra caution. Where careful scrutiny establishes that a proposed investigative technique, although similar, has substantive differences from an existing technique, judges may grant the general warrant, mindful of their obligation under s. 487.01(3) to impose terms and conditions that reflect the nature of the privacy interest at stake.
A literal construction of s. 487.01(1)(c) must be rejected. Such an approach strips the provision of any meaning and renders it all but valueless. Legislative history confirms that general warrants were to play a modest role, affording the police a constitutionally sound path for investigative techniques that Parliament has not addressed. Ensuring that general warrants are confined to their limited role is the true purpose of s. 487.01(1)(c). While the “best interest” requirement in s. 487.01(1)(b) serves to prevent misuse of the general warrant, this provision should not be interpreted as swallowing the distinct analytical question that the “no other provision” test asks. A purposive approach to s. 487.01(1)(c) has nothing to do with investigative necessity. Under the “no other provision” test, the police are not asked to show why an alternative authorization would not work on the facts of a particular case, but rather why it is substantively different from what Parliament has already provided.
In this case, the general warrant is invalid because the investigative technique it authorized was substantively equivalent to an intercept. What the police did — securing prospective authorization for the delivery of future private communications on a continual, if not continuous, basis over a sustained period of time — was substantively equivalent to what they would have done pursuant to a Part VI authorization. It was thus, at a minimum, tantamount to an intercept. Though there is no evidence to suggest that the police acted other than in good faith, the police failed to meet their burden to show that the impugned technique was substantively different from an intercept. On the facts here, the general warrant served only to provide a means to avoid the rigours of Part VI. The police could and should have sought a Part VI authorization.
Per McLachlin C.J. and Cromwell J. (dissenting): The question of whether what the police did under this general warrant is an interception of a private communication is one of statutory interpretation. When the text of the statutory provisions is read in its full context, it is clear that the general warrant does not authorize an interception that requires a Part VI authorization. While there is no doubt that the text message is a private communication and that text messages here were intercepted by Telus by means of an electro-magnetic, acoustic, mechanical or other device, the police in this case, did not intercept those messages when Telus turned over to them copies of sent and received messages previously intercepted by Telus and stored in its databases. Therefore, the investigative technique authorized by the general warrant in this case was not an interception of private communication.
Fundamental to both the purpose and to the scheme of the wiretap provisions is the distinction between the interception of private communications and the disclosure, use or retention of private communications that have been intercepted. The purpose, text and scheme of Part VI show that the disclosure, use or retention of intercepted private communications is distinct from the act of interception itself. That is, if disclosure or use of a private communication were an interception of it, there would be no need to create the distinct disclosure or use offence. Similarly, the exemptions from criminal liability show that Parliament distinguished between interception on one hand and retention, use and disclosure on the other.
In this case, it is not disputed that Telus was intercepting text messages when it copied them for its own systems administration purposes. However, it is also agreed that Telus lawfully intercepted private communications. Under the general warrant, the police sought disclosure from Telus of information that it had already lawfully intercepted. The general warrant did not require Telus to intercept communications, but to provide copies of communications that it had previously intercepted for its own lawful purposes. As the scheme of the legislation makes clear, disclosure or use of a lawfully intercepted communication is not an interception. It is inconsistent with the fundamental distinction made by the legislation to conclude that the police were intercepting private communications when Telus provided them with copies of previously intercepted and stored text messages. The distinction in the statute between interception and disclosure cannot be dismissed as a mere “technical difference”. The distinction is fundamental to the scheme of the provisions. When Telus turns over to the police the copies of the communications that it has previously intercepted, Telus is disclosing the communications, not intercepting them again. This disclosure by Telus from its databases cannot be an interception by the police.
Acquiring the content of a previously intercepted and stored communication cannot be an interception because that broad reading is inconsistent with the clear distinction between interception and disclosure in the provisions. Applied broadly, this interpretation of “acquire” would extend the scope of investigative techniques which require wiretap authorizations far beyond anything ever previously contemplated. Further, introducing a temporal aspect of interception would confuse the act of interception with the nature of its authorization. Interception is a technique, a way of acquiring the substance of a private communication. It could not be that exactly the same technique, which acquires information in exactly the same form may be either a seizure of stored material or an interception, depending on the point in time at which the technique is authorized.
The general warrant is not one of limited resort that should be used sparingly. On the contrary, as numerous authorities have acknowledged, the provision is cast in wide terms. Therefore, it is not accepted as an imperative that s. 487.01 must be interpreted with a view to heavily restricting its use. The focus of the inquiry is on two matters (in addition of course to reasonable grounds to believe that an offence has been committed and that information concerning the offence will be obtained): is authorization for the “technique, procedure or device to be used or the thing to be done” provided for in any other federal statute and is it in the best interests of the administration of justice to authorize it to be done? Section 487.01(1)(c) provides that a general warrant may issue if “there is no other provision . . . that would provide for a warrant, authorization or order permitting the technique, procedure or device to be used or the thing to be done”. The words “technique”, “procedure”, “device to be used” and “thing to be done” all are concerned with what the police want to do, not why they want to do it. This paragraph does not require issuing judges to consider whether other techniques are similar or allow access to the same evidence; it simply asks if the same technique can be authorized by another provision. This is not simply a narrow, literal interpretation of s. 487.01. Rather, it is an interpretation that reflects its purpose of conferring a broad judicial discretion to authorize the police to “use any device or investigative technique or procedure or do any thing”, provided of course that the judge is satisfied that it is in the best interests of the administration of justice to do so, having due regard to the importance of the constitutional right to be free of unreasonable searches and seizures. However, courts should not authorize anything the police seek to do simply because it is not authorized elsewhere. The judicial discretion to issue the warrant must give full effect to the protection of reasonable expectations of privacy as set out under s. 8 of the Charter.
There is no support in the text or the purpose of s. 487.01(1)(c), or in the jurisprudence, for building into it a “substantive equivalency” test. The paragraph asks a simple question: Does federal legislation provide for “a warrant, authorization or order permitting the technique, procedure or device to be used or the thing to be done”? Where this threshold is met, the judge is entitled to consider granting the requested authorization. The further question of whether the authorization ought to be granted is not the focus of this paragraph of the section. Rather, whether a general warrant ought to issue is properly considered under s. 487.01(1)(b), which asks whether authorizing the warrant would be in the best interests of the administration of justice. This approach is not only supported by the text, purpose and jurisprudence, but the application of a “substantive equivalency” test creates unnecessary uncertainty and distracts the issuing judge from the question of whether the technique sought to be authorized is inconsistent with the right to be free from unreasonable searches and seizures. Predictability and clarity in the law are particularly important in the area of judicial pre-authorization of searches. The primary objective of pre-authorization is not to identify unreasonable searches after the fact, but to ensure that unreasonable searches are not conducted. The requirements for pre-authorization should be as clear as possible to ensure that Charter rights are fully protected.
The technique sought to be authorized here is not the substantive equivalent of a wiretap authorization. On the facts of this case, a wiretap authorization alone would not allow the police to obtain the information that Telus was required to provide under the general warrant. Three separate authorizations would be required in order to provide the police with the means to access the information provided to them under the general warrant. Therefore, even if one were to accept reading into s. 487.01(1)(c) a “substantive equivalency” test, neither the facts nor the law would support its application in this case.
The police did not seek a general warrant in this case as a way to avoid the rigours of Part VI. The general warrant achieved the legitimate aims of the police investigation in a much more convenient and cost-effective manner than any other provision would have allowed. There is no evidence of “misuse” of s. 487.01. The effective and practical police investigation by a relatively small municipal police force was fully respectful of the privacy interests of the targets of the investigation and other Telus subscribers.

Microsoft releases first "transparency report" with stats on law enforcement user data requests

2013-03-22T17:52:00.001-03:00

Following the lead of Google, Twitter and Facebook, Microsoft has released its first "Transparency report" which provides some visibility into the number of law enforcement requests for user data it receives and what its policies are regarding the disclosure of such data: 2012 Law Enforcement Requests Report. Well done, Microsoft.

Now let's see some Canadian telcos follow suit.

Government's data management practices are badly broken

2013-03-21T07:10:00.001-03:00

I've written in the last little while about how we need to put the government under the same level of scrutiny that has been given to the private sector, especially in light of the nature of the relationship citizens have with the government. It's nice to see others share that view.

Tyler Morgenstern has a guest blog over at OpenMedia.ca that's well worth reading: What the media is missing: Government privacy breaches | OpenMedia.ca:

... Over the past several months, we’ve seen time and again that this government’s data management practices are badly broken. Yet it continues to pursue a policy agenda that erodes legislated privacy protections at every turn, opening up new deficiencies and vulnerabilities.
This mismatch between privacy-invasive policies and privacy-deficient practices puts all Canadians at risk of fraud, identity theft, and other privacy-related crimes. As Jesse Brown recently pointed out in a series of blog posts for Maclean’s, what the Canadian government needs isn’t necessarily more information; it’s better, more secure, and more accountable ways of managing the information they already have.[11]
We’re long overdue for a serious discussion about what kind of solutions should be in play across government. And even more importantly, we need to think long and hard about what kind of policies, regulations, best practices, and accountability mechanisms are needed to ensure that those solutions put the privacy of Canadians first.

Class action against LinkedIn for password breach dismissed for lack of harm

2013-03-16T08:15:00.001-03:00

Earlier this month, a US district court judge dismissed a $5 million class action lawsuit brought against LinkedIn related to the breach of its password database. (Here's the decision [PDF].) The plaintiffs claimed that LinkedIn failed to use industry-standard best practices to secure passwords (hashes and salts) and also argued that LinkedIn Premium members paid for but didn't get a premium level of security.

What is most interesting about this case is how typical it is for many privacy-related class actions. Some security snafu results in a password database being compromised, so the service provider has to notify users and rest passwords. Seldom are they associated with actual misuse that causes actual harm to the user, other than some angst and the bother of having to reset passwords. But the most important thing is that there is no actual, discernable harm to the user. No out of pocket costs and no detected fraud against the user.

Negligence law, under which most of these claims are founded, is based on a breach of a legal duty that results in harm. If you have no harm, you have no negligence -- at least in law. So in this case, counsel for the plaintiffs argued that this was actually a breach of contract based on the LinkedIn terms of use. The argument was that premium members contracted for premium security. The judge dismissed this argument saying that premium members were promised the same security as free members. However, in contract cases, the court said that the degree of harm suffered by the plaintiff is relevant:

... in cases where the alleged wrong stems from allegations about insufficient performance or how a product functions, courts have required plaintiffs to allege “something more” than “overpaying for a ‘defective’ product.” Plaintiffs do not argue that they did not receive security services; rather, they argue the security services were defective in some way, as evinced by the 2012 hacking incident. This is not the case where consumers paid for a product, and the product they received was different from the one as advertised on the product’s packaging. Because Plaintiffs take issue with the way in which LinkedIn performed the security services, they must alleged “something more” than pure economic harm. This “something more” could be a harm that occurred as a result of the deficient security services and security breach, such as, for example, theft of their personally identifiable information. [citations omitted]

The court also dismissed the argument that the harm suffered by the plaintiff was a risk of future harm. This argument suggests that the password breach meant that the plaintiff was now at risk of identity theft or other financial fraud, and this is a harm in and of itself. The Court said:

C. Increased Risk of Future Theory
Plaintiff Wright offers an additional theory of injury-in-fact to support her claim of standing. She contends that, as a result of the 2012 hacking incident and the posting of her password on the Internet, there is now an increased risk of future harm. The Court finds that standing on this ground has not been met because these allegations have not been alleged in the FAC. Plaintiff Wright merely alleges that her LinkedIn password was “publically posted on the Internet on June 6, 2012.” In doing so, Plaintiff Wright fails to show how this amounts to a legally cognizable injury, such as, for example, identify theft or theft of her personally identifiable information.

This case highlights an important characteristic of most data breaches that aren't directly linked to financial harm: it is difficult to show any kind of harm that the courts will consider compensating. That doesn't mean that the right facts will show up one day to permit a court to open the door, but for now privacy class actions are likely to be more of a nuisance to the defendant than a clear path to compensation for putative plaintiffs.

For more background, see: Infosecurity - LinkedIn's $5M class-action data breach lawsuit dismissed.

US federal district court judge rules National Security Letters are unconstitutional

2013-03-15T20:24:00.001-03:00

The Electronic Frontier Foundation is reporting that a US Federal District Court judge in San Francisco has ruled that National Security Letters are unconstitutional as a violation of the First Amendment of the US Constitution and the separation of powers. The Judge's order has been stayed for 90 days to permit the federal government time to appeal.

National Security Letters (NSLs) are a form of administrative subpoena that can be issued by a senior official of the FBI, which requires the recipient to provide non-content or transactional information and is usually accompanied by a gag order.

According to EFF's media release, Judge Susan Illston ordered that the FBI stop issuing NSLs and cease enforcing the gag provision in this or any other case.

From the EFF: National Security Letters Are Unconstitutional, Federal Judge Rules | Electronic Frontier Foundation

A copy of the Judge's decision is available here, also on the EFF website.

Canadian government's new standard on privacy and web analytics

2013-03-14T06:53:00.001-03:00

The CBC is reporting on the Canadian Government's relatively new Standard on Privacy and Web Analytics, which was launched earlier this year. The Treasury Board standard came into effect, but government departments are being given time to adjust contracts with outside providers of website analytic services.
The key provisions related to privacy are set out in Appendix and and Section 3.2 of Appendix A sets out the requirements that government departments must impose on third party service providers:

3.2 That contract must, at a minimum, contain provisions meeting the requirements as set out below.

a. A definition of "personal information" as meaning information collected or generated in the performance of the contract about an individual, including the types of information specifically described in the Privacy Act and also including information that may be linked or is linkable to an individual such as the website visitor's IP address.
b. A requirement that the third party appoint an officer within the organization to act as representative for all matters related to personal information and that the name and contact information for this third-party contact be provided to the government institution within 10 days of the awarding of the contract.
c. A requirement that the third party provide all of its employees, contractors and subcontractors with information on their privacy obligations when dealing with personal information disclosed or transmitted in relation to the work being performed under the contract or subcontract (the "work").
d. A requirement that the third party depersonalize the IP address prior to its storage in order that the full IP address cannot be reconstituted. This must be done through irrevocable truncation of the last octet of the IP address or through some other methodology that offers comparable privacy protection and has been approved by the Chief Information Officer Branch of the Treasury Board of Canada Secretariat.
e. A requirement that the third party not link, or attempt to link, the IP address or some unique identifier associated with a digital marker with the identity of the individual computer user.
f. A requirement that the depersonalized IP address, along with other data disclosed to the third party for Web analytics, be used only in accordance with the work, and that no subsequent uses or reuses of such data for any other purpose be allowed without the institution's express prior written authorization.
g. A requirement that the third party not disclose or transfer the depersonalized IP address or any other data disclosed to it except in accordance with the work, with the express prior written authorization of the institution, or if required to do so by law.
h. A requirement that the third party use only first-party cookies.
i. A requirement that the third party be prohibited from using techniques such as, but not limited to, interlinking, cross-referencing, data mining or data matching from multiple sources on the personal information collected in relation to the work, unless expressly pre-authorized to do so, in writing, by the government institution.
j. A requirement that the third party have security in place for the personal and depersonalized information that is at least commensurate with the Policy on Government Security.
k. A requirement that the third party safeguard the depersonalized IP address and other information disclosed in relation to the work, and that this information be retained for a maximum period of 6 months, after which time that information, including any backup copies, must be destroyed.
l. An audit provision whereby the third party may be audited at least once annually, at a date to be determined by the Government of Canada, to ensure compliance with these requirements.

Private member's bill introduced to give Privacy Commissioner order-making powers

2013-03-14T05:39:00.000-03:00

On February 26, 2013, Charmaine Borg introduced Private Member’s Bill C-475 (41-1), an Act to amend the Personal Information Protection and Electronic Documents Act (order-making power), to the House of Commons. Bill C-475 is expected to see its first hour of debate at Second Reading on Monday, April 15th, 2013 and a vote on second reading is expected before the end of May.
The Bill proposes to amend PIPEDA to:

Require organizations to notify the Privacy Commissioner of any breach to the security of personal information where there is a possible risk of harm to the affected individual(s);
Allow the Privacy Commissioner to order organizations to notify affected individual(s) of a data breach if an appreciable risk of harm is found;
Create order-making powers to be used by the Privacy Commissioner to enforce the Personal Information Protection and Electronic Documents Act in the event that an organization mishandles the personal information of Canadians ; and
Empower the Federal Court to impose fines in cases of non-compliance with an enforcement order issued by the Privacy Commissioner.

I'm in favour of breach notification as long as the threshold is high enough to prevent "false positives" but low enough so that individuals are alerted when the breach is likely to actually affect them. I'm not in favour of giving the Privacy Commissioner general order making powers, particularly in the absence of completely revising the structure of the office to ensure that the somewhat contradictory powers of advocate, cop, prosecutor, judge, jury and executioner are not given to the same person.
While private members' bills historically don't go anywhere, it will be interesting to watch the debate over this one.

Insurance company inadvertently discloses personal information to complainant’s employer

2013-03-12T07:58:00.003-03:00

In PIPEDA Report of Findings # 2012-009, the Office of the Privacy Commissioner of Canada considered a complaint brought by an individual against an insurance company for the disclosure of personal information to the complainant’s employer without her consent. The complainant was employed at a hair salon and was contemplating leaving her employer to set up a competing business. The complainant contacted an insurance company to obtain quotes on insurance for the new business and specifically requested that the company not call her back at her current workplace. Notwithstanding this direction, the company did and left a voice mail in the employer’s general inbox. The contents of a voice mail message were heard by the complainant’s employer, who terminated the complainant’s employment.

The Assistant Commissioner found that there had been a disclosure of personal without her consent, so the complaint was “well founded”. The Assistant Commissioner made specific recommendations to the insurance company, and it ultimately agreed to 1) implement a new procedure that minimizes the amount of information that employees leave in client telephone messages, and 2) amend existing procedures to ensure client contact information and messaging preferences are updated regularly to maintain accuracy. The insurance company also agreed to implement these procedures, so the complaint was also found to be “resolved”.

Privacy Commissioner faults two summer camps for exchanging information about camper

2013-03-12T07:57:00.002-03:00

In two related complaints against two summer camps, the Assistant Privacy Commissioner of Canada faulted the camps for exchanging information about a camp applicant without adequate consent. In PIPEDA Report of Findings #2012-007, the parent of a prospective camper complained to the Office of the Privacy Commissioner of Canada because the camp contacted another summer camp that the child had attended previously. The camp in question first stated that they had not contacted the second camp at all, but exchanging such background information was relatively standard in their business and, if they had, they would have had adequate consent by virtue of their privacy policy and privacy statement that was available to the complainant.

In speaking with the second camp, the Assistant Commissioner determined that the exchange of background information had taken place, notwithstanding the company’s initial statements. With respect to adequate consent, the Assistant Commissioner reviewed the relevant privacy statements and concluded they were too vague and uncertain to result in consent for this sort of information collection. The Assistant Commissioner recommended that the camp obtain better consent for such collections and uses of personal information, and provide privacy training to employees. The recommendations were accepted and the complaint was determined to be “well founded and conditionally resolved”.

With respect to the second summer camp, which had disclosed information to the first summer camp, the Assistant Commissioner found that it violated PIPEDA in PIPEDA Report of Findings # 2012-008. Specifically, the complainant alleged that it had disclosed the former camper’s personal information without consent. The camp admitted that it had disclosed the information, but stated it was a standard practice and that adequate consent had been obtained. The Assistant Commissioner examined the camp’s privacy statements and concluded the information was minimal and not a sufficient basis for consent.

The Assistant Commissioner concluded that the complaint was “well founded and conditionally resolved”, as the camp agreed to follow her recommendations to implement a better policy and to provide employee privacy training.