The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.
The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.
For full contact information and a brief bio, please see David's profile.
Please note that I am only able to provide legal advice to clients. I am not able to provide free legal advice. Any unsolicited information sent to David Fraser cannot be considered to be solicitor-client privileged.
The views expressed herein are solely the author's and should not be attributed to his employer or clients. Any postings on legal issues are provided as a public service, and do not constitute solicitation or provision of legal advice. The author makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein or linked to. Nothing herein should be used as a substitute for the advice of competent counsel.
This web site is presented for informational purposes only. These materials do not constitute legal advice and do not create a solicitor-client relationship between you and David T.S. Fraser. If you are seeking specific advice related to Canadian privacy law or PIPEDA, contact the author, David T.S. Fraser.
Wednesday, February 27, 2008
What's the deal with surveillance cameras in bathrooms? I suppose that the WC is the last bastion of privacy, so it was bound to be invaded by surveillance cameras sooner or later.
Here's a story from the UK where school officials conceded to furious students to remove CCTV cams from school bathrooms: School removes CCTV cameras from children's toilets after furious protest from parents the Daily Mail
Labels: privacy, surveillance, video surveillance
Thursday, February 21, 2008
There seems to be a growing practice of celebrities selling photos of their infant children. It is said (by the celebs or their publicists) that this is to control the release of these photos, which the press will get their hands on in any event. That doesn't ring true to me and it seems that it probably feeds the demand for such photos. Even worse, the kids have privacy rights and while parents are the ones who get to make decisions on their behalf, they should also be acting in the best interests of the kids. Selling their photos doesn't seem to be in anyone's interest other than the parents who receive the cash.
At least this is what I told ABC News when asked.
abc13.com: Pregnancy pays off in Hollywood 2/21/08If you could sell photos of your baby for $1 million, would you do it?
Jennifer Lopez, who hasn't had a hit record or movie in several years, is close to selling her baby photos for $4-$6 million to People magazine, according to Advertising Age. People recently paid an estimated $1.5 million to B-list singer Christina Aguilera for exclusive shots of her new son, Max.
Lopez is just the latest in a long line of celebrities and the almost famous to sell the first photos of their babies to magazines and supermarket tabloids. From Angelina Jolie and Brad Pitt to Britney Spears to Nicole Richie and Joel Madden to Tori Spelling, more and more stars are making deals to control the inevitable media coverage of their children and put some cash in their pockets.
Exploitation?
But is it expected or exploitative for celebrity parents who face aggressive media coverage of their every move to peddle photos of their children to the highest bidder?
Some ethicists and child psychologists are disturbed by the practice, which treads the nexus of money, parenthood and fame.
"If your own parents are literally selling you out, where can one feel safe?" asks Dr. Bruce Weinstein, a syndicated ethics columnist. "What's especially troubling is that the person who's the subject of these photos isn't able to give informed consent. I could image that person being really troubled by it."
Weinstein isn't swayed by the rationale offered by celebrities, that it's a way for them to control the inevitable media maelstrom. "If you look at what happened with Britney Spears or Angelina Jolie, [selling the photos] didn't quell the feeding frenzy. Whether People or OK gets first dibs, people still want to take photos of the child."
And he isn't impressed with the fact that some stars have contributed some of the baby bonanza to charity, such as Jolie and Pitt, who gave $2 million of a reported $4 million windfall to Global Action for Children and Doctors Without Borders.
Weinstein cited St. Paul's letter to the Romans: "We are not to do evil that good may come from it" to explain his argument.
"If you're already starting from extreme wealth, that argument doesn't hold much water," he says. "They're already in a position to give money to charity."
Child psychologist Sam Hackworth says that the practice could be troubling depending on the circumstances and the ego of the parent.
"If kids understand that the parent did it to control the photos, they can see that as a rational reason," says Hackworth. "But if it was clearly just to make money, if a child's older and realizes that the only way we've maintained this lifestyle is because you sold my photos, that could be troubling."
David T.S. Fraser, a privacy lawyer in Nova Scotia, Canada, says that while he sympathizes with celebrities who are trying to deal with out-of-control paparazzi, the practice of selling baby photos actually seems to have the opposite effect.
'Feeds The Market'
"If anything it probably feeds the market for these photos," he explains. "The other magazines will want to compete and could be even more aggressive."
Fraser also questioned why celebrities who desired to control the coverage of their children demanded money. "The selling of the photos is also a little suspect. Why not just hand them out? There's a disconnect between controlling the release and profiting from it. It's almost as if they're being pimped out. You can certainly see why people would think that the kids are being exploited for profit or otherwise."
Spokespeople for People magazine and OK declined to comment on the dollar figure cited in reports about the bidding for Lopez's baby photos.
Lopez's publicist did not return calls. Her husband Marc Anthony's publicist said that the $4-$6 million figure is not accurate but she would not indicate whether the true amount is higher or lower.
Asked whether any of that money will be donated to charity, Anthony's publicist said, "We will discuss that and make that public when we're ready to do so."
The magazines, of course, have their own rationale for buying the photos: to sell millions of copies.
Although People's issue featuring Aguilera's son is reportedly selling poorly, a spokesperson insisted that the issue was not a flop and that the final sales numbers were still being counted.
Previous celebrity baby issues have sold extremely well. Even after the magazine raised the price of the issue featuring Jolie and Pitt's daughter, Shiloh, by 50 cents, it sold 2.2 million copies.
"It does help magazines," says Samir Husni, known as Mr. Magazine, who chairs the journalism department at University of Mississippi. "There is an old saying: Give me a picture of a baby, a beautiful woman, chocolate or a dog and I will sell a magazine."
Candace Trunzo, the editor of Star magazine, said that she would not be surprised if People paid as much as $6 million for the photos.
The Pictures Sell Magazines
"It's a matter of competition and J.Lo is interesting. She couldn't get pregnant for a long time. She's had plenty of relationship drama. And she's having twins."
Trunzo, whose magazine has been criticized by journalism ethicists for paying for stories and tips, said that there's no difference between a magazine paying for words or photos.
"People is reaching into its pockets and paying for the story, for J.Lo to say how the birth went, it's a first-person story with pictures," she says. "They set themselves above the fray but they're doing the same thing that everyone else is doing. It's what we do. I think that our readers like to see babies. If you're a dad or mom, you take out your baby pics, everyone goes ooh and aah. People will buy that cover."
Labels: privacy
The Alberta Commissioner's office has been busy and productive as of late. The Commissioner has ruled that a database of pawn shop patrons is unlawful and has ordered that the database that's been in operation since 2006 be destroyed. Check out the decision/order here: Order P2007-001, F2007-001 and F2007-002.
Some media coverage here: Edmonton's pawnshop database violates privacy laws, commissioner rules
Wednesday, February 20, 2008
In a long awaited decision, the Information and Privacy Commissioner of Alberta has ordered a nightclub to cease scanning drivers licenses. The practice is an unreasonable collection of personal information and is not justified under the Personal Information Protection Act.
From the decision, the Commissioner didn't see the connection between the collection of drivers license information and the supposed purposes for collecting it:
[para 31] From my review of the evidence and the parties’ submissions, I find that, at best, the Organization offers conjecture that collecting driver’s license information of patrons may act as a deterrent to violent behaviour. The Organization did not submit any evidence to establish that collecting the Complainant’s driver’s license information, or that of other patrons, is in any way a deterrent to violent behavior. In addition, it did not provide any evidence regarding the causes of violence in bars or statistics relating to the incidence of violence in bars before and after the implementation of a driver’s license collection program. I draw the inference that the Organization is unable to produce any evidence to draw a correlation between violence, patron safety, and collecting driver’s license information. As a result, the Organization has failed to establish any reasonable relationship between collecting driver’s license information and any of its stated purposes for scanning driver’s licenses. I am therefore unable to conclude that the Organization has a reasonable purpose within the meaning of section 11 when it scans patrons’ driver’s licenses.[para 32] For these reasons, I find that the Organization did not comply with the requirements of either section 11(1) or (2) when it scanned the driver’s license information of the Complainant, as its collection of personal information is not reasonable related to its purpose....
On the topic of whether putting up a poster results in informed consent:
[para 53] The Complainant’s evidence is that his driver’s license was scanned before he could raise an objection. He had assumed that the Organization’s employee would check his birth date, but she instead scanned the information on the license into a database. The Organization does not challenge the Complainant’s version of events, but points to a poster it has now posted for patrons explaining why it collects driver’s licenses and what it does with them. It argues that this poster satisfies the requirements of section 13(1).[para 54] As noted above, the poster explains that its collection practice is intended “to encourage our patrons to behave responsibly and deter those who are seeking to ruin your experience with us, from entering the venue.” The poster is not clear about the purposes of the Organization in collecting the information and does not warn patrons that information will be retained for a period of 7 – 10 days or longer by the Organization.
[para 55] I find that the poster is misleading and does not provide sufficient information for patrons to provide informed consent to the Organization’s collection of personal information. In addition, the Organization provided no evidence that the poster was in place when it scanned the Complainant’s driver’s license. In fact, paragraph 8 of the Organization’s affidavit establishes only that the notice was posted on August 24, 2006, the date of the affidavit.
[para 56] I find that the Complainant did not consent to the scanning of the information on the face of his driver’s license, other than to permit the Organization employee to confirm his date of birth. I also find that the Organization did not provide adequate notice to the Complainant of its collection of his personal information. As none of the provisions of 14 apply, and because an individual cannot consent to the unreasonable collection of personal information, I find that the Organization was required to provide notice of its collection and did not. As a result, I find that the Organization contravened section 13 of the Act when it collected the Complainant’s personal information.
The Calgary Sun reports that the owner of the bar is considering appealing and is "furious" about the decision: The Calgary Sun - Bar owner furious after licence checks halted.
Labels: alberta, id swiping, pipa, privacy, surveillance
Not interested in being captured on CCTV? Wear an IR light emitting headband. Apparently this device from Germany offers "protection from the protection". This is courtesy of Boing Boing, where one commentator says this is only useful to thwart IR cameras as most CCTV cameras have an IR filter attached. I don't know if this is the case, but it's clever. See Google's translated version of http://www.oberwelt.de/projects/2008/Filo%20art.htm
Labels: privacy, surveillance, video surveillance
Tuesday, February 19, 2008
Recently, the us Federal Trade Commission successfully brought an action against Accusearch (aka Abika) for selling customer phone records without consent.
Readers will recall that Abika was the subject of a complaint brought by CIPPIC in Canada that is still ongoing.
District Court Bars the Sale of Consumers’ Telephone Records to Third PartiesA federal judge has barred the illegal operation of an information broker who advertised and sold confidential consumer telephone records to third parties without the consumers’ knowledge or consent. In entering summary judgment for the Federal Trade Commission, Judge William F. Downes of the U.S. District Court for the District of Wyoming also required the defendants to give up nearly $200,000 in ill-gotten gains derived from the consumer phone records they sold, and ordered that the individuals whose records were sold be notified.
In May 2006, the FTC charged AccuSearch, Inc., doing business as Abika.com, and its principal, Jay Patel, with violating federal law by selling consumers’ phone records to third parties without the consumers’ knowledge or authorization. According to the FTC complaint, the defendants advertised on their Web site that they could obtain the confidential phone records of any individual – including details of outgoing and incoming calls – and make that information available to their clients for a fee. To obtain such information, which is not legally available to the public, the FTC alleged that the defendants caused others to use “false pretenses, fraudulent statements, fraudulent or stolen documents or other misrepresentations, including posing as a customer of a telecommunications carrier,” to induce the telecommunications carriers to disclose the confidential records. Consumers whose phone records were sold by defendants suffered substantial injury as a result of those sales. The FTC charged that the defendants’ practices were unfair in violation of the FTC Act.
In his ruling, Judge Downes found that the defendants’ obtaining and selling of confidential phone records without consumers’ knowledge or consent was “necessarily accomplished through illegal means,” and that defendants knew that the phone records were being obtained surreptitiously. The court further found that this practice caused substantial injury to consumers, including: serious health and safety risks experienced by some consumers from stalkers and abusers; economic harm associated with changing telephone carriers and upgrading security on their accounts; and a host of “substantial and real” emotional harms. The court concluded that consumers had no way to avoid these harms. “In fact,” Judge Downes wrote, “the evidence presented before the court indicates that confidential consumer phone records were sold through Abika.com despite considerable efforts by consumers to maintain the privacy of those records.” Finally, the court found no countervailing benefits to consumers or competition that could be derived from defendants’ practice.
Judge Downes also rejected the defendants’ claimed immunity under Section 230 of the Communications Decency Act, 47 U.S.C. § 230, a federal statute that confers immunity on interactive computer service providers for publishing information content provided by a third party. The court found that the defendants failed to establish two of the three necessary elements of a CDA defense, holding that the FTC’s lawsuit did not seek to “treat” defendants as a publisher within the meaning of the CDA, and that the defendants participated in the creation or development of the information content.
Following his opinion, Judge Downes permanently barred the defendants from obtaining, causing others to obtain, marketing, or selling consumers’ telephone records except as permitted by law. The order also bars the defendants from purchasing, marketing, or selling consumer personal information unless the information was lawfully obtained. The order prohibits the defendants from making deceptive statements to obtain consumers’ personal information and from buying such information from third parties.
The judge’s order requires the defendants to give up the $199,692.71 in ill-gotten gains they earned through illegally obtaining and selling the records. The order also authorizes the FTC to notify the individuals whose phone records were sold by defendants, to the extent that those consumers can be located. The order allows the FTC to use the forfeited ill-gotten gains for this purpose. Finally, the order contains certain bookkeeping and record keeping requirements to allow the FTC to monitor compliance.
The defendants have appealed the order to the Tenth Circuit Court of Appeals.
The FTC wishes to thank the Office of the U.S. Attorney for the District of Wyoming for its assistance in this matter.
The FTC works for the consumer to prevent fraudulent, deceptive, and unfair business practices and to provide information to help spot, stop, and avoid them. To file a complaint in English or Spanish, click http://www.ftc.gov/ftc/complaint.shtm or call 1-877-382-4357. The FTC enters Internet, telemarketing, identity theft, and other fraud-related complaints into Consumer Sentinel, a secure, online database available to more than 1,600 civil and criminal law enforcement agencies in the U.S. and abroad. For free information on a variety of consumer topics, click http://www.ftc.gov/bcp/consumer.shtm.
Labels: health information, pretexting, privacy, telemarketing
Monday, February 18, 2008
Today's Globe & Mail has an interesting article on electronic health records. Though the Information and Privacy Commissioner of Ontario is featured, the article is light on privacy content. Nevertheless, for those who follow the area, it is a good update on where things are and where they are going.
globeandmail.com: Your medical chart, just a mouse click awayWith the ease of online banking comes this Canadian first: patients perusing their X-rays, checking laboratory test results and discreetly obtaining a second medical opinion - all from the comforts of their home computers.
Ontario's Privacy Commissioner even keeps her electronic health record, called MyChart, on a memory stick, a device the size of a pack of gum that neatly tucks into a pants pocket.
"Given that I travel extensively, it's very important to have access to my [medical] records at a moment's notice," said Ann Cavoukian, who has undergone neurosurgery three times.
Although MyChart is available only to patients at Sunnybrook Health Sciences Centre in Toronto, other Canadian hospitals are coming out with their own versions of the paperless health record.
"By 2010, the goal is to have half of the population with an electronic health record," said Richard Alvarez, president and chief executive officer of Canada Health Infoway, an independent, federally funded agency that works with provinces and territories to invest in electronic health-record projects, typically by funding half the cost. By 2016, he wants every Canadian to have one. ...
Labels: health information, privacy
Thursday, February 14, 2008
The Privacy Commissioner of Canada has completed a review of the exempt databanks maintained by the RCMP and has concluded that many of the records should not be there in the first place. She calls it "disturbing":
News Release: Large number of files mistakenly held in RCMP exempt data banks "disturbing," says Privacy Commissioner (February 13, 2008) - Privacy Commissioner of CanadaLarge number of files mistakenly held in RCMP exempt data banks "disturbing," says Privacy Commissioner
Commissioner tables first special report to Parliament; raises serious concerns about data banks containing documents Canadians can’t access
February 13, 2008 — An audit has found that many of the national security and criminal operational intelligence files sheltered from public access in the RCMP’s exempt data banks did not belong there, says the Privacy Commissioner of Canada in a special report to Parliament.
"These data banks have been crowded with tens of thousands of files that should not have been there," says Commissioner Jennifer Stoddart.
"Government transparency and accountability are fundamental concepts in democratic countries like Canada. Being named in a national security exempt bank file could have a harmful impact, particularly in a post 9-11 environment. For example, it could potentially affect someone trying to obtain an employment security clearance, or impede an individual’s ability to cross the border."
Exempt data banks serve to withhold the most sensitive national security and criminal intelligence information. Government departments and agencies which control these records will consistently refuse to confirm or deny the existence of information in response to an individual’s request for access.
Canadians should be able to see their personal information – except under limited circumstances, such as where the disclosure could threaten national security, international affairs or lawful investigations.
"The large number of documents held in these exempt banks when their inclusion was unwarranted is disturbing – particularly given the RCMP was advised of compliance problems 20 years ago and made a commitment to properly manage such banks " says Commissioner Stoddart.
"More than half of the files examined as part of our audit should not have been there."
The Privacy Commissioner announced during her appearance before the Maher Arar inquiry – where the sharing of personal information by police became a central issue – that her Office would audit exempt data banks held by federal government departments and agencies.
The audit findings are detailed in a special report tabled today in Parliament. This is the first time the Privacy Commissioner has used her powers under the Privacy Act to issue a special report.
RCMP’s Exempt Banks
The RCMP has two exempt banks: Criminal Operational Intelligence Records and National Security Investigations Records.
Of the files the Office of the Privacy Commissioner (OPC) tested, more than half of the national security files and over 60 per cent of criminal operational intelligence files did not warrant exempt bank status. Exempt banks are designed to hold only the most sensitive of such information. These files did not meet the threshold for inclusion in an exempt bank as set out in the Privacy Act and/or the RCMP’s own policy.
These findings are of particular concern given that, with few exceptions, the audit was conducted on files already examined by the RCMP as part of a recent internal review.
To illustrate, one seven-year-old file in the national security exempt bank detailed a resident’s tip that a man had gone into a rooming house and drugs might be involved. Police investigated, but found the man had simply dropped his daughter off at a nearby school and stepped out of his car to smoke.
RCMP Internal Review
While the OPC audit was proceeding, the RCMP conducted its own internal review, which has so far resulted in the removal of more than 45,000 records from the criminal operational intelligence exempt data bank. This review found varying rates of compliance:
- Almost 99 per cent of criminal intelligence exempt data bank holdings – more than 2,700 documents – at RCMP headquarters should not have been there.
- At B Division in Newfoundland and Labrador, roughly two-thirds of documents – close to 37,000 records – were incorrectly kept in the criminal intelligence exempt bank.
An internal review of the national security exempt data bank holdings at 13 divisions resulted in the removal of more than 1,400 files – more than 40 per cent of the files examined.
Notwithstanding the large number of records removed from the exempt data bank holdings as a result of the internal review, the OPC audit concluded both banks remain overpopulated.
"The problems are largely due to a general lack of awareness within the force of exempt bank policy and the absence of ongoing monitoring," says Commissioner Stoddart.
Past History of the RCMP Exempt Bank
In the late 1980s, the RCMP’s criminal operational intelligence exempt bank order was rescinded for non-compliance following another OPC review.
"That exempt bank order was reinstated with an understanding that the RCMP would adhere to guidelines for managing exempt bank holdings. Unfortunately, the RCMP has not met this commitment," the Commissioner says.
"While there is a clear need for exempt data banks to ensure highly sensitive information related to security and intelligence work is protected, privacy concerns must also be considered. Greater care must be taken to ensure that personal information is concealed in an exempt data bank only when absolutely necessary."
Results
The Privacy Commissioner is satisfied that the RCMP is taking the audit observations and recommendations seriously and will take action to ensure its exempt banks comply with the Privacy Act and RCMP policy.
The OPC will examine how the RCMP has followed through on its plans to improve how the exempt banks are managed within the next two years.
The special report and a backgrounder are available at http://www.privcom.gc.ca/.
The Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman, advocate and guardian of privacy and the protection of personal information rights of Canadians.
From the Globe & Mail:
globeandmail.com: No need for RCMP to keep files secret, privacy czar saysNo need for RCMP to keep files secret, privacy czar says
OMAR EL AKKAD
February 14, 2008
OTTAWA -- More than half the files in the RCMP's secret data banks should not be there, the federal Privacy Commissioner said yesterday in a report that is likely to renew calls for an overhaul of the national police force.
An audit by the commissioner's office found that tens of thousands of files in the RCMP's two "exempt" banks - which are designed to hold the most sensitive national security and criminal intelligence information - should not be secret, and many should have been removed years ago.
"These finds are particularly concerning given that, with few exceptions, the audit was conducted on randomly selected files already examined by the RCMP as part of an internal review," Privacy Commissioner Jennifer Stoddart said in a news release accompanying the report.
Ms. Stoddart said the large number of files kept secret was not only unjustifiable, but illegal.
In one case, a man on a Canada-U.S. bus tour, exasperated with a delay by the tour guide, joked that he should hijack the bus, Ms. Stoddart said. The bus driver told U.S. customs officials, and the RCMP were called. Even though it was deemed that the incident was clearly not a serious hijacking attempt, a file was kept in one of the secret banks for more than five years.
Ms. Stoddart said Canadians should be concerned about the large number of unnecessarily secret files because they can have a serious impact on someone looking to cross the border or obtain security clearance for a job.
Because the files are part of the secret data banks, she said, the RCMP will neither confirm or deny they exist when individuals ask the police force if they have any files on them.
Ms. Stoddart said her findings were especially surprising because a previous audit 20 years ago also discovered serious compliance problems with the data banks - problems the RCMP undertook to fix at the time.
The RCMP made the same pledge again yesterday."We will be implementing every one of this report's recommendations," Chief Superintendent Dan Killam said in a news release. He said that the force will re-examine files retained in banks known as Criminal Operational Intelligence Records and National Security Investigation Records.
"The end result will be a new accountability structure that will see responsibility for these banks shared between operational areas of the force and experts from our Access to Information and Privacy Branch," Mr. Killam said. "Based on our reading of Ms. Stoddart's report, we believe this increased oversight of the exempt banks is what she and other Canadians want."
Ms. Stoddart's report, which marks the first time the commissioner has used her powers under the Privacy Act to issue a special report to Parliament, is more bad news for a police force already under intense public scrutiny.
Liberal MP Ujjal Dosanjh said the new findings are a clear indication that the government should adopt the recommendations of a federal task force last year that proposed a new civilian board of management for the force.
"It is absolutely shocking that the RCMP would show such reckless disregard for information about individuals of which 99 per cent did not deserve to be there in the first place," Mr. Dosanjh said. "That should send shivers down every Canadian's spine."
Ms. Stoddart said she believes the large number of unnecessarily secret files are the product of negligence rather than malice.
"I think it just fell by the wayside."
Labels: privacy, privacy act
Labels: facebook, privacy, social networking
Thursday, February 07, 2008
Labels: international travel, laptop, privacy
Wednesday, February 06, 2008
The Federal, Provincial and Territorial Privacy Commissioners came out yesterday against proposed RFID embedded super drivers licenses designed to facilitate border crossings:
Nova Scotia News - TheChronicleHerald.caKeep drivers' information in Canada — officials
Privacy commissioners slam plan to produce national identity cards
By DIRK MEISSNER
The Canadian Press
Wed. Feb 6 - 6:15 AM
VICTORIA — Personal information about Canadian drivers must stay in the country as plans are developed to introduce high-tech driver’s licences in Canada that will be accepted as identification at United States border crossings, Canada’s privacy commissioners said Tuesday.
The commissioners issued a joint statement that called on Ottawa and provincial and territorial governments participating in the so-called enhanced driver’s licence programs to ensure the personal information of participating drivers stays in Canada.
The commissioners also said they continue to voice their opposition to any plans to introduce national identity cards and systems.
British Columbia and the federal government reached an agreement last month to start issuing the enhanced driver’s licences on a trial basis. Ontario is examining a similar licensing program.
The enhanced licences, equipped with radio frequency chips, allow border officials to access personal identity information. They can be used as an alternative to a Canadian passport.
Jennifer Stoddart, Canada’s privacy commissioner, said her office is monitoring the progress of the enhanced driver’s licence program and recently received a government privacy-impact analysis. She said her office is not yet ready to give the green light to the licence program.
"Maybe our positions are more nuanced than that when we say with all these progressive and incremental steps towards measures that increasingly limit Canadians’ privacy, this is what you should be looking for," Stoddart said.
"These are the steps you need to follow," she said. "Have you chosen the least privacy-invasive route?"
David Loukidelis, B.C.’s privacy commissioner, said Canadians need to be reminded that a Canadian passport is a well-established, highly secure identification document.
"These enhanced driver’s licences or EDL programs do raise concerns about security and privacy of personal information on a number of fronts," Loukidelis said.
There are concerns that the radio frequency technology on the chips embedded into the licences could be skimmed by others or used to track individuals, he said.
The commissioners are concerned about the transfer across borders of databases containing personal information about Canadians, Loukidelis said.
"We don’t do that now with passport databases and we don’t see why we would need to do anything differently when it comes to enhanced driver’s licences."
The B.C. government has received 800 volunteers for the enhanced driver’s licence program within the first two days of the pilot project.
John van Dongen, Intergovernmental Affairs Minister, said 500 licences will be issued in British Columbia.
He said the information contained in the licences provides border officials with proof of citizenship, a photograph to confirm identity and status to legally cross the border.
"They do not access medical records," he said. "They do not access driver’s records. They do not access fines, tickets, penalties. They do not access accident history. None of that information is of any interest to the border agencies in either country."
Labels: bc, british columbia, privacy, rfid
Tuesday, February 05, 2008
When Hollywood asked Verizon and AT&T to monitor and block customer trasmission of suspected pirated content, Verizon said no. AT&T is apparently looking into it. See: Verizon Rejects Hollywood’s Call to Aid Piracy Fight - Bits - Technology - New York Times Blog.
In somewhat related news, the European Court has said that ISPs can't hand over customer data to rights owners seeking civil remedies, unless local laws explicitly allow it. See: E.U. Court: Downloaders Can Stay Private - New York Times.
Labels: privacy
I just got a notice about what should be an interesting online debate, hosted by the Economist.com. From an e-mail from The Economist:
I’m reaching out on behalf of The Economist Debate Series a program of open conversations on important global topics led by high-profile debaters.Our second series of three debates kicks off today and the first proposition raises important questions about civil rights and the trade-off between Privacy vs. Security. As a blogger and member of the community that The Economist aims to serve with this lively debate, we wanted to extend an invitation to you and the readers of Canadian Privacy Law Blog to join the debate by blogging or commenting to the debate floor. (No subscription is necessary).
More details are below…
Timing & Proposition:
Feb. 5 – Feb 15: “Privacy vs. Security – This house believes that security in the modern age cannot be established without some erosion of individual privacy.”
Should people sacrifice elements of our privacy for the sake of making our world a more secure place?
Expert Debaters & Moderator
Two global thought leaders in security and freedom will square off on either side of the issue.
Pro: Neil C. Livingstone, Chairman and CEO of ExecutiveAction LLC
Livingstone is the chairman and CEO of ExecutiveAction LLC, an international business solutions and risk management company. In addition to serving on numerous homeland security advisory boards, Livingstone has written nine books and more than 200 articles on terrorism and national security and has appeared on more than 1,300 television programmes as a commentator on intelligence and national-security issues.
Con: Bob Barr, Chair for Freedom and Privacy at the American Conservative Union
A former member of the U.S. House of Representatives from Georgia (1995-2003), Barr now occupies the 21st Century Liberties Chair for Freedom and Privacy at the American Conservative Union. In addition to teaching and practicing law, Barr serves as a board member of the National Rifle Association and heads a consulting firm, Liberty Strategies LLC. Dubbed by the New York Times as “Mr. Privacy”, Barr writes and speaks widely on civil liberties. Previously, Mr. Barr served as the U.S. Attorney in Atlanta, and as an official with the CIA.
Moderator: Daniel Franklin, Executive Editor, The Economist & Editor-In-Chief, Economist.com & Editor, The World in 2008
Guest Participants
Additional leaders in this field are serving as guest participants through the course of the debate:
Thomas M. Sanderson Deputy Director and Senior Fellow, Transnational Threats Project (CSIS)
Scott Berinato, Executive Director, CSO Magazine
W. Kenneth Ferree, President, The Progress & Freedom Foundation
Future Debates in the Series
Feb 25 – March 7: Information Management. Is Technology succeeding at simplifying our lives, or is it just making things more complicated? Does the negative impact of information overload outweigh the positive impact of new tools and technologies?
March 18 – 28: IT Governance. Should each country have independent control over its own cyberspace, or should a governing entity oversee the Internet and policies surrounding it?
Also, check out our Facebook group, “I’m Following The Economist Debate Series.”
Please check back regularly to see the latest comments by your industry peers and to see if the moderator or debaters picked up your or other viewpoints from the floor.
Please support discourse, and may intelligence prevail!
Labels: facebook, privacy, social networking
The Privacy Commissioners of the provinces, territories and Canada are planning to speak out about RFID drivers licenses as part of their semi-annual get-together, being held in Victoria this week. This has been precipitated by BC's recent announcement to introduce a new RFID embedded license to facilitate border crossings. See: Code-broadcasting chips to be embedded in B.C. driver's licenses.
The Information and Privacy Commissioner of Alberta has chastised a physician in that province after his patient database was used to send invitations to his birthday party. An individual who had "opted out" from such use received an invitation and complained to the Commisioner. See: edmontonsun.com - Alberta- Doc's birthday invitations land him in hot water and the Commissioner's decision H2007-1.
Labels: alberta, health information, privacy
Monday, February 04, 2008
I got a number of calls today from media outlets today about a controversy that has erupted in Montreal. It appears a Second Cup franchisee recently installed a fake surveillance camera in bathroom stalls in an effort to dissuade drug users from using the bathrooms to shoot up.
My thoughts are summed up in the following quote from the Canadian press:
The Canadian Press: Montreal Second Cup owner forced to take down bathroom surveillance camera... Still, privacy advocates are uncomfortable with the creeping presence of cameras in more intimate places such as bathrooms. Whether the camera works or not, the effect, they say, is the same.
"One of the weird things about this area of law is the fact that it is designed in many ways to protect people's feelings," said David Fraser, a privacy lawyer based in Halifax. ."It's about people not wanting to feel they're under surveillance."
For Fraser, the underlying issue is the sense of violation that comes with feeling one's private space is being subjected to anonymous, prying eyes.
"There isn't any real material difference between a fake camera and a real camera," he said. "Whether they're real or fake, you still have the feeling of being watched." ...
Labels: privacy, quebec, surveillance, video surveillance
Sunday, February 03, 2008
Here's a really great read from Bruce Schneier:
Schneier on Security: Security vs. PrivacyIf there's a debate that sums up post-9/11 politics, it's security versus privacy. Which is more important? How much privacy are you willing to give up for security? Can we even afford privacy in this age of insecurity? Security versus privacy: It's the battle of the century, or at least its first decade.
In a Jan. 21 New Yorker article, Director of National Intelligence Michael McConnell discusses a proposed plan to monitor all -- that's right, all -- internet communications for security purposes, an idea so extreme that the word "Orwellian" feels too mild.
The article (now online here) contains this passage:
In order for cyberspace to be policed, internet activity will have to be closely monitored. Ed Giorgio, who is working with McConnell on the plan, said that would mean giving the government the authority to examine the content of any e-mail, file transfer or Web search. "Google has records that could help in a cyber-investigation," he said. Giorgio warned me, "We have a saying in this business: 'Privacy and security are a zero-sum game.'"I'm sure they have that saying in their business. And it's precisely why, when people in their business are in charge of government, it becomes a police state. If privacy and security really were a zero-sum game, we would have seen mass immigration into the former East Germany and modern-day China. While it's true that police states like those have less street crime, no one argues that their citizens are fundamentally more secure.
We've been told we have to trade off security and privacy so often -- in debates on security versus privacy, writing contests, polls, reasoned essays and political rhetoric -- that most of us don't even question the fundamental dichotomy.
Security and privacy are not opposite ends of a seesaw; you don't have to accept less of one to get more of the other. Think of a door lock, a burglar alarm and a tall fence. Think of guns, anti-counterfeiting measures on currency and that dumb liquid ban at airports. Security affects privacy only when it's based on identity, and there are limitations to that sort of approach.
Since 9/11, approximately three things have potentially improved airline security: reinforcing the cockpit doors, passengers realizing they have to fight back and -- possibly -- sky marshals. Everything else -- all the security measures that affect privacy -- is just security theater and a waste of effort.
By the same token, many of the anti-privacy "security" measures we're seeing -- national ID cards, warrantless eavesdropping, massive data mining and so on -- do little to improve, and in some cases harm, security. And government claims of their success are either wrong, or against fake threats.
The debate isn't security versus privacy. It's liberty versus control.
You can see it in comments by government officials: "Privacy no longer can mean anonymity," says Donald Kerr, principal deputy director of national intelligence. "Instead, it should mean that government and businesses properly safeguard people's private communications and financial information." Did you catch that? You're expected to give up control of your privacy to others, who -- presumably -- get to decide how much of it you deserve. That's what loss of liberty looks like.
It should be no surprise that people choose security over privacy: 51 to 29 percent in a recent poll. Even if you don't subscribe to Maslow's hierarchy of needs, it's obvious that security is more important. Security is vital to survival, not just of people but of every living thing. Privacy is unique to humans, but it's a social need. It's vital to personal dignity, to family life, to society -- to what makes us uniquely human -- but not to survival.
If you set up the false dichotomy, of course people will choose security over privacy -- especially if you scare them first. But it's still a false dichotomy. There is no security without privacy. And liberty requires both security and privacy. The famous quote attributed to Benjamin Franklin reads: "Those who would give up essential liberty to purchase a little temporary safety, deserve neither liberty nor safety." It's also true that those who would give up privacy for security are likely to end up with neither.
This essay originally appeared on Wired.com
Labels: air travel, airlines, google, privacy, schneier
Saturday, February 02, 2008
The Justice Minister of Newfoundland and Labrador says a recent data security breach was caused by the P2P program LimeWire, which had been installed on a laptop used by a consultant. See: LimeWire led to data breach: N.L. justice minister.
The Canadian Privacy Law Blog is licensed under a
Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 Canada License.