The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.
The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.
For full contact information and a brief bio, please see David's profile.
Please note that I am only able to provide legal advice to clients. I am not able to provide free legal advice. Any unsolicited information sent to David Fraser cannot be considered to be solicitor-client privileged.
The views expressed herein are solely the author's and should not be attributed to his employer or clients. Any postings on legal issues are provided as a public service, and do not constitute solicitation or provision of legal advice. The author makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein or linked to. Nothing herein should be used as a substitute for the advice of competent counsel.
This web site is presented for informational purposes only. These materials do not constitute legal advice and do not create a solicitor-client relationship between you and David T.S. Fraser. If you are seeking specific advice related to Canadian privacy law or PIPEDA, contact the author, David T.S. Fraser.
Thursday, January 07, 2010
I was interviewed by the Halifax Chronicle Herald on the need for a thorough debate about the privacy impact of body scanners and to make sure that we are actually dealing with the problem. And if we're going to use the technology, we need to ensure that all steps are taken to mitigate the privacy impact.
Safety vs. privacy: - Nova Scotia News - TheChronicleHerald.caSafety vs. privacy: Legal expert warns tradeoff of agreeing to virtual strip search might not be worth it
By KELLY SHIERS Staff Reporter Thu. Jan 7 - 4:47 AM
A Halifax privacy expert says airline passengers willing to undergo virtual strip searches are trading privacy for security in an equation that may not result in increased safety in the air.
"Because this is almost unprecedented in its intrusiveness, that means we really need to have a debate about it," David Fraser said Wednesday.
"If you throw out people’s privacy, it doesn’t necessarily mean you’re going to end up with the best security.
"I think we need to have all the facts in front of us about how effective these things are, what sort of impact they’re having on privacy, and how (we can) increase the effectiveness of security while trying to mitigate the impact it can have on privacy."
RELATED» Privacy czar probes Ottawa’s plan for airport surveillance » Slovaks plant explosive in traveller’s luggage in failed security test» Airport security: Last line of defence
Mr. Fraser, a privacy lawyer with McInnes Cooper, said most of the people he has spoken with have reacted positively to the news that airports across the country, including in Halifax, will soon use scanners that see through clothes.
The machines show a three-dimensional outline of a naked body that allow screening officers to see whether someone is carrying dangerous items.
"When they balance their safety versus their privacy, they’re happy to give up their privacy in exchange for their safety," he said.
The scanners have been used at some airports outside Canada and were expected to be introduced in this country at some point.
But on Tuesday, the federal government announced it will buy 44 machines as part of an international response to a man’s attempt to blow up a jet approaching Detroit on Christmas Day. The man was wearing explosives sewn into his underwear.
The devices are only supposed to be used on passengers who have been singled out for secondary screening. Those passengers can choose to go through the machines or be frisked.
Mr. Fraser said he would prefer to be scanned rather than have the kind of intrusive pat-down that would be required in order to detect explosives sewn into underwear.
But he said he believes technology is only part of the answer to combating terrorism in the air.
"It’s convenient to throw technology at the problem and I think there may be an assumption this is going to make everybody safe, but I’m not sure this is necessarily the case," he said.
The devices have shortcomings, even if they are better than what is now in place, he said.
And technology, he said, may not be as effective as "strategic investments in humans" who are collecting, analyzing and using the massive amounts of data about possible threats and possible terrorists.
He said the public should ask questions about the use of the images and the safeguards that will be in place to protect them.
Under a plan approved by Canada’s privacy commissioner, an officer would view the image in a separate room and never see the passenger. The images are supposed to be erased automatically and no copies kept.
Other possible safeguards could include scanning screeners to ensure they’re not carrying cameras or cellphones capable of taking pictures of the images, Mr. Fraser said. And just as pat-downs are only done by members of the same sex, perhaps that rule should apply to viewing the naked images, he said.
Labels: air travel, airlines, privacy, security
Sunday, January 03, 2010
The thwarted Christmas Day bombing plot has certainly raised security levels in airports over the holidays. Individual passengers are being frisked before boarding, presumably to make sure they don't have any hidden compartments in their unmentionables (but inspectables). Carryons are being dramatically restricted to reduce screening times, as all such items have been hand inspected. Not at all surprisingly, this has brought body scanning technology to the fore.
In October of this year, the Federal Privacy Commissioner gave her conditional approval to the use of the technology. The conditions are that the images are not retained and the scanners are used only as a secondary screening tool. (See: A necessary image - The Globe and Mail.) However, all passengers to the US are now subject to secondary screening. The Globe article says that technology exists to blur faces and genitals, but I would think that genital blurring may might have obscured a cleverly hidden crotch bomb.
Also according to the Globe (Nigeria, Netherlands to introduce full-body imaging; Canada undecided - The Globe and Mail), both countries that were connected to the pantsbomber, Nigeria and the Netherlands, are introducing body scanning for all flights to the United States. So are UK airports (BAA to introduce full-body scanners at UK's Heathrow).
I travel a lot. Personally, I'd rather be virtually stripped in five seconds than physical patted down by a stranger over two or three minutes. But I'm not so shy. I would also think that the same technology that is currently used to detect explosives residue should be rolled out on a wider scale as well.
For a good overview of the technology and the debate, check out: Full-Body Scanners at Airports: The Good, the Bad, and the Ugly Technomix Fast Company.
Also, CBS (via YouTube) does a pretty good job of covering the debate:Labels: air travel, airlines, homeland security, privacy, security
Monday, May 07, 2007
David Canton has just posted a link to a very interesting and insightful article on the TJX/Winners breach, which sheds light on how the scammers were able to penetrate the TJX system to take approximately TWO HUNDRED MILLION credit card numbers.
How Credit-Card Data Went Out Wireless Door - WSJ.com... When wireless data networks exploded in popularity starting around 2000, the data was largely shielded by a flawed encoding system called Wired Equivalent Privacy, or WEP, that was quickly pierced. The danger became evident as soon as 2001, when security experts issued warnings that they were able to crack the encryption systems of several major retailers.
By 2003, the wireless industry was offering a more secure system called Wi-Fi Protected Access or WPA, with more complex encryption. Many merchants beefed up their security, but others including TJX were slower to make the change. An auditor later found the company also failed to install firewalls and data encryption on many of its computers using the wireless network, and didn't properly install another layer of security software it had bought. The company declined to comment on its security measures.
The hackers in Minnesota took advantage starting in July 2005. Though their identities aren't known, their operation has the hallmarks of gangs made up of Romanian hackers and members of Russian organized crime groups that also are suspected in at least two other U.S. cases over the past two years, security experts say. Investigators say these gangs are known for scoping out the least secure targets and being methodical in their intrusions, in contrast with hacker groups known in the trade as "Bonnie and Clydes" who often enter and exit quickly and clumsily, sometimes strewing clues behind them.
The TJX hackers did leave some electronic footprints that show most of their break-ins were done during peak sales periods to capture lots of data, according to investigators. They first tapped into data transmitted by hand-held equipment that stores use to communicate price markdowns and to manage inventory. "It was as easy as breaking into a house through a side window that was wide open," according to one person familiar with TJX's internal probe. The devices communicate with computers in store cash registers as well as routers that transmit certain housekeeping data.
After they used that data to crack the encryption code the hackers digitally eavesdropped on employees logging into TJX's central database in Framingham and stole one or more user names and passwords, investigators believe. With that information, they set up their own accounts in the TJX system and collected transaction data including credit-card numbers into about 100 large files for their own access. They were able to go into the TJX system remotely from any computer on the Internet, probers say....
Labels: cardsystems, privacy, retail, security, tjx
Sunday, January 14, 2007
Over the last little while, I've been using wireless more and more. When traveling, an unsecured hotspot is often all you can get. For access to my work resources, there's secured VPN to keep things safe and sound but what about the more mundate stuff?
By messing around, I've discovered that many of the sites you may use on a regular basis have secure alternatives. For example, instead of hitting GMail at http://www.gmail.com, try https://mail.google.com. Or for bloglines users, you can use https://www.bloglines.com/myblogs. When you're not sure of the security of your connection, check to see if there's an SSL version you can use. You never know ...
The Canadian Privacy Law Blog is licensed under a
Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 Canada License.