You Might be Interested In

To commemorate Data Privacy Day today, we offer up our latest Top Ten list…The Top 10 Ways Your Privacy is Threatened:

10. Surveillance cameras, swipe cards, Internet searches – as you go about your daily routine you actually leave a trail of data behind you for others to collect, merge, analyze and even sell, often without your knowledge or consent.

9. New and exciting technologies are emerging daily; but often your personal information is the cost of admission. Think about the information you have surrendered just to play online games, join virtual worlds, or even shop online.

8. Millions of people post all sorts of personal information about themselves, their family and their friends on social networking sites without reviewing the privacy policies, modifying the privacy settings, or considering how this information can be used or misused by others.

7. Governments are indiscriminately collecting mountains of personal data in the name of national security and public safety.

6. Businesses are collecting more and more information about an ever-greater number of people, often without having appropriate means to protect the information or dispose of it.

5. Data breaches happen every day in both the public and private sectors. Recent incidents have exposed the personal information of millions of people. In fact, you could already have been one of those people, but due to the lack of mandatory breach reporting laws in Canada, you may never even be informed.

4. Fraudsters have become extremely devious and technologically savvy. From the other side of the planet, they can steal your personal information. These days, you need to shred documents, protect your computer, watch out for fraudulent e-mails, be on guard against pretexting and much more.

3. Identity theft, which is fuelled by excessive personal information collection and failure to protect it, is rampant – and it is becoming a very lucrative business for criminals.

2. We live in a global society where information flows freely around the world – from person to person; jurisdiction to jurisdiction; public sector to private sector – and all privacy protection laws are not created equal.

1. The notion that “if you have nothing to hide, you have nothing to fear”. Privacy is an essential freedom that shapes our society; an internationally recognized human right; and the foundation of modern democracy – but if we don’t value our privacy or stand up for it as our right, it will be eroded over time.

What are you doing to take note of Data Privacy Day? Check out our Data Privacy Day page for new information and material demonstrating the importance of data privacy issues and encouraging people to become better guardians of their own personal information. And be sure to share with us how you protect your personal information for a chance to win one of our T-shirts!

Recently, a journalist for Wired magazine attempted to live a location-aware lifestyle. That means he tried to take advantage of the GPS capabilities of every electronic tool he could get his hands on, linking all his activities to his location and then transmitting that data to his network.

In his article, Mat Honan describes one period of introspection – and comes away with a startling realization:

To test whether I was being paranoid, I ran a little experiment. On a sunny Saturday, I spotted a woman in Golden Gate Park taking a photo with a 3G iPhone. Because iPhones embed geodata into photos that users upload to Flickr or Picasa, iPhone shots can be automatically placed on a map. At home I searched the Flickr map, and score — a shot from today. I clicked through to the user’s photostream and determined it was the woman I had seen earlier. After adjusting the settings so that only her shots appeared on the map, I saw a cluster of images in one location. Clicking on them revealed photos of an apartment interior — a bedroom, a kitchen, a filthy living room. Now I know where she lives.

This Christmas, Internet company Yahoo gave its users an early Christmas present – a  new data retention policy, promising to anonymize user data after 90 days.

The information found in user log files has been a contentious issue – while some argue the data itself might not contain personally identifiable information about the user, it can still be used to create a snapshot of that user, providing useful tidbits like where and when they go online, and what they’re searching for. When you combine that information with, say,  account information from a web-based e-mail account, photo blog, or personal profile on a social networking site, the snapshot that emerges is a fairly detailed one. (Over at slaw.ca, David Fraser explains how these log files work.)

On Christmas Eve, the New York Times supported Yahoo’s announcement in an editorial calling Yahoo’s new policy “considerably better” than those of Google or Microsoft when it came to protecting the privacy of its users. “Internet users should be able to control how much of their personal data companies keep,” said the Gray Lady.

We say it’s all about personal control.

South of the border, Sony Music recently settled with the U.S. Federal Trade Commission (FTC) after the FTC filed a suit against Sony claiming the company had violated children’s privacy rights.

Last Wednesday, the FTC accused Sony of being in violation of the Children’s Online Privacy Protection Act, or COPPA, by collecting, maintaining and disclosing personal information of children under the age of 13 without parental consent.

The FTC estimates that Sony collected the personal information of about 30,000 children on 196 websites operated by Sony Music. That includes names, addresses, mobile phone numbers, e-mail addresses, dates of birth, ZIP codes, usernames and gender. But that’s not all:

“Many of these sites also enable children to create personal fan pages, review artists’ albums, upload photos or videos, post comments on message boards and in online forums, and engage in private messaging.”

The following day, Sony and the FTC announced the suit had been settled, with the company agreeing to pay a fine of $1 million, put in place a screening process that complies with the FTC rules and hire a Web compliance officer to monitor the issue. The fine is reportedly the largest settlement for a case involving COPPA, which came into effect in 2000.

One way (and a fairly simplistic way at that) to view this settlement is that it works out to about $33 for each child’s information.

But these kids – and the rest of Sony’s website visitors – may see the value of their information in another way. A recent study by IBM found that people – and especially younger people – were willing to trade away their information for incentives like free high quality music or videos, discounts to favourite stores and air travel or hotel points:

“Close to 60 percent of total respondents were willing to provide information about themselves — such as age, gender, lifestyle or communications preferences — in exchange for something of value. Younger respondents had fewer concerns about revealing personal preferences, and a sizeable portion of participants over the age of 45 were also willing to share information about themselves. However, all respondents indicated the need for perceived value and incentives as a trade-off to provide personal information.”

And finally – what’s your information worth on the black market?

Cybercrime is big business – now reportedly even bigger than the international drug trade. In this world, credit card information can be bought and sold for as little as $1, and entire identities can be purchased for $5.

So how much is your information worth? As much as you care to protect it.

In 2000, this 15-year-old hacker brought down some of the most heavily visited websites on the net: Amazon, eBay, CNN, Yahoo!. At the time, reports claimed the hack caused a billion dollars’ worth of damage to these companies.

Since that time, cybercrime has become big business, with some reports suggesting it’s on par with or bigger than the illicit drug trade. Identity theft features prominently in this underground frontier, with credit card information and entire identities up for sale by the thousands.

Tonight, CBC is airing Web Warriors, a one-hour documentary with an exclusive look at the world of hackers, and the cyber-sleuths who pursue them. If you miss it on TV, the entire documentary is available on CBC’s site as well.

And on the subject of teenage hackers, we’d like to point you towards Little Brother, the novel for young adults by BoingBoing blog coeditor Cory Doctorow. Little Brother takes place in the not-so-distant future where a group of teens use technology to protest the ever-increasing government surveillance around them. It’s a story that looks at hacking, jamming and surveillance, and offers insight into the privacy vs. security debate…all through the eyes of a 17-year-old.

Increasingly, employers are looking at how to tackle the thorny issue of employees’ use of social networking sites like Facebook, Myspace and LinkedIn.

It’s a challenge all employers will have to face, given the growing ranks of social network site users here in Canada and around the world. What’s more, a recent study out of Ryerson University identified a new digital divide between young Canadians who socialize online frequently and regularly, and the employers and managers for whom they work. Their study found that the two groups – younger employees and older employers – have differing viewpoints on privacy when it comes to online networks. Furthermore, researchers found that, by and large, employers currently don’t have policies, guidelines or practices in place that govern the use of social networking sites in the workplace.

However, a small number of employers are starting to. So far, the responses by employers have varied widely – from banning outright all workplace access to social networking sites, to developing codes of conduct and guidelines for employees’ online activities.

The Trades Union Congress in the U.K. has developed a toolkit on IT security for their members, with one section devoted solely to social networks and privacy for employers and employees. They’ve also got a briefing note on online social networking and the implications for human resources managers.

In the coming weeks, we’ll be releasing our own guidelines to help employers draft their own policies on the use of social network sites in the workplace.

To date, both the U.K. and the province of Ontario have issued their own advice on social networking and work, from the employee’s perspective – be sure to take a look at those as well.

Yesterday, the CRTC rendered its decision on ISP’s traffic shaping practices. It announced that it was denying the Canadian Internet Service Providers’ (CAIP) request that Bell Canada, which provides wholesale ADSL services to smaller ISPs across the country, cease the traffic-shaping practices it has adopted for its wholesale customers.

“Based on the evidence before us, we found that the measures employed by Bell Canada to manage its network were not discriminatory. Bell Canada applied the same traffic-shaping practices to wholesale customers as it did to its own retail customers,” said Konrad von Finckenstein, Q.C., Chairman of the CRTC.

Moreover, the CRTC recognized that traffic-shaping “raises a number of questions” for both end-users and ISPs and has decided to hold a public hearing next July to consider them.

We’ll be following the public hearing closely, and here’s why: Internet traffic management requires the use of can use deep packet inspection (DPI) technology – technology that can “read” packets of information flowing through the Internet. In this case, packets are being read to identify specific Internet activities – like the use of peer-to-peer (P2P) file-sharing applications. That same technology can be used to read a whole lot more about what you do on the Internet: what you’re watching, downloading or reading, who you’re talking to, what you’re saying, as well as where you are and who you are.

As we’ve mentioned on this blog, our office is already looking into a complaint about DPI and we expect to have a decision soon.

The time has come for net neutrality, both as an economic and a social policy issue, to be examined by the Canadian government. And we look forward to being a part of that discussion.

On October 11, In 22 cities across Europe, citizens demonstrated to express their concerns over what they see as the increasing growth in government-created surveillance societies. October 11 was Freedom Not Fear Day, organized by the German Working Group on Data Retention.

In Berlin alone, over 15,000 protesters gathered in a rally that ended at the Brandenburg Gate. (The organizers have argued that 15,000 is a lowball number from the authorities, and the actual number could be closer to 50,000.) Peaceful and creative action took place throughout Europe, including art performances in Vienna, public lectures in Rome, and the construction of a collage made from uploaded photos of UK surveillance equipment and tactics in London.

From the website of the German Working Group on Data Protection:

“Surveillance mania is spreading. Governments and businesses register, monitor and control our behaviour ever more thoroughly. No matter what we do, who we phone and talk to, where we go, whom we are friends with, what our interests are, which groups we participate in – “big brother” government and “little brothers” in business know it more and more thoroughly. The resulting lack of privacy and confidentiality is putting at risk the freedom of confession, the freedom of speech as well as the work of doctors, helplines, lawyers and journalists.

The manifold agenda of security sector reform encompasses the convergence of police, intelligence agencies and the military, threatening to melt down the division and balance of powers. Using methods of mass surveillance, the borderless cooperation of the military, intelligence services and police authorities is leading towards the construction of “Fortresses” in Europe and on other continents, directed against refugees and different-looking people but also affecting, for example, political activists, the poor and under-priviledged, and sports fans.

People who constantly feel watched and under surveillance cannot freely and courageously stand up for their rights and for a just society. Mass surveillance is thereby threatening the fabric of a democratic and open society. Mass surveillance is also endangering the work and commitment of civil society organizations.

Surveillance, distrust and fear are gradually transforming our society into one of uncritical consumers who have “nothing to hide” and – in a vain attempt to achieve total security – are prepared to give up their freedoms. We do not want to live in such a society!

We believe the respect for our privacy to be an important part of our human dignity. A free and open society cannot exist without unconditionally private spaces and communications.”

In the United States, Freedom Not Fear Day was supported by a number of NGOs, including the Electronic Frontier Foundation (EFF) and the Electronic Privacy Information Center (EPIC). Together, they issued a release calling for an end to watch lists and data profiling programs that fail to comply with the federal Privacy Act, the establishment of comprehensive data protection legislation, and the repeal of the Patriot Act.

But Freedom Not Fear Day was a decidedly more subdued affair in the U.S. Besides this endorsement and statement issued by EPIC, EFF and IP Justice, no other activities appear to have been scheduled to commemorate Freedom Not Fear Day in Washington D.C. Canadian activities were similarly subdued: the official website notes that a light projection was planned for Toronto’s City Hall but information on who organized it and how it turned out couldn’t be found.

Granted, the roots of Freedom Not Fear Day are in Berlin and the global day of action seems to have spread to other European capitals but it’s interesting to note that North Americans seem reluctant to stand up to the notion of “security theatre“.

With another federal election underway, a number of policy issues with privacy implications have been put on hold until after October 14. The debate over copyright was one of the most contentious issues before the House and certainly one that captured the interest of Canadians throughout the country. Before the election call, we received a letter from James Pew, a music studio owner in Toronto. He voices his concerns as a small business owner over the proposed copyright legislation, pointing out that it “does not take into account the needs of consumers and Canada’s creative community who are exploiting the potential of digital technology”. (You can view his full letter on his blog.)

Our office felt the need to respond to Mr. Pew, outlining our own concerns with the draft legislation – namely, that the use of digital rights management (DRM) software by copyright holders and customer tracking by ISPs largely ignores consumers’ privacy rights. Below is Commissioner Stoddart’s response to the letter in its entirety.

While the draft legislation died with the dissolution of Parliament and subsequent election call, we fully expect the copyright debate to pick up where it left off in the next session of Parliament.

Dear Mr. Pew,

Thank you for including me in recent correspondence with your Member of Parliament.  In that letter, you put forth your impressions of amendments proposed this summer for Canada’s Copyright Act.  I appreciate your thoughts and had some concerns of my own about Bill C-61.

My Office has been involved in the issue since similar amendments were proposed in 2005.  In that instance, as with Bill C-61, the legislation died with an election call.  However, the underlying issues still cause me some concern.  As I explained in a letter to the responsible Ministers, as Canada’s Privacy Commissioner, two particular aspects of the legislation trouble me.

First, the amendments would allow companies to use digital rights management (DRM) software on media sold to Canadian consumers.  These tools have been used in the past to collect personal information without users’ knowledge or consent.  DRM software has also been shown to create other security problems.  These practices largely ignore the principles found in Canada’s private-sector privacy legislation, the Personal Information Protection and Electronic Documents Act.  As a result, I have asked the Ministers who oversee the copyright file to consider the privacy implications of any new law.  Our Office also prepared a primer on DRM, should you be interested.

Secondly, and perhaps even more serious, is the new role Internet Service Providers (ISPs) would be required to play in tracking, recording and reporting on consumers.  Most Canadians neither expect nor want routine, systematic surveillance bundled into their internet services.  Casting such a wide dragnet over millions of subscribers – simply to ensure copyright compliance in isolated cases – seems to me grossly disproportional.  This is particularly worrisome where the commercial interests of telecommunications companies converge with media producers, to the detriment of consumers’ privacy rights.

All this is to say, while I have been raising these issues within government and the wider public, I hope the current election will provide an opportunity for the various parties to clarify their position on these important matters.  Again, thank you for your letter.

Sincerely,
Jennifer Stoddart
Privacy Commissioner of Canada

Speaking at the Canadian Bar Association Conference earlier this week, the Privacy Commissioner talked about the privacy implications of courts and administrative tribunals posting to the web decisions and other documents containing personal information.

While her speech generated a handful of articles, her comments created a bit of a stir when one newspaper article misinterpreted what she had said, suggesting that the Commissioner was proposing that all court decisions be scrubbed of personal information before being made widely available.  Of course, neither the Privacy Act nor the Commissioner’s mandate applies to the courts.  In her speech, the Commissioner was actually discussing the legal obligations of government institutions subject to the Privacy Act. (You can read the transcript of her speech here.)  These institutions have tended to evoke the practices of the courts as a justification for the disclosure of personal information, a tendency that inspired the Commissioner’s remarks.  Other interpretations of the Commissioner’s comments better capture her concerns.

Below is the commissioner’s letter to the Toronto Star which appeared yesterday morning.

Re: Hide IDs in court rulings, privacy chief says, Aug. 20

I am writing to correct a false impression left by the article. My mandate does not extend to the courts. However, it is interesting to note that they, like my office, have been wrestling with the issue of posting personal information online. My role is to ensure that federal administrative tribunals respect the privacy rights of Canadians.

Ordinary Canadians provide their personal information to these tribunals for various reasons. They may, for instance, be seeking access to a government benefit or reparation for an alleged government mistake.

A law-abiding citizen fighting for a government benefit should not be forced to expose her medical history or other highly sensitive personal information to public scrutiny. They should not have to abandon their privacy rights.

My office has recently investigated complaints about the online posting of personal information by several administrative tribunals. We expect to release our findings in these cases in the fall.

Jennifer Stoddart, Privacy Commissioner of Canada