You Might be Interested In

Twitter. That’s right; I’m going to talk about Twitter, making the Office of the Privacy Commissioner of Canada the official end point for the “Have you heard about Twitter?” meme. (For a quick summary of this meme, listen to this audio from a podcast called Jordan Jesse Go!)

Twitter, the instant messaging application that limits each message to 140 characters, is experiencing tremendous growth across a range of demographic groups.  Entrepreneurs, employees, supervisors, managers and executives are leaping aboard, sharing information as broad as golf scores, children’s hobbies, favourite movies, the relative tedium of on site meetings, and more interesting tidbits about their daily business.

Senior executives from across the Fortune 500 are experimenting with the service – and are being tracked by members of the traditional media.

While the Office doesn’t want to discourage the use of new technologies, especially when they seem to encourage professional development and the creation of personal networks, we continue to gently remind Canadians to watch what they say online.

This is especially true when it comes to business. Loose and quick finger work can result in uncorrectable errors and mis-statements. Every level of an organization handles information that could be considered sensitive or a business secret – from information in human resources files to the data underlying market forecasts.

Every online identity is expected to have a personality, and it is preferred that they have a professional or personal obsession that provides colour and detail to their activities.

If you are experimenting with an application like Twitter, you should have a clear idea of your desired identity in mind when putting finger to keypad.

THAT’s the way to avoid embarrassment – at home and at the office.

Today the OPC issued Captured on Camera, a fact sheet intended to help Canadians understand the privacy issues surrounding street-level imaging applications like Google StreetView and a similar product offered by Canpages.(html), (pdf)

The basic message?

“Under Canadian privacy law you should know when your picture is being taken for commercial reasons, and what your image will be used for. Your consent is also needed. There are exceptions, but they are very limited and specific.” …

“We think companies that engage in this activity have to let citizens know that they are going to be photographing the streets of their city, when this will happen, why and how they can have their image removed if they don’t want it in a database.”

There’s more, but you should go read it yourself.

“Captured on Camera” is a joint product of the OPC and the Privacy Commissioners of Quebec, Alberta and British Columbia.

How does society reconcile the technological benefits and privacy impacts of new technology? Deep packet inspection is just one seemingly neutral technological application that can have a significant impact on privacy rights and other basic civil liberties, especially as market forces, the enthusiasm of technologists and the influence of national security
interests grow stronger.

We have produced a web site (http://dpi.priv.gc.ca) meant to serve as a resource on deep packet inspection. It grew out of a desire at the Office of the Privacy Commissioner of Canada to understand more about a technology that has application in network traffic management, behavioural advertising, and law enforcement.

In the summer and fall of 2008, we contacted leading academics and professionals working in telecommunications, law, privacy, civil liberties and computer science to ask if they would contribute a short essay to a project we were planning – a project that would help Canadians understand the impact of just one component of the technology that underlies our networked society.

The resulting project site presents the work of these academics, lawyers, researchers, activists and industry professionals. We value the time they invested in preparing their essays, and we are happy to present their work in a format that will, hopefully, encourage further discussion around deep packet inspection and similar technologies.

You will notice that this web site was developed with sharing in mind. There are opportunities for you to leave your comments about each essay – either through a written comment or by voting on the essay. We have built in links to some of the more popular content sharing services, in case you think some or all of the essays should be brought to the attention of friends, colleagues, legislators or others.

Or, alternatively, please feel free to send me your comments.

What would you think if you wrote a letter and it could be opened up by a postal or a courier service before it reaches its destination?  What would you think if that happened to your online communication?  It’s not necessarily a hypothetical question.

Stemming from a request to the CRTC from the Canadian Association of Internet Service Providers (CAIP) to stop Bell from throttling/shaping their wholesale internet service, the CRTC reached a decision on November 20, 2008.  Though CAIP’s application was denied, the CRTC noted that a number of parties raised concerns related to Internet traffic management practices that were beyond the scope of that particular procedure.

As a result, the CRTC announced that it would be holding public consultations to review the Internet management practices of Internet service providers.

In a previous blog posting we discussed the CRTC decision and this new public consultation – which calls for written submission (due by February 23, 2009) and a public consultation (planned for July 2009).

One issue that has been the focus of much debate is the use of deep packet inspection (DPI) to shape/control traffic.  So, what is the privacy issue? Well, there is the potential for DPI technology to peek into an individual’s entire on-line activity, which may include sensitive personal information.  When DPI is used, it is also seemingly “invisible” to individual users. It is important that we are made aware of DPI’s potential use to manage our activities on the internet.

Last year, the US Federal Communications Commission (FCC) ruled on a complaint about internet service provider Comcast Corporation’s network management practices – which included using DPI and false reset packets to manage traffic generated by peer-to peer (P2P) applications.

The FCC found that Comcast’s level of disclosure to its customers was inadequate, and that individuals would not have been able to reasonably recognize that P2P applications were being discriminated against.
Comcast’s “…practices are not minimally intrusive…but rather are invasive and have significant effects.”

The FCC also noted that Comcast was using DPI to monitor its customers and route electronic communications based on the contents of the communication and not the address.

For the CRTC consultations, a number of interested stakeholders are providing their opinions on Internet traffic management and other related matters.

As we’ve already noted, the OPC is one of those interested parties. We have provided a written submission (.pdf), contributing to the overall discussion of privacy, which can be found on the CRTC’s website.

We hope that if you do have a chance, you are able to look at the submissions from all the parties.  If you would like to share your views on the submissions, we look forward to hearing your thoughts – this consultation is an excellent opportunity to promote and encourage discussion on the privacy issues related to Internet traffic management practices.

This week, the OPC released guidelines for processing personal data across borders.  These guidelines explain how the Personal Information Protection and Electronic Documents Act (PIPEDA) applies to the transfer of personal information to a third party outside of Canada for processing.

Canadian businesses may choose to work with a third party outside of Canada to process data for a number of reasons, such as the ability to provide better customer service, a lack of capacity to process data in house, cost savings, or other considerations.

Examples can include a company hiring an overseas contractor to process data related to a customer loyalty program, or to provide customer service and support around the clock.

Some online companies operate in a virtual environment, buying computing services and product logistics services from suppliers around the world. This naturally means their corporate data will be transferred across one or more international borders.

In today’s world of integrated markets, the transfer of data from one country to another is more common than ever – and that data may very well contain personal information.  It is precisely for that reason the Office  has decided to release these guidelines.

So how is an organization who transfers data across borders responsible for your personal information?  Well to begin, PIPEDA makes the organization responsible for protecting the personal information under its control.

Moreover, it requires an organization to use contractual or other means to “provide a comparable level of protection while the information is being processed by the third party.”

Organizations also need to make it plain to their customers that their personal information may be processed in another country.  In order to be transparent, they need to advise individuals that it could be accessible to law enforcement authorities of that country – in clear and understandable language.

Basically – even if a Canadian organization transfers personal information to a third party for processing – they are responsible for safeguarding that information.

As an individual Canadian citizen, a small business owner or a business executive, It is always a good idea to review an organization’s practices to see what they are doing with your personal information. If in doubt don’t hesitate to ask them – we all have a right to know how our personal information is being used!

Is there anything more annoying that 100 people ahead of you in line when you are trying to purchase that perfect holiday gift? Well what about while you are in the midst of your harried purchase, being asked to pull out your driver’s licence so the retailer can record the number? Not only can this be annoying, but it might also be a violation of your personal privacy.

The Office of the Privacy Commissioner and the Information and Privacy Commissioners of Alberta and British Columbia recently announced the release of a guide for retailers who make it a practice to collect driver’s licence information and numbers. This guide is meant to help these retailers better protect the privacy of their customers.

In general, privacy legislation (such as the federal Personal Information Protection and Electronic Documents Act, PIPEDA, and Alberta’s and British Columbia’s respective Personal Information Protection Acts) requires an organization to collect, use or disclose personal information for appropriate and reasonable purposes, to limit collection to what is necessary to meet their purposes, and to make sure this information is properly safeguarded.

In practice, retailers often record or photocopy a driver’s licence for a number of purposes, such as to verify an individual’s identity. However, this may be accomplished in a less privacy intrusive manner, such as examining the driver’s licence to confirm information, or in some cases limiting collection to the name and address that appears on the card.

The guide indicates that a driver’s licence contains sensitive information. Recording, scanning or photocopying the card may result in the collection of information such as a photograph, height, physical descriptions and other information – far more detail than what the retailer needs to conduct their business.

There may be some cases where it is ok to record some of this information, for example the collection of limited personal information during a refund or exchange (PIPEDA Case Summary #361). However it may not be reasonable to record driver’s licence numbers for the return of products (Settled Case # 16).

You can always ask for an explanation as to why your driver’s licence information is being collected, especially if it is being photocopied. If you still have concerns whether this collection is appropriate, you can visit the OPC website, refer to this guide or contact the appropriate Privacy Commissioner’s Office for further information.

With another federal election underway, a number of policy issues with privacy implications have been put on hold until after October 14. The debate over copyright was one of the most contentious issues before the House and certainly one that captured the interest of Canadians throughout the country. Before the election call, we received a letter from James Pew, a music studio owner in Toronto. He voices his concerns as a small business owner over the proposed copyright legislation, pointing out that it “does not take into account the needs of consumers and Canada’s creative community who are exploiting the potential of digital technology”. (You can view his full letter on his blog.)

Our office felt the need to respond to Mr. Pew, outlining our own concerns with the draft legislation – namely, that the use of digital rights management (DRM) software by copyright holders and customer tracking by ISPs largely ignores consumers’ privacy rights. Below is Commissioner Stoddart’s response to the letter in its entirety.

While the draft legislation died with the dissolution of Parliament and subsequent election call, we fully expect the copyright debate to pick up where it left off in the next session of Parliament.

Dear Mr. Pew,

Thank you for including me in recent correspondence with your Member of Parliament.  In that letter, you put forth your impressions of amendments proposed this summer for Canada’s Copyright Act.  I appreciate your thoughts and had some concerns of my own about Bill C-61.

My Office has been involved in the issue since similar amendments were proposed in 2005.  In that instance, as with Bill C-61, the legislation died with an election call.  However, the underlying issues still cause me some concern.  As I explained in a letter to the responsible Ministers, as Canada’s Privacy Commissioner, two particular aspects of the legislation trouble me.

First, the amendments would allow companies to use digital rights management (DRM) software on media sold to Canadian consumers.  These tools have been used in the past to collect personal information without users’ knowledge or consent.  DRM software has also been shown to create other security problems.  These practices largely ignore the principles found in Canada’s private-sector privacy legislation, the Personal Information Protection and Electronic Documents Act.  As a result, I have asked the Ministers who oversee the copyright file to consider the privacy implications of any new law.  Our Office also prepared a primer on DRM, should you be interested.

Secondly, and perhaps even more serious, is the new role Internet Service Providers (ISPs) would be required to play in tracking, recording and reporting on consumers.  Most Canadians neither expect nor want routine, systematic surveillance bundled into their internet services.  Casting such a wide dragnet over millions of subscribers – simply to ensure copyright compliance in isolated cases – seems to me grossly disproportional.  This is particularly worrisome where the commercial interests of telecommunications companies converge with media producers, to the detriment of consumers’ privacy rights.

All this is to say, while I have been raising these issues within government and the wider public, I hope the current election will provide an opportunity for the various parties to clarify their position on these important matters.  Again, thank you for your letter.

Sincerely,
Jennifer Stoddart
Privacy Commissioner of Canada

On July 3, 2008 the Office of the Privacy Commissioner of Canada announced the results of a public opinion study we commissioned on the personal information customers hand over (or refuse to) to retailers.  According to the results, more than half of Canadians said that they were apprehensive about giving their personal information to retailers, citing concerns over security issues, identity theft and fraud.

The growing concern about disclosing their personal information is understandable given the rise in privacy breaches over the last year (as seen here and here).

In a speech this summer, Commissioner Stoddart noted that while a greater number of companies were voluntarily reporting breaches to the OPC, “it’s clear we still aren’t hearing about every breach which could have a harmful impact on people.”

In a different speech delivered to the Canadian Bar Association Legal Conference and Expo last month, Commissioner Stoddart spoke about her support for mandatory breach notification:

“I am a strong supporter of mandatory notification. By every measure I’ve seen, breaches are a growing problem. Despite the clear risks, we continue to see too many organizations – large and small – underestimating the need to protect personal information. This results in deficient privacy and security safeguards – and, not surprisingly, data spills.”

She also took the opportunity to provide an update on potential amendments to the Protection of Personal Information and Electronic Documents Act (PIPEDA), Canada’s private sector privacy legislation.  One of the anticipated amendments is a formal requirement to provide breach notification.

As an election has been called for this October, the proposed amendments to PIPEDA are now on the backburner until a new Parliament convenes.

Despite the election call, interest in privacy rights and the future of our privacy legislation remains high. Continued interest and engagement by Canadians reminds us that individuals have a high degree of expectation that privacy rights should be respected and safeguarded.

No doubt, progress on privacy legislation will be keenly followed by individuals, government, academics, privacy advocates and civil society as the next Parliament gets underway.

The social networking site Facebook has been under scrutiny lately for lax security with its applications feature. Applications in Facebook are created by third-party software developers and are run on third-party servers. These applications can take many forms – a quiz, a game, or just another way to reach out to friends – but the common feature in all is that they allow software developers to access Facebook users’ personal data.

And while Facebook says it advises its users to “employ…precautions” when downloading applications, any Facebook user will tell you that most applications simply won’t work if you don’t agree to give the developer access to your information.

BBC’s technology program Click decided to test out this security flaw by creating its own Facebook application meant solely to “steal the personal details of you and all your Facebook friends without you knowing”. The application took them three hours to create and allowed them to not only collect personal information about the Facebook user who had downloaded the application, but all of his friends as well.

Click’s experiment suggests that the concerns of privacy advocates (including those of us at the Office of the Privacy Commissioner) that the applications feature on Facebook exposes users to significant privacy risks, are warranted.  As well, the collection and use of this data by third-party developers could mean that some developers aren’t complying with PIPEDA, Canada’s private sector privacy legislation.

Something to think about the next time you feel like throwing a sheep.

University of Ottawa law professor Michael Geist has launched iOptOut, a website allowing Canadians to opt out of unsolicited phone calls and emails. iOptOut is meant to complement the federal government’s Do-Not-Call list, expected sometime in the fall of this year:

“By registering with iOptOut, you inform the organizations that you select listed in our database that you do not want them to call you. Under the federal Personal Information Protection and Electronic Documents Act (PIPEDA), these organizations would be required to respect your request. At the present time, iOptOut relies on PIPEDA, which overrides Bill C-37’s exemptions.

If an organization contacts you after you make a do-not-call request to it through iOptOut, PIPEDA allows you to enforce your request by filing a complaint with the Privacy Commissioner.”