Archive for the ‘Public Organizations’ Category

15 Apr 2009

Further evidence on how the online and the private truly MESH

Once again, folks from the Office attended “Canada’s web conference”, MESH 2009, in Toronto – a place where flacks, marketers, hackers, people with money to spend, people looking for money, and activists gather and talk about how the web is “affecting media, marketing, business and society as a whole”.

Just ten minutes at this conference is a lesson in how much human communication has changed. People don’t generally put up their hands to ask questions – instead they send messages to the organizers through Twitter. When Toronto Mayor, David Miller (who is known for using the web to get information out to citizens) gave his keynote, and was subsequently interviewed onstage, he paused several times to either tweet or to read new messages he was receiving. And gone are the days of hanging around after a presentation to fill out a feedback form – at this conference people send tweets about the quality of a speaker or session as it’s unfolding, causing others to abandon simultaneously-running sessions to join the one that’s getting all the attention.

All it takes is a quick glance at some of the sessions that were offered (“managing your persona online”; how to integrate social media into your marketing plan”; and “using online word of mouth” are just a few examples) to see how privacy is intertwined with the new online reality. One keynote speaker, Jessica Jackley, co-founder of, the world’s first peer-to-peer online micro-lending web site, is living proof of how the Internet can be used for good. But isn’t privacy also a theme here, what with the online financial transactions that make the whole thing possible, not to mention the protection of the personal details of both the lenders and entrepreneurs?

The MESH conference tagline is “connect, share and inspire” and one of the themes is while social media can be “a difficult reality for some companies, it also offers tremendous opportunities for both businesses and individuals to communicate, collaborate, entertain and inform”. These are exciting words and ideas – as long as we don’t forget the important privacy implications that go hand-in-hand with them.

22 Aug 2008

A clarification on court decisions

Speaking at the Canadian Bar Association Conference earlier this week, the Privacy Commissioner talked about the privacy implications of courts and administrative tribunals posting to the web decisions and other documents containing personal information.

While her speech generated a handful of articles, her comments created a bit of a stir when one newspaper article misinterpreted what she had said, suggesting that the Commissioner was proposing that all court decisions be scrubbed of personal information before being made widely available.  Of course, neither the Privacy Act nor the Commissioner’s mandate applies to the courts.  In her speech, the Commissioner was actually discussing the legal obligations of government institutions subject to the Privacy Act. (You can read the transcript of her speech here.)  These institutions have tended to evoke the practices of the courts as a justification for the disclosure of personal information, a tendency that inspired the Commissioner’s remarks.  Other interpretations of the Commissioner’s comments better capture her concerns.

Below is the commissioner’s letter to the Toronto Star which appeared yesterday morning.

Re: Hide IDs in court rulings, privacy chief says, Aug. 20

I am writing to correct a false impression left by the article. My mandate does not extend to the courts. However, it is interesting to note that they, like my office, have been wrestling with the issue of posting personal information online. My role is to ensure that federal administrative tribunals respect the privacy rights of Canadians.

Ordinary Canadians provide their personal information to these tribunals for various reasons. They may, for instance, be seeking access to a government benefit or reparation for an alleged government mistake.

A law-abiding citizen fighting for a government benefit should not be forced to expose her medical history or other highly sensitive personal information to public scrutiny. They should not have to abandon their privacy rights.

My office has recently investigated complaints about the online posting of personal information by several administrative tribunals. We expect to release our findings in these cases in the fall.

Jennifer Stoddart, Privacy Commissioner of Canada

23 Jun 2008

A word on copyright reform

Last week, after months of speculation from critics and the media, the Minister of Industry unveiled new amendments to Canada’s intellectual property law, the Copyright ActPrevious attempts to revamp the legislation in 2005 dropped off the radar when Parliament went into election mode.  This largely extinguished public debate of the bill, which Canada’s privacy champions had spoken out against.  At the time, the privacy commissioners of Canada, Ontario and British Columbia all expressed similar concern over the government’s direction.

Two years later, it looks as though opposition is igniting again – with a host of opposition critics, legal experts, consumer advocates, IT professionals, educators and media weighing in on the repercussions to be felt if various provisions of the new law actually come into force.  One advocacy group, organized online through Facebook, has attracted tens of thousands of members, all opposed to the legislative provisions.

Parliament is to adjourn for the summer this week, so lawmakers will not examine the bill in depth until the fall – after they’ve had time to digest months of feedback from constituents, industry and others.  With the bill’s new emphasis on customer monitoring by Internet service providers, being rolled out at the same time as deep packet inspection, the increasing behavioural targeting of advertising and new provisions for government investigators to access internet customer data, we expect MPs will be hearing from their constituents – whether at barbeques or by mail – over issues ranging from consumer profiling to citizen surveillance, from online anonymity rights to questions of intellectual freedom.

To get more information on this summer’s debate over the future of the Internet in Canada, check the links.

29 Apr 2008

“Wacky” and proud of it!

Last week, Al Kamen of the Washington Post published an ironic article lightly criticizing his Homeland Security Chief Michael Chertoff about his statement that fingerprints aren’t personal information.

Any thoughts?

18 Apr 2008

Our Top Ten list of Privacy Act fixes

Tool jar

The Privacy Act, the federal privacy law requiring federal government bodies to respect individual privacy rights, hasn’t been substantially updated since 1982 – the same year the Commodore 64 was released and we stopped calling July 1 Dominion Day. What’s interesting about these changes is they could be implemented immediately and relatively easily – and the benefit to Canadians would be a privacy law that is modern, responsive and efficient.

As readers of this blog will know we are quite fond of the Top Ten list. So today, we present you with our list of the Top Ten fixes for the Privacy Act:

10. Parliament could create a legislative requirement for government departments to show the need for collecting personal information.

9. The role of the Federal Court could be broadened to review all grounds under the Privacy Act, not just denial of access.

8. Parliament could enshrine into law the obligation of Deputy Heads to carry out Privacy Impact Assessments prior to implementing new programs and policies.

7. The Act could be amended to provide the Privacy Commissioner with a clear public education mandate. PIPEDA contains such a mandate for private sector privacy matters. Why shouldn’t the Privacy Act for public sector matters?

6. The Act could provide the Privacy Commissioner with greater flexibility to report publicly on the government’s privacy management practices. As it now stands, we are limited to reporting by way of annual and special reports only.

5. The Act could grant the Commissioner greater discretion at the front-end to refuse complaints or discontinue complaints if the investigation would serve no useful purpose or is not in the public interest. This would allow the OPC to focus our investigative resources on those privacy issues that are of broader systemic interest.

4. Parliament could amend the Act and align it with PIPEDA by eliminating the restriction that the Privacy Act applies to recorded information only. At the moment, personal information contained in DNA and other biological samples is not explicitly covered. (But fingerprints are, in case you thought otherwise.)

3. Parliamentarians could strengthen the annual reporting requirements of government departments and agencies under section 72 of the Act, by requiring these institutions to report to Parliament on a broader spectrum of privacy-related activities.

2. The Act could be amended to provide for regular five-year reviews of the legislation, as is the case with PIPEDA.

1. Finally, the Act currently does not impose a duty on Canadian government institutions to identify the precise use for which personal information is being disclosed abroad. An amendment to the Act could require the Canadian government to not only identify the precise use for the transfer of personal information to foreign states, but ensure that adequate measures are taken to maintain the confidentiality of shared information.

Read this for more information.

18 Feb 2008

Invisible people

BBC Radio 4 has a series of radio documentaries on Britain’s control rooms and surveillance systems…with a twist. In “Invisible People”, urban historian Joe Kerr interviews the people who work in these control centres about their jobs, tapping into the human side of Britain’s surveillance society.

21 Jan 2008

Privacy and reform of Canada’s Copyright Act

The reform of Canada’s Copyright Act has been a long and contentious process. We have long held that particular aspects of the copyright debate – and digital rights management technologies (DRM) in particular – could have an impact on the privacy of Canadians.

On Friday, the Commissioner sent a letter to the Minister of Industry and the Minister of Canadian Heritage reiterating our concerns about DRM and the proposed amendments:

“…If DRM technologies only controlled copying and use of content, we would have few concerns. However, DRM technologies can also collect detailed personal information from users, who often do no more than access the content on a computer. This information is transmitted back to the copyright owner or content provider, without the consent or knowledge of the user. Although the means exist to circumvent these technologies and thus prevent the collection of this information, previous proposals to amend the Copyright Act contained anti-circumvention provisions.

Technologies that report back to a company about the use of a product reveal a great deal about an individual’s tastes and preferences. Indeed, such information can be extremely personal. Technologies that automatically collect personal information about individuals without their knowledge or consent violate the fair information principles that are central to PIPEDA and most other privacy legislation…”

As well, the proposal to implement a “notice and notice” scheme, which would require network operators to retain records on network users, could pose difficulties for companies under PIPEDA.

“…These provisions would have allowed copyright holders to send written notice to Internet Service Providers (ISPs), informing them of alleged copyright violators on their network. The network operators would then be required to forward the notice to the alleged copyright violator and to retain records on network use for periods of up to a year while investigation of violations or court action took place. Failure to retain these records would have enabled rights holders to seek damages against the ISP of up to $10,000.

Allowing a private sector organization to require an ISP to retain personal information is a precedent-setting provision that would seriously weaken privacy protections. When this provision was proposed in a previous proposal to amend the legislation it did not include any threshold that had to be met before the notice could be issued, nor did it provide any means for the ISP to contest the demand to retain the data.

The extended retention periods create additional privacy concerns. PIPEDA requires that organizations retain personal information for only as long as necessary to fulfill the purposes for which the information was originally collected. Limiting the extent of data collection and period of retention is a key strategy to minimize the risk of data breaches of personal information…”

The Copyright Act certainly needs to be amended to reflect today’s realities – but any action should continue to take the privacy rights of Canadians into account.

18 Jan 2008

In this zero-sum game, we’re all losers

“We have a saying in this business: ‘Privacy and security are a zero-sum game.'”

This quote is attributed to Ed Giorgio, a former chief code breaker at the National Security Agency and current security consultant who is working on a plan proposed by the American government to closely monitor all Internet traffic in order to protect their information architecture from attack.

It’s not an uncommon belief among security experts that privacy and security are at opposite ends of a spectrum – in order to have one, you have to give up the other.

The problem with this perspective, though, is that it ignores the complementary nature of the two. As security guru Bruce Schneier responds, “Privacy is part of our security against government abuse.”

Worse, perpetuating this myth forces people to take one side over the other. If you want to protect your country from a crippling attack on its information architecture, you shouldn’t mind having your Google searches and personal emails scanned – or so the logic goes. The flip side of this logic implicates privacy advocates and defenders of civil liberty as ambivalent to national security concerns, or worse, traitors to their country.

It seems the better approach is to recognize that privacy and security can happily co-exist and that governments can develop policies that respect and protect the privacy of its citizens while ensuring national security against the threat of attack.

15 Jan 2008

Hands across the ocean

An article out of the UK this morning reports that the U.S. FBI is considering the development of an international database in collaboration with the U.K., Australia, New Zealand and Canada which could potentially make personal information – biometric data like iris, palm and finger prints – of its citizens instantly available to police forces in other partner countries. The U.S.-led program, called “Server in the Sky”, would aid forces in tracking down major criminals and suspected terrorists.

The proposal to link databases is ambitious: each proposed partner country has different standards for the collection, storage and use of biometric information.

Governments already share information across borders, but under strict controls designed to protect the rights, including the right to privacy, of innocent individuals. While international participation in the Server in the Sky program looks to be in its very early days, it will be interesting to see who participates, and how. In terms of Canadian participation, our citizens rightfully expect that their personal information remains safeguarded and understandably, could be reluctant to see that information freely shared with two countries that were ranked near the bottom of Privacy International’s ratings of privacy protection around the world.

31 Dec 2007

A new year’s errand list

As we close out 2007, we’d like to sound a note of caution for privacy rights in Canada. We are lucky to have a variety of protections for personal information and data at the territorial, provincial and federal levels. Nevertheless, the Commissioner took a moment last week to highlight some of the steps that need to be taken by individuals, corporations and the government in the face of continuing challenges:

“Heightened national security concerns, the growing business appetite for personal information and technological advances are all potent – and growing – threats to privacy rights,” said Commissioner Stoddart. “The coming year will be another challenging one for privacy in Canada.”

What challenges, you may ask? Privacy International, a London-based non-governmental organization, issued their annual report on privacy protection world-wide. Canada was one of three countries recognized as a world-leader, but we were criticized on several fronts:

  • Federal commission is widely recognised as lacking in powers such as order-marking powers, and ability to regulate trans-border data flows
  • Variety of provincial privacy commissioners have made privacy-enhancing decisions and taken cases through the courts over the past year (particularly Ontario)
  • Court orders required for interception and there is no reasonable alternative method of investigation
  • Video surveillance is spreading despite guidelines from privacy commissioners
  • Highly controversial no-fly list, lacking legal mandate
  • Continues to threaten new policy on online surveillance
  • Increased calls for biometric documents to cater for U.S. pressure, while plans are still unclear for biometric passports