
The Privacy Advisor | Global Privacy Dispatches - Canada


By John Jager, CIPP/C

The Office of the federal Privacy Commissioner (OPC) recently released a Report of Finding under the Personal Information Protection and Electronic Documents Act—PIPEDA Case Summary #2009-010—in which the assistant privacy commissioner investigated a complaint involving the use of deep packet inspection (DPI) by an Internet service provider.
The complaint:
The complainant alleged that Bell Sympatico (Bell) used DPI technology to collect and use customers’ personal information (PI) without consent; that Bell collected more personal information than necessary to fulfill the stated purposes (to ensure network integrity and quality of service); and that customers were not adequately informed about the company’s practices and policies concerning the collection of PI during use of the Internet.

Findings:
The assistant commissioner first considered whether the information Bell collected or used for DPI was “personal information” as defined in section 2(1) of PIPEDA. The assistant commissioner found that Bell collected users’ IP addresses, subscriber ID/user identifiers of Bell customers, and application type. As Bell binds an IP address to a subscriber ID, the IP address can be traced back to an individual Bell subscriber, and thus, in this context, the IP addresses are PI.
Based on wording in Bell’s Internet Service Agreements (ISAs), the investigation determined that an individual could reasonably expect that some personal information could be monitored. However, it was also determined that individuals were not clearly informed of the specific purposes of the uses of their PI. According to the findings, the language of the ISAs contained open-ended descriptions and overly broad language from which an individual would not be able to reasonably understand how their PI could be used or disclosed.

The assistant commissioner found that Bell was not collecting or using more PI than necessary for the purpose of network traffic management.

Lastly, the investigation considered whether Bell adequately informed its customers about its policies and practices relating to DPI. The OPC found that the information provided was fragmented and not readily available on the company’s Web site.

Recommendations:
The report included the following recommendations for Bell to improve transparency about its policies and practices:

  • to clarify the extent to which a specific paragraph in the ISAs related to traffic-management practices;
  • to integrate policies and practices about network traffic management into one format that is accurate, easily identifiable, retrievable, and understandable;
  • to develop Frequently Asked Questions (FAQs) about traffic-management practices and the privacy impact on customers; and
  • to revise a specific question concerning traffic management to state that PI is collected.

Bell’s response to the recommendations:
Bell implemented a number of measures in response to the first three recommendations. Bell said that it has not adopted the fourth recommendation because it considers that the brevity of the traffic management process results in there being “…no ‘collection,’ per se, of the IP addresses linked to the subscriber IDs in this particular context.”

John Jager, CIPP/C, is vice president of research services at Nymity, Inc., which offers Web-based privacy support to help organizations control their privacy risk. He can be reached at john.jager@nymity.com.
