Canada Dashboard Digest

Are you sick of hearing about Heartbleed? If you are, you may want to skip some of the stories profiled in this week’s Dashboard Digest. If, however, you are like me, you might still be confused by the array of stories about the technical vulnerability, how it works and what damage it might have caused. I had to do a fair amount of self-study this week to prepare for an on-air interview with the CBC, and I must admit that the more I read about it, the more questions I had.

One thing is for sure: We work in an increasingly dynamic industry where things change faster than ever. What was once considered secure is actually not. Safeguards that you thought were good enough, aren't. I suppose that’s all the more reason the privacy professional needs tools like the Dashboard Digest—to try and stay on top of what’s going on.

With respect to the Heartbleed saga, we felt that you deserved even more opportunity to learn about it, so we have added a session to this year’s Symposium that promises to educate privacy professionals on exactly what they need to know about the vulnerability. I hope you can make it to Toronto if you're keen to learn more.

Somewhat overshadowed by Heartbleed were two rather significant decisions from Commissioners Denham and Cavoukian. Read on to learn more because these, too, are important events. 

Have a great weekend, and happy (Easter egg) hunting!

Kris Klein
Managing Director
IAPP Canada

Top Canadian Privacy News

FINANCIAL PRIVACY

Study: Hackers Outpacing Bank Security (June 30, 2011)

Evidence in a recent study suggests that large credit card-issuing banks are not keeping up with the technological sophistication of hackers, TIME reports. One research firm analyzed and graded the online security practices of the financial sector's 23 largest card-issuing institutions. Based on a 100-point scale, the average score was a 59. "The good news is issuers are doing a better job overall of resolution, but that's the easiest thing to do," says the study's lead author. "Prevention is the hardest to do, but it's got the biggest payback." The study also noted that banks have a strong record of eliminating fraudulent charges from individuals' bank accounts.

SOCIAL NETWORKING

Privacy Emphasized in New Google Network (June 29, 2011)

Google has introduced a new social networking service that will allow users to communicate status updates, photos and links, The New York Times reports. The Google+ project will initially be available to a "select group" of Google users, according to the article, who will then be able to extend the network by inviting friends and groups into the network. Though many of the features will be similar to Facebook, Google's site is engineered to allow small groups to share information without sharing updates with all of an individual's friends. "In real life, we have walls and windows, and I can speak to you knowing who's in the room," says a Google representative, "but in the online world, you get to a 'Share' box and you share with the whole world...We have a different model." (Registration may be required to access this story.)

STUDENT PRIVACY—CANADA

District: No Posting School Pics Online (June 27, 2011)

The Winnipeg School Division has adopted a new policy aimed at protecting children. The policy forbids posting photos or video of public school events to the Internet, reports the Edmonton Journal. Kristine Barr, chairwoman of the division's policy/program committee, said that parents can photograph events for personal use, but any photos or video that include children other than their own may not be posted online. Principals will be responsible for notifying people of the rule and asking them to remove disallowed content from the Internet. Barr says she recognizes this will be "difficult to enforce" but that the division hopes parents, staff and others will comply. 

DATA LOSS

Critics: Breach Response Has Been Lackluster (June 27, 2011)

The Globe and Mail reports that Citigroup's handling of its recent data breach is drawing criticism. Following a hack by cybercriminals that exposed more than 360,000 credit card accounts, Citigroup did not offer to buy those affected one year of preventative credit monitoring services, as has become typical for companies after a breach occurs. The deputy director of national priorities for Consumer Action said that consumers "might want to turn to Citibank and ask them to do more." Marc Rotenberg of the Electronic Privacy Information Center said, "Citigroup needs to take this recent breach more seriously than they have." Meanwhile, Citigroup has disclosed that about 3,400 of those affected have lost about $2.7 million.

DATA LOSS

More Companies Train and Prepare for Breaches (June 27, 2011)

Business Insurance reports on the growing concern businesses have in the face of increased hacker attacks and cybersecurity risks. The report notes that breach preparation will place a business in a better position to appropriately respond to an event and, subsequently, improve its ability to receive cyber risk coverage from insurers. Vinny Sakore, CIPP/IT, of Immersion Ltd. says, "With data breaches, experience is critical," adding that it's important for consultants to improve client awareness of data breach issues. Rick Prendergast at Kroll Fraud Solutions says that breach costs have risen 22 percent since 2009, prompting more companies to take breaches more seriously and "to certify that breach training has taken place across the enterprise."

HEALTHCARE PRIVACY

Medical Identity Theft on the Rise (June 27, 2011)

Chronicling the story of a man whose roommate stole his medical identity, NPR's "Marketplace" explores the rise in medical identity theft and the effect it has on victims. A recent Ponemon Institute study found that victims of medical identity theft spend, on average, $20,000 in lost time, increased insurance premiums and legal fees, and the report points out that "Once another patient masquerades as you, your medical records are inaccurate, and that can jeopardize your future treatment." Electronic medical records should make tracking thieves easier, the report states, but Pam Dixon of the World Privacy Forum says hurdles remain.

PERSONAL PRIVACY

Companies Help Individuals Control Personal Data (June 27, 2011)

In light of the vast amount of information that is collected online, companies are emerging with an alternative business model that allows consumers to control their personal data, The Mercury News reports. Instead of cookies that track consumers online, some companies are attempting to create a new model where individuals could access and track their personal information and refute false personal information that might exist on the Web. Additionally, Google has launched "Me on the Web" to help individuals monitor their personal data. One startup's CEO says, "We felt like there was a huge opportunity to turn the consumer model upside-down--to help people manage, create and grant access to the best data about themselves."

DATA LOSS

External NATO Website Breached (June 24, 2011)

The North Atlantic Treaty Organization (NATO) has released a statement announcing that a NATO-related website, operated by a third party, has been compromised, TIME reports. In addition to blocking access to the site and providing customer notification, the statement noted that "NATO's e-Bookshop is a separate service for the public for the release of NATO information and does not contain any classified data." NATO also announced, according to the report, that it has created a "cyber defense action plan" that will deal with growing cybersecurity threats.

ONLINE PRIVACY

Opinion: Biggest Problem is Policies (June 24, 2011)

In an op-ed for ITWorld, Dan Tynan writes that while online privacy is based on a clear concept--people should have control over their personal information--the average privacy policy is not. "If you want people to understand privacy--and maybe not be either so blasé or so paranoid about how their data is being used--we need privacy policies that human beings can understand," he writes. Using real-life examples of how confusing policies can be, Tynan outlines his suggestion for a pop-up box with four bullet points outlining simple facts about websites' collection and use practices and ways to opt out.

FINANCIAL PRIVACY

Commissioner Monitoring U.S. Tax Law (June 24, 2011)

Privacy Commissioner Jennifer Stoddart is "closely monitoring" a U.S. law that is slated to pursue tax evaders living abroad, The Globe and Mail reports. U.S. tax authorities plan to require foreign financial institutions to disclose the amount of money held by American accountholders. A spokeswoman for Stoddart said, "The concern is the collection of customers' personal information and the transfer to the U.S." The U.S. law, which will go into effect in 2013, would pressure Canadian banks, brokers, insurers and mutual funds to collect U.S. Social Security numbers and account balances and share them with the Internal Revenue Service. According to the report, Finance Minister Jim Flaherty is seeking an exemption, saying that Canada is not a "tax haven."

BIOMETRICS

Denham To Audit Facial Recognition Use (June 24, 2011)

British Columbia Privacy Commissioner Elizabeth Denham has said she will monitor the use of Insurance Corp. of British Columbia (ICBC) footage to identify post-Stanley Cup rioters in police investigations. The Province reports that under the Freedom of Information and Protection of Privacy Act, ICBC is permitted to hand over information to police with a court order, but Denham said she will "ensure that imagery that is identified for this investigation will not be used for further investigations of the police." An ICBC spokesman noted that the police will not have access to the image database but will provide an image and a court order, and ICBC will look for a match.

PRIVACY LAW

Supreme Court To Hear Jury Vetting Cases (June 24, 2011)

The Globe and Mail reports that the Supreme Court of Canada has agreed to hear appeals from four men who claim their trials were tainted by jury vetting. Three of the men were convicted of murder in 2005 and one of fraud in 2008. The Ontario Court of Appeals dismissed earlier appeals by the four men claiming that police and prosecutors conducted secret background checks on jurors, affecting their trials. The cases prompted an investigation by Ontario Privacy Commissioner Ann Cavoukian, who determined the background checks had violated privacy legislation and ordered an end to the practice.

PRIVACY LAW

Work Requests Leave for Supreme Court Appeal (June 24, 2011)

Alberta Information and Privacy Commissioner Frank Work is asking for a leave from his position in order to contest an Alberta Court of Appeals decision to the Supreme Court of Canada. The decision declared that "an organization's methods of collecting personal information must only be reasonable and need not be the least-intrusive method," reports Canadian Technology & IP Law. Work argues the decision gives organizations a way around PIPA and sets a "dangerous precedent" that will compromise privacy rights.

PRIVACY LAW

Petition Launched to Oppose Bills (June 24, 2011)

More than 30 organizations, businesses and academics are opposing a trio of bills expected to be introduced later this year. Straight.com reports that OpenMedia.ca has launched an online petition against bills C-50, C-51 and C-52, which are expected to be included in omnibus crime legislation in September, the report states. OpenMedia.ca says the bills would allow for warrantless information gathering and increased surveillance by law enforcement authorities. "Every provincial privacy commissioner...has spoken out against this," said OpenMedia.ca Communications Manager Lindsey Pinto, who added, "This could set a very negative precedent for surveillance in Canada."

PRIVACY

Awards To Fund Privacy Research (June 24, 2011)

Privacy Commissioner Jennifer Stoddart has announced the recipients of the 2011-2012 Contributions Programs, which will provide $350,000 for privacy research and public education initiatives. Recipients will use the funds to advance privacy research. Initiatives include the creation of a cross-media game to teach children about privacy; an interactive educational package about protecting personal privacy for teachers to use; and a study focusing on the interaction between private-sector data gatherers and law enforcement authorities. Stoddart said funding privacy research and outreach "generates new ideas, approaches and information, which Canadians can use to make smart decisions about protecting their personal information."

ONLINE PRIVACY

Experts: The Internet Never Forgets (June 24, 2011)

Amidst fallout from post-Stanley Cup riots in Vancouver, the Ottawa Citizen talks to Internet experts about the potential damage online images can do to a person's reputation. Once information is on the Internet, some experts say, it's there for good. But people can manage their online reputation by posting positive information about themselves or hiring companies with "reputation advisors" to shape their online personas. Google recently launched a tool that alerts people when information has been posted about them online and suggests how to remove unwanted postings. However, a London technology analyst notes, "the Internet does not have a delete button."

DATA LOSS

Study: Breaches More Frequent and Severe (June 23, 2011)

A Ponemon Institute study has found that 90 percent of businesses experienced a data breach in the past year, and attacks were more severe and difficult to prevent. Network World reports that mobile devices--employee laptops, smartphones and tablets--are responsible for most breaches, while business partnerships also elevate risk. Fifty-three percent of businesses reported a low level of confidence in their ability to avoid future attacks, which the authors attribute to "the fact that so many organizations are having multiple breaches." An MSNBC report outlines ways for individuals to protect themselves in light of the recent "seemingly endless string" of data breaches, and according to the report, most aren't made public. Meanwhile, CIO has posted an online quiz to test readers' knowledge of data breaches.

ONLINE PRIVACY

Browser Updates Do-Not-Track Option (June 23, 2011)

Mozilla has made its new do-not-track option easier to find and set in its latest Web browser update, ZDNet reports. Firefox 5 is the first in the company's accelerated release cycle--a plan to release browser updates every three months. The latest update also includes a do-not-track mechanism for the Android version of the browser. Mozilla's do-not-track feature relays header information to advertising companies, which then have the option to honor the request to avoid data collection. Microsoft's Internet Explorer 9 also features a do-not-track mechanism, but unlike Firefox, the report states, it uses a "tracking protection list--essentially a block list to decide which third-party elements of a Web page to block or allow."

ONLINE PRIVACY—CANADA

Commissioner: Dating Sites Must Improve Privacy (June 22, 2011)

Internet dating site eHarmony says it is in the process of providing users with options to permanently delete their online accounts after an investigation by Canada's privacy commissioner, the Toronto Star reports. The investigation followed a complaint from an eHarmony customer who said the dating site told her that her account and personal information could not be permanently deleted, despite her requests. Stoddart's investigation, included in her annual report tabled yesterday in parliament, also found that "a quick scan of other sites reveals that some do not even have the privacy policies. Some that have privacy policies do not specify how they handle personal information after a user is no longer active on the site." Canadian privacy attorney and IAPP Canada Managing Director Kris Klein, CIPP/C, told the Daily Dashboard that Stoddart's eHarmony investigation is interesting because "Facebook was in trouble for a very similar thing. It was very public, what Facebook had to do to change itself and comply, yet eHarmony didn't until now." Klein added he will be "curious to see how many more people have to get in trouble before companies just proactively do the right thing."

SURVEILLANCE—CANADA

OPC Bringing Airport Authority Case to Court (June 22, 2011)

Privacy Commissioner Jennifer Stoddart is calling for a court decision after a Greater Toronto Airports Authority (GTAA) employee used surveillance equipment to track her ex-husband through the airport, the Toronto Star reports. Stoddart detailed the unresolved complaint in her report to parliament, noting the GTAA did not respond to a request for information in the 30 days required and "held more personal information about the complainant than it had provided in its belated response to the complainant's access request." Stoddart is asking the court to find the GTAA "failed to meet its obligations under PIPEDA," require implementation of the commissioner's recommendations and award damages to the complainant.

PRIVACY LAW—CANADA

Annual Report Issued: Company’s Improvements Insufficient (June 21, 2011)

An audit by the privacy commissioner of Canada has found that Staples Business Depot stores failed to wipe clean the hard drives of devices intended for resale, despite commitments to address such problems. Included in a report to parliament on the Personal Information Protection and Electronic Documents Act (PIPEDA), which was tabled today and includes information on other ongoing investigations, Commissioner Jennifer Stoddart's audit found that the office supply store "did improve procedures and control mechanisms after our investigations," but they were "not consistently applied nor were they always effective, leaving customers' personal information at serious risk." The company had said it would take corrective action following two complaints to the commissioner. The audit found that of 149 data storage devices, one-third still contained customer data.

DATA LOSS

Online Network Hacked, 1.3 Million Affected (June 21, 2011)

A recent rash of cyberattacks continues, this time affecting 1.3 million members of Sega's online video game network, Sega Pass. Reuters reports that names, birth dates, e-mail addresses and encrypted passwords of users were stolen from the database. Sega Europe discovered the breach on Thursday and notified network users and Sega Corp, which then shut down the site. A company spokeswoman apologized for the breach, saying that Sega is working on improving security measures. A hacker group responsible for attacks on other video game sites has offered to track down these hackers, according to the report.

PRIVACY LAW

Bill Could Affect ISPs and Law Enforcement (June 17, 2011)

The Globe and Mail reports on planned legislation that would make it mandatory for ISPs and search engines to log and retain communications at the request of law enforcement entities. Under the proposed legislation, authorities would not need a warrant. The Investigative Powers for the 21st Century Act, Bill C-51, was originally introduced during the last parliament and will be reintroduced as part of a "super crime bill," the report states, adding, "The big six ISPs that dominate Internet access in Canada...have been relatively quiet about their views on the subject."

PERSONAL PRIVACY

Board Violates Privacy Rules (June 17, 2011)

Alberta's privacy commissioner has ruled that the Workers' Compensation Board (WCB) contravened privacy rules by disclosing the personal information of a worker to a doctor, CBC reports. Gail Cumming, a privacy consultant, says that WCB staff needs better training. She added, "So I have circumstances where they've violated the Freedom of Information and Protection of Privacy Act (FOIP), I've brought it to their attention; they've indicated it's a 'whoops.' And only the WCB is allowed to have a 'whoops' when it comes to FOIP."

DATA PROTECTION

Report: Don’t Stop Anonymizing (June 17, 2011)

In the wake of high-profile cases raising questions about how effective the process of anonymizing customer data is, a report from Ontario Information and Privacy Commissioner Ann Cavoukian and the University of Ottawa's Khaled El Emam has found that "de-identification is an important means to safeguard privacy," ReadWriteWeb reports. "Not only does de-identification protect individual privacy, it also enables the valuable use of information for authorized secondary purposes, such as health research, which benefits not only individuals but society as a whole," Cavoukian said. The study found that while 100-percent anonymization could not be guaranteed, re-identification is not easily accomplished. Editor's note: IAPP members, watch for more about Khaled El Emam's work on de-identification in the next edition of The Privacy Advisor, which comes out on June 28.

DATA PROTECTION

Survey: Canadian Businesses Not Concerned About Potential Breaches (June 17, 2011)

Research company Ipsos Reid's recent survey of 1,011 companies showed that 47 percent said they are not worried about the repercussions of losing sensitive data, Canada.com reports. Thirty-eight percent said they did not have a protocol for storage and disposal of sensitive information, the report states, and 28 percent said they weren't aware of their legal obligations when it came to data protection. "Most people have the opinion that it will never happen to me," said one chief security officer.

GEO PRIVACY

Opinion: Advances in Vehicle Technology Create Risks (June 17, 2011)

In an opinion piece for the Toronto Star, President of the Toronto Automobile Dealers Association Sandy Liguori writes that as vehicles' computer systems become increasingly sophisticated, potential threats are "waiting to be exploited" and calls for a more aggressive stance from governments, companies and law enforcement. Meanwhile, Nissan is looking into a blogger's claims that the navigation systems in its Leaf vehicles send drivers' location data to third parties. A SeattleWireless.net blog post claims that the information is transmitted via Nissan's subscription-based Carwings system when a driver updates his RSS feeds. (Registration may be required to access this story.)

DATA PROTECTION

Council Releases PCI Standards Guiding Document (June 16, 2011)

The Payment Card Industry Security Standards Council has released a set of guidelines for companies to ensure compliance with industry standards, Computerworld reports. The 39-page document describes how each of the 12 PCI security requirements can be applied in a virtual environment, the report states, and offers recommendations on how to stay compliant in the cloud, delineating between entities' and cloud vendors' responsibilities. "Consequently, the burden for providing proof of PCI DSS compliance for a cloud-based service falls heavily on the cloud provider," the document states. The guidance is the "best document that the PCI Security Standards Council has written to date," an independent PCI consultant said.

SOCIAL NETWORKING

LinkedIn Privacy Changes Point To Social Ads (June 15, 2011)

MediaPost News reports that LinkedIn's privacy policy updates hint at the introduction of "social ads" based on users' activities. LinkedIn "appears eager" to avoid privacy issues, the report states, and will allow users to opt out of social ads. "Most importantly, we do not provide your name or image back to any advertiser when that ad is served," one LinkedIn official noted, while another said, "This upcoming change to the privacy policy reflects the evolving ways in which our members are using the LinkedIn platform, and it allows us to explore this area should we choose."

DATA PROTECTION—CANADA

Commissioner Calls for a Change in Thinking (June 15, 2011)

Ontario's privacy commissioner has released a white paper on how organizations can build privacy into legacy systems, reducing data loss risks, SC Magazine reports. Replacing systems that have already been built without privacy considerations is often not an option, Commissioner Ann Cavoukian said at a Toronto event this week. Instead, organizations should create technologies that incorporate privacy as a default by limiting the amount of personal information collected, reducing the amount of time that it's stored and encrypting retained data, among other initiatives. Cavoukian also shared concerns about WiFi systems' ability to report users' location data.

PRIVACY

“Cyberinsurance” in High Demand (June 15, 2011)

The "cyberinsurance" industry is experiencing an uptick in business with recent high-profile breaches driving companies' desire to protect themselves from spending potentially millions of dollars on breach-related costs. Companies are upgrading IT and human resources practices and training employees in order to get coverage--in some cases worth hundreds of millions of dollars. "Consensus is building" on what policies cover, but standardization remains a hurdle, says one insurance expert who predicts, "One day the industry will actually be so robust that...we'll have the leverage to actually create standards." A Ponemon Institute study shows the average breach cost $7.2 million last year, "But with the scale and scope of hacking attacks growing daily, some companies cannot be cautious enough," the report states.

PRIVACY

Experts Discuss the State of Privacy (June 14, 2011)

In his blog, "my heart's in accra," Harvard's Ethan Zuckerman writes about the Hyper-public conference in Cambridge, MA, last week, where privacy experts discussed the state of privacy worldwide. Berkman Center Director Urs Gasser described a Swiss Court's privacy ruling putting restrictions on Google's Street View mapping feature in public spaces and forbidding it in private spheres, indicating the "complexity of delineating between public and private" and pointing to the need for a "nuanced definition of privacy." John Palfrey of Harvard Law School suggested young people have not given up on privacy but don't yet know how to "navigate these new spaces," while conference organizer Judith Donath discussed societies' evolving norms around privacy.

PRIVACY

Commissioners Honored (June 10, 2011)

Canadian Privacy Commissioner Jennifer Stoddart and Ontario Information and Privacy Commissioner Ann Cavoukian both received awards this week honoring their work in the privacy field. Cavoukian received the 2011 Kristian Beckman Award from the International Federation for Information Processing, which is given annually to an individual who has "significantly contributed to the development of information security, especially achievements with an international perspective." The Montreal Gazette reports on Stoddart's selection as a recipient of the Barreau du Québec's Mérite Christine-Tourigny "for her remarkable work in the protection of personal information and because of the significant impact of her professional actions on the evolution of law in that area."

PERSONAL PRIVACY

Artificial Intelligence Prompts Privacy Concerns (June 10, 2011)

The Globe and Mail reports on the growing use of artificial intelligence (AI) by businesses to mine and consolidate customer data. AI can collect and store information about individuals, including their payment habits and location information, allowing companies "to track our habits." According to the article, "some advocates argue that privacy issues should be a public concern and that action is required to safeguard information," while a computer science expert said, "We have to get over, at some point, the idea that we have privacy. We don't...We have to redefine what privacy means."

DATA LOSS

Bank Misplaces Personal Information (June 10, 2011)

Three CD-ROMs that listed the names, addresses, account numbers and social insurance numbers of Scotiabank customers have gone missing, the Toronto Star reports. Describing the incident as an "extremely rare occurrence," the bank said the parcel containing the information "has gone missing while in internal mail between two" departments. Scotiabank has notified its customers, but, according to the article, it has not been determined how many customers were affected.

PERSONAL PRIVACY

Debate Surrounds Offender Website (June 10, 2011)

Legislators in Ontario have proposed publishing the province's sex offender registry--which includes approximately 14,100 individuals--on a publicly accessible website, The Canadian Press reports. Proponents think it is "an essential tool that would better protect children from predators," but critics have expressed concern that it could cause "vigilante action." Information and Privacy Commissioner Ann Cavoukian questions what could be gained and what could result from the website. She notes that police already track registered sex offenders and can disclose information to the public if there is a potential threat. "It might also lull the public into a false sense of security," she said.

DATA LOSS

Conservative Party Donor Info Hacked (June 10, 2011)

Hackers who broke into the Conservative Party's website claim to have accessed the personal information of individuals who donated to the party through the site, reports the Toronto Star. The data includes names, addresses, e-mail addresses and, in some cases, partial payment card numbers. A Twitter post by a user claiming responsibility for the hack linked to a webpage listing 1,719 individuals' data and an offer to download thousands more, the report states. A Conservative Party spokesman said that while much of the information stolen is publicly available, it will contact all those affected and continue to investigate "as well as work with authorities on this matter."

DATA THEFT

Expert: Gov’t Must Improve Cybersecurity (June 10, 2011)

With the rise of high-profile data breaches spawned by hacker groups, one expert thinks the federal government needs to strengthen its cybersecurity strategy, The Vancouver Sun reports. Calling it "BreachFest 2011," the expert said, "it's now become apparent that the ecosystem that we communicate in has some serious problems globally." He also discusses a recent report that attacks originating from Chinese servers may have accessed classified information from the Treasury Board, Department of Finance and Department of National Defense. He argues that the federal government should give existing authorities more resources, not more powers.

ONLINE PRIVACY

Opinion: On Clouds and Crime Laws (June 10, 2011)

Two perspective pieces in The Vancouver Sun touch on recent developments that have implications for privacy and data protection. Bill Keay follows up on Apple's move to the iCloud. For consumers, "stepping into the cloud requires a leap of faith," Keay writes, adding that cloud servers are "a rich target for hackers." In another commentary, Ian Mulgrew discusses the impact on privacy and civil liberties of the Conservative government's "tough-on-crime" legislation, saying, "Neither the government, RCMP nor the national security agencies has provided evidence we need to allow this incredible intrusion."

SOCIAL NETWORKING

Increased Lawsuits from Workplace Use (June 10, 2011)

Lawsuits and labour disputes stemming from the use of social media in the workplace are on the rise, The Vancouver Sun reports. According to polls cited in the article, nearly 75 percent of Canadian employees use social networking sites at work, and 45 percent of managers use them to vet potential candidates. One lawyer said that companies should establish an "appropriate-use policy" that sets clear parameters for employees. He added, "There's no 'cookie-cutter, one-size-fits-all' policy...You have to think of the nature of your business, the culture of your organization and the resources at your disposal."
Full Story

SOCIAL NETWORKING

Regulators: Facial Recognition Concerns Abound (June 10, 2011)

Privacy concerns continue to surface in the wake of the announcement of Facebook's new facial recognition feature, with regulators being called upon to investigate. The Electronic Privacy Information Center (EPIC) is organizing an effort in the U.S. to file a complaint with the Federal Trade Commission, Financial Times reports, while in Europe, the Article 29 Working Party, Irish DPA, UK Information Commissioner's Office and German DPA are among those raising concerns. "Again Facebook has changed its Privacy Declaration without the users' consent," said German Data Protection Commissioner Peter Schaar, adding, "I do not think that Facebook's action conforms to European and German data protection law."
Full Story

BEHAVIORAL TARGETING

IPv6 Rollout Could Necessitate Privacy Rethink (June 9, 2011)

Yesterday, hundreds of companies began testing the next-generation Internet address protocol--IPv6. The new standard will replace IPv4, which is running out of unique IP addresses for the world's many devices, Computerworld reports. IPv6 will "have the ability to profile Internet behavior to more accurately target online ads," writes Laurie Sullivan for MediaPost. And although it is too soon to tell, "IPv6 could likely require companies to go back to the drawing board and renegotiate privacy laws with the SEC because of the ability to identify more granular data collected through ad targeting," she adds.
Full Story

ONLINE PRIVACY

Investigation Finds Apps Put Data at Risk (June 9, 2011)

A computer security firm has found that some popular mobile applications store users' personal data in plain text on their mobile devices, reports The Wall Street Journal. The viaForensics investigation found information such as unencrypted user names, passwords and transaction amounts on smartphones, which goes against industry best practices. "Data should not be stored on a phone," said Andrew Hoog, chief investigative officer of viaForensics. Hoog also said that while app developers are becoming more aware of data security issues, the fact that vulnerabilities still exist indicates security is not a top priority. One app maker's spokeswoman said that it's necessary for some information to be stored on phones, and the practice is allowed by the PCI Security Standards Council. (Registration may be required to access this story.)
Full Story

DATA LOSS

Opinion: Management Lessons from Breaches (June 8, 2011)

The Financial Times reports on lessons that should be gleaned from data breaches that have affected several large companies. Saying that recent high-profile data breaches were "more a failure in management than a failure in security," the column notes that chief executives should place data governance on par with processes such as financial reporting and brand management. A major breach of privacy can have an effect on a company similar to a product recall or defect. "Managing consumers' data and privacy is an executive matter of the highest priority," the column states, adding that security efforts like encryption and firewalls are "only part of the challenge." (Registration may be required to access this story.)
Full Story

ONLINE PRIVACY

Opinion: A Tale of Two Ideologies (June 8, 2011)

In a feature for The Atlantic Monthly, John Hendel explores the push-and-pull between calls for a "right to be forgotten" online and support for an open Internet in suggesting the world's "two biggest transnational institutions may soon fall into a complex, ideological struggle over people's rights to digital expression." One United Nations official suggests the removal of data, as sought in the right to be forgotten being advocated in the EU, would violate free expression. Hendel questions, "Could Europe's right to be forgotten evolve into a direct violation of the UN's newly entrenched principles and commitment to Internet liberty?" And his conclusion is, "Expect the battles to only be beginning."
Full Story

DATA PROTECTION—CANADA

Commissioner Gives Google Good Grades (June 7, 2011)

Canadian Privacy Commissioner Jennifer Stoddart has announced that Google has taken satisfactory steps towards protecting personal data, ITWorld reports. Google has agreed to implement five recommendations from the commissioner, including increased privacy and security training to all of its employees and the creation of a "governance model" that reviews the privacy protections within its products prior to launch. The company has also agreed to undergo an independent, third-party audit of its privacy programs within the next year and disclose the results to the commissioner's office. Stoddart added, "given the significance of the problems we found during our (Street View) investigation, we will continue to monitor how Google implements our recommendations."

PRIVACY LAW—CANADA

Commissioner Seeks Appeal to Court Decision (June 6, 2011)

Alberta Information and Privacy Commissioner Frank Work says an Alberta Court of Appeal decision sets a "dangerous precedent" that will compromise privacy rights, The Montreal Gazette reports. The case originated when furniture retailer Leon's required a customer to provide her driver's license number and license plate number in order to pick up an item she'd purchased and put on hold there. The woman reported the incident to Work's office, and an adjudicator ruled against Leon's, requiring it to cease the practice and destroy similar data it had already collected. The company appealed twice and won in a March decision. Work has requested an appeal to the Supreme Court.
Full Story

DATA LOSS

Hacker Groups Breach Websites (June 6, 2011)

Nintendo announced that one of its affiliate servers in the U.S. was illegally accessed "a few weeks ago," The New York Times reports. The company said the server did not contain consumer information, and "the server issue was resolved some time ago." The hacker group LulzSec claimed responsibility for the incident and a breach of an FBI partner organization called InfraGard--a group dedicated to disclosing information about physical and cyber threats to the U.S. infrastructure. Meanwhile, hackers breached a European server belonging to the computer manufacturing company Acer last weekend. The incident may have compromised the data of approximately 40,000 customers. (Registration may be required to access this story.)
Full Story

SOCIAL NETWORKING

Study: Teens and Adults Have Common Practices (June 3, 2011)

A study comparing the behavior of adults aged 19 to 71 and adolescents aged nine to 18 revealed that time spent on Facebook is the determining factor in how much people post to the site, reports The Vancouver Sun. Adolescent respondents shared more but also spent, on average, 55 minutes per day on Facebook, while the adults spent 38 minutes. The survey also revealed older users were less "mindful of the potential consequences of online sharing" but used privacy settings more. "Our research shows that people simultaneously care about their privacy and share a lot on Facebook...The take home is that there needs to be more education about privacy on Facebook," said the study's co-author, Amy Muise.
Full Story

PERSONAL PRIVACY

Opinion: Put Smart Meters On Hold (June 3, 2011)

The public needs to see exactly what information smart meters will be able to collect, now and in the future, opines Charles Buettner in The Vancouver Sun. Noting a Cambridge University study that reported on the Danish government's recent moratorium on smart meters due to privacy concerns, Buettner says questions over smart meter data persist in Canada as well. BC's privacy commissioner is working with public utility BC Hydro to vet concerns, but, Buettner asks, what will happen if the company ever turns private? "We need the BC government to relent from the smart meter program until the public, those paying for the plan, can review and advise on it."
Full Story

PRIVACY LAW

Leaked Cable Suggests Privacy Workaround (June 3, 2011)

A University of Ottawa professor says government officials may have broken Canadian privacy law in allegedly helping the U.S. government skirt restrictions on obtaining information about a potential Canadian citizen, reports APTN National News. A U.S. State Department cable obtained by news agencies reveals that, in responding to a U.S. request, justice and foreign affairs officials suggested the U.S. State Department request the information "through Canadian law enforcement channels under the terms of the mutual legal assistance treaty." Professor Amir Attaran said, "Whoever gave this advice...should be severely reprimanded and probably fired" for "conspiring with a foreign government to violate Canada's laws as a Canadian public servant."
Full Story

DATA LOSS

Hackers Claim Responsibility for Breach (June 3, 2011)

The New York Times reports on a hacker group that has claimed it breached SonyPictures.com, accessing the personal information of approximately one million customers. The group, calling itself LulzSec, claimed the website was unencrypted and contained e-mail addresses, birth dates, addresses and passwords. In a statement released on Thursday, the group said it has accessed several databases and used SQL injection to infiltrate SonyPictures.com. A Sony spokesman said the company is "looking into these claims." The news of the breach comes on the same day that Sony representatives appeared before a U.S. House of Representatives subcommittee hearing on data security. (Registration may be required to access this story.)
Full Story

PRIVACY

Opinion: “Nothing To Hide” Argument Flawed (June 2, 2011)

The argument that "Only if you're doing something wrong should you worry, and then you don't deserve to keep it private," stems from faulty assumptions about privacy and its value, writes Daniel Solove in The Chronicle of Higher Education. Privacy can't be reduced to one simple idea, and people, courts and legislators often have trouble acknowledging certain privacy problems because they don't fit into a "one-size-fits-all conception of privacy," Solove writes. The "nothing to hide" argument assumes that privacy is about hiding bad things, without taking into consideration the freedoms privacy infringements erode, such as free speech and association. "In the end, the nothing to hide argument...has nothing to say," Solove says.
Full Story

DATA LOSS—CANADA

Company Faces Lawsuit After Breach (June 1, 2011)

In response to a data breach affecting Honda Canada, a class-action lawsuit has been filed seeking $200 million in damages, reports threatpost. Filed in Ontario, Canada, the suit claims the company exercised "poor security" and failed to notify customers in a timely manner. Honda Canada has apologized for the breach and has defended its notification actions, claiming that it needed to investigate the breadth of the breach and determine what information was compromised. (Editor's note: The IAPP will host a Web conference on June 23 from 1 - 2:30 p.m. on privacy-related class-action lawsuits and a recent and potentially instructive Supreme Court decision in this area. Watch for more details soon.)
Full Story

ONLINE PRIVACY

Schmidt: Google Now More Cautious on Privacy (June 1, 2011)

Intensifying scrutiny by public- and private-sector watchdogs has Google taking a more guarded approach toward privacy, CNN reports. "We're so sensitive on the privacy issue now," Google Executive Chairman Eric Schmidt said yesterday at an event in California, where he also shed light on the company's privacy processes. "Historically, we would just throw stuff over the wall," he said. "We now have a very, very thorough process." Google lawyers and policy experts now collaborate with development teams during product creation. Schmidt's comments follow the recent announcement that the company is withholding its rollout of a facial-recognition app due to the potential privacy ramifications.
Full Story