Canada Dashboard Digest

Are you sick of hearing about Heartbleed? If you are, you may want to skip some of the stories profiled in this week’s Dashboard Digest. If, however, you are like me, you might still be confused by the array of stories about the technical vulnerability, how it works and what damage it might have caused. I had to do a fair amount of self-study this week to prepare for an on-air interview with the CBC, and I must admit that the more I read about it, the more questions I had.

One thing is for sure: We work in an increasingly dynamic industry where things change faster than ever. What was once considered secure is actually not. Safeguards that you thought were good enough, aren't. I suppose that’s all the more reason the privacy professional needs tools like the Dashboard Digest—to try and stay on top of what’s going on.

With respect to the Heartbleed saga, we felt that you deserved even more opportunity to learn about it, so we have added a session to this year’s Symposium that promises to educate privacy professionals on exactly what they need to know about the vulnerability. I hope you can make it to Toronto if you're keen to learn more.

Somewhat overshadowed by Heartbleed were two rather significant decisions from Commissioners Denham and Cavoukian. Read on to learn more because these, too, are important events. 

Have a great weekend, and happy (Easter egg) hunting!

Kris Klein
Managing Director
IAPP Canada

Top Canadian Privacy News

ONLINE PRIVACY

Sites Personalize Privacy Settings (August 31, 2011)
Image-hosting website Flickr has announced updates to its privacy settings allowing users to customize who sees geotags on shared photos. Users can now use the site's geofence settings to place a "blanket" privacy control on photos based on location, and geotags that do not fit into a specific category will default to the most private setting, ArsTechnica reports. On its blog, the company wrote, "A few years ago, privacy controls like this would have been overkill...But today, physical places are important to how we use the Web. Sometimes you want everyone to know exactly where you took a photo. And sometimes you don't." Meanwhile, Facebook's new privacy controls allow users to determine who can and cannot view posts and requires user approval for photo and post tagging.

PRIVACY LAW—CANADA & U.S.

Officials Say Privacy Must Be Paramount (August 30, 2011)
Amid the release of reports by Canadian Foreign Affairs Minister John Baird in the wake of a declaration between Canada and U.S. leaders on integrating security, the National Post reports on calls for better privacy protections for Canadian citizens. Baird has said, "If we want to ensure cross-border law enforcement activities and other programs, they have to respect the legal and the privacy rights of Canadians. That is incredibly important." Meanwhile, Canadian Privacy Commissioner Jennifer Stoddart is calling for the highest level of privacy protection to cross-border law enforcement, the report states.

ONLINE PRIVACY

Identifiable By Association (August 30, 2011)

In an article for Slate, Kevin Gold discusses the "leaky" nature of online privacy. Pattern recognition software has made it increasingly possible to determine a person's identity not by the data that they themselves have shared online, but by what their friends have shared. A researcher from Northeastern University found that only 20 percent of college students needed to participate in filling out profile information online "in order to deduce facts about the nonresponders who friended others," the report states. Using statistics about common characteristics, it's possible to make a "statistically motivated guess as to whether a person belongs to a particular community."     
Full Story

ONLINE PRIVACY

Virtual World Group Uncovers Real World Data (August 29, 2011)

An organization within the Second Life online virtual world is collecting real-world information on users, sidestepping the sites' terms of use and possibly some data protection laws, reports Avril Korman for Search Engine Watch. While Linden Lab, the company that owns the site, offers tools to customize the user experience, the report states that it is not providing adequate support, causing a rise in self-policing organizations. One such organization has, in concert with others, begun collecting information on "people's real lives, including jobs, medical conditions and family," and posting it to an unsecure wiki site, according to Korman. Some users are dismissing the threat, but Korman says, "Until Linden Lab starts actually managing their own (virtual) land and dealing with security issues in an effective manner, this problem and others like them will continue."  
Full Story

PRIVACY

OPC Releases Survey Findings (August 26, 2011)

A survey of 2,000 Canadians has revealed that many technology users fail to take basic steps to protect their personal information. The 2011 Canadians and Privacy Survey, which was commissioned by the Office of the Privacy Commissioner, revealed that the majority of respondents do not use password locks or device settings to protect their personal data. "Mobile phones increasingly hold a lot of personal information, but it doesn't seem like Canadians think they do," Privacy Commissioner Jennifer Stoddart told Postmedia News. The survey also measured Canadians' attitudes about privacy as it relates to social networking, national security and other areas.
Full Story

PRIVACY LAW

Opinion: Privacy Laws Aren’t The Problem (August 26, 2011)

In an opinion piece for The Hamilton Spectator, Ontario Privacy Commissioner Ann Cavoukian responds to criticism about the province's privacy laws, suggesting that it's generally not the privacy laws that are to blame in cases where the laws are seen as obstacles but those who implement them. "Privacy forms the basis of our freedoms--it is the necessary underpinning of liberty," Cavoukian writes. "Blaming privacy laws puts our democratic freedoms at risk without addressing the real problem, which may be bureaucratic inertia, misguided policies, inefficient practices or simple misunderstanding of those laws."
Full Story

DATA PROTECTION

Work: Practices Not Improving (August 26, 2011)

Alberta Privacy Commissioner Frank Work says people are not getting better at protecting their personal information and that the statistics for hacking breaches are "startling." The Calgary Herald reports that there have been 90 complaints made to Work's office in 16 months. "I'm running out of superlatives when we know people are going to lose things and why we're not taking more precautions," Work said. Noting the importance of computer encryption, Work added, "If you run out-of-date computer operating systems and anti-virus software, along with unneeded administrator accounts, you will be owned by hackers."
Full Story

INFORMATION ACCESS

Court Rules Gov’t Should Provide Documents (August 26, 2011)

An article in The Hill Times discusses the federal court's recent decision that the government should release information on a former politician. The case involved a Canadian Press reporter who filed an access of information request to Library and Archives Canada for records on a former NDP leader. The government denied his requests, and the information commissioner validated the denial. But the court declared recently that the government should inform the reporter if additional information exists, saying that withholding the historical documents ran counter to the library's mandate to aid the "acquisition, preservation and diffusion of knowledge."
Full Story

SOCIAL NETWORKING

Facebook Rolls Out Privacy Changes (August 26, 2011)

The Financial Post reports on Facebook's recent changes to its privacy settings. The changes allow users to check a box indicating which friends can see which online posts; share locations from PCs and laptops; control being "tagged" by others in posted photos, or choose to block a user entirely--disabling them from photo tags or other interactions on the site. The company wants to make the sharing options "unmistakably clear," said a Facebook spokesman.
Full Story

PRIVACY

OPC Announces New Advisory Committee Members (August 26, 2011)

The Office of the Privacy Commissioner (OPC) has announced the addition of three new members to its external advisory committee. Mark McArdle, a technology executive; Loreena McKennitt, a singer and composer who won a landmark human rights privacy case in 2006, and Jean-François Renaud, the associate founder of a consulting company, will join the 18-member committee, which provides advice on the OPC's strategic direction.
Full Story

ONLINE PRIVACY

Gamers Say Licensing Agreement Goes Too Far (August 26, 2011)

Some gamers who have looked closely at one gaming company's end-user licensing agreement (EULA) say the policy goes too far. In order to download EA Origin games, players must agree to allow EA Origin to collect, use, store and transmit information that identifies their computers. "EA may also use this information, combined with personal information for marketing purposes and to improve our products and services," the EULA says. "We may also share that data with our third-party service providers in a form that does not personally identify you." One user has launched a campaign to "raise awareness of Origin's privacy violation," International Business Times reports.
Full Story

PRIVACY LAW—CANADA

Company Settles Over Robocalls (August 25, 2011)

Canada's minister of industry says he's pleased with the settlement between the Canadian Radio-television and Telecommunications Commission (CRTC) and Goodlife Fitness Centres, Inc. The settlement is related to the company's telemarketing methods using "robocalls" without members' prior consent. Using automatic dialing-announcing devices without prior consent is forbidden under CRTC guidelines. The company has agreed to pay $300,000; publish corrective notices in newspapers and on its website; cease the robocalls, and organize a business education event with the CRTC to encourage telemarketing compliance, the report states. Minister of Industry Christian Paradis said the settlement is "good news for Canadian consumers."   
Full Story

IDENTITY THEFT

Caller ID Spoofing Threatens Personal Privacy (August 23, 2011)

The New York Times reports on the rise of an easy-to-find and legal service known as "spoofing" that allows identity thieves to access others' voicemail accounts by disguising their phone numbers and consumer advocate Edgar Dworsky's recent finding that thieves can also access some automated bank and credit card systems. Many mobile phone providers and financial institutions have phone systems that disclose personal information--like recent purchases--when a call is made from the customer's phone number. "There are additional steps mobile phone companies and the card issuers could take to stop this sort of thing from ever happening," the report states. "The fact that many of them don't, however, makes this your problem to solve." (Registration may be required to access this story.)  
Full Story

BEHAVIORAL TARGETING

Company Advises Against UDID (August 22, 2011)

Software developers who build programs for Apple's operating system have been asked by the company to avoid using unique device identifiers (UDID) in software for its iPhones and iPads, The Wall Street Journal reports. UDIDs make it easier for advertising networks, analytics firms and others to observe and track users' online behavior. A deadline for the change has not been specified, but the company's website tells developers that the tracking tool "has been superseded and may become unsupported in the future." The Center for Democracy & Technology's Justin Brookman said, "I want to see how this all plays out, but at first glance, this is a really good result for consumers." (Registration may be required to access this story.)        
Full Story

PRIVACY LAW

Expert: Student Texting Incident Could Be Charter Case (August 20, 2011)

A Saskatchewan student whose grandparents filed a lawsuit after his school's vice-principal read his text messages may be able to argue his privacy was violated under the Charter of Rights and Freedoms, The StarPhoenix reports. Sanjeev Anand, dean of the University of Saskatchewan's law school, said while the Supreme Court has found that school authorities can search students at school, "the question becomes the extent of the search...What is less clear is whether the vice-principal could engage in a more extensive search of the actual texts on the phone. It may be that this search by the school official may be found to be unconstitutional."
Full Story

PERSONAL PRIVACY

Privacy Included in “Smart” Security Product (August 20, 2011)

CBC reports on new technology allowing homeowners to control appliances and thermostats remotely using a smartphone. Ontario Information and Privacy Commissioner Ann Cavoukian said such technologies bring significant benefits to people's lives and that privacy concerns would only surface if the personal information was sent to a central monitoring station. The vice president and general manager of Rogers Smart Home Monitoring, which offers the new service, says building privacy into the product was important. Each user has a four-digit password in order to control appliances, and the central monitoring system doesn't have access to smartphones' e-mails, text messages or cameras, he said.
Full Story

DATA LOSS

91 Cases and Counting (August 20, 2011)

Alberta's privacy commissioner has launched nearly 100 investigations into privacy breaches since May 2010, CTV reports. A recent case involving several boxes of sensitive mortgage documents found in a dumpster prompted Privacy Commissioner Frank Work's 91st investigation. The recovered documents included licence, bank account and mortgage numbers. "For heaven's sake, smarten up," Work said, referring to those responsible for the incident. "Some of the things we're seeing are utterly irresponsible."
Full Story

SURVEILLANCE

Council Debates Surveillance Policies (August 20, 2011)

At its annual policy review last week, Trent Hills Council discussed whether its video surveillance policy meets the standards established by Ontario's privacy commissioner when it comes to video camera placement and data retention. One councillor claimed that a camera placed outside a municipal library that records activity at the municipal pool across the street is in violation of the standard that cameras should monitor the property at which they're located, Northumberland News reports. Clerk Marg Montgomery said surveillance cameras on municipal property must adhere to the Municipal Freedom of Information and Protection of Privacy Act and the cameras helped to catch vandals last year.
Full Story

PRIVACY LAW

OPC Releases PIPEDA Guidance for Lawyers (August 20, 2011)

The Office of the Privacy Commissioner of Canada (OPC) has announced the release of a handbook to help lawyers become more familiar with the Personal Information Protection and Electronic Documents Act (PIPEDA). Launched at the Canadian Bar Association Canadian Legal Conference and Expo 2011, PIPEDA and Your Practice--A Privacy Handbook for Lawyers provides best practices for personal information management, use, collection, disclosure and response. "While lawyers may be familiar with privacy laws in general," says an OPC spokeswoman, "they may benefit from some concrete guidance on how to apply the laws to their own practice."
Full Story

SURVEILLANCE

Opinion: Lawful Access Legislation Too Invasive (August 20, 2011)

In an column for The Globe and Mail, Lawrence Martin contends that proposed "lawful access" legislation will give law enforcement authorities "a freer hand in spying on the private lives of Canadians." Martin writes that 9/11 changed "the view that the citizen's right to privacy was paramount...and now the expansion of intrusive power is set for passage as part of the Conservatives' omnibus law-and-order legislation." Noting that the nation's federal and provincial privacy commissioners "are lining up against the legislation, as are citizens' groups," he warns that combining "the lawful access measures in the omnibus crime package will help limit debate and public rancour."
Full Story

DATA LOSS

Opinion: Insurance Policies Rarely Cover Breaches (August 20, 2011)

In an article for The Lawyers Weekly, Gordon Hilliker discusses the importance of liability insurance. "Any organization with a website, online storage facilities or even just an e-mail account is vulnerable to a claim that it has caused damage to another's computer software or data," he writes. Most organizations purchase a commercial general liability policy. However, such a policy generally does not cover data breaches. A Sony insurer, for example, recently filed a suit claiming it's not responsible for legal costs following the company's data breach. The Insurance Bureau of Canada has revised its policy to exclude data breach coverage. Hilliker advises organizations to seek policies that specifically cover cyber risks.
Full Story

HEALTHCARE PRIVACY

Opinion: EHRs Have Many Benefits (August 20, 2011)

Responding to an op-ed piece published in The Windsor Star last week, Ontario Information and Privacy Commissioner Ann Cavoukian highlights the benefits of moving to electronic health records (EHRs). The op-ed followed news that nearly 12,000 screening reports went missing. "Your comment," Cavoukian wrote, "that this incident should also 'be raising the concern about the ability of eHealth' doesn't follow. It is too simplistic...there are actually many benefits to electronic solutions from a privacy perspective."
Full Story

DATA PROTECTION

Opinion: Are PIAs Enough? (August 19, 2011)

In a Communications of the ACM article, David Wright of Trilateral Research considers whether privacy impact assessments (PIAs) should be mandatory. As databases grow, so do data breaches. PIAs are a reasonable tool for any organization managing personal data, but are they enough? Wright says no; the most effective way to protect sensitive information is to use PIAs with a "combination of tools and strategies, which include complying with legislation and policy, using privacy-enhancing technologies and architectures and engaging in public education..." Whether PIAs will become mandatory, in the meantime, remains to be seen. (Registration may be required to access this story.)      
Full Story

ONLINE PRIVACY

Researchers Uncover “Supercookies” (August 18, 2011)
The Wall Street Journal reports on the latest online tracking methods, including the existence of "supercookies" found on popular websites. Researchers at Stanford Univeristy and the University of California at Berkeley say that supercookies are able to recreate a user's profile even after normal cookies are deleted. According to the report, companies who were found to be using the tracking technology have since stopped the practice. A Microsoft representative said as soon as the supercookies were "brought to our attention, we were alarmed. It was inconsistent with our intent and our policy." Hulu said in an online statement that it "acted immediately to investigate and address" the supercookie issue. (Registration may be required to access this story.)

BEHAVIORAL TARGETING—CANADA

Paperless Receipts Raises Privacy Concerns (August 15, 2011)

CTV News reports on the increased use of paperless receipts by large retailers and the subsequent privacy issues that accompany the new shopping option. To get the electronic receipt, customers must provide an e-mail address, which allows marketers to cross-reference preferences and buying habits. The Office of the Privacy Commissioner's Anne-Marie Hayden says that Canadian privacy laws require that retailers inform customers about the use of their data, adding that customers "should be aware of the implications of choosing an e-receipt over a paper one" because "an e-receipt creates a record that could be tied back to them."
Full Story

DATA PROTECTION

Tokenization Guidelines Released (August 15, 2011)

The Payment Card Industry Security Standards Council (PCI SSC) has released guidelines on tokenization, SC Magazine reports. The PCI DSS Tokenization Guidelines Information Supplement provides suggestions for "developing, evaluating or implementing a tokenization solution, including insight on how a tokenization solution may impact the scope of PCI DSS efforts," the report states. "These specific guidelines provide a starting point for merchants when considering tokenization implementations. The council will continue to evaluate tokenization and other technologies to determine the need for further guidance and/or requirements," said PCI SSC General Manager Bob Russo. 
Full Story

STUDENT PRIVACY

Suit Filed After Texting Case (August 12, 2011)

The Toronto Star reports on a lawsuit filed by the grandparents of a Saskatchewan student whose vice-principal confiscated his cell phone after it rang in class and read the then 12-year-old's text messages. The student was then required to assist police in recovering a stolen vehicle, and the grandparents are alleging school officials invaded the boy's privacy and "jeopardized his safety."  The school board has said the teen did not have "any reasonable expectation of privacy in relation to text messages sent or received by him using his cellular telephone during school hours" as it was in violation of school policy, the report states.
Full Story

PRIVACY LAW

How To Comply with Ontario’s New FIPPA (August 12, 2011)

All public and private hospitals will be subject to the provisions of the Freedom of Information and Protection of Privacy Act (FIPPA) when the newly broadened law becomes effective on January 1, 2012. The act will apply retroactively to January 1, 2007, and will apply to all records held or under the control of the hospitals. In this Canada Dashboard Digest exclusive, privacy experts from Deloitte discuss what hospitals need to do in order to comply.  
Full Story

DATA PROTECTION

Rioters’ Smartphone Use Spotlights Lawful Access Laws (August 12, 2011)

Rioters in the UK are using BlackBerry's secure Messenger service to organize, prompting privacy concerns surrounding government access to communications. In Canada, some privacy advocates are concerned that the situation will promote the passage of the Conservative government's proposed "lawful access" legislation that would give authorities warrantless access to certain communications data, reports The Vancouver Sun. One surveillance expert says politicians use political unrest to push through laws that, in this case, allow for "a generalized collection of private information to deal with very specific crimes by a small number of people." He called the law "dangerous for privacy, and it removes the element of judicial oversight from the system."
Full Story

PERSONAL PRIVACY

Bus Driver’s Privacy Debated (August 12, 2011)

CBC News reports on a bus drivers' union claims that a Société de Transport (STO) driver's privacy was invaded when a passenger recorded him filling out paperwork while driving his bus in Gatineau, Que. The passenger posted the video to YouTube. Quebec's privacy commission said that the STO falls outside its jurisdiction because it is a nonprofit organization. The information and privacy commissioner of neighboring Ontario, Ann Cavoukian, described the union's claims as "outrageous," saying, "When you are performing a job, in this case a public service involving public safety...you do not have a privacy interest because your work should be transparent."
Full Story

IDENTITY THEFT

Commissioner Warns of Potential Fraud (August 12, 2011)

Privacy Commissioner Jennifer Stoddart has warned citizens to be more protective of their personal information at retail stores. She notes that individuals do not have to disclose their phone numbers, area codes or other similar data when making a purchase, warning that it increases the chances of identity theft. "The more personal information that's collected about you," Stoddart said, "the more risk you run of identity theft or being the victim of fraud, so be very careful about the personal information you give out," 680News reports.
Full Story

BIOMETRICS

Researcher Introduces New Facial Recognition Software (August 12, 2011)

New facial recognition technology that can identify individuals irrespective of their placement within a photo was unveiled Tuesday at a conference in Vancouver, the Toronto Sun reports. The software is capable of scanning thousands of photos into a database where "telltale signs" of individuals' hair, eyes and ears can be recognized. Similar technology is used by the Insurance Corporation of BC to help police identify assailants, but the province's privacy commissioner is monitoring its use. The researcher who unveiled the technology queried, could "government just use this technology...to look for a particular person? It's not our method, but yes."
Full Story

PRIVACY LAW

Experts Urge Gov’t To Examine Crime Bill Provisions (August 12, 2011)

Citing privacy concerns, a consumer watchdog group is asking the government to study provisions that were included in three surveillance bills during the previous parliamentary session, the CBC reports. The provisions would require Internet service providers to give law enforcement authorities customer data without a warrant. One lawyer familiar with the bills said, "The overarching concern is it's an erosion of civil liberties and online privacy with no real justification for it."
Full Story

HEALTHCARE PRIVACY

Opinion: eHealth Records Deserve Protection (August 12, 2011)

In an opinion piece, The Windsor Star writes that the recent loss of approximately 12,000 colon cancer screening reports raises privacy concerns around eHealth records. The column asserts that the loss of the tests "should also be raising concern about the ability of eHealth...to manage sensitive health information and ensure privacy." The loss of sensitive health data "could have a profound impact on families, careers and an individual's future if it gets into the wrong hands." One IT specialist said of the eHealth project that no data is secure and a "guarantee of privacy remains impossible." 
Full Story

Company Cancels Advertising Scheme (August 12, 2011)
LinkedIn has announced that it will no longer pursue its new form of advertising called "social ads," which shared users' activities and included their pictures, The Wall Street Journal reports. The company began testing the initiative in late June after announcing it to users. Complaints about user privacy followed, including a statement from the Dutch Data Protection Authority that the company's changes may have breached Dutch privacy law. The company's head of marketing solutions told users, however, that "The only information that (was) used in social ads is information that is already publicly available and viewable by anyone in your network." (Registration may be required to access this article.)

SOCIAL NETWORKING

Threat To Destroy Site May Be Hoax (August 12, 2011)

A reported threat by a hacker group to destroy Facebook on November 5 may have been a hoax, reports eWeek. The group claimed earlier this week that it would destroy Facebook on the grounds of privacy issues, stating that the site's privacy controls are lacking. But some are skeptical about the claims. The CEO of Kapersky Lab, Eugene Kaspersky, tweeted about the news on Wednesday, saying it "most probably is fake." Others have also registered skepticism.  
Full Story

Changes to the Freedom of Information and Protection of Privacy Act (August 9, 2011)

 

Megan Brister Michelle Gordon Alain Rocan Miyo Yamashita

 

In 2012, Ontario will usher in a new era of transparency and oversight by including all public and private hospitals under the scope of the Freedom of Information and Protection of Privacy Act (FIPPA). On December 8, 2010, the Ontario government passed legislation to broaden the scope of FIPPA and designate hospitals as “institutions” under the act. This gives hospitals approximately one year to comply with FIPPA, the changes to which will be effective on January 1, 2012.

“In my 2004 Annual Report, I urged the Ontario government to compile and review institutions that are primarily funded by government but not yet covered by the Acts. One of the foundations underlying FOI is the principle that organizations that exist by virtue of public funding should be subject to public scrutiny through FOI laws. Now, the Ontario Hospital Association has asked the province to place Ontario hospitals under the act.”

—Commissioner Ann Cavoukian, 2009 Annual Report

FIPPA will apply to all records held or under the control of the hospitals. The act will apply retroactively to January 1, 2007. Under the amended FIPPA, the general public will have a right of access to hospital administration, financial and other records, unless the records are excluded from the right of access or subject to an exemption under FIPPA, as would be the case for patients’ personal health information.

Unlike the Personal Health Information Protection Act, which allows a person to access only records about him or herself, the right of access under FIPPA applies to records about every person. The newly revised legislation will allow anyone to access any record held or controlled by an institution on any issue, subject to the exclusions and exceptions set out in the act. A record may include any information concerning procurement, employees, strategic plans and budgets.

What do hospitals need to do to comply?

Hospitals will need to complete a number of operational tasks this year to ensure they are ready for their new obligations under FIPPA in 2012.

“A record number of Freedom of Information requests were filed across Ontario in 2010. A total of 38,903 requests were filed in 2010, eclipsing the previous record of 38,584, set in 2007. The spike in 2010 represented the first increase in FOI requests in three years.”

—Commissioner Ann Cavoukian, 2010 Annual Report

Conduct an inventory of records subject to FIPPA

Deloitte...

ONLINE PRIVACY

The War On Anonymity (August 8, 2011)

A SPIEGEL International report discusses what some describe as a war on online anonymity. Some say anonymity is the Internet's greatest strength--promoting free speech and privacy--but others see it as increasingly dangerous. In the wake of terrorist acts and cyber-bullying worldwide, there is a push to reveal the identities of extremist bloggers and online bullies. In fact, a Carnegie Mellon study found that when users were required to identify themselves by using their real names, they behaved in a more civilized way. However, an American Association for the Advancement of Science report states that "Anonymous communication should be regarded as a strong human right."  
Full Story

SOCIAL NETWORKING

Start Up Allows for Privacy On the Web (August 8, 2011)

A social network launched in April of this year claims to give people "real-world style, disposable interaction on the web," reports PaidContent. In an interview, SecretSocial co-founder Zubin Wadia discusses the idea behind the company and its plans for the future, including becoming the "go-to place" for private conversations when using other online networks. All SecretSocial conversations have an expiration date set by the users involved, at which time the conversation is deleted from user browsers as well as the company's servers. According to Wadia, one of the problems behind Internet privacy is the assumption that data needs to be retained forever. "A lot of this data analysis, complex or not, can occur in realtime," he says.
Full Story

PERSONAL PRIVACY

National Security and Personal Privacy: Can They Coexist? (August 5, 2011)

The Toronto Star looks at how 9/11 has and will continue to shape national security and the resulting impact on civil liberties and personal privacy. Analyst Christopher Sands predicts that the Canada-U.S. border will become "a data collection location," where scanners, transponders and chips will work together to identify us and collect duties, for example. Sands says this scenario would mark a shift towards liberty--a new "don't hassle me" environment. Ontario Information and Privacy Commissioner Ann Cavoukian says she is "very optimistic" about the prospect of security and privacy co-existing, because "You can't have liberty and freedom without privacy."

Full Story

PRIVACY LAW

Geist: Court Oversight Key (August 5, 2011)

In the Ottawa Citizen, Internet law expert Michael Geist discusses last week's Ontario Superior Court decision in the case of a former mayor. The court ruled not to force exposure of the identities of anonymous posters to a website's chat forum who, the plaintiff claimed, defamed her. Geist discusses the court's decision-making process, and says, "Given the court's careful analysis of the speech and privacy issues, the case also provides a reminder of the value of court oversight before ordering the disclosure of personal information. This may be in jeopardy since the government is currently contemplating lawful access legislation that requires such disclosures without court oversight, tilting the balance away from privacy and creating a potential chill for those speaking out online."

Full Story

DATA PROTECTION

PET Award Winners Named (August 5, 2011)

Ontario's Information and Privacy Commissioner and Microsoft have named the winners of the 2011 Award for Outstanding Research in Privacy Enhancing Technologies (PET Award). The authors of a paper on the protection of genetic information and a researcher who raised awareness about the privacy vulnerabilities present in microtargeting advertising systems are this year's winners. "With emerging technologies growing rapidly in every area of our lives, leading-edge research into privacy is necessary to protect everyone's personal information. I applaud the winners on their remarkable achievement and innovation." The PET Award was created in 2003 to encourage privacy-enhancing technological development.

Full Story

 

DATA PROTECTION

Report Identifies Global Cyberspying (August 5, 2011)

A U.S.-based cybersecurity company has issued a report stating that it has identified a single cyberspying perpetrator that has infiltrated governments around the world as well as U.S. corporations and U.N. groups over the course of the past five years, The New York Times reports. Stating the attacker may be a "state actor," the report did not disclose the location of the transgressing computer system or the specific business targets. McAfee, the company that issued the report, said it has identified 72 targets, 49 of which are U.S.-based. Department of Homeland Security Secretary Janet Napolitano said of the report, "We obviously will evaluate it, look at it and pursue what needs to be pursued in terms of its contents." (Registration may be required to access this story.) 

Full Story

BEHAVIORAL TARGETING

Web Tracking Raises Revenue, Threatens Privacy (August 4, 2011)
USA Today reports on the rise in online tracking for behavioral advertising and the subsequent challenges tracking poses to personal privacy. Privacy advocates are concerned that digital shadowing will erode "traditional notions of privacy," while new research suggests that as more companies exercise online tracking, opportunities for the loss of privacy increase, the report states. Ernst & Young's Sagi Leizerov, CIPP, says, "It is a mistake to consider tracking benign...It's both an opportunity for amazing connections of data as well as a time bomb of revealing personal information you assume will be kept private."

ONLINE PRIVACY

Company To Sell Tracking Abilities to Merchants (August 4, 2011)

Online deals company Foursquare is looking to bring in revenue by selling its merchants software that will enable them to track--and therefore better target specials to--their customers who use the service. Traditionally, social media companies have turned to advertisers to monetize "free" services, and Foursquare's method may end up putting them in the center of the privacy debate, according to Erik Sherman, writing for BNET. "The minute you start analysis on people at specific stores, particularly smaller stores with repeat customers, consumer anonymity begins to fade," Sherman writes. "Set the right specials, and a store owner could begin matching faces, names (especially from credit card purchases) and online identities."
Full Story

EMPLOYEE PRIVACY—CANADA

Medical Records Used in HR Investigation (August 4, 2011)

According to the Alberta Office of the Information and Privacy Commissioner (OIPC), Alberta Health Services (AHS) violated the Health Information Act when it used an employee's addiction counseling information in a human resources investigation. After signing a consent form to allow his health records to be shared with his treating physician, the employee's records were given to the AHS human resources department to determine "the fitness of the employee to continue his duties," reports the Edmonton Journal. An AHS spokesperson said the company would comply with the OIPC's request to change their data sharing policies in these circumstances.   
Full Story

GEO PRIVACY

Company Limits WiFi Location Database (August 2, 2011)

CNET News reports that Microsoft has stopped publishing the locations of WiFi connections on its Live.com database. Access to the website has been restricted as of last Saturday, according to the report. The location data was gathered from Windows Phone 7 phones and "managed driving" that records WiFi signals accessed from public roads. A Microsoft representative wrote, "This change improved filtering to validate each request so that the service will no longer return an inferred position when a single Media Access Control address is submitted," adding, "We will continue to update our service with improvements that benefit the consumer in both positioning accuracy as well as individual privacy."  
Full Story

PRIVACY LAW—CANADA

Commissioner Takes Prison Agency to Court (August 1, 2011)

The Office of the Privacy Commissioner (OPC) is taking the federal agency responsible for the country's prison system to court for allegedly violating the Privacy Act, the National Post reports. Stoddart says that on two occasions the Correctional Service of Canada has not appropriately responded to requests to provide inmates with the personal information the prison system keeps about them. The Privacy Act requires government agencies to provide personal information within 30 days of a request. The OPC's communications director, Anne-Marie Hayden, says, "In both complaints, our investigators found that the Correctional Service of Canada had failed to give complainants timely access to their personal information."  
Full Story

BIOMETRICS

Study: Facial Recognition Technology Powerful, Intrusive (August 1, 2011)

The Wall Street Journal reports on research conducted at Carnegie Mellon University that successfully identified approximately one-third of participants using the same facial recognition technology recently acquired by Google. Using profile data from Facebook, the study's author could also correctly predict the first five digits of the participants' Social Security numbers nearly 27 percent of the time. One law professor notes that the combination of available, "anonymous" online data and the technology makes re-identifying people possible. The study's author says, "This paper really establishes that re-identification is much easier than experts think it's going to be." (Registration may be required to access this story.) 
Full Story