Canada Dashboard Digest

Many will have already heard the relatively big news this week: A new bill, S-4, was introduced in the Senate that will amend PIPEDA if it passes. I'm surprised it didn't actually get more news considering the fanfare when the government tabled it.

There is some skepticism about whether or not the government is serious this time around because it has introduced somewhat similar bills in the past only to let them die a slow and painful death. This new bill was introduced in the Senate, and some are speculating that this may have been done to try and get the bill passed quickly.

For sure, these amendments are a long time coming. Many of them are what I call “common-sense fixes.” For example, getting the English and French versions of the law to jibe with one another a bit better. Other more meaningful fixes are those that mirror the Alberta and British Columbia provisions dealing with employee personal information and business transactions.

The folks at the OPC are probably happy with the proposed amendments that will allow them to enter into compliance agreements with organizations. Essentially, these agreements will allow the OPC to monitor organizations for up to a year after the completion of an investigation to ensure that all recommendations are satisfactorily implemented.

Lastly, I think the codification of a breach notification scheme is a good thing, too. I don’t think this new scheme will have a significant impact because previous guidance from the federal commissioner has been clear that they expect notification to take place even without the codification in the law. So, I think most organizations have already been operating with this scheme in mind. But, getting clarity in any law is always a good thing, so I suppose it is in this case, too.

As far as the “new penalties” go, I again don’t think there’s too much to worry about. Before any penalty could be levied, a matter would have to be referred for criminal prosecution—something that probably won’t happen except in the most egregious cases. This is a far cry from the administrative monetary penalties that can be levied in some European jurisdictions directly by the data protection authority.

So, all in all, pretty good news for privacy in Canada—for some—this week. And when we also read that CRA employees were fired for privacy violations, perhaps privacy is something this government is realizing is a priority issue that people care about.

Kris Klein
Managing Director
IAPP Canada

Top Canadian Privacy News

SOCIAL NETWORKING

Facebook Changes Include Expanded Facial Recognition (August 30, 2013)

The Wall Street Journal reports on Facebook’s announcement that it is “updating its privacy policies to clarify how the personal information of its more than one billion users” is collected and used—including at least one change: the expanded “use of facial recognition software to include profile pictures.” Some of the language is being included to comply with the recent $20 million settlement of a lawsuit over Facebook’s "Sponsored Stories" feature. Chief Privacy Officer Erin Egan, who outlined the changes to two legal documents, explained, “we revised our explanation of how things like your name, profile picture and content may be used in connection with ads or commercial content to make it clear that you are granting Facebook permission for this use when you use our services.” (Registration may be required to access this story.)

ONLINE PRIVACY

Canadians Split on Whether Gov’t Should Surveil E-mail (August 30, 2013)

The Globe and Mail reports on a recent survey indicating Canadians are split on whether they approve of government reading their e-mail. The Canadian Internet Registration Authority commissioned the poll, in which approximately 49 percent of respondents said it was “completely unacceptable” for governments to monitor e-mail and other online activities, while approximately 47 percent said it was “acceptable in some circumstances.” Asked whether such surveillance would be appropriate if it protected against a terrorist attack, 13 percent said it would be “completely acceptable,” while 64 percent said it would be “acceptable in some circumstances.” Byron Holland writes for National Post, “Given past lessons about personal privacy, how can Canadians seem so apathetic?”

SURVEILLANCE

Geist: Privacy Regulators Should Take Action (August 30, 2013)

In a report for Toronto Star, University of Ottawa Prof. Michael Geist writes that while “the near-weekly revelations of pervasive surveillance activities generates both debate and mounting opposition in the United States and Europe, the Canadian reaction has remained somewhat muted.” Citing the contention over Verizon’s potential entry into Canada, Geist suggests the door may be open “to greater public scrutiny of the privacy practices of all telecom carriers.” When it comes to the privacy risks, Geist writes “it is surprising that Canadian privacy regulators…have remained largely on the sidelines as the surveillance revelations mount.” Meanwhile, Ivor Tussell writes for The Globe and Mail that following the NSA scandal, companies that put privacy first could see greater profits.

ONLINE PRIVACY

Commissioner Discusses Privacy Policy Concerns (August 30, 2013)

Privacy Commissioner Jennifer Stoddart discusses the recent global privacy sweep of more than 2,000 online privacy policies and other issues in advance of the end of her tenure as commissioner this December in this interview with Yahoo Finance. When it comes to determining whether a company has appropriate privacy safeguards in place, Stoddart notes, “If the ordinary person can't understand clearly what kind of personal information the company is taking from you; if they can't read, reasonably easily, the privacy policy; if they can't find information on the site about privacy practices; if they have further questions and there's no place to contact the company, I think they should be wary...If you can't understand the privacy policy, I'd say that's a bad sign. A very bad sign.”

EMPLOYEE PRIVACY

OIPC: GPS Tracking of Employees Is OK (August 30, 2013)

BC’s Office of the Information and Privacy Commissioner (OIPC) has ruled that two elevator companies in the province can continue to use GPS technology to keep tabs on their employees, The Canadian Press reports. The employees had filed complaints that the practice violated their privacy. The OIPC did rule, however, that one of the companies must temporarily suspend the practice until it provides better notice to workers about data collection and use. One privacy advocate says the case indicates the need for new discussions about tracking given advances in technology since legislation on the matter was crafted. Meanwhile, Postmedia News suggests appropriate privacy policies can help keep employers out of trouble.

DATA LOSS

Breach Audit Shows No Evidence PI Was Accessed (August 30, 2013)

The District of West Vancouver has completed an audit following breaches by hackers last month. An Internet security expert audited the district’s server and found no indication of personal information being accessed, the report states. “While the report found no evidence that our residents’ information was compromised, we are taking action,” said Acting Chief Administrative Officer Nina Leemhuis. “Recommendations from the report have already begun to be implemented.” The recommendations include replacing the server and software. “The security of residents' information is of the utmost priority for us,” Leemhuis said.

INTERNATIONAL RELATIONS

The Brussels and Warsaw Privacy Peace Talks (August 29, 2013)

Next month, U.S. Federal Trade Commissioner Julie Brill and Deputy Assistant Secretary of State Danny Sepulveda will travel to Brussels to discuss privacy with EU officials. Later in the month, Poland will host the 35th Conference of Data Protection and Privacy Commissioners, a meeting that will be attended by privacy officials and stakeholders from around the world. In the latest installment of Privacy Perspectives, Hogan Lovells’ Christopher Wolf argues that the “gatherings provide an opportunity to declare a ceasefire in the war of words—a war in which most of the ‘incoming’ has originated on the European side of the Atlantic in the wake of the Snowden NSA revelations, and a war that threatens progress in international cooperation on privacy.”

PRIVACY RESOURCES

The Complex Concept of Accountability (August 28, 2013)

The principle of accountability is found in guidance across the globe, and while it is recognized as an essential element of an effective privacy program, demonstrating it and measuring it can be a challenge. The IAPP Resource Center has compiled research, articles and presentations on the topic. From Hunton & Williams’ “Accountability: A Compendium for Stakeholders” to the Article 29 Working Party’s opinion on the principle of accountability, you’ll find the information you need to clarify what it means and how to demonstrate it.
Close-Up: Accountability

ONLINE PRIVACY

Gov’t Requests for Facebook Data Outlined in Transparency Report (August 28, 2013)

In the first half of 2013, Facebook fielded governments’ requests for data on more than 38,000 Facebook users and complied with about 80 percent of those requests, Reuters reports. That’s according to the social networking giant’s first report on the scale of data inquiries it receives globally. Of those, U.S. law enforcement authorities made the most requests, seeking data on between 20,000 and 21,000 users between January and June, the report states. That’s up from the number of requests they made in the six-month period prior, which was roughly between 18,000 and 19,000. Authorities in India, the UK and Germany also requested data on large numbers of users.

PRIVACY SCHOLARSHIP

IAPP/PLSC Award-Winning Papers Posted (August 28, 2013)

Earlier this month, The Privacy Advisor spoke with the authors of the award-winning papers from the Privacy Law Scholars Conference: Ryan Calo and Daniel Solove and Woodrow Hartzog. Now, both papers have been posted to the Social Science Research Network and you can read the current drafts. Find Solove and Hartzog’s “The FTC and the New Common Law of Privacy” here. Find Calo’s “Digital Market Manipulation” here. Geekwire talks with Calo as well about his paper and its implications for the current Internet marketplace. Editor’s Note: Calo, Solove and Hartzog will present their papers at the IAPP Privacy Academy, in Seattle, Sept. 30-Oct. 2.

ONLINE PRIVACY

Lenders Determining Creditworthiness Via Facebook Friends (August 28, 2013)

CNN reports that a handful of tech startups are using social data to determine the risk of lending to people. That’s because financial lenders have discovered social connections are a good indicator of a person’s creditworthiness, the report states. Lenddo, for example, determines whether an individual is “Facebook friends” with someone who was late in paying back a loan. “It turns out humans are really good at knowing who is trustworthy and reliable in their community,” said the company’s CEO. “What’s new is that we’re now able to measure through massive computing power.”

CLOUD COMPUTING

Managing Risks in the Growing Cloud Environment (August 27, 2013)

As a precursor to his presentation at the IAPP Privacy Academy in Seattle this fall, Chris Zoladz, CIPP/US, CIPP/E, CIPP/IT, CIPP/G, writes in this latest Privacy Perspectives blog post that, “While there are real security and privacy concerns surrounding the cloud, they are by no means insurmountable.” Acknowledging studies that predict the growth of the cloud market to more than $120 billion by 2020, Zoladz offers common characteristics of those companies currently active in the cloud and advocates for “strong encryption with appropriate key management,” adding, “What would be the security and privacy risk if only encrypted data is ever stored in the cloud and only you as the cloud customer have the encryption keys?”

DATA PROTECTION

Password-Cracking Just Got Smarter (August 27, 2013)

Passwords just got a lot easier to crack, Ars Technica reports. That’s because password-cracker “ocl-Hashcat-plus,” a freely available service for offline hashed password cracking, can now decode passwords with as many as 55 characters. The program previously could only crack passcodes with 15 characters or fewer, but Web users have increasingly used longer passcodes and phrases to protect their online data. “This was by far one of the most requested features,” said the program’s lead developer. The development means Hashcat users can now achieve as many as eight billion guesses per second “on a virtually unlimited number of compromised hashes.”

PRIVACY

GE Appoints Chief Privacy Counsel (August 26, 2013)

General Electric has announced the appointment of Peter Lefkowitz, CIPP/US, as chief privacy counsel. Lefkowitz most recently served as vice president of privacy and security legal and chief privacy officer at Oracle. “I’m honored to join the strong global privacy team at General Electric. Privacy is increasingly a business and brand differentiator, and GE is at the forefront of managing privacy compliance and providing thought leadership,” Lefkowitz told the IAPP. He will take his post September 9.

PRIVACY IN POPULAR CULTURE

Privacy Is “More Complicated Than We Realized” (August 23, 2013)

When Shel Israel and Robert Scoble started looking into their second book together, Age of Context: How Mobile, Sensors and Data Will Change Your Life, it was because “we’re enthusiasts of new technology,” said Israel. As Rackspace’s startup liaison officer, Scoble has gained wide renown in tech circles for his Scobleizer blog and Twitter handle. Israel is maybe best known for his writings for Forbes, where he looks at “the ever-evolving tech industry.” So maybe their initial impressions of privacy should not be surprising: “We joked that people ought to get over it,” Israel said with a laugh. “But the more we listened, the more deeply we realized that we don’t really have a choice about what’s coming.” The Privacy Advisor offers you exclusive thoughts from Israel about how privacy will become a business driver, plus a free download of the privacy chapter from the book.

ONLINE PRIVACY

Companies Enhancing Ways To Go Incognito (August 23, 2013)

Companies that offer secure online communication services are increasingly pushing private texting applications over encrypted e-mail, reports The Wall Street Journal. While consumer e-mail programs require authentication credentials—which are then stored in a database—for user login capabilities, the companies say the encryption for smartphone-based services happens on the device, so there is no way to decrypt the messages remotely. Both Apple and Android secure messaging services say they have seen an increase in downloads in the past month. Meanwhile, a new website called justdelete.me collects on one page links that will delete online accounts, including social media, photo-sharing and shopping accounts, simplifying the process of vanishing from the Internet. (Registration may be required to access this story.)

CONSUMER PRIVACY

Audit Finds 13 Areas of Noncompliance (August 23, 2013)

A Metro Vancouver privacy audit has found 13 areas of noncompliance, though officials note there were no privacy breaches found, Vancouver Courier reports. “These are the most basic privacy requirements," said Vincent Gogolek of the BC Freedom of Information and Privacy Association. “They are in violation of the BC privacy law.” Among the issues cited were the potential for PII to be stored outside the country, the need for a formal privacy impact assessment process and examples of personal information not restricted on a need-to-know basis. Metro Vancouver has said it is working to resolve the problems.

SURVEILLANCE

CSEC Spying Allegations Surface (August 23, 2013)

Toronto Sun reports on allegations the country’s cryptologic agency, Communications Security Establishment Canada (CSEC), “may have been illegally snooping on Canadians.” The CSEC’s commission, whose job is to ensure the agency is complying with Canadian law, issued a report Wednesday that a "small number of records suggested the possibility that some activities may have been directed at Canadians, contrary to law.” CSEC operations focus on electronic surveillance and assisting the Canadian Security Intelligence Service. “Defence Minister Rob Nicholson needs to release all information related to this spying immediately,” the NDP’s Jack Harris said. Meanwhile, three Canadian telcos are campaigning against Verizon’s entry into the country citing the U.S. NSA spying allegations.

ONLINE PRIVACY

Who Gets Data After Death? (August 23, 2013)

The persistent question of what happens to digital data after people die is one that members of the Canadian Bar Association (CBA) began wrestling with at their annual conference this week, Postmedia News reports. University of Saskatchewan Associate Dean Doug Surtees, a wills lawyer, explained that current law “doesn’t take ‘digital assets’ into account, and it’s time for legislation to deal with what will inevitably become a growing problem,” the report states. As Surtees put it, “Companies write agreements in ways that give people very, very few rights with respect to their digital assets, so I think what we need is legislation that simply sets out the rules.”

DATA LOSS

College Contravened FOIP (August 23, 2013)

Alberta’s privacy commissioner has found Bow Valley College contravened the Freedom of Information and Protection of Privacy Act when it failed “to secure personal information from almost two dozen of its decommissioned servers,” Calgary Herald reports. The 2012 incident involved 21 computer servers the college sent to a nonprofit that specialized in recycling such equipment. However, when one of those servers was later purchased, the buyer found information on nearly 200,000 students and staff still remained on it. The recycling company said it was unaware the servers contained personal information and “the college did not request data-wiping services,” the report states. The commissioner found “the college had taken reasonable steps to prevent a similar incident.”

STUDENT PRIVACY

Breach Prompts Renewed Calls for Resignation (August 23, 2013)

CBC News reports Opposition Liberals are repeating their calls for Education Minister Jody Carr to resign over a privacy breach involving a New Brunswick high school student. New Brunswick Privacy Commissioner Anne Bertrand has ruled “the Department of Education and Early Childhood Development is guilty of three privacy breaches in the case,” the report states, noting, “Carr acknowledged in May that a political assistant released a mark the student earned on an exam. The minister apologized for the privacy breach at that time and referred the matter to Bertrand's office.”

ONLINE PRIVACY

Can What We Post Online Ever Be Forgotten? (August 22, 2013)

In a blog post for Field Fisher Waterhouse’s Privacy and Information Law Blog, Phil Lee, CIPP/E, CIPM, asks the question that continues to persist in discussions of online privacy: “Can your data, once uploaded publicly onto the web, ever realistically be forgotten?” Lee writes that while much discussion has centered on the EU’s proposed “right to be forgotten,” leaving legal arguments aside, the question is “whether it is even possible to purge all copies of an individual’s data from the web.” The answer, he suggests, “is both yes and no: yes, it’s technically possible, and no, it’s very unlikely ever to happen.”

ONLINE PRIVACY

Project Loon Raises Concerns (August 22, 2013)

The Atlantic explores Project Loon, Google’s plan for a “soaring, international balloon armada, beaming Internet to the parts of the world that don't have it.” While the report acknowledges there is potential for humanitarian benefits in “bringing a connection to the farthest reaches of the developing world,” it also cautions, “If Google's claims about the Loon balloons' navigability are true, it is in fact an 'unmanned aircraft,' sometimes more pejoratively referred to as a drone,” with vast possibilities for data collection. And questions of jurisdiction abound, the report states, noting, “With its Project Loon, Google is venturing into not one but two vast open spaces—the law and the sky.”

BIG DATA

Is This Our Biggest Public Policy Challenge? (August 21, 2013)

Difficult questions about balancing national security with privacy have come to light since the NSA surveillance disclosures and its use of Big Data, “Yet the benefits of Big Data…exceed the realm of national security or even government usage and extend to areas such as scientific research, public health and energy conservation by the private sector,” writes Omer Tene in this latest installment of Privacy Perspectives. Tene, who is now the IAPP’s first vice president of research and education where he administers the IAPP Westin Research Center, writes, “Finding the right balance between privacy risks and Big Data rewards may very well be the biggest public policy challenge of our time,” and calls for “momentous choices” between “weighty policy concerns” and “individuals’ rights to privacy” and freedom of speech, among others.

PRIVACY RESOURCES

Drill Down to the Most Valuable Content for You (August 21, 2013)

The improvements to the IAPP Resource Center just keep coming. We’ve added industry verticals to the mix. Are you in higher education and looking for help with FERPA? Check out the education section of the tools page. Confused about GLBA? Look in the finance section. And if you don’t find it by browsing, we’ve improved search, too; you can now specifically search the section that relates to you—just tools, just research or even just research helpful for the healthcare industry, for example. Take a look, and as always, if you can’t find what you’re looking for, let us know, and we’ll do our best to help.
IAPP Resource Center

PRIVACY LAW

From Gmail to HIPAA to Class-Actions, Questions Abound (August 19, 2013)

The privacy news seems to have stirred up more legal questions than answers this past week, as you’ll discover in the Privacy Tracker Global News Roundup. With effective dates coming up for HIPAA in the U.S. and FOIA reforms in the UK, privacy pros are figuring out the new lay of the land. Court cases in the U.S. and France bring up e-mail privacy questions, both in and out of the workplace, and in the UK one court ruling may reveal a need for stronger data destruction policies. Lastly, an article from The New York Times questions the new trend of class-actions leaving plaintiffs empty-handed. (IAPP member login required.)

ONLINE PRIVACY

Our Collective Privacy and One Strange Tale (August 19, 2013)

What happens when individuals decide to publish their entire lives on the Internet? Is it just their privacy they are giving up, or is it also the privacy of their friends, family and others that is violated, too? Last week, a former sportswriter published a website revealing countless personal thoughts, photos and memories and timed it to go public after his death by suicide. But in revealing his personal secrets, others around him were affected as well. This post for Privacy Perspectives explores the implications of our collective privacy and how our choices to disclose personal data can have wide-reaching effects on those around us.

SURVEILLANCE

Google to Commissioners: Glass Is Not Privacy Threat (August 16, 2013)

SC Magazine reports Google has written to Canada’s privacy commissioners to assure them that its Glass product is not a privacy threat. “Google's global privacy counsel, Peter Fleischer, has assured four of Canada's privacy commissioners that the concerns they and others expressed in a June 18 letter are unfounded,” the report states, referencing a letter from Privacy Commissioner Jennifer Stoddart and 35 privacy commissioners from around the world to Google CEO Larry Page questioning the privacy implications of Glass. Fleischer wrote that “it is still early days” for Google’s new product, adding, “Protecting the security and privacy of our users is one of our top priorities.”

SURVEILLANCE

Opinion: Are Canadians Protected Against Gov’t Telecom Surveillance? (August 16, 2013)

As Verizon aims to enter the Canadian market, it’s important to look at the privacy implications of allowing a U.S. company into the country, writes Michael Geist in a blog post. That’s especially true following recent revelations about NSA surveillance practices in the U.S. “It is worth asking whether the Canadian carriers can provide assurances that Canadian phone and Internet activity is any less prone to surveillance,” Geist writes. And, he writes, Privacy Commissioner Jennifer Stoddart has stated that Canadian law contains many of the same provisions as the USA PATRIOT Act, which allowed for government spying.

PERSONAL PRIVACY

ID Cards, Traffic Mapping Have Some Uneasy (August 16, 2013)

Plans to combine TransLink’s Compass fare card with BC’s new identification cards have privacy advocates and BC’s privacy commissioner concerned, The Vancouver Sun reports. The plans are contained in the government’s whitepaper for the new ID card program. “I don’t expect my bus pass to track me,” said the executive director of the BC Freedom of Information and Privacy Association. Meanwhile, BC’s Ministry of Transportation and Infrastructure, Transport Canada and TransLink have unveiled an online map displaying traffic information based on cellphone signals, raising concerns about personal data being collected.

DATA PROTECTION

IBM Gets Certified Under APEC Privacy Rules (August 15, 2013)

IBM has announced it has achieved certification under the Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules (CBPR), the first company to do so, according to a press release. The CBPR system is designed to facilitate data flows between the U.S. and the other APEC member economies, through voluntary, enforceable codes of conduct. IBM Chief Privacy Officer Christina Peters, CIPP/US, said, “CBPR rules will become the foundation of a globally accepted system that enables data to be shared throughout different regions with strong and trustworthy privacy protections.” Hogan Lovells Partner Christopher Wolf told The Daily Dashboard, “APEC CBPRs, containing enforceable commitments for the protection of personal data, are a lot like BCRs (binding corporate rules) that the EU recognizes as sufficient for cross-border transfers. Their adoption and effectiveness suggests that the EU should move its focus from the adequacy of the U.S. legal framework to whether personal data is being adequately protected through mechanisms like the CBPRs.”

ONLINE PRIVACY

Study: Consumer Reaction to NSA Could Hurt Ad Targeting (August 14, 2013)

AdWeek reports on a study revealing that consumer concerns about online privacy have jumped from 48 percent to 57 percent since the National Security Agency surveillance programs were first disclosed in June. The findings, according to the report, could have “huge implications for the targeted advertising” industry because users will likely alter privacy settings and block tracking. The study also noted, if similar trends continue and some browser makers block third-party cookies by default, “the ad industry’s ability to effectively use third-party cookies for marketing purposes will decrease.” The study also found that 31 percent said they now actively take steps to protect their privacy online.

PRIVACY BIZ

Leizerov on Thinking Strategically About Privacy (August 14, 2013)

In a column for SC Magazine, Ernst & Young's Sagi Leizerov, CIPP/US, discusses the importance of thinking strategically about privacy. Governance, technology and regulation, he notes, are “three distinct megatrends forming based on market conditions and the impact they are having on how organizations approach privacy.” Leizerov writes, “Regulators realize that their tools of compliance and enforcement are simply not enough,” adding, “As such, they are becoming more active participants—strategic advisors—in decision-making discussions with organizations and consumers.” Though enforcement actions are “an important tool,” Leizerov says the “focus is shifting more toward collaboration, communication and education.”

DATA LOSS—CANADA & U.S.

Hospital Notifies 1,300 of Breach, Nurse Fired (August 14, 2013)

A nurse has been fired by Canada-based Norfolk General Hospital for unauthorized access to more than 1,300 patient records, Brantford Expositor reports. An investigation revealed the nurse allegedly violated the Personal Information Protection Act multiple times dating back to 2004. Compromised data included patient names, health care numbers, dates of birth, contact information, doctor names and reason for visit. The organization has notified affected patients. A Vermont-based healthcare and hospice facility has also announced a breach and notified affected patients after an employee’s laptop was stolen. Meanwhile, Boston Public Schools will redesign student information cards after a hard drive, containing PDF images of 21,054 student IDs, was lost.

DATA LOSS

Responding to a Data Breach (August 14, 2013)

According to the Ponemon Institute’s 2012 Data Breach Notification Study, most consumers who have received a breach notification say the breached organization did not do a good job in communicating and handling the data breach. What’s your plan for breach response? If you need some guidance on responding to a breach, the IAPP Resource Center can help. Check out Close-Up: Responding to a Data Breach for valuable tools, research and articles from experts in the field. (IAPP member login required.)

ONLINE PRIVACY

Global Sweep Highlights “Significant” Shortcomings (August 13, 2013)

The Office of the Privacy Commissioner of Canada (OPC) today released the findings of the first-ever Global Privacy Enforcement Network Internet Privacy Sweep, noting “shortcomings in how some online organizations provide information about their privacy practices.” The OPC’s blog includes key details as well as screenshots from the sweep. “While we did see some good examples that demonstrated it is possible to create transparent privacy policies, unfortunately, we also found some sites with no policies or that offered only brief, over-generalized statements about privacy,” said Canadian Privacy Commissioner Jennifer Stoddart, noting one “particularly disappointing example…was a paternity testing website with a privacy statement so skimpy it would fit into a tweet.”

BIG DATA

Making the Case for Data Assets, Not Privacy (August 12, 2013)

Alex “Sandy” Pentland discussed the importance of Universal People Sensors and the benefits of using Big Data to enhance the public good, effectively making our lives safer, at the IAPP’s Navigate un-conference in June. This Privacy Perspectives blog post delves into Pentland’s discussion and looks at how consumer choice and trust can play an important role in promoting the public good in a Big Data world.

SURVEILLANCE

Satellite Technology a Boon for Business (August 12, 2013)

The New York Times reports on affordable miniature satellites that will soon be orbiting Earth and sending back frequent, low-cost snapshots from space. The data captured from such technology will be valuable, one expert says, perhaps used by insurance companies to take “before” and “after” views of insured property to validate claims, for example. But some may not be so excited about such surveillance, said New York University Prof. Mitchell Stephens, calling the satellite’s pictures “a Godlike view, looking down from the heavens.” (Registration may be required to access this story.)

DATA LOSS

RCMP Clears HRSDC Employees of Wrongdoing (August 9, 2013)

The Royal Canadian Mounted Police (RCMP) have announced that no criminal investigation will be initiated against federal employees involved in the loss of a hard drive containing the personal data of 583,000 Canadian citizens, the Montreal Gazette reports. Human Resources and Skills Development Canada (HRSDC) had unsuccessfully sought to locate the hard drive since last November. “The results of the (internal) investigation provide no indication that the hard drive was taken with the intent of obtaining information for non-authorized use,” the HRSDC said.

DRIVERS’ PRIVACY

Insurance Companies Track Habits via Wireless Device (August 9, 2013)

The Globe and Mail reports on usage-based insurance programs and a wireless device that can track driving habits. The device can measure distance travelled, frequency of braking, acceleration and what time of day driving occurs, all of which can help determine insurance rates. Usage-based insurance has recently been launched in Ontario and Quebec on a voluntary basis. A Desjardins Insurance representative said, “We cannot use the data to cancel, not renew or increase the premiums, or use it for a claim.” The program is opt-in and currently has more than 20,000 participants. Privacy concerns over the programs persist, but Ontario Information and Privacy Commissioner Ann Cavoukian has said Desjardins has taken steps to protect consumer privacy.

SURVEILLANCE

Stoddart and Friends To Meet with Google (August 9, 2013)

Canadian Privacy Commissioner Jennifer Stoddart will meet with Google to discuss what she and other data protection authorities have described as “significant privacy issues” with Google Glass, Canadian Lawyer reports. This week, Google responded to a letter written by Stoddart and her peers about concerns over how Google Glass—a wearable computer—would comply with privacy laws. Google Global Privacy Counsel Peter Fleischer has said in response that the product is being built with “users and non-users in mind.” The date of the meeting is yet to be established.

PERSONAL PRIVACY

Privacy-Invasive Questions Asked of Candidates (August 9, 2013)

Questions being asked of candidates for the leadership of the Manitoba Liberal party demonstrate a need for new rules on how political parties gather and keep personal information. That’s according to privacy-law expert Brian Bowman, who says there aren’t currently privacy laws that apply directly. An eight-page questionnaire that candidates must complete to be considered includes questions on spouses, finances and children, the Ottawa Citizen reports.

ONLINE PRIVACY

Twitter Retargeting Service Gets Advocate Approval (August 8, 2013)

The Guardian reports on what Twitter’s new retargeting advertising service may mean for user privacy. Users “won’t see more ads on Twitter, but they may see better ones,” the company told its users. While some privacy advocates have scrutinized the plan, others say Twitter’s approach is admirable given its adherence to “Do Not Track” settings and its easy opt-out. The Electronic Frontier Foundation says other companies should follow Twitter’s lead: “We think Twitter is setting an important example for the Internet: It is possible to exist in an ecosystem of tailored advertisements and online tracking while also giving users an easy and meaningful opt-out choice.”

SURVEILLANCE

NSA Is Casting “Far Wider Net” Than Previously Disclosed (August 8, 2013)

While the NSA has publicly acknowledged collecting and searching the contents of Americans’ digital communications without a warrant, it was previously understood that only conversations between Americans and targeted foreign nationals were collected and searched. Now, reports The New York Times, the documents released by Edward Snowden reveal that any communication that crosses the border and even mentions a piece of information connected to a suspect is being collected and searched. The NSA says this practice is legal under the 2008 FISA law. An anonymous senior intelligence official told The Times the NSA “makes ‘a clone of selected communication links’” to gather the information. NSA officials have publicly denied this practice in the past. The ACLU and other organizations are calling this “precisely the kind of generalized spying that the Fourth Amendment was intended to prohibit.” (Registration may be required to access this story.)

MOBILE PRIVACY

Android 4.3 Keeps WiFi On, Even When It’s “Off” (August 8, 2013)

The latest version of the Android operating system comes with a new feature that some technologists are drawing attention to: Even when a user switches WiFi access off, the device will continue to scan for WiFi networks. This is done, according to a report from ValueWalk, “for providing better location information to apps.” However, there is a way to disable this functionality, which is detailed in the article. WPIX, a television station in New York, notes this default setting is raising privacy concerns.

CYBERSECURITY

Tor Network Breached (August 7, 2013)

The web anonymity service Tor announced that its network had been breached through a vulnerability in the Tor Browser, Naked Security reports, and that malicious JavaScript may have revealed the identities of those using the service. Tor allows web users to mask their browsing habits by sending data through onion routers to mask the original header information—including the user’s IP address. As a result, a hidden server network run by Freedom Hosting was taken offline. Freedom Hosting’s owner and operator Eric Eoin Marques is currently being held without bail and awaits extradition by the FBI for allegedly distributing child pornography online. Based on the timing of the arrest and the insertion of the malicious code, some speculate U.S. investigators introduced the script. “There are lots of rumors and speculation as to what’s happened,” writes the Tor Project on its blog. “We’re reading the same news and threads you are and don’t have any insider information.”

PERSONAL PRIVACY

Will Data Ownership EVER Be a Privacy Solution? (August 6, 2013)

“Why is it that better methods of digital contracting and data ownership have not yet developed to help us protect our privacy online?” asks Adam Thierer in this installment of Privacy Perspectives. Thierer, a senior research fellow at George Mason University’s Mercatus Center, writes, “there probably hasn’t been as much demand for formal contracting because many users don’t mind today’s ‘take-it-or-leave-it’ model of online services” and that formal contracting around privacy “has always been tied up with the same thorny issues of information ownership and enforcement, which have complicated digital copyright policy.” But maybe that's changing.

ONLINE PRIVACY

Making the Case for More Obscurity and Less Anonymity (August 5, 2013)

Speaking at Navigate in June, Prof. Woodrow Hartzog explored the value of and made the case for using online obscurity to help protect a user’s personal privacy. By obscuring our online profiles—by varying degrees depending on intent and context—Hartzog said we can help protect some of our online privacy. But what about those who hide behind masks of online anonymity to spout nefarious words of hate speech? This Privacy Perspectives installment explores the tension between the need for online obscurity and the need to unmask those who prowl the Internet with damaging intent.

PRIVACY PROFESSION

The Case for a Code (August 2, 2013)

Should privacy professionals have a code of ethics? That was the question first raised on Privacy Perspectives by Alex Fowler, and now continued by K Royal, CIPP/US, CIPP/E. Balancing roles as a nurse and an attorney, Royal discovered a tension allowing for conflict between professional obligations. The same may be true for privacy professionals serving as in-house counsel. “The potential for conflict is reduced when the law speaks clearly to the issue, but becomes muddy when the ‘right thing’ is not statutorily driven,” Royal writes. “Does one’s duty to the company carry more weight than one’s duty to a data subject? Does one have a duty to a data subject if the law is silent?”

PRIVACY LAW

Denham: No Violations by BC Liberals (August 2, 2013)

A report released by British Columbia Information and Privacy Commissioner Elizabeth Denham indicates the BC Liberal Party did not breach the province’s privacy laws through its controversial plan to reach out to so-called “ethnic” voters, The Vancouver Sun reports. “While the information collected by government is personal information as defined by provincial privacy legislation,” wrote Denham, “the investigation did not find evidence that government improperly disclosed that information as part of the outreach plan.” Denham added, “Further, the investigation did not find evidence that the BC Liberal Party either improperly collected or disclosed personal information as part of the outreach plan initiative.” A columnist for The Sun wrote about Denham’s “unprecedented use of her powers in investigating” the outreach scandal.

GEOLOCATION

Opinion: More Protection Needed for Geolocation Data (August 2, 2013)

In the U.S. case State v. Earls, the Supreme Court of New Jersey ruled that the evidence seized as a result of geolocation data used—without a warrant—to track a man suspected of a home burglary was not valid. In Canada, the courts have been going in a “distinctly different direction,” writes Denise Brunsdon for IP Osgoode. For example, she writes, an Ontario Court of Appeal recently “found it acceptable for police to search mobile devices without an additional phone-specific warrant if the phone had no password protection.” Brunsdon says the “demand to recognize geolocational privacy is widespread…and we need better protection in this area.”

DATA LOSS

RCMP Shared Mental Health Data; District’s Site Breached (August 2, 2013)

The RCMP has violated the privacy of members who were treated for mental health issues by providing their personal medical files in a dispute with a British Columbia psychologist, The Canadian Press reports. As a result, the Mounted Police Professional Association has asked for a full investigation to see if the problem is systemic. Meanwhile, thousands of West Vancouver residents’ personal data may have been exposed after the district’s website was accessed by an unauthorized user.

PRIVACY SCHOLARSHIP

Deception Is at the Heart of PLSC-Winning Papers (August 1, 2013)

At each year’s Privacy Law Scholars Conference, scholars workshop papers that bring together the academic privacy community with those working in industry, advocacy, law and government. The IAPP awards the two papers that receive the most votes from attendees with a cash prize and a speaking slot at the IAPP Privacy Academy, to be held this year in Seattle, Sept. 30 through Oct. 2. In an exclusive for The Privacy Advisor, we interview the winners and discuss their inspiration for the papers and the conclusions they’ve drawn about deceptive privacy practices and what the FTC might start doing about them.

ONLINE PRIVACY

Companies Shifting To Meet Consumer Expectations (August 1, 2013)

Forbes reports on products that are changing based on consumer expectations of privacy. Pinterest is now offering users a Do-Not-Track option. Google Now is a digital assistant capable of alerting users if a flight is delayed or a particular route is backed up with traffic, but Google reserves the service’s full functionality for those users who don’t mind their locations being tracked, the report states. And Facebook’s latest ad offerings target users based only on age and gender rather than more granular data.