Today’s “buzz” on Google Buzz offers lesson for new service roll-outs

April 20, 2010

Canada’s Privacy Commissioner, Jennifer Stoddart, has teamed up with nine other country’s privacy watchdogs today to warn Google and other organizations to better respect people’s privacy rights. The privacy commissioners have sent a letter to Google, accusing it of overlooking privacy values and legislation in launching new online products.

The privacy commissioners’ letter states, “we are increasingly concerned that, too often, the privacy rights of the world’s citizens are being forgotten as Google rolls out new technological applications. We were disturbed by your recent rollout of the Google Buzz social networking application, which betrayed a disappointing disregard for fundamental privacy norms and laws… Unfortunately, Google Buzz is not an isolated case. Google Street View was launched in some countries without due consideration of privacy and data protection laws and cultural norms. In that instance, you addressed privacy concerns related to such matters as the retention of unblurred facial images only after the fact, and there is continued concern about the adequacy of the information you provide before the images are captured… We therefore call on you, like all organizations entrusted with people’s personal information, to incorporate fundamental privacy principles directly into the design of new online services. That means, at a minimum:

  • collecting and processing only the minimum amount of personal information necessary to achieve the identified purpose of the product or service;
  • providing clear and unambiguous information about how personal information will be used to allow users to provide informed consent;
  • creating privacy-protective default settings;
  • ensuring that privacy control settings are prominent and easy to use;
  • ensuring that all personal data is adequately protected, and
  • giving people simple procedures for deleting their accounts and honouring their requests in a timely way.”

    • The privacy commissioners’ demand that Google and other organizations better incorporate privacy into the design of new online services underscores the need for the “Privacy by Design” initiative that Ontario’s Information and Privacy Commissioner recently discussed in my “A Conversation with Dr. Ann Cavoukian” post. All organizations, regardless of their size (after all, we’re all not Google), would be well-advised to learn from today’s “buzz” about Google Buzz.

    Leave a Comment » | Data Protection, Due Diligence, Ontario's Information and Privacy Commissioner, Personal Information, Privacy, Privacy Commissioner of Canada, Social Networking Websites, Technology | Tagged: , , , , , , | Permalink
    Posted by Brian Bowman

    OPC asks “how many unused profiles do you have online?”

    March 12, 2010

    The Office of the Privacy Commissioner of Canada has just posted this excellent article about the dangers of forgetting about personal information submitted to create online profiles.

    This really is the kind of personal information that identity thieves love so the OPC article is a useful read. In fact, businesses whose employees create accounts on their behalf would be well-advised to have employees read the OPC article.

    Leave a Comment » | Identity Theft, Privacy, Privacy Commissioner of Canada | Tagged: , , , , | Permalink
    Posted by Brian Bowman

    Businesses should learn from 2010 Olympics surveillance camera debate

    February 16, 2010

    The 2010 Olympics are finally here! So too are the reportedly pervasive crowd surveillance cameras that are monitoring spectators’ every move.

    Privacy advocates are already voicing concern.  But unlike previous public debates regarding privacy and surveillance cameras, I expect that the concerns that’ll be raised during and after the 2010 Olympics will be more comprehensive than the traditional “privacy vs security” debate. For instance,  Jennifer Stoddart, Canada’s Privacy Commissioner, recently commented on this blog that “one of the big issues will revolve around the pervasive crowd surveillance measures, and what will happen with all of the cameras and recordings after the flame is extinguished.”

    Of course, there are legal tests that governments (and businesses) should use to determine the appropriateness of installing surveillance cameras in the first place. But once any organization has decided to install surveillance cameras there’s a corresponding requirement to appropriately manage the data that’s collected. For instance, organizations must ensure that they have security, retention and destruction policies in place. This is the “devil in the detail” that’s often overlooked.

    I expect public scrutiny of the surveillance cameras being used during the 2010 Olympics. And such scrutiny will increase public expectations on businesses to properly manage data that they too collect by surveillance cameras.

    2 Comments | Monitoring, Privacy, Privacy Commissioner of Canada, Safeguarding, Security, Technology, Video Surveillance | Tagged: , , , , , | Permalink
    Posted by Brian Bowman

    Canada’s Privacy Commissioner delivers landmark speech on the future of privacy regulation

    February 10, 2010

    Jennifer Stoddart, Canada’s Privacy Commissioner, delivered a landmark speech today at the 11th Annual Privacy and Security Conference in Victoria, B.C. 

    In her remarks, Stoddart discussed the challenge of technology, globalized data flows and social change. While reflecting on her years as Canada’s “village elder” in the privacy community, Stoddart commented:

    “When I took over as Privacy Commissioner, Facebook didn’t exist. Neither did Twitter, Flickr, YouTube, Google Street View, Foursquare, iPods and all the many novel ways in which people now routinely connect with the rest of the world. And it’s not just technology that’s different; it’s other drivers of change as well. Like real-time globalization, for instance, and the instantaneous worldwide flow of data. It’s the way people embrace and respond to technology. Their expectations of what the technology can do for them, and at what cost. Is it desirable, for example, to buy greater convenience at the cost of less privacy? In light of these colossal changes over the past decade alone, it would be foolish to try to predict what the next decade will hold. But what we can say for certain is that the regulatory framework we have in place now for the protection of privacy and personal information is already being sorely tested.”

    Read the Privacy Commissioner’s full remarks here.

    Leave a Comment » | Internet, Privacy, Privacy Commissioner of Canada, Technology | Tagged: , , , | Permalink
    Posted by Brian Bowman

    A Conversation with Frank Work, Alberta’s Information and Privacy Commissioner

    February 3, 2010

    Continuing a series of blog posts that I’m calling “A Conversation with…” (the first being A Conversation with Jennifer Stoddart, Privacy Commissioner of Canada), I’m delighted to post the following conversation with Frank Work.

    Commissioner Work is as personable as he is professional. I’ve had the pleasure to speak at privacy conferences with Commissioner Work and let’s just say that I’m glad I presented first!  As privacy professionals will know, he’s a plain spoken, intelligent speaker and so his sessions are always a “must attend”.

    Thanks to Commissioner Work for agreeing to engage in this online Q & A conversation.  If you’d like to learn more about Frank Work, the Office of the Information and Privacy Commissioner of Alberta (the “Alberta OIPC”) or the issues raised in this conversation, I’d encourage you to visit the Alberta OIPC’s website.

    Q.  Your office has investigated identity theft arising from crystal meth abuse. What’s the link between the two?

    A.  A couple of years ago the Edmonton police raided a hang out for meth users.  They found a lot of papers from businesses in the area, which they gave to us.  Cell phone contracts, credit bureau checks, credit card information and so on.  The police told me that meth users, unlike some other substance abusers, are pretty alert when they are high.  They don’t sleep.  They have lots of time to do the kind of detailed work necessary to engineer credit card fraud and identity theft.

    Q.  So what can the public do to protect itself from that kind of identity theft?

    A.  Individuals should shred bank and credit card statements.  They shouldn’t carry certain ID, like birth certificates, on them. These kinds of foundation documents are very useful for identity theft.  Always report lost or stolen credit cards, but also lost or stolen driver’s licences, birth certificates, and passports.  Check your bank and credit card statements to make sure someone else isn’t using them.  Do a credit bureau reference on yourself maybe once a year.  If your score is lower than you think, find out why.  If your score changes from one year to the next, find out why. Sometimes it can be identity theft (someone using your good name). Sometimes it can be an error on the part of the credit bureau.

    The other side of the problem is organizations that have peoples’ info.  They must take proper care of it.  As I said, we have been given credit reports, draft mortgages, cell phone contracts, purchase of goods contracts and bookkeepers files, all thrown away.  These papers all have potential for fraudulent use.  Businesses need to shred this stuff.  Furthermore, for businesses that have customer databases, how well secured is it?  Who on their staff has access to it?  We have had cases where someone in the business is taking the info and using or selling it for fraud and identity theft.

    Q.  Alberta’s private sector privacy legislation was recently amended to include mandatory breach notification. How will this impact privacy regulation in, and outside of, Alberta?

    A.  It is early days yet.  Hopefully it will make organizations extra careful with personal information.  Will that raise the bar for organizations in other provinces?  Maybe.  If you are going to change your practices here, you might as well change them everywhere.  Possibly more provinces will legislate.  A big piece of the picture will be when the Federal government amends PIPEDA in this regard.  Maybe this will increase pressure to do so.  It will be a challenge to figure out what “a real risk of significant harm” is.  It will be a challenge to figure out in which cases there should be notice given and what kind of notice.

    Q.  You’ve worked as a lawyer in different countries around the world. How does Canada’s approach to privacy compare to your experience in other places?

    A.  We aren’t perfect but we are way ahead of most other jurisdictions.  The “commissioner” system of enforcement has served us well because we do not have the kind of well funded civil society organizations which can advocate for privacy.  Commissioners can and do advocate.  I mean, I would love to have an ACLU, or and EPIC or an EFF in Canada.  Our civil liberties people, like FIPA in BC do great work with the resources they have but resources are scarce.  We need some rich people to endow some of these groups.  The other thing is that I think, relative to other societies, Canadians have a disposition towards privacy.  We get it to some extent.  I like to think it is because we are, yes, polite, and respectful of other people.  That makes us respect each other’s space.  We must not lose that as the world becomes one big facebook/google culture.  Teach your children well.

    Q.  Looking forward, what kind of privacy developments should we watch for in 2010?

    A.  Cyber attacks, hacks and other losses will continue.  Governments will continue to bring surveillance technologies to bear every time anything bad happens. I will continue to get judicially reviewed.  I would like to think people will start resisting surveillance and other intrusions into their lives but I don’t see it happening.  Governments like surveillance.  Heck, the public likes surveillance because we are just so bad at risk assessment.  We are scared of everything it seems and we want someone to keep an eye on everything for us.  It will be interesting to see if technology begins to fail us.  For example, what if there is another airplane bombing attempt and the technology doesn’t prevent it?  They bring in new technology.  And that doesn’t prevent the next one (God forbid).  Maybe they run out of technology, although, for the money involved I don’t see that happening.  Someone will come up with a new toy.  Will someone ever say “this technology isn’t doing what we want it to and it is costing us a bundle?”  I think that will be a social shock.

    5 Comments | Airport Security, Identity Theft, Personal Information, PIPA, PIPEDA, Privacy, Privacy Breach, Privacy Commissioner, Security | Tagged: , , , , , , , | Permalink
    Posted by Brian Bowman

    Today is Data Privacy Day 2010!

    January 28, 2010

    January 28th is Data Privacy Day 2010! Canada’s Privacy Commissioner is marking the day by “urging companies to ensure they have the proper systems in place to safeguard information; and reminding individuals to think twice about what they post on the Internet.” See the Privacy Commissioner’s news release here.

    Leave a Comment » | Data Protection, Privacy, Privacy Commissioner | Tagged: , | Permalink
    Posted by Brian Bowman

    Privacy folks crying wolf on scanners

    January 7, 2010

    Will the virtual strip-search scanners soon to be operational in Winnipeg’s Richardson International Airport be an invasion of privacy? Absolutely. Should they be installed despite privacy concerns? Absolutely.

    Read more>>

    You may note that the above link takes you to the Winnipeg Sun.  I’m delighted to have been asked by Sun Media Corp. to provide Comment columns like today’s on a monthly basis.  I hope you find them of interest!

    1 Comment | Airport Security, Personal Information, Privacy, Privacy Commissioner, Security | Tagged: , , , | Permalink
    Posted by Brian Bowman

    “Naked” airport scanners get green light

    November 3, 2009

    FlasherDon’t let anyone tell you that something can’t be done because of privacy laws. For example, how many times have you heard someone say, “privacy laws handcuff the ability of law enforcement to protect Canadians” or “businesses can’t compete because of heavy-handed privacy laws”?  Yes, in very limited circumstances privacy laws can restrict certain activities.  But, these cases are few and far between.  In many more circumstances, privacy considerations simply need to be built into the design of a product or service. 

    Case in point is the recent coverage that Assistant Privacy Commissioner of Canada, Chantal Bernier, has approved the use of airport scanners that can see through your clothes.  Who would have thought that the Office of the Privacy Commissioner of Canada would ever approve what have been refered to as “naked” airport scanners?  But if you look at the manner in which the scanners will apparently be rolled out, there appears to be a balance between security and privacy considerations.  As I’ve previously posted, “Privacy by Design” can help those with a “can-do” attitude. 

    Regardless of whether I agree that the “naked” airport scanners are lawful (and regardless of whether I’ll choose to walk through one of these scanners myself), it’s great to see an attempt at “Privacy by Design” in action. To be honest, however, my greatest concern is for the poor airport security professionals who may one day have to look at my less than stellar outline.  I’m not sure how much they get paid, but it’s probably not enough!

    Leave a Comment » | Privacy, Privacy Commissioner, Security | Tagged: , , , , | Permalink
    Posted by Brian Bowman

    Are the media subject to PIPEDA?

    September 16, 2009

    Broadcasting

    Is there one set of privacy rules for regular businesses and one for the media? In a past case summary, the Office of the Privacy Commissioner of Canada (the “OPC”) found that a radio station which had broadcast the name and comments of a caller who had phoned the radio station’s news tips line to relay specific details of a robbery was not a violation of the Personal Information Protection and Electronic Documents Act (PIPEDA). Why wasn’t this a violation?

    PIPEDA contains provisions aimed at protecting the media’s right to “freedom of expression”, which is a pretty fundamental right worth protecting in a free and democratic society.  Specifically, PIPEDA’s privacy obligations don’t apply to “any organization in respect of personal information that the organization collects, uses or discloses for journalistic, artistic or literary purposes and does not collect, use or disclose for any other purpose”.  When the collection of personal information is solely for journalistic purposes, journalists aren’t required to obtain the consent of individuals about whom the information relates. The result is that if a journalist’s activities are truly “journalistic” then they can proceed with the collection and broadcast of personal information without seeking permission from individuals.  Of course, it’s still a good idea to obtain consent in most circumstances despite the exemption.   

    When the media collects, uses or discloses personal information for reasons that are not journalistic, serious issues arise as they would for any regular business. In the finding noted above, the OPC determined that the personal information collected by the radio station was intended soley for journalistic purposes. That’s why the OPC was of the view that there had not been any violation of PIPEDA. Any illusion that the media are not bound by PIPEDA is wrong.  But there are appropriate exemptions in the law that help them to conduct their important work.

    Leave a Comment » | Media, Personal Information, PIPEDA, Privacy, Privacy Commissioner, Security | Tagged: , , , , , | Permalink
    Posted by Brian Bowman

    Laptop Encryption: “I don’t know what we have to do to drive this message home” says Commissioner

    September 10, 2009

    Laptop 11A summer incident involving sensitive personal information on stolen laptops has brought the issue of data protection once again into the crosshairs of Frank Work, the Alberta Information and Privacy Commissioner

    In a press release, the Commissioner expressed shock and disappointment with the fact that the stolen laptops, which contained the personal health information of more 300,000 individuals, were not encrypted. “This is shocking for me…I don’t know what we have to do to drive this message home” said the Commissioner. “The standard in Alberta for storing personal or health information on portable devices is encryption. I can’t accept anything less.” The Alberta incident is strikingly similar to an incident that occurred in Ontario back in 2007.  The Ontario incident also involved the theft of a non-encrypted laptop containing personal health information.  A review of the incident by Ann Cavoukian, Ontario’s Information and Privacy Commissioner, produced an order for information of this type to be encrypted. 

    These incidents demonstrate how easily sensitive data can be compromised when stored on laptops.  Encryption is a relatively easy way to improve the security of such information.  But, where do you start? There are numerous encryption options available.  Choices range from free open source encryption software like TrueCrypt to full information security consultations from companies that offer comprehensive data protection services like Seccuris. Regardless of which course you choose, one fact remains the same, encrypting laptops significantly improves security and that’s just smart business.

    Leave a Comment » | Access to Information, Data Encryption, Data Protection, Laptops, Mobile devices, Personal Information, PIPEDA, Privacy, Privacy Breach, Privacy Commissioner, PSDs, Safeguarding, Safekeeping, Security, Security Breach, Smartphones, Technology | Tagged: , , , , , , , , , , , , , , | Permalink
    Posted by Brian Bowman

    « Previous Entries
    Next Entries »
    Follow

    Get every new post delivered to your Inbox.

    Join 77 other followers