no privacy right in identity linked to ip address

The Ontario Court of Appeal released its decision in R v. Ward earlier today. The case involved the conviction of a worthless low-life pedophile by the name of David Ward.

The police were able to find him, in part, by tracking down his IP address and asking his ISP to provide the identity of the customer using the IP address at the time. His ISP did so voluntarily, even though the police did not have a search warrant. The appeal focused on whether or not he had been subject to unreasonable search and seizure, in violation of the Charter of Rights, and whether or not he had a reasonable expectation of privacy.

The Court of Appeal’s decision concluded that the disclosure of this information by the ISP to the police did not violate his Charter rights, and that there neither was, nor should there have been, a reasonable expectation of privacy.

While my personal sentiments in respect of Mr. Ward would be that I could care less if he rotted in a jail cell for the rest of his days, the ends, as they say, do not always justify the means. And if the law is to be applied equally to everyone, I do believe there are some rather disconcerting implications regarding the conclusions in this case, notwithstanding the court’s attempt to put a ring fence around its application.

No time for the detailed analysis right now but it will be forthcoming. In the meantime, I encourage you to read the case – what do you think?

social media, privacy and discovery

I read with interest a story about a recent case in the US involving a personal injury claim. In short:

Campa Construction Corporation argued it should be granted access to Pedro Caraballo’s Facebook, Myspace and Twitter accounts, including to his deleted files.

The request was “overly broad” and not specific enough in what it was looking for, the court said.

Campa had argued that pictures, videos and posts on the sites were as important as medical records and that they could show Caraballo engaged in activities which would undermine claims about his injuries. Caraballo is suing Campa after a wall fell on top of him as he worked to connect sewer pipes in a trench.

The court indicated that “digital ‘fishing expeditions’ are no less objectionable than their analog antecedents” and therefore declined to grant the request.

It is interesting to compare the US case with a similar decision in Canada a few weeks ago, but with quite different results. In Sparks v. Dube, not only was the request granted, but granted ex parte for the following:

1)  A Preservation Order and, in the alternative, an Interlocutory Injunction are hereby made and issued compelling Erica Sparks: 1) to preserve and maintain without deletions or alterations the entire contents of her personal web page(s) on the social network Facebook including but not limited to photographs, text, links, postings, event details and video clips until further direction of the court, and 2) to participate in the carrying out of the following orders where her participation is required;

2)  The Interlocutory Injunction shall expire ten days after these orders take effect instituted;

3)  The Applicant-Defendant shall personally and immediately serve all orders and a copy of this judgment upon the Plaintiff’s solicitor, Mr. James Crocco, who shall not disclose any of the orders set out herein nor the contents of this judgment except on terms as they are allowed by these orders;

4)  Upon being served, Mr. James Crocco shall arrange for a solicitor in his firm or an agent lawyer of his choice to be appointed to carry out as soon as reasonably possible, and in the case of the Interlocutory Injunction within ten days of the taking effect of these orders, the orders set out that pertain to his client Erica Sparks subject to the following terms:

a)  The appointed solicitor shall be remunerated by the Defendant for his or her services;

b)  That solicitor shall immediately contact Ms. Sparks and, without disclosing the nature of the subject matter to be discussed, schedule a meeting with her at a location convenient to access and download data from the Internet and reduce it to usable form, such as hard copy for data so suited or memory stick or other such device for videos, as soon as reasonably practicable;

c)  Upon personally meeting with Erica Sparks at the location chosen the appointed solicitor shall apprise her of the terms and conditions of the Preservation Order and Interlocutory Injunction as well as the other orders contained herein that pertain to her;

d)  Immediately upon disclosure of the terms and conditions of the orders set out, Erica Sparks, in the presence of the solicitor engaged, shall create a permanent tangible records in hard copy, wherever possible, or to other suitable device, of the entire contents of her web page(s) on Facebook including, but not limited to, all photographs, text and links and shall record by a memory stick or other suitable device any videos posted or linked to Erica’s Sparks’ Webpage, one copy of which shall be sealed upon the carrying out of that part of these orders and delivered to Mr. James Crocco to be held and preserved by him until further direction of the court; but the delivering of a sealed copy of the entirety of her web page(s) shall not operate to preclude Erica Sparks from providing her counsel, Mr. James Crocco, or anyone else of her choosing with a copy of the entirety of her web page(s) in order to prepare for the Production Hearing or further proceedings;

5)  Upon complying with the said orders the solicitor appointed to supervise the downloading of the material referred to herein shall immediately review all of the material downloaded to ensure that the orders have been carried out in full and shall then certify to the court in writing that there has been strict compliance with the orders contained herein, and that the sealed packet represents the entire contents of the Facebook web page(s) of Erica Sparks as well as videos posted or linked to it or them;

6)  Upon the successful execution of the orders set out herein and the execution of the certification of strict compliance with the orders contained herein by the solicitor appointed to supervise the downloading of the material referred to herein Erica Sparks shall be free to resume unrestricted access to her web page(s) on Facebook including its substantive composition;

7)  The Motion begun on December 9, 2010 shall be adjourned to a date to be fixed by the Clerk of the Court of Queen’s Bench for the Judicial District of Woodstock;

8)  The Defendant shall then file with this court and serve on the Plaintiff, in timely fashion, a Notice of Motion for the production and disclosure of the contents of the sealed packet of information/data;

9)  Once a date for a Production Hearing has been set Mr. James Crocco shall bring to that hearing the sealed packet of data retrieved from the Facebook web page(s) of Erica Sparks pursuant to the orders contained herein;

10)  Upon completion of the execution of the orders contained herein, that apply to the retrieval of the entire contents of Erica Spark’s Facebook web page(s) on the terms as set out in these orders, the temporary oral sealing order sealing the entire file and court record in this matter that was imposed on December 9, 2010 at the conclusion of the ex parte hearing shall be lifted without further order of the court.

11)  The Plaintiff shall upon execution of these orders and the holding of a Production Hearing, in timely fashion, file a further and better Affidavit of Documents.

(emphasis added)

Needless to say, quite a different outcome and much to the benefit of the defendant, who was seeking evidence to disprove the plaintiff’s claims of damages for soft tissue injuries. Apparently, the case settled shortly after the information was downloaded.

Interesting how both cases involved similar situations, but resulted in quite different outcomes.

how not to use social media

It never ceases to amaze me how some folks manage to mess things up when it comes to social media. I could perhaps understand it a few years ago, when Facebook and LinkedIn weren’t all that popular just yet, and the former was more or less limited to students. But these days, I would have thought that people would know better. And to some extent they do. For example, as compared to just a few years ago, most people I see on Facebook have taken the effort to turn on at least some of the privacy settings, which hasn’t always been the case.

In any event, apparently we now have another first – the first person to have been convicted for a tweet. The prize goes to Mr. Paul Chambers, for this lovely tweet: “Robin Hood airport is closed. You’ve got a week and a bit to get your s**t together, otherwise I’m blowing the airport sky high!”

He was convicted of sending a menacing electronic communication. Fortunately for him no jail time was involved, though he was fined and apparently also lost his job as a result of the prosecution.

Social media, privacy, personal information and one’s communications through them are, collectively, a very complex topic. I’m sure that if you wanted to, you could spend a whole day (or longer) teaching people how to navigate Facebook’s privacy settings. Or LinkedIn’s. That being said, I usually try to keep my advice on using social media very simple: Before you post, tweet, blog or send, imagine what would happen if whatever it is you’re sending out will appear on the front page of the New York Times. Would you be comfortable with that? If not, then perhaps keep it to yourself. Or share it with close friends or colleagues over a coffee or a beer.

I imagine this might be a bit of an oversimplification, and perhaps even rather obvious. Also, if someone already lacks any sense of judgement, it certainly won’t help (then again in that case nothing likely will). And it certainly won’t help you if you’re, say, someone with unusual predilections who can use only social media as an outlet. All that said, I find it to be a relatively good rule of thumb. Also a lot quicker than taking a couple of hours each time Facebook, once again, adds another 30 settings to its privacy controls.

new canadian privacy and anti-spam laws – updated again

Update 2: Here is a redline showing the changes from the November, 2009 version of ECPA to the May 25 version of FISA, in Word and PDF. The Word version shows the wording of some existing provisions which FISA is amending. You’ll need to scroll over to the right starting around s. 70 to see them. Not included in the PDF version. Doesn’t look like much has changed. Happy reading.

Update: Links to the bills added. See also comments and observations from Barry Sookman, Michael Geist (one on FISA and the other on SCPIA) and David Canton. Mostly just initial observations, except for Mr. Geist’s post on SCPIA. His nickname for the bill (the “Anti-Privacy Privacy Bill”) should give you an idea of his thoughts on it.

Yesterday the federal government announced the tabling of two new significant pieces of legislation. The first is the Fighting Internet and Wireless Spam Act, which has been acronymed as “FISA”. And no, I don’t know why they dropped the W. Maybe easier to pronounce? As many readers probably know, this is the rechristened Electronic Commerce Protection Act that died last year when Parliament was prorogued. In addition to the catchier name, there were a few substantive tweaks to the law. You can read the rather long-winded press release through the link above. Alternatively, here’s the point form version:

  • fairly strict and comprehensive approach to unsolicited commercial e-mail (i.e. spam), described as “multi-faceted”
  • enables government agencies to share information with international counterparts to pursue foreign violators
  • sizeable fines for violations – up to $1 million for individuals and $10 million for businesses ($15 million in certain cases) for each violation
  • allows businesses and consumers to sue spammers directly, modelled on U.S. laws
  • technology neutral – spam, spim, junk faxes, robocalls – all treated the same

The second piece of legislation is a set of amendments to the existing Personal Information Protection and Electronic Documents Act (or PIPEDA). Doesn’t quite roll off the tongue as nicely as FISA. [Update: The amending act is actually nicely entitled the Safeguarding Canadians’ Personal Information Act which is somewhat sexier.] Point form summary:

  • breach notification requirement – must notify privacy commissioner for material breach and individuals if risk of harm
  • enhanced consent requirements to ensure people (particularly minors) clearly understand the consequences of sharing personal information
  • exceptions added to help people (financial abuse, missing persons, identify dead people)
  • exceptions added for business contact information and to manage employees, information produced for work purposes and due diligence in acquisitions and similar corporate transactions
  • exceptions added for private sector investigations and fraud prevention
  • prohibitions on notifying individuals in connection with disclosure of personal information to law enforcement agencies

More to come in due course.

woman sues rogers for exposing affair to husband

Can mobile carriers be liable for divorce? I guess we’ll find out soon enough. There was a story in the Toronto Star this morning that told of a woman who is suing Rogers for $600,000 because her husband left her. She alleges this was caused by Rogers taking the liberty of sending her husband a consolidated bill when he signed up for internet and home phone. They apparently then lumped in her cell phone bill, which she alleges she did not request. When the husband saw the bill and noticed a series of long phone calls, he called the number and apparently found out about his wife’s affair.

Needless to say, Rogers is asserting that it is not liable, primarily it seems on the basis of lack of causality – i.e. it was the affair that led to the break-up, not the disclosure of personal information. Of course the wife will argue that the break-up would not have happened but for Rogers’ disclosure, which is likely alleged to be in contravention of her agreement with Rogers or the Canadian Personal Information Protection and Electronic Documents Act.

Interestingly, on the latter front, she apparently did not choose to make a complaint to the federal privacy commissioner, instead deciding to proceed by way of a statement of claim in the Ontario Superior Court.

I have my doubts as to the likelihood of her success. Despite the unfortunate circumstance she and her two young children now find themselves in, I don’t think the courts will have much sympathy for her claim. Even if there were a breach by Rogers, I’m not sure how much in the way of damages she would be awarded. The question here would be whether the court believes the damages would have been foreseeable by Rogers. I think that would be unlikely. But who knows. In any event, I’m sure this is a case that The Ashley Madison Agency will be following very closely.

alberta enacts breach notification requirement

Alberta’s Personal Information Protection Amendment Act, 2009 came into effect over the weekend (May 1, to be precise). The amendments included a variety of changes but perhaps most notably include a new notification requirement if an organization experiences a security breach.

The Alberta government has come out with a brochure (PDF) to help organizations understand their obligations under this new requirement. Here’s the Coles Notes version:

  • you must notify the Alberta Privacy Commissioner of any loss, unauthorized access or unauthorized disclosure of personal information without delay
  • notification is mandatory (i.e. it’s an offence if you don’t) if a reasonable person believes there is a real risk of significant harm to an individual as a result of the breach and optional if it isn’t
  • the Commissioner then decides whether individuals need to be notified. If they do, the Commissioner will tell you and you will need to comply accordingly

The brochure itself contains helpful explanations, examples and illustrations on some of these concepts, such as what is meant by “real risk of significant harm” and who is responsible for notification, which I won’t regurgitate here.

While this is old hat in the US, with many (most?) US states already having such requirements in place, it is relatively new in Canada. Apart from the somewhat terse breach notification requirements under the Ontario Personal Health Information Protection Act, Alberta’s legislation appears to be the first in Canada. The concept however has been subject to discussion for some time now. Other provinces (I believe Newfoundland and New Brunswick) have legislation pending along the same lines, but Alberta’s is the first to address breaches relating to personal information generally, not just health information. The Uniform Law Commission of Canada has also studied the matter a fair bit and came out with a report and draft legislation (PDF) last year. John Gregory, the General Counsel of the Ontario Ministry of the Attorney General, has also given presentations (PPT) on the topic.

In short, all this points to the fact that it isn’t a question of whether there will be such requirements throughout Canada, but rather when. Organizations that hold a significant amount of personal information would be well-advised to consider the adequacy of their existing security measures and whether they need to be upgraded, given the potential cost of security breaches in light of these requirements.

“Anonymized” data really isn’t—and here’s why not – Ars Technica

You have zero privacy anyway. Get over it.

So spoke Scott McNealy more than a decade ago. At the time he made this statement, he received a fair amount of criticism. Turns out, he might very well have had a point, though perhaps for reasons he might not have foreseen.

A recent paper highlights the issue of the “reidentification” or “deanonymization” of anonymized personal information. However, the issue goes beyond anonymized information to the very heart of how one should define personal information that is or should be protected under privacy legislation.

“Anonymized” data really isn’t—and here’s why not – Ars Technica.

Canadian privacy legislation simply defines personal information as “information about an identifiable individual” (excluding certain information about someone in their capacity as an employee). However, what does “about an identifiable individual” mean? Does it mean that the person collecting the particular nugget of information can associate it with a person’s identity? Or, perhaps more disconcertingly, does it include data that alone (or even in conjunction with all the other information collected by a given organization) could not be linked with a particular individual, but that has the potential to be associated with someone when analyzed together with information available from other sources?

norwich orders, part ii (an editorial of sorts)

<rant>

I was a bit surprised to find this article that covered the court orders that had required Google to disclose information on some Gmail users and the subsequent orders in Canada against certain Canadian ISPs, which was the subject of a previous post. The long and short of it is that the author considers Norwich orders to be some sort of grave, grave intrusion on privacy rights and personal liberty. Hence, this dire warning at the end of the article:

No matter how many precautions we take to remain private or cloak our identity, the authorities and other potential litigants usually have little difficulty obtaining this content. And they do it not by nefarious means like hacking, but through our very own court system.

Internet users everywhere would do well to take heed. Your emails — and maybe even your Google searches — could be one subpoena away from the prying eyes of federal authorities, not to mention private litigants.

Why am I surprised? Because it seems to lack the most basic understanding of the legal system. I won’t get into all the details of the workings of Norwich orders – the original article by Omar Ha-Redeye that I had previously mentioned does a very good job at that, and I would certainly commend it to the author of this article so he may perhaps gain some insight.

The fact of the matter is that no, your privacy rights and right to anonymity have not suddenly disappeared altogether. However, as with all rights there are limitations. Thus, while U.S. citizens have the right to bear arms, they do not have the right to shoot people. If someone were to do that, they should reasonably expect their gun (and likely their liberty) to be taken away. Similarly, if someone uses their right to anonymity in an attempt to commit a crime or harm someone else, they should reasonably expect that right of anonymity to be taken away – at least to the extent it relates to the crime.

Remarkably, the author seems to suggest that the use of “subpoenas” (presumably he meant to refer to the Norwich orders) is almost the equivalent of, say, parking tickets, that the authorities or litigants can simply write up if and when they choose to stomp on someone’s personal liberties for no good reason. What an unfortunate misperception of the legal system. The very reason why someone must go to the courts to obtain such an order is to ensure that the interests of the parties involved are balanced and safeguarded. If someone seeking the order does not have a reasonable and valid basis for doing so, it is likely that the order would not issue.

Regarding process, he cites Eric Goldman:

“People need to know that very little information that they give or make available to third parties [like Google] is unavailable to the government or private litigants,” says Eric Goldman, director of the High Tech Law Institute at Santa Clara University School of Law. “I think most people are surprised at how relatively easy it is for the government and private litigants to obtain ‘their’ information.”

I can’t speak to the process in the U.S. or what Mr. Goldman considers to be “relatively easy”. What I can say is that in Canada there is reasonable due process and consideration before such orders are issued. Just to cite one part of Mr. Redeye’s article:

A Norwich order is a pre-action discovery mechanism that is described by Spence J. in Isofoton S.A. v. The Toronto-Dominion Bank,

Requests for Norwich relief are largely unfamiliar to Canadian courts.  A Norwich order essentially compels a third party to provide the applicant with information where the applicant believes it has been wronged and needs the third party’s assistance to determine the circumstances of the wrongdoing and allow the applicant to pursue its legal remedies.

The 5 elements identified in this case for granting such an order include:

(i) Whether the applicant has provided evidence sufficient to raise a valid, bona fide or reasonable claim;
(ii) Whether the applicant has established a relationship with the third party from whom the information is sought such that it establishes that the third party is somehow involved in the acts complained of;
(iii) Whether the third party is the only practicable source of the information available;
(iv) Whether the third party can be indemnified for costs to which the third party may be exposed because of the disclosure, some [authorities] refer to the associated expenses of complying with the orders, while others speak of damages; and
(v) Whether the interests of justice favour the obtaining of disclosure.
[emphasis added]

The privacy interests of the alleged wrongdoer were overcome by the last element, the interests of justice, because of the applicant’s equitable right to information.  Spence J. pointed to Alberta v. Leahy and Bankers Trust Orders (from Bankers Trust Co. v. Shapira) indicating that court orders can override confidential information, even for financial records, and Glaxo-Wellcome PLC v. M.N.R. that the privacy interests of alleged wrongdoers is somewhat diminished.

Perhaps it’s just me, but this doesn’t sound particularly easy.

Of course, as with most things, the legal system is certainly not perfect, and there may well be instances where abuses might occur, or wrong decisions might be made by the courts where the scales of justice tip a bit. But to point at the sky and say it’s falling because of this case seems to me to be somewhat premature, to say the least.

Or at the very least, as far as privacy concerns go, consider focusing more on things like the NSA and TIA than the courts.

</rant>

data/privacy breaches – costs are increasing – time for investment?

An interesting piece in E-Commerce News about a new report from PGP and Ponemon about the cost of data/privacy/security breaches and the reasons for them. Some excerpts:

Data breach incidents cost U.S. companies US$202 per compromised customer record last year, compared with $197 in 2007, according to the study. The average total per-incident cost rose to $6.65 million in 2008, up 5.3 percent from $6.3 million in 2007.

Healthcare and financial services companies experienced the highest customer churn rates — 6.5 percent and 5.5 percent, respectively.

Third-party organizations accounted for more than 44 percent of all data breaches in 2008, and the resulting investigation and consulting fees made these the most costly form of data breaches.

Nearly 90 percent of all cases in the 2008 study involved insider negligence.

Many of the security problems companies face are preventable — but most organizations don’t have the right software tools and security policies in place to deal with data breaches, he observed.

“It’s a combination of software and risk management,” explained Ponemon. “Good technology like encryption, data-loss prevention tools and data-access tools can help — but they’re not the complete answer because so many of these incidents are due to negligence and carelessness.”

Of course, there is a bit of a conflict here given that the sponsors of the study also happen to offer security solutions. Nonetheless, the figures are important to keep in mind to drive home the point that the direct costs (not to mention the reputational costs) of a privacy or data breach are very real. And very substantial. Hopefully, some figures like this will prompt companies to invest more in proactive measures to reduce the risk (and costs) of privacy breaches.

If you’re beyond that stage, then you might want to read this: Practical Tips for Responding to Privacy Breaches (full disclosure: I work for the firm that published this article).