Newly noticed: Photo Attorney

After a very long hiatus, I've been reinfected with the photography bug thanks to acquiring a new digital SLR (some of my recent work is at http://www.privacylawyer.ca/photo or can be found on Flickr here (RSS)).

And of course, everything has to do with privacy and civil liberties, so I've also become quite interested in the recent "war against photography" (examples here, here, here and here). There are also a few interesting perspectives about photography in public places and privacy. People have been harassed for taking pictures of their own children because other children may also be included in the photos. I don't have all the answers, but it's interesting to try to keep up with the debate. To that end, I've added Photo Attorney to my RSS reader, to follow what Carolyn E. Wright has to say on the topic.

Privacy interests to be considered in publication ban

A long-time friend of this blog just recently sent me a link to a new decision from the British Columbia Supreme Court (R. v. Pickton, 2010 BCSC 1198 ), in which the Court was asked to issue a publication ban to protect the identity of an individual witness for reasons of privacy.

The individual applicant had previously been a sex worker and drug addict. In 1997, police laid a charge against Robert Pickton, alleging that he had attempted to murder her but the prosecution was discontinued. Her evidence is relevant in the current proceeding against Robert Pickton. No publication ban was entered at the time of the 1997 prosecution.

Since then, the applicant has left the sex trade and is no longer a drug user. She is married, has kids and appears to be living a normal life in the lower mainland of British Columbia.

She brought an application to prevent her name from being disclosed during the current prosecution of Pickton. The application was strongly opposed by the media.

When dealing with publication bans, the courts take their lead from Dagenais v. Canadian Broadcasting Corp., [1994] 3 S.C.R. 835, 1994 CanLII 39 (S.C.C.) and R. v. Mentuck, 2001 SCC 76, [2001] 3 S.C.R. 442, neither of which explicitly address privacy interests.

A publication ban should only be ordered when:

(a) such an order is necessary in order to prevent a serious risk to the proper administration of justice because reasonably alternative measures will not prevent the risk; and

(b) the salutary effects of the publication ban outweigh the deleterious effects on the rights and interests of the parties and the public, including the effects on the right to free expression, the right of the accused to a fair and public trial, and the efficacy of the administration of justice.

In this case, the media argued that the applicant was only "about embarrassment and nothing more". They suggested that her interests could be protected by changing her name.

Justice Williams did not agree:

[20] I am satisfied that the Applicant will suffer a significant breach of privacy if her name is not protected by a publication ban and that this impacts on her personal security and that of her family. The privacy interests of the Applicant are a legitimate aspect of the proper administration of justice and must be considered in the analysis. The Respondents’ submission that the Applicant’s privacy interests are insufficient seems contrary to a number of authorities including the Criminal Code provisions which deal with publication restrictions for victims and witnesses. These provisions expressly recognize the privacy interests of the victims and witnesses. The concept of dignity springs to mind. Although it is nowhere mentioned in the subsection, I cannot believe that it is not a factor worthy of some consideration in the analysis.

Given that the media are free to report on all the details of her previous encounter with Pickton and of any evidence she has given more recently, but without her name, the balance tilted in favour of protecting her identity.

[28] The Applicant, having participated in the proceedings against Mr. Pickton requests that she be able to live in her community free from the public scrutiny that will arise if her name and identity are published. She does not seek to prevent the details of her story from being published. In my view, granting the Applicant’s request achieves the proper balance that the Dagenais-Mentuk framework requires between the open court principle and the proper administration of justice. The temporary publication ban which has thus far protected the Applicant has been shown to minimally impair the ability of the Respondents to perform their function. The publication ban respects the open court principle and allows the public to scrutinize this proceeding. The publication ban protects the proper administration of justice because it permits the Applicant’s story to be told in a way that illustrates that the justice system respects, where possible, the privacy interests of victims and witnesses of crime.

Future of Privacy in Scientific American

I hope to have the time this weekend to make my way through the incredible variety of privacy-related articles in the most recent Scientific American. Thanks to Library Boy for pointing to this, which I surely would have missed had it not been for his link.

Check them all out:

• Industry Roundtable: Experts Discuss Improving Online Security
  
• Internet Eavesdropping: A Brave New World of Wiretapping
  
• How RFID Tags Could Be Used to Track Unsuspecting People
  
• Digital Surveillance: Tools of the Spy Trade
  
• Data Fusion: The Ups and Downs of All-Encompassing Digital Profiles
  
• Cryptography: How to Keep Your Secrets Safe
  
• Beyond Fingerprinting: Is Biometrics the Best Bet for Fighting Identity Theft?
  
• Tougher Laws Needed to Protect Your Genetic Privacy
  
• Do Social Networks Bring the End of Privacy?
  
• How Loss of Privacy May Mean Loss of Security
  
• Privacy in an Age of Terabytes and Terror

Facebook agrees to address Privacy Commissioner's concerns

This just in:

News Release: Facebook agrees to address Privacy Commissioner’s concerns - August 27, 2009

Privacy Commissioner of Canada satisfied that proposed changes to the social networking site’s privacy practices and policies would bring Facebook into compliance with Canadian law.

OTTAWA, August 27, 2009 — Facebook has agreed to add significant new privacy safeguards and make other changes in response to the Privacy Commissioner of Canada’s recent investigation into the popular social networking site’s privacy policies and practices.

The company’s decision to implement the Privacy Commissioner’s recommendations is a positive step towards bringing Facebook in line with the requirements of Canada’s privacy law.

“These changes mean that the privacy of 200 million Facebook users in Canada and around the world will be far better protected,” says Privacy Commissioner Jennifer Stoddart.

“This is extremely important. People will be able to enjoy the benefits of social networking without giving up control of their personal information. We’re very pleased Facebook has been responsive to our recommendations.”

Last month, the Privacy Commissioner issued a report on an in-depth investigation triggered by a complaint from the Canadian Internet Policy and Public Interest Clinic.

While Facebook took some steps to resolve privacy concerns, the Commissioner remained dissatisfied by Facebook’s response at the end of the investigation. She was particularly concerned about the risks posed by the over-sharing of personal information with third-party developers of Facebook applications such as games and quizzes.

Facebook was given 30 days to respond to the Commissioner’s report and explain how it would address the outstanding concerns. Following a review of Facebook’s formal response and discussions with company officials, the Commissioner is now satisfied Facebook is on the right path to addressing the privacy gaps on its site.

“Facebook is promising to make significant technological changes to address the issue we felt was the biggest risk for users – the relatively free flow of personal information to more than one million application developers around the world,” says Assistant Commissioner Elizabeth Denham, who led the investigation on behalf of the Office.

“Application developers have had virtually unrestricted access to Facebook users’ personal information. The changes Facebook plans to introduce will allow users to control the types of personal information that applications can access.”

An over-arching issue highlighted during the investigation was that the way in which Facebook provides privacy information to users is often confusing or incomplete.

Facebook agreed to changes to help users to better understand how their personal information will be used and, ultimately, to make more informed decisions about how widely to share that information. The Commissioner has reviewed these improvements and will be following up with Facebook as the changes are implemented.

The following is an overview of key issues raised during the investigation and Facebook’s response:

1. Third-party Application Developers

Issue: The sharing of personal information with third-party developers creating Facebook applications such as games and quizzes raises serious privacy risks. With more than one million developers around the globe, the Commissioner is concerned about a lack of adequate safeguards to effectively restrict those developers from accessing users’ personal information, along with information about their online “friends.”

Response: Facebook has agreed to retrofit its application platform in a way that will prevent any application from accessing information until it obtains express consent for each category of personal information it wishes to access. Under this new permissions model, users adding an application will be advised that the application wants access to specific categories of information. The user will be able to control which categories of information an application is permitted to access. There will also be a link to a statement by the developer to explain how it will use the data.

This change will require significant technological changes. Developers using the platform will also need to adapt their applications and Facebook expects the entire process to take one year to implement.

2. Deactivation of Accounts

Issue: Facebook provides confusing information about the distinction between account deactivation – whereby personal information is held in digital storage – and deletion – whereby personal information is actually erased from Facebook servers. As well, Facebook should implement a retention policy under which the personal information of users who have deactivated their accounts will be deleted from the site’s servers after a reasonable length of time.

Response: Facebook has agreed to make it clear to users that they have the option of either deactivating their account or deleting their account. This distinction will be explained in Facebook’s privacy policy and users will receive a notice about the delete option during the deactivation process.

While we asked for a retention policy, we looked at the issue again and considered what Facebook was proposing. We determined the company’s approach – providing clarity about the options, offering a clear choice, and alleviating the confusion – is acceptable because it will allow users to make informed decisions about how their personal information is to be handled.

3. Personal Information of Non-users

Issue: Facebook should better protect the privacy of non-users who are invited to join the site.

Response: Facebook agreed to include more information in its terms of use statement. Facebook confirmed that it does not use email addresses to track the success of its invitation feature, nor does it maintain a separate email address list for this purpose.

4. Accounts of Deceased Users

Issue: People should have a better way to provide meaningful consent to have their account “memorialized” after their death. As such, Facebook should be clear in its privacy policy that it will keep a user’s profile online after death so that friends can post comments and pay tribute.

Response: Facebook agreed to change the wording in its privacy policy to explain what will happen in the event of a user’s death.

Facebook has committed to a timetable for implementing all of the changes, some of which, such as the third-party application changes, are technologically complex. The company has already started to make changes and we expect them to be fully complete within a year.

“It’s now up to Facebook to demonstrate to us that they are living up to their commitments,” says Assistant Commissioner Denham.

“With the conclusion of the Facebook investigation, our Office has made clear our expectations for how social networking sites need to protect personal information. Other sites should take note – and take steps to ensure they’re complying with Canadian law.”

Statements by the Commissioner and Assistant Commissioner are available on the OPC’s website.

The Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman, advocate and guardian of privacy and the protection of personal information rights of Canadians.

Remarks by Jennifer Stoddart, Privacy Commissioner of Canada

Remarks by Elizabeth Denham, Assistant Privacy Commissioner of Canada

Letter from OPC to CIPPIC outlining its resolution with Facebook

Alberta Commissioner launches investigation into medical identity theft

This is the first Canadian case of "medical identity theft" or impersonation that I've seen widely reported:

CBC News - Calgary - Mistaken identity case sparks investigation

Alberta's privacy commissioner has announced an investigation into the "Golo" identity case.

Golo is the nickname of a man who was admitted into Foothills Hospital, died on May 21, 2009, and then was buried in a Calgary cemetery, all under someone else's identity.

He allegedly used an Alberta Health Care card stolen from a casual acquaintance.

The investigation will examine "what steps are reasonable to take to ensure health information is accurate and complete before it is used by a health services provider," according to a news release from the information and privacy commissioner's office.

A report will be released to the public once the investigation is completed.

Calgary police are still trying to determine Golo's identity.

Commissioner to reveal result of Facebook negotiations tomorrow

Apparently both the Privacy Commissioner of Canada and Facebook intend to hold separate press conferences tomorrow to discuss the outcome of the last month of negotiations between the two about whether Facebook is in compliance with Canadian privacy laws. See: Canada may reveal next step on Facebook privacy.

Privacy? We Got Over It.

Yesterday's Wall Street Journal had an interesting Op/Ed on privacy, highlighting contemporary expectations of privacy.

Information Age - WSJ.com

Privacy? We Got Over It.

August 25, 2008; Page A11

In 1988, Congress banned video stores from disclosing the titles of films that people rent. The issue arose because in the battle to block Robert Bork from the Supreme Court, someone leaked his video rentals.

Fast-forward to this summer, and a federal judge hearing a $1 billion copyright complaint by Viacom ordered YouTube to turn over online records about which computer addresses were used to watch which videos on the site. The judge dismissed privacy concerns as "speculative." How quickly our expectations of privacy have changed.

Privacy advocates objected that with access to Internet protocol addresses, it would be possible to track who watched what. Hundreds of millions of people have watched videos on YouTube since its founding in 2005 -- indeed, by one estimate, virtually everyone who uses the Web has watched a video on the site. This makes it surprising that there was such little public outcry about this potential loss of privacy. Google, which owns YouTube, has complied with the judge's order by using encryption to hide individual records, but it is indeed "speculative" how much people would object to disclosing this online behavior.

This incident is a telling moment. We seem to be following the advice of Scott McNealy, chairman of Sun Microsystems, who in 1999 said, "You have zero privacy anyway. Get over it." And the observation by Oracle CEO Larry Ellison: "The privacy you're concerned about is largely an illusion. All you have to give up is your illusions, not any of your privacy."

These comments could be dismissed as technology executives trying to minimize complaints about technology. But whatever we say about how much we value privacy, a close look at our actual behavior suggests we have gotten over it. A recent study by AOL of privacy in Britain found that 84% of people said they would not disclose details about their income online, but in fact 89% of them willingly did.

Amazon closely records our taste in books, Gmail scans our emails to deliver relevant ads, and electronic tolls track where we drive. Profiles on MySpace and Facebook are accessible, forever. The disclosure that Judge Bork liked to rent British comedies seems quaint in comparison.

Records about us are no longer kept in scattered manila files in dusty cabinets, but digitally, which means in permanent records that can be combined with other records to paint a full picture of our tastes and habits. Information held by different retailers, insurers and government agencies can be mined to create constantly updated files more complete than the most tenacious intelligence report on a suspected criminal a generation ago.

Privacy advocates do their jobs by reminding us of these risks, but our choices all seem to be in the direction of trading away privacy. The fantastic power and convenience of digital life has led us to change what we consider private in ways that we can only begin to understand.

Indeed, our expectations of privacy have changed radically over time. Stanford law professor Lawrence Friedman in his recent book, "Guarding Life's Dark Secrets," documents the total lack of privacy expectations through the medieval period, when people lived together with no option for privacy, to a period of privacy for some people and some purposes as part of what he calls the "Victorian compromise." Propriety was defined through social norms focused on reputation, which included significant freedom for otherwise scandalous behavior if it was done carefully, in private.

"If the nineteenth century was a world of privacy and prudery, a world of closed doors and drawn blinds," Mr. Friedman writes, "then the world of the twenty-first century is the world of the one-way mirror, the world of the all-seeing eye."

We now seem happy to trust companies with our information for benefits such as one-click buying and online searches for personally relevant results. In a digital world where it is possible to know more than ever about everything, including one another, the new vice may be the flip side of privacy -- concealing information about ourselves of legitimate value to others.

In the physical world, surveillance cameras, satellites and bio-recognition systems have redefined privacy expectations. We have learned that "privacy can be very dangerous," as federal appeals judge Richard Posner has observed. "Obviously if you're a terrorist, privacy is enormously important. So the more we think of privacy as endangering us, that will reinforce these commercial incentives to surrender privacy."

Privacy remains a virtue, or at least we still say it does. But the balance has been tipped by other values, such as transparency, a free flow of information and physical security. We're in the early stages of adapting to more digital and visible lives, with privacy expectations better defined by what we do than by what we say.

Privacy Commissioner v Facebook: Next chapter imminent

You may recall that last year, following a high-profile complaint made against Facebook by the Canadian Internet Policy and Public Interest Clinic, the Privacy Commissioner of Canada gave Facebook a year to get its house in order. In particular, the social networking site told the Commissioner that it would take about a year to address issues regarding third party applications on the Facebook platform and the handling of accounts of deceased users.

A year has passed and the media are reporting that there may be a showdown brewing. It is suggested that if the Commissioner is not satisfied with what Facebook is doing today, it's off to court: Privacy czar set to hand down Facebook ruling.

I'm not sure it's as dire as that, but it will be interesting to see what transpires in the coming days.

It should also be borne in mind that the Commissioner is an ombuds(wo)man. If she goes to court, it's a de novo hearing, so the matter starts all over at the very beginning. Factoring in "Internet time", what Facebook was doing a year ago seems like pre-history.

Update: CIPPIC says that Facebook still falls short of its Canadian obligations, according to an article at ITBusiness.ca.

Hackers target hotel chain and swipe details of all guests from the past year

This is simply staggering, but a harbinger of things to come I am sure:

The Sunday Herald - Scotland's award-winning independent newspaper

Revealed: 8 million victims in the world's biggest cyber heist

EXCLUSIVE: Sunday Herald uncovers theft of data from every guest in 1300 Best Western Hotels in past 12 months

By Iain S Bruce

AN INTERNATIONAL criminal gang has pulled off one of the most audacious cyber-crimes ever and stolen the identities of an estimated eight million people in a hacking raid that could ultimately net more than £2.8billion in illegal funds.

A Sunday Herald investigation has discovered that late on Thursday night, a previously unknown Indian hacker successfully breached the IT defences of the Best Western Hotel group's online booking system and sold details of how to access it through an underground network operated by the Russian mafia.

It is a move that has been dubbed the greatest cyber-heist in world history. The attack scooped up the personal details of every single customer that has booked into one of Best Western's 1312 continental hotels since 2007.

Amounting to a complete identity-theft kit, the stolen data includes a range of private information including home addresses, telephone numbers, credit card details and place of employment....

Thanks to the ever-vigilant Rob Hyndman for the link.

China considers criminal penalty on leaking personal data

Some non-Olympic news from China:

It appears that China is considering criminal law amendments similar to those passed recently in Canada to make it a criminal offense to traffic in personal information. See: China weighs criminal penalty on leaking personal data_English_Xinhua.

Privacy commissioner OKs modified Barwatch program

According to the CBC, the Information and Privacy Commissioner of British Columbia has approved a modified version of the BarWatch program. Bars, under BC's Personal Information Protection Act, are allowed to swipe a patron's drivers license or other ID, collecting name, gender, date of birth and a photograph of the patron. The information must be deleted within 24 hours, except for "rowdies", whose information can be kept and exchanged with other bars through the BarWatch database. See: Privacy commissioner OKs Barwatch software.

For more information on this controversial practice, click on the link "ID SWIPING" below.

Elizabeth Denham says federal OPC may need greater enforcement powers

Elizabeth Denham, former Assistant Privacy Commissioner of Canada was recently interviewed by itbusiness.ca saying that the Federal Commissioner's office may need augmented powers to deal with privacy enforcement in the modern age. The OPC has hired two academics to re-examine the ombudsman model that the office currently follows and to look at alternatives.

See the article and video interview here: Privacy watchdog needs sharper teeth.

Facebook to be off-limits to German employers

According to Spiegel, the German government is currently working on an addition to the country's data protection laws that will prevent employers from using Facebook to screen prospective employees, but most other internet-derived information will be fair game:

Saving Jobseekers from Themselves: New Law to Stop Companies from Checking Facebook Pages in Germany - SPIEGEL ONLINE - News - International

But those Facebook users hoping to apply for a job in Germany should pause for a moment before they hit the "deactivate account" button. The government has drafted a new law which will prevent employers from looking at a job applicant's pages on social networking sites during the hiring process.

According to reports in the Monday editions of the Die Welt and Süddeutsche Zeitung newspapers, Interior Minister Thomas de Maizière has drafted a new law on data privacy for employees which will radically restrict the information bosses can legally collect. The draft law, which is the result of months of negotiations between the different parties in Germany's coalition government, is set to be approved by the German cabinet on Wednesday, according to the Süddeutsche Zeitung.

Although the new law will reportedly prevent potential bosses from checking out a candidate's Facebook page, it will allow them to look at sites that are expressly intended to help people sell themselves to future employers, such as the business-oriented social networking site LinkedIn. Information about the candidate that is generally available on the Internet is also fair game. In other words, employers are allowed to google potential hires. Companies may not be allowed to use information if it is too old or if the candidate has no control over it, however.

CBA urges Government to reform Privacy Act

I am currently in Quebec City attending the Canadian Bar Association's annual Canadian Legal Conference. On behalf of the CBA's National Privacy and Access Law Section, I had the honour of presenting a resolution to the National Council calling for reforms to the Privacy Act. The resolution passed with one contrary vote (I wanted to speak with the fellow who voted against it, but didn't get the chance and then lost him in the crowd). This is the third time the CBA has formally called upon the government to look at the antiquated 1982 Act.

The Privacy Commissioner, Jennifer Stoddart, is here and spoke to the Council on the following day.

Her office has issued the following press release about the resolution:

News Release: Commissioner welcomes legal community’s call for privacy law reform (August 18, 2008) - Privacy Commissioner of Canada

Commissioner welcomes legal community’s call for privacy law reform

Quebec City, August 18, 2008 — A Canadian Bar Association (CBA) resolution once again highlights the urgent need for reform of Canada’s federal public sector privacy legislation, says the Privacy Commissioner of Canada, Jennifer Stoddart.

“With this resolution, lawyers from across the country are urging the government to strengthen privacy protection for Canadians. Canada’s federal sector privacy legislation, the Privacy Act, is unbelievably inadequate,” says Commissioner Stoddart. “I hope the federal government will heed the CBA’s call for modernization of the Act. This is the latest in a string of appeals from privacy experts about the need to update legislation which has been far outpaced by technological and societal changes.”

The CBA, which is holding its 2008 Legal Conference in Quebec City, passed the resolution calling for comprehensive revision of the Privacy Act on the weekend.

In particular, it proposes changes to the legislation to ensure that:

• Federal government departments only collect personal information when demonstrably necessary for clear and articulated state goals;
  
• Once collected, personal information is rigorously protected with stringent safeguards and accountability requirements, including a breach notification requirement; and
  
• Personal information is not shared within or beyond Canada’s borders unless those safeguards and requirements can be guaranteed.

The Office of the Privacy Commissioner of Canada (OPC) has long been advocating for reform of the Privacy Act, which is a quarter-century old and has never been substantially updated.

Last spring, the House of Commons Standing Committee on Access to Information, Privacy and Ethics began a study of the Privacy Act and possible amendments. The OPC reform proposals to the committee are posted at http://www.privcom.gc.ca/keyIssues/ki-qc/mc-ki-pa_e.asp. The OPC looks forward to the Committee’s recommendations.The CBA resolution is available at www.cba.org/cba/resolutions/pdf/08-06-a-pdf.pdf. The Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman, advocate and guardian of privacy and the protection of personal information rights of Canadians.

Auto finance company scopes GPS tracking and borrower profiling

When I first saw this headline referring to GPS tracking, I assumed that a car finance company would want GPS on vehicles to make it easier to repossess the car if the borrower defaults. That's intrusive, but makes sense. The finance company essentially owns the vehicle until it's paid off, so maybe it's reasonable for it to know where it is.

But not so, according to the article (Auto finance company scopes GPS tracking - Computerworld). An auto finance company is quietly making inquiries in the United States about whether it can use GPS on vehicles to track, profile and categorize the driver to evaluate the risk of the underlying loan so the loan can be sold on on the secondary market.

Privacy Commissioner to accept Fracebook's friend request

According to the Toronto Star, the Privacy Commissioner is going to accept Facebook's friend request, just on the eve of the deadline to comply with the Commissioner's prevous adverse finding:

TheStar.com Canada Facebook, privacy commissioner make friends

Susan Delacourt

Ottawa Bureau

OTTAWA – Friendship, fittingly, appears to have broken out in the dispute between Canada's privacy commissioner and the Facebook social networking site.

Today is the 30-day deadline for Facebook to respond to a strongly worded report issued last month by Canada's privacy commissioner, Jennifer Stoddart, criticizing how people's personal information was being treated by the global giant in online friendships.If Stoddart is not happy with Facebook's response, she has 15 days to decide whether to get the Federal Court of Canada involved.

But the two sides appear to be solving their problems in harmony.

Alexandra Brown, a Toronto spokesperson for Facebook, said a formal response is being sent today to the privacy commissioner's office, complete with timelines for Facebook to respond to the concerns raised in last month's report. Over the past month, the two sides have reportedly been working well together, with privacy-commission officials paying a visit to Facebook headquarters in Palo Alto, Calif., to negotiate a compromise.

"I know there's been lots of discussion and there will continue to be discussion over the next 15 days," Brown said.

Canada's privacy commission was sounding similarly upbeat about the status of the dispute.

Anne-Marie Hayden, a spokesperson for the commission said: "We continue to have very positive discussions with Facebook.... It's going very well."

Neither side was willing to talk about details of their agreement to date or even what is in the report that Facebook sent to the privacy office today. Hayden said that the privacy commission needs time to review what Facebook has filed, and more will be said closer to the next deadline, 15 days from now.

Stoddart's original report on Facebook last month identified concerns in the following areas:

* A lack of adequate safeguards to restrict outside software developers — of games, quizzes and the like — from gaining access to personal profiles of users and their online friends.

* Facebook's indefinite retention of personal information of people who have deactivated their accounts.

* A lack of clarity about how Facebook material can be used in the event of a person dying, which the privacy office calls "memorialization" concerns.

* A lack of protection of information about non-users — people who may not have their own Facebook accounts, but whose personal data may be on friends' or associates' pages.

Commissioner launches her "Legal Corner"

The Federal Privacy Commissioner has launched on her website a "Legal Corner" which contains a wide range of resources that will be of interest to practitioners in the area of privacy law. See: http://www.privcom.gc.ca/leg_c/index_e.asp.

Facebook must satisfy Canada's privacy commissioner by Monday

Following the Commissioner's adverse finding against Facebook, the social networking site's deadling to respond is tomorrowf (See: Canadian Privacy Law Blog: Canadian Privacy Commissioner calls on Facebook to improve privacy practices). I don't expect a big response from Facebook, so we'll have to wait to see if the Commissioner takes them to court. See: Facebook must satisfy Canada's privacy commissioner by Monday.

Federal Commissioner settles ID-swiping dispute

The Privacy Commissioner of Canada just recently announced a settlement has been reached in its application to the Federal Court to stop Canad Corporation of Manitoba from ID-swiping patrons of its nightclubs. This followed an investigation by the OPC that recommended the practice be terminated and that the data collected be destroyed. Canad refused to follow the OPC's advice, so the Commissioner commenced an application to the Court to have the matter dealt with there.

Here's the summary from the Commissioner's site.

Recent Court Activity

Settlement between the Privacy Commissioner of Canada and Canad Corporation of Manitoba Ltd.

Legal Update

The Privacy Commissioner of Canada has reached a settlement with the Canad Corporation of Manitoba Ltd (Canad Inns), a hotel chain that operates a number of night clubs in Manitoba. This settlement follows legal proceedings stemming from an investigation into the collection of personal information of bar patrons using a machine that copies and stores personal information appearing on the front of an identification card such as a driver’s licence.

The Office of the Privacy Commissioner’s investigation was prompted by a complaint from a Canad Inns customer who objected to having her licence information scanned.

The Privacy Commissioner’s office understood Canad Inns’ need to effectively verify the age of its patrons and to ensure an appropriate level of security in its night clubs. In addition to the identification machines, Canad Inns also used video surveillance, metal detectors, pat downs, security personnel and lists of banned people in order to secure the safety of patrons.

The investigation ultimately concluded that the machines collected more information than was necessary for those stated purposes and that the information collected was being retained for too long.

Canad Inns disagreed with recommendations to stop using the machines and to remove the personal information already collected by them.

As a result, the Privacy Commissioner filed a notice of application before the Federal Court to enforce the recommendations.

Following court-ordered mediation in early 2009, the Court gave Canad Inns a period of time to determine feasible means to limit the personal information it collects.

As part of the settlement between Canad Inns and the Privacy Commissioner, the company has made commitments to:

• Stop collecting personal information at its night clubs via its identification machines;
  
• Destroy the personal information collected with the machines; and
  
• Limit the amount of personal information found on its list of barred people and ensure that this information is adequately secured.

The Office of the Privacy Commissioner of Canada is pleased that Canad Inns has agreed to take steps to ensure that the privacy rights of its patrons are respected.

The Privacy Commissioner has agreed that it would not be unreasonable for Canad Inns to collect limited personal information (names, dates of birth and photos) from bar patrons and to retain that personal information for 24 hours. This is a similar approach to that taken in both British Columbia and Alberta, where provincial privacy commissioners have investigated similar issues.

A case summary of the Office of the Privacy Commissioner of Canada’s investigation is also available at: http://www.priv.gc.ca/cf-dc/2008/396_20080227_e.cfm.

Supposedly secure ePassports easily cloned

Cynics, who may say that "chipped" passports are more about control than security, may point to articles like this one to support their position:

‘Fakeproof’ e-passport is cloned in minutes - Times Online

New microchipped passports designed to be foolproof against identity theft can be cloned and manipulated in minutes and accepted as genuine by the computer software recommended for use at international airports.

Tests for The Times exposed security flaws in the microchips introduced to protect against terrorism and organised crime. The flaws also undermine claims that 3,000 blank passports stolen last week were worthless because they could not be forged.

In the tests, a computer researcher cloned the chips on two British passports and implanted digital images of Osama bin Laden and a suicide bomber. The altered chips were then passed as genuine by passport reader software used by the UN agency that sets standards for e-passports.

The Home Office has always argued that faked chips would be spotted at border checkpoints because they would not match key codes when checked against an international data-base. But only ten of the forty-five countries with e-passports have signed up to the Public Key Directory (PKD) code system, and only five are using it. Britain is a member but will not use the directory before next year. Even then, the system will be fully secure only if every e-passport country has joined....