For the London Free Press – March 15, 2010

Read this on Canoe

Canada’s privacy commissioner calls for modernized laws to address evolution of cyberspace

Last month, Canada’s privacy commissioner, Jennifer Stoddart, gave an address titled “The Future of Privacy Regulation” at the 11th annual Privacy and Security Conference in Victoria.

Describing herself as the “village elder” in the privacy community, her speech detailed many of the changes that have occurred in cyberspace over the last decade.

The advent of Facebook, Twitter, Flickr, YouTube, Google Street View, and iPods all occurred during the last seven years of her tenure.

She also identified “real-time globalization” and “instantaneous worldwide flow of data” as changing the terrain of privacy regulation.

These developments have resulted in significant challenges for administering th e regulations that protect the privacy of Canadians’ personal information.

“In light of these colossal changes over the past decade alone, it would be foolish to try to predict what the next decade will hold,” she said.

“But what we can say for certain is that the regulatory framework we have in place now for the protection of privacy and personal information is being sorely tested.

“We have bent and stretched it in many different ways,” she added. “And if we don’t want it to snap, we need to figure out how to fortify it for the decade ahead.”

Stoddart recognized that the Privacy Act, which governs the federal public sector, and the Personal Information and Electronic Documents Act, which governs the private sector, need to be modernized so we are properly equipped to meet future changes.

Stoddart noted the technology we now use has created a previously unheard-of market for businesses following consumer behaviour. This creates difficulties for regulators in terms of what information the average consumer knowingly consents to share.

The challenge of new technology is compounded by the increasingly global scope of data flows across borderless virtual communities. When our personal information ends up in countries lacking strong privacy regulation, Canadians may not have the privacy rights they enjoy in Canada.

Despite the challenges, Stoddart said Canada’s business community works closely with privacy regulators to ensure they comply with the rules.

Canada is also seeking to work more closely with other countries to create common rules and standards and to ensure uniform enforcement.

Efforts underway include the Spanish Initiative, a draft international privacy standard put forward by an international working group and endorsed in Madrid, which Stoddart calls a “valuable first step towards a harmonized approach to data protection.”

The Asia-Pacific Economic Co-operation (APEC) group as been working to protect information flowing into Asian countries. APEC is developing cross-border privacy rules to govern international information flow and facilitate co-operation between national authorities.

While acknowledging that “a single, enforceable global standard for privacy won’t materialize overnight — if ever,” Stoddart stressed that Canada must continue to actively pursue standardized regulations to protect Canadians’ privacy rights.

The Canadian Privacy Commissioner just invited interested parties to file written submissions on privacy issues surrounding cloud computing.  Also for expressions of interest from anyone wanting to take part in a formal panel discussion in June.

Cloud computing - however one defines it - can be a compelling model, as it can provide advantages in cost, simplicity, and scalability.

It can though, pose issues around things like privacy, confidentiality, security of data, business continuity, and disaster recovery.  The importance of those issues varies depending on how the particular cloud product works, what you use it for, and how mission critical it is.

Yesterday I wrote about privacy consultations regarding the online tracking of consumers.  Privacy advocates want to ensure that consumer choice and privacy are respected.   Similarly, pressure is put on ISP’s and search engines to limit the amount of information they retain about their customers, and the length of time they retain it.  All laudable objectives.

On the other hand, law enforcement wants to require ISP’s to retain certain information about sites their customers visit for long periods of time to facilitate criminal investigations. See this CNet article for example.

Seems inconsistent to me.

For the London Free Press – February 8, 2010

Read this on Canoe

Canadians are invited to submit comments

Canada’s Privacy Commissioner, Jennifer Stoddart, recently announced a new consultation with the Canadian public on privacy issues related to the online tracking, profiling and targeting of consumers by marketers and other businesses.

Canadians are invited to submit comments and participate in panel discussions. Details are on the Privacy Commissioner’s website at http://www.priv.gc.ca/.

The commissioner says this consultation will “provide a forum for the exploration of the privacy implications related to this modern industry practice, and the protections that Canadians expect. Our goal, therefore, is to shine a spotlight on this evolving technological trend.”

Online consumer tracking takes several different forms. The most basic level of tracking places cookies on one’s computer to collect data about browsing habits. Global Positioning Systems (GPS) in mobile devices can supply consumer data. Deep packet inspection of Internet traffic is another way to gather data.

Of course, we advertise a vast amount of personal information about ourselves when we join social networking sites. Facebook, MySpace and LinkedIn are prime examples.

What many may not realize is that personal data available about anyone can be gathered from various sources and pieced together to create comprehensive personal profiles which are available for a price. The buyer may use the information to help them market their products to specific consumer groups. It can be a valuable commodity.

It is unlikely that anyone will put a complete stop to online consumer tracking. Some of it offers real benefits to consumers. The key is to attain a balance where privacy is respected without getting in the way of the advantages the technology provides.

Transparency and choice are important components. We should be made aware of what is being collected and why, and be able to choose whether or not the benefits are worth the disclosure.

This consultation is an opportunity for the public to become engaged in a topic that affects us all. Written submissions are being accepted until March 15.

They are also looking for people to take part in formal discussion panels in Toronto in April, and in Montreal in May.

This consultation aims to give the commissioner’s office a “comprehensive view of the privacy risks associated with the online tracking, profiling and targeting of consumers, and contribute to the development of new public education and outreach materials,” it says.

“It will also help shape the office’s input into the next parliamentary review of the private-sector Personal Information Protection and Electronic Documents Act.”

A second consultation will be held later focused on cloud computing, or using software from a remote location rather than having it on your own computer. It, too, is a technology that has compelling advant-ages, but can carry privacy risks and uncertainties.

Fanshawe College is putting on an eMarketing conference March1st entitled “Turning Clicks into Customers“.   The keynote speaker is Mitch Joel, author of  Six Pixels of Separation”.

I’m speaking at a breakout session on “Legal Issues for a Digital World” .

I’ll be commenting on issues including copyright, cloud computing, the Streisand effect, and social media and privacy.   

There are several factors that make digital law different from analogue law.  As I’m putting my presentation together, I’m realizing that the concept of  practical obscurity plays a big role in explaining some of the differences.

Today is international Data Privacy Day.

From the official website:

Data Privacy Day is an international celebration of the dignity of the individual expressed through personal information.  In this networked world, in which we are thoroughly digitized, with our identities, locations, actions, purchases, associations, movements, and histories stored as so many bits and bytes, we have to ask – who is collecting all of this – what are they doing with it  – with whom are they sharing it?  Most of all, individuals are asking ‘How can I protect my information from being misused?’  These are reasonable questions to ask – we should all want to know the answers.

Also see more info on Wikipedia.

The Canadian Privacy Commissioner says: On Data Privacy 2010 we’d like to take a moment to remind everyone that is the responsibility of both individuals and companies to make sure that personal information is safe.   

Is the headlong rush to install body scanners in airports:

(a) an effective way to stop dangerous weapons getting on aircraft?

(b) a kneejerk reaction to the attempted underwear bombing?

(c) A massive, expensive invasion of privacy with no real benefit?

(d) More security theatre that makes it appear that something is being done, but accomplishes nothing?

(e) Wasting time and resources that could address the issue in more effective ways?

(f) Causing far more harm and inconvenience to air travellers than is justified by the small chance it will make a difference?

(g) Closing the barn door after the cows have all left?

These are questions we should be asking.   Here’s some food for thought:

From David Fraser:

http://www.privacylawyer.ca/blog/2010/01/pantsbomber-revives-debate-over-body.html

http://www.privacylawyer.ca/blog/2010/01/we-need-debate-on-privacy-impact-of.html

http://www.privacylawyer.ca/blog/2010/01/scary-and-funny-undressing-naked-truth.html

http://www.privacylawyer.ca/blog/2010/01/alberta-privacy-commissioner-has-some.html

UPDATE: As I was typing this, David added a good article on this topic on Slaw:  http://www.slaw.ca/2010/01/08/a-real-debate-about-privacy-and-security/

From Bruce Schneier:

http://www.schneier.com/blog/archives/2010/01/nate_silver_on.html

http://www.schneier.com/blog/archives/2010/01/another_contest.html

http://www.schneier.com/blog/archives/2010/01/airport_securit_12.html

3 completely different privacy articles taken together illustrate how privacy is really about informed choices.

First, a Techdirt post by Mike Masnick about a musician from Saskatoon that sought out the Google street view car to get his photo taken to promote his band.   The point is that he wanted the publicity and sought it out.   It was his choice.  That’s unlike the pervasive surveillance culture such as in the UK where one does not have a choice.

Second, Boing Boing’s Cory Doctorow refers to Google CEO Eric Schmidt’s comment that  privacy isn’t important, and Bruce Schneier’s brilliant response to that as follows:

Google CEO Eric Schmidt says privacy isn’t important, and if you want to keep something private, “maybe you shouldn’t be doing it in the first place” (in other words, “innocent people have nothing to hide.”)

Bruce Schneier calls bullshit with eloquence: “For if we are observed in all matters, we are constantly under threat of correction, judgment, criticism, even plagiarism of our own uniqueness. We become children, fettered under watchful eyes, constantly fearful that — either now or in the uncertain future — patterns we leave behind will be brought back to implicate us, by whatever authority has now become focused upon our once-private and innocent acts. We lose our individuality, because everything we do is observable and recordable.”

(There is a T-shirt or poster waiting for a condensed version of that)

Third, the  EFF posts about the good, the bad, and the ugly about Facebook’s new privacy changes.  I know its a pain to have to take the time to deal with it – but we all need to go to our Facebook accounts and change whatever we need to.   Keep in mind that its our choice how much we want others to see, both by our privacy settings, and what we choose to post in the first place.

For The London Free Press – November 30, 2009

Read this on Canoe

TRAVEL: The practical reality is we have no control over these computer searches, so it’s wise to be prepared

Last summer, directives were issued by the U.S. Department of Homeland Security for searches of computers and other electronic devices at U.S. border points.

The stated goal was to combat crime and terrorism while still protecting personal privacy and civil liberties.

The directives allow border agents to search, detain, copy or examine any electronic device capable of storing electronic information for any reason.

As Homeland Security Secretary Janet Napolitano said at the time, “The new directives . . . strike the balance between respecting the civil liberties and privacy of all travellers while ensuring (Department of Homeland Security) can take the lawful actions necessary to secure our borders.”

Where “sensitive” information in involved, including solicitor-client privilege and medical records, border guards are directed to consult with agency counsel or the local U.S. Attorney’s office. But any information outside of this narrow privileged category may be searched.

Whether such searches truly accomplish the goal is questionable. As information freely flows across borders via the Internet, physical searches of computers will be of little use. And laws such as copyright are so fact-dependent, and even pose challenges to courts trying to sort out what is allowable, that it’s not a decision a border agent should make.

The practical reality is that we have no control over these border searches. So the Canadian Bar Association (CBA) has published a list of suggestions for lawyers crossing the border with laptops or electronic devices.

While the association published its work for the legal community, the suggestions are valuable for anyone entering the U.S. with an electronic device containing sensitive or confidential information.

The full text can be found at www.cba.org/CBA/PracticeLink/ TAYP/laptopborderupdate.aspx, but here are some of the most helpful tips:

- Travel with a “bare” computer that contains only the most essential information. Ensure that all work with data is done via a secure virtual private network (VPN). Consider using SaaS (software as a service) programs based on the Internet, rather than your computer’s hard drive.

- Turn off your computer early: At least five minutes before you get to U.S. Customs, make sure your computer is turned off so unencrypted information in your computer’s RAM has adequate time to void itself.

- Back up your data: Self-explanatory.

- Store data on small devices: Smaller devices can be carried more inconspicuously.

- Protect your phone and PDA: Phones now carry a considerable amount of information and needed to be kept as “clean” as possible in case they’re confiscated.

- ‘Clean’ your laptop once it’s returned: This will ensure that no programs or spyware have been installed on your computer.

In summary, the prudent approach for taking a computer into the U.S. is to ensure it contains no confidential, sensitive or privileged information.

Don’t rely on encryption, because the border agent may simply ask for your password.

The better approach is to leave all information on a Canadian server and access it remotely once in the U.S.

England has turned into one of the least privacy friendly governments.   It is a poster child for being overly invasive – with the usual unsupported claims that is is necessary to fight crime – and the position that governments and police forces can be trusted to be discrete and do the right thing.  But of course, when the official culture is one of invasiveness – the ‘right thing’ is a moving target.

Case in point: Boing Boing reports that a UK inquiry claims the police routinely arrest people they haveo intent of charging solely to get their DNA into their database.