David Canton is a business lawyer and trade-mark agent with a practice focusing on technology issues and technology companies.




November 30, 2011

A phone is not a phone

David Canton @ 10:43 am

That’s the title of my Slaw post for today.  It reads as follows.

To call a smart-phone a phone is really a misnomer. We need to think of them as computers with internet connections that we carry around in our pockets.

Why is this an important distinction? From a legal standpoint, it changes the perspective tremendously. Consider Connie Crosby’s Slaw post “Digital Wallets on Their Way”, and the comment on the post musing about privacy and the warrantless search of cellphones that is being debated in various jurisdictions.

The privacy aspects of a phone that just makes phone calls without retaining any information, and the consideration of whether law enforcement needs a warrant to look at it – are much different than for the devices we have now. Legislators and courts need to consider that looking at a person’s phone may be the equivalent of walking into their house and looking at their bank statements, credit card bills, reading material, photo albums, and mail, and while they are there, nosing around on their computer to see all the files, email and whatever else is there including the sites they visit.

Considering just the phone aspect for the moment, these devices track and save data on not only what calls you made, to whom, and for how long – but also where you were when you made the call.

Other information that might reside on our cell phones includes personal and confidential information such as banking information, health information, where we have been and when, and records of communications on various platforms that are meant to be private. Also consider that for many it is not only personal use, but also business use that will contain personal and confidential information of others.

And while you can make phone calls on smartphones, consider the other devices that they replace, and other things that they do:

Digital wallet, GPS, map, tracking device, camera, video camera, email client, social media client, phone directory, calendar, note pad, to do list, grocery list, book reader, magazine reader, newspaper reader, web browser, clock, alarm clock, file storage, dictation device, music player, video player, video game player, radio, video-phone, TV, dictionary, encyclopedia, research assistant, comparison shopper, calculator, wi-fi hot spot, bar code scanner, ephemeris, music composer, video / music editor, cookbook, translator, metronome, flashlight, level, … and the list goes on.

November 23, 2011

Legislators have too many control issues

David Canton @ 2:43 pm

That’s the title of my Slaw post for today.  It reads as follows.

The trend to more invasive surveillance and control by North American governments (indeed, by many countries that we consider civilized democracies), or their granting of too much control to others, is disturbing. Too many things are making creeping (and sometimes creepy) inroads into privacy rights, along with the usual specious “if you’ve got nothing to hide…” argument. Too many things are tending towards shoot first, ask questions later. And governments are too eager to look to ISPs and others who run the internet pipes to control what flows through.

Some examples:

The proposed US SOPA (Stop Online Piracy Act) that is being loudly opposed. It has been characterised as net censorship, an attempt to regulate the internet, and breaking the internet as we know it. It could result in entire web sites being taken down based merely on an allegation that one post or comment infringes copyright.

The proposed Canadian Lawful Access legislation that would allow much more invasive internet information to be given to authorities without warrants. This resulted in a lengthy letter by the Privacy Commissioner to the Ministers responsible.

The increasing use of license plate cameras by police, such as in the Washington DC area. In its simplest, most privacy friendly form, car mounted or fixed cameras read car license plates and flag any that are contained in a database of stolen or suspect vehicles. No record is kept of any plates other than those of interest. But it has come to light that some of the systems store the details of every single plate that they capture, and retain that for long periods of time.

 

November 7, 2011

Changes clean up privacy laws

David Canton @ 9:38 am

For the London Free Press – November 7, 2011 – Read this on Canoe

The Canadian government recently introduced Bill C-12 (the Safeguarding Canadians’ Personal Information Act) that contains amendments to the Personal Information Protection and Electronic Documents Act (PIPEDA).

The PIPEDA privacy legislation charted new territory when it was enacted a few years ago. Most of these amendments are a result of things learned since then, and have been contemplated for some time.

For example, the new bill amends the “business card exemption” to make it clear that one’s business e-mail address is not personal information.

It was a glaring error when a person’s business telephone number and physical address were deemed not to be personal information, but their business e-mail address was considered personal information.

Provisions are included to govern privacy issues when personal information is transferred during corporate mergers and acquisitions. That includes things such as customer information. This was another glaring error that needed to be corrected.

One of the controversial sections of PIPEDA was the ability (but not the obligation) to provide personal information to government authorities if they provide the custodian of the information with proof of its “lawful authority.”

The meaning of “lawful authority” has been debated over the years. Out of an abundance of caution, many organizations simply required a subpoena or court order before they would turn personal information over to police.

The proposed amendments contain a provision saying that lawful authority means something other than a subpoena or court order. But this addition is not helpful in describing what lawful authority is.

The amendments contain lengthy provisions that will, for the first time, require disclosure of privacy breaches. When enacted, these provisions will require certain breaches to be reported to either the privacy commissioner, to individuals who may be affected, or both.

Not all privacy breaches must be disclosed. The amendments list various factors to determine whether a breach is material and thus must be disclosed to the commissioner.

Factors include the sensitivity of the personal information, the number of individuals affected, and whether the breach indicates there is a systemic problem.

The test to determine whether a breach must be disclosed to individuals is slightly different, being whether “the breach creates a real risk of significant harm to the individual.”

The tests to determine when the thresholds have been reached to require disclosure to the commissioner or the public are somewhat subjective. No doubt the privacy commissioner will interpret the thresholds to be lower than some entities facing a breach would interpret them.

It will be interesting to see how the breach disclosure sections work in practice. Some entities have been very forthright about disclosing privacy breaches. They may consider it the right thing to do, or fear the headline risk if the fact there was a breach is disclosed by another source.

Of course, we may not know how many privacy breaches have not been disclosed that these sections will now require to be disclosed.

October 21, 2011

Smartphone revolution – ignore at your peril

David Canton @ 7:50 am

That we are in the midst of a huge change in the way we communicate in our work and personal lives is no revelation.  But I think many of us don’t realize how rapidly this change is happening, and the many ways it will affect us.

It is a combination of things like mobile access, handheld computing power, inexpensive apps, cloud computing, location awareness, and social media.

Consider this: mobile devices are outselling PCs, and digital media is equal to television in importance amongst ad executives.

The explosion of smartphones and tablets enables us to get information about almost anything immediately wherever we are.  And to provide information to others just as quickly.  Tools like Google Goggles and Siri can do that by simply taking a picture of something, or speaking into our phones. (And really, the “phone” part of our phones is dwindling in importance to the rest of their features.)

All businesses and organizations should be thinking about how this is now affecting them, and how it will affect them in the future – both in how it will challenge their current business models, and how they can use it to their advantage.

And don’t forget to think about who your competitors will be.  For example, who is going to own the mobile payment space?  It might be the banks and credit card companies – but it could be telcos or Google.

It also raises interesting legal issues – like who owns the movie rights to a crowdsourced story, and how do privacy rights tie in with location aware services?

The one certain thing is that we ignore this revolution at our peril.

October 12, 2011

Privacy is an old people issue?

David Canton @ 10:31 am

That’s the title of my Slaw post for today.  It reads as follows.

A video has come to light in which Reid Hoffman, the founder of LinkedIn, responded to a question by saying that “all these concerns about privacy tend to be old people issues”.

While it may be that some younger people may be a bit more permissive with their information than older generations, it does not mean that younger people are not concerned about privacy, or are not exercising control over their personal information.

His comment has led to a strongly worded rebuke by Ann Cavoukian, the Ontario Privacy Commissioner.

From her article:

Here we go again. Once more, the chief of a major online social network has called into question the relevance of privacy in today’s connected world. This time it is Reid Hoffman, founder of LinkedIn, who recently said that “privacy is an ‘old people’ issue.” Really? He’s dead wrong

and

Privacy relates to freedom of choice and control over one’s own personal information – that hasn’t changed, despite the explosion of online social media. In fact, the need for privacy has grown in the face of deceptive practices online, such as identity theft and cyber bullying. Privacy has evolved, with context playing a key role. The onus is now on social media platforms to provide users with clear and simple privacy tools to enable user control.

She goes on to cite several studies that refute the notion.

September 20, 2011

Why Lawful Access is Awful Access

David Canton @ 7:42 am

The Canadian government is expected to propose a bill shortly that would allow law enforcement unfettered access without judicial oversight (i.e. without a warrant) to certain information about you from your ISP, phone company, or other online service provider.

David Fraser has posted a good piece explaining what it is about, which I encourage you to read. As David puts it, the concept is “inconsistent with your rights to privacy and is dangerous to the free and open internet.”

For more information, look at what I have written about it before.  Also look at openmedia.ca which is campaigning against the proposed law.

August 4, 2011

Laws requiring data retention ill-advised

David Canton @ 7:17 am

I’m not a fan of laws that require entities such as ISPs to retain data about their customers so law enforcement can get to it. To me, that flies in the face of privacy principles that say one should only retain personal information (both quantity and duration) to the extent it is required to fulfil the purpose of the services being offered.

I’m not convinced that the benefit to law enforcement outweighs the negative aspects of this – which range from costs to the entity retaining, the risk of abuse, and the risk of exposing it.   It is hard enough to protect the information that entities need, let alone information they don’t need.  And the more information you have, the more you are a target for malfeasers trying to get at it.

Mike Masnick of Techdirt has a post worth reading on the subject. He refers to a researcher and author who says that a current US bill, the “Protecting Children from Internet Pornographers Act”, should be called the “Forcing Your Internet Provider to Spy On You Just In Case You’re a Criminal Act of 2011”.

Unfortunately, we are heading down the same path here in Canada with the proposed lawful access statute.

July 18, 2011

Privacy Laws need constant updating

David Canton @ 6:57 am

For the London Free Press – July 18, 2011 – Read this on Canoe

The Canadian privacy commissioner, in her 2010 annual report to Parliament, commented on what she believes to be the future of privacy law in Canada.

Jennifer Stoddart mentions three things that need to happen for Canadians to secure a future that is private. They are enforcing privacy laws and ensuring they remain modern and relevant, increasing co-operation between privacy authorities and ensuring that privacy literacy matches our online literacy.

With respect to modern legislation, the privacy commissioner posed the following question: “laws designed for a bricks-and-mortar world up to the task of protecting privacy in the online context?”

The privacy commissioner views it as crucial to the future of Canadians that privacy laws are constantly updated to meet current and future challenges. The drafters of the Personal Information Protection and Electronic Documents Act (PIPEDA) – which is the cornerstone of Canadian privacy law – created the legislation in a way that mandated a review of the act by Parliament every five years. The first review occurred in 2006. The next review is scheduled to begin in 2011.

Perhaps the most interesting recommendation arising from the report is not something from the commissioner herself, but rather from two legal scholars involved in the preparation of the latest PIPEDA review.

The scholars – Sossin, dean of Hall law school, and Prof. France Houle of the of Montreal – recommended the office of the privacy commissioner should acquire limited power to make orders, including the ability to impose penalties such as fines. They also proposed explicit guideline-making power to assist with the fair and transparent implementation of new order-making powers. This controversial suggestion would significantly increase the power and authority of the privacy commissioner and will no doubt be the subject of debate during the 2011 review.

The increased popularity of the commissioner over the years is remarkable.

The commissioner opened a second office in 2010 in Toronto. The office is targeted at the business, industrial and academic sectors located in the GTA. The office of the privacy commissioner determined that almost 44.5% of respondent organizations were located in Toronto or in the GTA.

The privacy commissioner’s office received 200 requests to present speeches and attended and delivered 150 speeches and presentations in 2010. The commissioner also received more than 250 media requests; launched a blog, youth website and youth blog; sent out 700 tweets and attracted almost 2,000 followers on Twitter.

It is ironic to note the privacy commissioner uses various types of social media – such as Facebook and Twitter – to warn Canadians of the privacy dangers of using social media.

Even in the digital age, the paper publications of the privacy commissioner have remained quite popular. The office distributed almost 15,500 publications in 2010 – including pamphlets, guidance documents, fact sheets, guides for businesses and individuals and annual reports.

June 20, 2011

Privacy by design initiative has merit

David Canton @ 10:05 am

For the London Free Press – June 20, 2011 – Read this on Canoe

The Ontario Privacy Commissioner’s recently released annual report talks about protecting personal information on mobile devices and the privacy by design concept for the creation of new technology.

An enormous amount of private information is processed, transferred and stored via handheld devices and portable media. Personal cellphones, PDAs, iPads, USB thumb-drives, MP3 players and laptop computers each have the potential to make personal and work-related tasks more efficient and convenient.

A USB flash drive or laptop allows the busy person to work from home. Instead of lugging around boxes of paper, portable media allows the busy person to transport and access the information on the go. Instead of trying to remember intricate details about events or appointments, hand-held devices create a virtual memory warehouse that can be accessed with the flick of a finger.

Despite the benefits of hand-held devices, they have the potential to create immense difficulties when they are misplaced, stolen or sold in a used condition. The transfer of a hand-held device from one person to another, by whatever method, includes the transfer of information unless the information is deleted beforehand. Serious problems and legal liabilities occur when unsecured private or confidential information can be accessed by outsiders. There have been many instances where hard drives and USB sticks containing personal information have gone missing.

Commissioner Ann Cavoukian states, “personal health information must never be stored on mobile devices such as laptops, PDAs and USB keys, unless it is absolutely necessary. And when it is, the data must be encrypted — Full Stop.”

The commissioner provided an update on her “privacy by design” initiative. The privacy by design initiative is focused on embedding privacy safeguards into new technologies at the earliest stages of development. The idea is it is far easier and more effective to design devices, software and services with privacy in mind from the ground up, than to add it on later.

For example, the Ontario Lottery and Gaming Commission recently adopted the privacy by design initiative in facial recognition technology that identifies problem gamblers at various gaming sites. The facial recognition software was embedded with privacy safeguards so that data about non-problem gamblers will never be permanently stored. And data about problem gamblers cannot be accessed unless the problem gambler appears and is visually identified in person at a gambling site.

Another example where the concept was used was Ontario’s smart grid that has the potential to erode privacy from the collection of detailed household electricity consumption information.

The privacy by design philosophy is a laudable one, and ought to result in more privacy-friendly products. But that does not detract from the responsibility we have to ensure that we understand and exercise our own privacy options. Nor does it detract from the obligations of those in possession of our personal information to take adequate steps to protect it.

The Commissioner’s report is available at www.ipc.on.ca.

June 6, 2011

Leons Privacy case may go to Supreme Court

David Canton @ 11:06 am

Last April the Alberta Court of Appeal overturned an Alberta Privacy Commissioner ruling and decided that Leons furniture store was justified in collecting driver’s license and license plate information from customers picking up furniture. The decision and some of its reasoning were counter to that typically espoused by various privacy commissioners.

The Alberta Privacy Commissioner has asked for leave to appeal the decision to the Supreme Court of Canada. Having the SCC weigh in here might lead to some clarity on this issue.

More detail and links to background material are in this post by David Fraser.
