Home / Privacy Resources / Article Search / PrivaTalk - March 2004

PrivaTalk - March 2004

PrivaTalk

March 2004
Volume 4
Issue 2

ISPs Resist Revealing Music Uploaders’ Identities

Canadian Internet service providers recently told a Federal Court judge that technological and privacy issues could keep them from turning over information about customers that is  alleged to have violated the copyrights of music companies.  


It was the first time the Canadian Recording Industry Association (CRIA), a group that represents Canada’s major music labels, had pushed the case out of the media spotlight and into the courts.  CRIA was recently in court asking a Federal Court judge for a motion forcing Internet service providers (ISPs) to turn over the names of 29 customers it says have violated copyrights by sharing music files on the Web.  


CRIA says it has tracked file-sharing activities to IP addresses, but needs the help of ISPs to connect those numbers to actual people.  In a news release, the association says it’s after “large-scale pirates who have been openly and illegally distributing thousands of digital music files over public networks.”  


After hearing arguments from Canadian ISPs, the judge ordered the case adjourned until the middle of March.  


CRIA says Internet file swapping has cost the Canadian industry $425 million since 2000 and led to layoffs of 20 per cent of the staff at music labels across the country.  


At the hearing, ISPs, which included Rogers Cable, Shaw Communications Inc., Telus Corp., and Bell Canada, said they have not had enough time to notify customers accused of violating copyrights.  


Prior to being notified of the music industry’s legal plans last week, most Canadian ISPs had said they would co-operate in handing over information about customers that violated music copyrights.  That position changed when a lawyer representing Telus argued the telecommunications company should not have to hunt down alleged copyright violators for CRIA.  


Calgary-based Shaw Communications said it uses “dynamic” IP addresses and may not be able to identify its customers accused of music file swapping. Dynamic IP addresses are used by more than one customer, making it harder to identify who was on the Internet at a specific time.  


Last year, the Canadian Copyright Board said people are permitted to download songs from the Internet for personal use, but uploading songs constitutes copyright infringement.  However, without a court order forcing ISPs to release names, ISPs would not be obliged to do so.  In fact, to do so without getting customer consent would be a violation of federal private sector privacy laws, which have applied to the telecommunications industry since January of 2001.

PIPEDA Consent Exemption – Transfers for Processing

The next 3 issues of PrivaTalk will each contain an article providing tips on complying with the consent principle in PIPEDA – a core principle that states “the knowledge and consent of the individual are required for the collection, use or disclosure of personal information.  In general, the concept of “knowledge and consent” requires that there be informed consent of the individual to both the fact that personal information is being collected, used and disclosed and the specific purposes for which the organization will collect, use and disclose the information.  


One of the most important exceptions to the consent requirement is not found in section 7’s list of exceptions, but is found in Principle 4.1.3, which provides as follows:  “An organization is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing.  The organization shall use contractual or other means to provide a comparable level of protection while the information is being processed by a third party.”   


Principle 4.1.3 equates information that an organization “transferred to a third party for processing” with the information remaining “in its possession or custody”, provided that “contractual or other means” are employed to maintain a “comparable” (not identical) level of protection for the information while in the possession of the processor.  In view of today’s extensive outsourcing and pervasive third party information services, it is strange that such an important concept would be buried in one of the Principles and stated so obliquely.  Nevertheless, the former Commissioner confirmed that it is the intention of  Principle 4.1.3 to exempt transfers for processing from the consent requirement.  


The requirement that an organization use “contractual or other means” to control the use of information by the processor will often require that contracts with third parties be created or revised. At a minimum, such agreements should specify that the processor will not use or disclose the information for its own purposes, will adhere to appropriate. security measures (which will generally depend on the sensitivity of the information), will only use the information in the manner authorized by the organization and will destroy or anonymize the information once the processing is complete. In return, the processor will generally want a representation from the organization that it has the appropriate consents to permit the requested processing and an indemnity in the event the representation is untrue.  


While Principle 4.1.3 has not been dealt with in detail, one decision determined that Principle 4.1.3 was breached since the agreement between a bank and it processor did not refer to the processor using a sub-contractor (Case Summary #35) and in the Aeroplan decision it was found that Aeroplan had not entered into a proper confidentiality contract with some of the mailing houses it uses to communicate with its members (Case Summary #42).  


While many common data processing and outsourcing scenarios would clearly fit within the scope of Principle 4.1.3 (if properly documented) there are a number of grey areas. For example, it is unclear if the provision of professional services would constitute "processing". Section 7(3)(a) provides a specific exemption for lawyers and notaries; it could be argued that the inclusion of this specific exemption shows that Principle 4.1.3 was not intended to apply to other professional services such as accountants and consultants. What is more likely is that section 7(3)(a) was included as a result of lobbying by the CBA and other legal groups. The better reading of Principle 4.1.3 seems to be that information can be transferred to any service provider so long as the processor is using the information on behalf of the organization.  


The transfer for processing exception can usefully be used by corporate groups that have information processed by one company in the group (such as a parent company or a data processing affiliate) on behalf of the others. It must be remembered, however, that Principle 4.1.3 will only be applicable if the appropriate contractual safeguards are in place.  


Most of the proposed and enacted provincial privacy statutes deal with outsourcing issues more explicitly than does PIPEDA.  For example, s. 18(2) of the British Columbia Personal Information Protection Act provides:              


An organization may disclose personal information to another organization without consent of the individual to whom the information relates, if:       
(a)   the individual consented to the collection of the personal information by the organization, and
(b)  the personal information is disclosed to the other organization solely
     (i)  for the purposes for which the information was previously collected, and
     (ii)  to assist the other organization to carry out work on behalf of the first organization.  


This seems to make it clear that the contractual requirements discussed above in relation to PIPEDA will not be required for outsourcing situations within B.C.

Privacy Legislation puts a Spotlight on Marketing Practices

The final implementation of Canada’s privacy law, which came into full effect on January 1, 2004, will surely put a spotlight on marketing practices.  The Canadian Marketing Association [ http://www.the-cma.org/ ] is planning to update its self-regulating guidelines with a clause about making it easier for customers to opt out of mailing lists. The clause is designed to show that the marketing industry is being proactive in responding to the public’s privacy concerns.  


John Wright, senior vice-president of the Air Miles reward program at The Loyalty Group [ http://www.loyalty.com/ ], said in a recent keynote speech that marketing executives should play a “quarterback” role in shaping the development of improved privacy policies. He said that the industry needs to move away from seeing it as a legal initiative and more as a marketing imperative.  


The ability to opt out is critical for compliance with privacy laws.  Most list brokers follow the CMA code first introduced 10 years ago, but there was clearly a philosophy of hiding opt-out information in mouse type at the back of the magazine.  


It is clear that the Internet has to a great extent changed marketing, because for the first time many lists are put together in which there is no real relationship between a list owner and the list user. There is a difference, for example, between someone who has subscribed to a magazine and someone who has merely clicked on a Web page.  In general, customers will likely be satisfied if the channels for opting out are clearly visible and easy to follow.  


CRM (client relationship management) databases pose another interesting privacy issue.  Greater care must be taken when recording personal information about clients or prospects, such as a spouse’s name or children’s ages and birthdates.  Although this type of information may be provided by clients or prospects voluntarily, they may not consent to it being recorded in a company system if they were specifically asked, particularly if the database is widely accessible within the organization.  As the marketing industry struggles with this and other issues, the key is due diligence – taking steps to safeguard personal information with procedures that recognize privacy will go a long way, even if not perfect, in dealing with privacy complaints or investigations.  

The United States Anti-Spam Legislation

After six years of debate, the U.S. Congress finally passed "anti-spam" legislation in December 2003. The Act, entitled the Controlling the Assault of Non-Solicited Pornography and Marketing Act, better known as the CAN-SPAM Act, became effective January 1, 2004. The Act sets forth a much-needed set of requirements for commercial e-mail sent to individuals located in the States, and generally preempts state anti-spam laws. Thus. under the Act, companies will be able to conduct e-mail marketing campaigns without fear of running afoul of inconsistent state laws.


Significantly, the Act does not ban spam per se. Instead, it prohibits deceptive or misleading commercial e-mail, requires senders to provide recipients with the ability to "opt out" of future mailings, and imposes a variety of other requirements discussed below. Additionally, the Act requires the Federal Trade Commission to evaluate the creation of a do-not-spam registry similar to the national do-not-call registry, which was established in response to consumer complaints about telemarketers.


The CAN-SPAM Act provides for severe civil and criminal penalties for noncompliance, including statutory damages up to $6 million for willful violations and, in some cases, prison terms of up to five years. The Act does not provide for a private right of action by recipients of spam, but does authorize the federal government, state attorneys general, and Internet service providers to bring actions against violators.


Businesses that engage in direct e-mail marketing (including wireless messaging) should review their marketing practices for compliance with the Act to avoid what could be substantial financial exposure as well as brand damage that can arise from noncompliance. Companies that operate globally must also consider compliance with international requirements, particularly the European Union Privacy and Electronic Communications Directive.


The Act imposes the following obligations on companies, depending upon the category of e-mail that is transmitted:



  • The sender is prohibited from using false information and deceptive subject lines and must include a “from” line that accurately identifies the sender of the e-mail.

  • The sender must clearly and conspicuously identify unsolicited commercial e-mail as an advertisement or solicitation.

  • The sender must include clear and conspicuous notice of the opportunity to opt out of receiving future e-mails and must provide an Internet-based reply mechanism by which recipients opt out, such as a return e-mail address or a link to a Web page from which the user can send an e-mail to contact the sender. This mechanism must remain operative for at least 30 days after the original message is transmitted.

  • The sender, or anyone acting on behalf of the sender, must stop sending e-mails to recipients within 10 business days after receiving an opt-out request.

  • The sender must include a valid physical postal address of the sender.

  • The sender is prohibited from using an automated means to harvest e-mail addresses from Web sites or online service providers that have policies of not sharing users’ e-mail addresses.

  • The sender is prohibited from using automated means to register for multiple e-mail accounts to be used to send spam.

  • The sender may not use another person’s e-mail or computer account to send commercial e-mail.

  • The sender must include a warning label on unsolicited commercial e-mail containing sexually oriented material.

The Act’s prohibition on harvesting e-mail addresses has led to confusion about the purchase or renting of e-mail lists, with the names of individuals located in the States, from third parties. The Act does not prohibit this traditional method of expanding a company’s direct marketing activities, but the Act’s requirements will apply to commercial e-mail sent from such lists. Consequently, companies acquiring such lists should consider seeking sufficient representations and warranties (with indemnification and other appropriate remedies) from the provider of such lists that: (a) the list was not created by means that violate the Act; (b) each recipient has been given clear and conspicuous notice that his or her e-mail address can be shared; and (c) each recipient has not opted out of receiving commercial e-mail. These provisions do not provide a “safe harbor” from liability under the CAN-SPAM Act, but rather provide some measure of recourse. Consequently, companies should exercise care in selecting third parties from which they acquire lists containing individuals located in the States.  

Heightened Concern about Identity Theft

Identity theft in Canada is up about 40 per cent. More than 13,000 Canadians were victims of identity theft in 2003, compared with 8,180 the previous year, according to PhoneBusters, a national call centre established in 1993 by the Ontario Provincial Police to tackle telemarketing fraud.  


The Ontario government has thus launched an information campaign to help consumers avoid becoming victims of identity theft. The campaign, called Keep Your Identity Safe, was recently introduced by Consumer and Business Services Minister Jim Watson at a news conference at Toronto police headquarters.  


Watson said identity theft is North America’s fastest-growing crime. The province is also introducing an identity theft statement designed to allow victims of identity theft to more quickly notify banks, retailers, police and consumer protection agencies.  


For the last 10 years, countless cases of identity theft have sprung up across North America.  One of the reasons is that industry standards for customer privacy protection have been inadequate.  Legislation doesn’t seem to adequately address the issue either.  


Privacy laws should require companies to notify those who have had their personal information leaked.  Currently, the only way one know about a leak is if someone has passed the story on to a reporter.  


Several hundred cases of identity theft first showed up in the U.S. in the mid-1990s, and gradually filtered across the border. Public interest groups reported such cases as early as 1994, but they often fell on deaf ears. The Federal Trade Commission, along with its Canadian counterpart, Industry Canada, didn’t wake up to the issue until the end of that decade.  


The lack of a provision in the Criminal Code of Canada that would enable police to charge individuals during a raid if they are found to have boxes of other peoples’  personal information didn’t help.  Police can now nail perpetrators under PIPEDA if they are found to have information without justification. We may see a number of lawsuits in the coming years, however, on the other hand, trying to prove commercial organizations are guilty of mishandling personal information can be a long and difficult process.  


In the United States, a recent survey commissioned by RSA Security found that consumers now worry about the threat of identity theft and feel it is their responsibility to protect themselves against it. People have little faith in online merchants safeguarding their personal information and are becoming increasingly reluctant to pass on that information online.    


Whilst 63 percent of respondents say they were now ‘more informed’ than they were a year ago, 49 percent don’t consider themselves any safer while 26 per cent consider themselves more vulnerable. Only 18 percent felt themselves safer.  


The respondents had little faith in organizations protecting them. When asked who is ‘very responsible’ for safeguarding their identity, 65 percent replied it was themselves whilst 53 percent mentioned banks and other financial institutions, 29 percent said law enforcement and 24 percent cited merchants.   


Both in Canada and the United States, the combination of heightened awareness, the sense of personal responsibility for one’s own electronic identity and lack of understanding on the technical issues has meant that many people have become more wary about divulging information.    

Wireless Privacy Principles Released by TRUSTe

TRUSTe, one of the the leading Internet privacy seal programs, recently announced the launch of its Wireless Privacy Principles and Implementation Guidelines which provide vendors serving the mobile market with actionable and practical guidelines for protecting consumer privacy. As part of this program, TRUSTe, along with leading partners AT&T Wireless and Microsoft, has formed the Wireless Advisory Committee whose function is to promote privacy standards to increase consumer use of advanced wireless features and applications.  


Other members of the Wireless Advisory Committee include HP, PricewaterhouseCoopers, the Mobile Marketing Association , Wireless Location Industry Association and consumer advocacy groups the Center for Democracy and Technology, and the Privacy Rights Clearinghouse.  


As wireless innovation has grown, so have potential privacy issues impacting consumers. For example, Location Based Services, while limited in current availability, present a potential privacy challenge due to their ability to locate and market to consumers real-time via a wireless device, prior to receiving user consent. The Wireless Advisory Committee will work with companies providing wireless data and wireless web services, to ensure that specific standards regarding consumer notice and consumer consent are achieved. In the case of Location Based Services, vendors would be required to adhere to an “opt-in” only policy.  


Key Principles within the Wireless Privacy Principles and Implementation Guidelines include:  



  • Notice: Wireless service providers should provide a Full Privacy Statement to the consumer prior to or during the collection of personally identifiable information, or upon first use of a service.  

  • Third-party sharing: Wireless service providers should only disclose the consumer”s personally identifiable information to a third party for uses unrelated to the provision of service (such as the marketing of new products and services), if the consumer has provided “opt-in” consent prior to such use. Consumers should have the opportunity to change this preference at any time.  

  • Use of location-based information: Wireless service providers may only use location information for services other than those related to placing and receiving voice calls if consumers opt-in. Wireless service providers should disclose the fact that they retain location information, beyond the time reasonably needed to provide the requested service.  

If the Wireless Privacy Principles are widely adopted by the industry, consumers’ concerns about privacy when using wireless technology may decline.