Home / Privacy Resources / Article Search / PrivaTalk - August 2002

PrivaTalk - August 2002

PrivaTalk

August 2002
Volume 2
Issue 8

Eli Lilly Pays for Inadvertent Disclosure of E-mail Addresses

In the February 2002 issue of PrivaTalk, you will find an article entitled “The U.S. Federal Trade Commission makes Enforcement a Priority” which discusses the breach of privacy findings of the FTC against drugmaker Eli Lilly. The FTC, for the first time, prosecuted an unintentional violation of a Web site’s privacy policies.

People taking Prozac had signed up on Eli Lilly’s Web site for an automated e-mail reminding them to take their dose of the company’s anti-depressant. In June 2001, an e-mail announcing the end of the Medi-Messenger service included the e-mail addresses of all 669 subscribers.

Eli Lilly settled a suit over the matter with the FTC and has now agreed to pay $160,000 to eight states: Massachusetts, California, Connecticut, Idaho, Iowa, New York, New Jersey and Vermont. The agreement did not specify how the money would be divided. A spokesperson for the Massachusetts Attorney General, said those whose e-mail addresses were released would not get restitution because the states do not know their names and don’t want them brought to light again.

Eli Lilly has made a number of public statements that it regrets the inadvertent disclosure of the e-mail addresses due to a serious error on the part of one of its employees. The company has made it clear that it has put a number of measures in place to prevent this from happening again, including appointing a director of global privacy, who periodically reports to the FTC, and having a detailed security program in place.

Employee training programs are even more important. For Canadian and U.S. companies alike, this case demonstrates the importance of ensuring employees understand their responsibilities around the protection of personal information. An e-mail use policy should be in place that outlines the appropriate and inappropriate uses of e-mail, not only to prevent costly errors that can damage a company’s reputation, but also to demonstrate to regulators in the event of a breach, that serious efforts are being made by the company to have employees protect privacy.

Employee Privacy Rights in Canada Get Stronger

In sorting through the legality of workplace surveillance, many assume that employers’ ownership of the equipment and the right to set workplace rules grant them an unfettered right to monitor employees’ usage of company resources such as computers and telephones provided that they disclose the practice. Typically framed as a matter of reasonable expectation of privacy, the belief is that if employees are told not to expect any privacy in the workplace, they don’t have any.

A closer examination of Canadian law suggests the rules for workplace surveillance are gradually shifting, however, moving away from an assessment of the reasonable expectation of privacy toward deciding whether the surveillance itself is reasonable.

There are several reasons for the change. First, Canada’s private-sector privacy legislation sets limits on workplace surveillance. The statute features an “appropriate purposes” provision that limits the collection, use, and disclosure of personal information only for purposes that a reasonable person would consider are appropriate under the circumstances.

This reasonableness clause creates a critical limitation on workplace surveillance since mere employee consent to surveillance is no longer sufficient to justify unlimited surveillance activities. Surveillance is limited to that which a reasonable person would consider appropriate. For example, keystroke computer surveillance, conducted under the guise of fostering a harassment-free workplace might be unlawful absent some clear evidence that such surveillance is responding to a known issue.

Second, labour arbitration cases involving video-surveillance practices provide a sense of how arbitrators are balancing the competing interests of employers and employees. In many of those cases, surveillance is permitted, but only where a substantial problem has been identified, surveillance is likely to solve the problem, alternative approaches have been unsuccessfully pursued, and surveillance is implemented in a fair, even-handed manner.

Third, Canada’s federal Privacy Commissioner has begun to express his concern with surveillance and privacy in the workplace. In a case last year involving the capture of a Department of Defense official’s e-mail, the commissioner lamented a policy on the management of e-mail that stated employees should have no expectation of privacy when using the e-mail system, arguing that privacy protections cannot be eradicated just by informing employees they have no privacy.

With respect to testing or pre-screening employees, the Canadian Human Rights Commission recently released a policy that states drug and alcohol testing is an abuse of human rights under almost all circumstances. Positive results of drug tests do not suggest a person is impaired since test can show traces of drugs weeks after they were used.

The new rules include a few exceptions that permit testing for impairment. For example, if an employer has a “strong reasonable cause” to suspect a worker in a safety-sensitive job such as driving or flying an airplane, is impaired, he can test the worker for alcohol in his system.

The policy, which applies to federal government agencies and departments, as well as federally regulated companies, shows a significant shift towards the protection of employees’ privacy rights. Under the old policy, companies were prohibited from drug testing of employees who worked in areas that had nothing to do with physical safety, but safety-sensitive areas did not fall under the rule. Now, the policy has been broadened to say employers should no longer be pre-screening employees for drugs, nor should they be randomly testing for drugs even in safety-sensitive areas.

These recent developments signal an important shift that focuses on whether the invasion of privacy is itself reasonable, not if the employee had a reasonable expectation of privacy.

In seeking to develop appropriate workplace tests and computer surveillance, it is important to remember that neither the right to privacy nor the right to monitor or test is absolute. Canadian law seeks to balance these respective interests by assessing the reasonableness of the surveillance or test. In years past, an employee’s reasonable expectation of privacy alone was determinative, but this is no longer the case. The emergence of national privacy legislation, international privacy norms, labour and human rights case law all point to a shift towards greater privacy protection in the workplace.

Charities React to the Draft Ontario Privacy Legislation

In the draft Ontario privacy legislation, the Privacy of Personal Information Act, the Ontario government has explicitly attempted to protect the privacy of those who do not want to be asked for donations. However, based on the lobbying efforts of a number of charities, there has been an indication from government representatives that it may water down proposed provisions that would hinder fundraising.

Ontario’s proposed legislation would require organizations to first contact a person to see if they would be interested in being asked to make a donation. The concern for not-for-profits rests in s. 26 of the draft that states “an organization shall not use or disclose personal information about an individual for the purpose of fundraising activities unless the individual consents, except as provided in the regulations”. There is no indication of what the regulations will look like, but the charities are hoping for some degree of “grandparenting”, allowing charities to continue using their existing databases of donor information.

Many questions remain: Can a charity contact someone they have not heard from in 20 years? Where consent is required, will it be sufficient to continue soliciting donors until they return a form indicating they want off the list? Or will charities have to stop soliciting unless and until they have a clear green light?

Thus, it will be interesting to see the regulation the Ministry of Consumer and Business Services comes up with, and whether it will provide enough guidance for charitable institutions. A spokesperson for the Ministry has said that the problems charities have with the proposed legislation is a major part of the revision to the legislation that the province is about to undertake.

It all comes back to consent – the question being, did you give permission, or is it fair in the circumstances to assume that you would have given permission if asked? The United Way has made it clear to the Ministry that the draft legislation, as it currently reads, goes far beyond what is reasonable and necessary, and will do more harm than good. Their argument is that charities are sure to come up with broadly worded consents, and this might be just as annoying to donors as the unauthorized solicitations the draft bill aims to eliminate.

It is important to recognize that if potential donors are not clear about what they are consenting to, that is, if they are not providing informed consent, then this will not satisfy a charitable institution’s obligation to get consent. Although obtaining consent is a difficult proposition for charities in Ontario, as it is for many other industries, such as marketing, consent is fundamental to the protection of privacy. The Ontario government is now in the difficult position of being true to privacy, and keeping the charities happy by giving them a way to make consent work without losing a significant number donors.

Recent Activities of the EU Data Protection Working Group

The EU Data Protection Working Group has issued a working document on determining the international application of EU data protection laws to personal data processing on the Internet by non-EU based Web sites. The document points out that the EU, the US, and other jurisdictions apply similar laws in an extra-territorial manner, though it acknowledges that global enforcement is a challenge. It also concludes that the user’s local law should apply to the question of under what conditions personal data may be collected through the use of cookies. The working group also issued reports on workplace surveillance, privacy standardization, and unique identifiers in telecommunications terminal equipment. The reports are not yet on-line but should soon be available on the Working Group’s site at http://europa.eu.int/comm/internal_market/en/dataprot/ .

The Working Group has also launched a public consultation on Europe’s privacy laws. The consultation, which runs through September, touches on the effectiveness of privacy laws for data controllers and citizens. The multiple choice questionnaires can be found at http://europa.eu.int/yourvoice/dataprotection_en.htm. Among the questions posed to citizens are the following:

- “When you buy or use services on-line, are you concerned that the personal data you give will be misused?”

- “Do you think that employers should be allowed to read the e-mails of their employees sent from or received by the computers of the company?” The choices given include: “Yes, as long as employees have been previously informed of this possibility; No, unless there is a serious suspicion of criminal offence committed by the employee; Yes, as long as this is necessary for the normal functioning of the business.”

Among the questions posed to businesses are the following:

- “Would you favour the creation of an EU Privacy Seal for European Websites (a logo that Web-sites could earn and display by following the best data protection practices)?”

- “What would be your preference in order to add additional flexibility to the existing mechanisms for data transfers from the EU to third countries under the Directive?” Some of the choices provided include: “More flexibility in terms of possible exceptions to the prohibition of transfer under Article 26 (1) of the Directive (e.g. no restriction for transfers of data which clearly present no serious risk to the privacy of individuals); More flexibility for intra-group transfers where there is a controller in the Community (e.g. by recognising intra-group codes of conduct).”

The results of the survey should provide the EU with valuable feedback to consider for future revisions to privacy laws and guidelines in Europe.

In early July, the EU Data Protection Working Group released its decision on the privacy implications of Microsoft's .NET initiative. The Working Party concluded that “although Microsoft has put in place some measures to address data protection, a number of elements of the .NET Passport system raise legal issues and therefore require further consideration.” These include information provided at the time of data collection, the value and quality of consent provided by individuals, and the security risks associated with the plan.

Launched in 1999, .NET Passport aims to simplify e-commerce by allowing consumers to store passwords, credit-card numbers and other personal information in one location. It has already registered over 100 million users. To register, users have to provide personal data – e-mails, usernames, passwords and, in some cases, phone numbers. Microsoft says users supply data on a voluntary basis.

Microsoft has said that it is fully in line with EU rules. Under EU data privacy rules, customers’ personal data can only be used by a firm or passed on to others with the prior consent of the individual. The EU document says officials wanted to examine more closely whether .NET Passport users were fully aware that some of their data would sometimes be transferred to a party other than Microsoft, possibly located in a third country. The officials questioned the value and quality of the consent given by users to such operations, and the data protection rules of the Web sites affiliated to .NET Passport.

We will likely see further development (and potentially softening) of EU’s stringent privacy laws and approaches as the significant challenges and data trade barriers that they create for global companies come to light.

Study finds Consumers are Wary of On-Line Authentication

A recent Gartner of more than 2000 consumers indicates that consumers distrust online authentication systems, posing an obstacle for new Web service business models such as Microsoft’s Passport and AOL’s Screen Name service. Moreover, few people trust Microsoft and AOL to safeguard the personal or financial information required to be disclosed in order for users to conduct on-line transactions.

The study also showed that the majority of consumers with identity or authentication service accounts were unaware they had them, and that many consumers had signed up for accounts because they are required in order to use on-line services.

Microsoft requires users to sign up for a Passport account to access services such as Hotmail and MSN Messenger. Similarly, AOL directs users to its Screen Name service for Web-based access to its My AOL service, e-mail, or calendar features.

The findings may come as a blow to Microsoft and AOL, who are attempting to drive customers to on-line authentication systems as the first step in establishing additional fee-based on-line services.

In the continuing Microsoft antitrust trail, a Sun Microsystems executive claimed that Microsoft is hoping to drive Passport membership through compulsory enrollment in its Windows XP operating system and through other products. Documents introduced in court described Microsoft’s consumer Web services goal as being to create “the largest and most extensive database of profiles on the planet.”

Both Passport and Screen Name offer a single sign-on that gives people access to Web sites without the need for multiple IDs and passwords. Microsoft, AOL and others tout the services as a way to ensure consumers do not have to remember many different IDs and can make secure purchases using built-in e-wallet components.

However, Gartner found most consumers are more concerned about security than convenience. For now, the majority of consumers do not trust technology companies like AOL or Microsoft to deliver on-line identity and authentication services, although many would consider similar services offered by credit card issuers. Forty-seven percent of consumers said they would put their trust most in banks for safely handling e-wallet services, followed by 12 percent for Microsoft, according to Gartner.

In the a survey, 38 percent of consumers said they did “not at all” trust Microsoft and 29 percent said they did not trust AOL with their personal and financial information. Gartner also broke out the question to cover specific technologies, such as Internet access or instant messaging. More than 50 percent surveyed said they did not trust the MSN online service with their personal and financial information, and 49 percent said they did not trust MSN Messenger.

Gartner claims that 86 percent of Passport account holders have not used the service’s e-wallet service, with more than half citing lack of trust as the main reason. Gartner found that less than 10 percent of o-line consumers would be willing to exchange personal information in order to use personalized Web services, such as .Net My Services.

Microsoft isn’t the only company automatically signing up consumers for identity and authentication services, but the software giant’s Windows monopoly will be a decisive advantage over competitors. Even if consumers resisted using Passport e-wallet services for years to come, Microsoft will still benefit greatly from the forced generation of accounts, and who knows what will happen with all that personal information in the future.

A New Peer-to-Peer Protocol for Anonymous Web Use

Peer-to-peer networks have enabled millions to trade music, movies and software freely. A group of veteran hackers recently unveiled a new peer-to-peer protocol that may eventually let millions more surf, chat and e-mail with enhanced anonymity.

Hacktivismo, a politically minded offshoot of the long-running hacker collective Cult of the Dead Cow, announced the new protocol, called Six/Four. Six/Four combines peer-to-peer technologies with virtual private networking and the “open proxy” method for masking on-line identities to provide ultra-anonymous Internet access. Virtual private networks, also known as “tunnels”, allow one computer to establish direct, secure communications with another over the Internet. Banks and government agencies use these VPNs all the time for money transfers and confidential discussions.

Traditional VPNs take the information along a single path from Point A to Point B. Six/Four’s route is more circuitous, sending its tunnel through a series of computers on its peer-to-peer network before heading to the public Internet. Data goes from Point A to Point K to Point Z to Point G, only eventually winding up at Point B.

The end point is called a “trusted peer” in the Six/Four scheme, and upon reaching there the data then makes its way to the Web pages, chat sessions and file servers of the open Internet. Currently, hackers and other privacy-minded folk go through “open proxies” –corporate servers that misconfigure identities – to mask who they are before chatting or visiting Web pages. Six/Four takes this about 100 steps further by adding layer after layer of additional anonymity, because each link in the chain only knows the link immediately before, not the final destination. Theoretically, for every server in between you and the destination server, another search warrant is required to view that computer’s logs, if they still exist, to get your IP (Internet Protocol) address.

Like any technology, Six/Four can be used for good or bad. For example, the Cult of the Dead Cow’s best-known program, Back Orifice, can be used as a tool for snooping on Windows users. Hacktivismo acknowledges that it is up to users of their platform how they use it. A secure P2P (peer-to-peer) chat (application) could be used to transmit terrorist plans. However, people who choose to let their computers become “trusted peers” – the end of Six/Four’s meandering tunnel, which leads to the Internet – will have some control over how their PC is being used. They can decide to keep others from file-sharing, for example, or chatting through their computers.

Six/Four will soon be introduced to the public along with some basic applications, such as tools for anonymous surfing, as well as an application programming interface, so that others can start developing their own programs based on Six/Four. Applications for reading newsgroups, sharing files, and collecting e-mail are expected to be among the first written.