Home / Privacy Resources / Article Search / PrivaTalk - April 2002

PrivaTalk - April 2002

PrivaTalk

April 2002
Volume 2
Issue 4

Controversial Privacy Issues arising from the Use of Government Databases

The Electronic Privacy Information Center (EPIC), a privacy rights group, has filed a Freedom of Information Act suit against the U.S. government. EPIC is seeking to obtain more information about the Transportation Department's plan to launch a computer network that would link all U.S.-based airline reservation systems (containing passengers’ travel history and destinations) to private and government databases (containing personal and demographic information). According to reports in The Washington Post, the system is being designed to recognize subtle patterns in passengers’ purchasing data that would contribute to a threat index or score for each passenger. The system could, for example, tell whether any passengers aboard a plane have shared addresses in the past, or detect a pattern of travel habits among passengers on different flights. Subsequent to the terrorist attacks of September 11th, the newly created Transportation Security Administration began designing security systems such as this airline passenger profiling system and a biometric identification card for transportation system workers.

EPIC filed the lawsuit after its request for expedited processing was denied. The requirements for such requests are set out in the U.S. Department of Justice’s regulations – the need for a “particular urgency to inform the public about the government activity” involved in the request. The court action can be found at http://www.epic.org/open_gov/foia/DOT_complaint.pdf.

Recently in Canada, a Toronto councillor called for an investigation into the alleged improper release of personal information by the City, after a staff report concluded that the municipality sold confidential data from building permit applications to private companies. A privacy impact report on the City’s Integrated Business Management System said that banks, utilities and City councillors were provided with copies of private files containing personal information, in contravention of the Municipal Freedom of Information and Protection of Personal Privacy Act.

The report states that “A review of building notices and work orders ... revealed the practice of ‘courtesy copying’a variety of third parties… The notices and orders contain the personal information of the property owner. Examples include the copying of a property owner's personal information to financial institutions and ward councillors, who ... do not require the personal information in the performance of their duties”. The report also stated that the City was involved in selling personal information, however, the City denies this.

Governments hold a great deal of personal data and have legislative mandates to do so. They do not gather data based on consent regime – as members of civil society, we do not have a choice as to whether to provide the government with our personal information – we must do so in order to function in and benefit from that societal structure. This makes the use of government data or the sharing of that data by the government beyond its initial purpose for collection extremely controversial.

Privacy Commissioner Keeps the Banks Happy but Not the Airlines

Two long awaited decisions were recently released by Canada's Privacy Commissioner, George Radwanski, and have significant implications for many businesses in Canada.

TD Bank had refused to provide a bank customer with access to her credit score and the Commissioner, although reluctantly, concluded that the banks have no obligation to disclose credit scores, which are based on a proprietary scoring system. The decision can be found at http://www.privcom.gc.ca/media/an/wn_020227_e.asp.

Credit scores, or ratings, are used by lenders and landlords to determine whether a customer is likely to make timely payments. Banks have their own credit report card for clients, developed by taking the credit bureau ratings and applying them to a scoring model internally developed and customized to a lender's priorities. TD argued that disclosing the score to a client would reveal “confidential commercial information”, adding that if a minimum of 24 scores were available, its credit model could be cracked by rivals. Radwanski, finding in favour of TD, agreed that the credit score was confidential commercial information, which is exempt under Canada's private sector privacy law. The Commissioner added that he was not “all together intellectually persuaded” but that “it was appropriate in this circumstance to give the bank the benefit of the doubt”. After reviewing TD’s credit score model, Radwanski said he saw nothing that would account for the banks unwillingness to release the score (apart from stated fears of competitive disadvantage), nor anything that would be “of any real, bona fide benefit” to the individual who requests it, provided the bank explains how the credit standing is obtained or why credit was denied. Radwanski encourages consumer to apply to credit bureaus directly to check their ratings. He also warned that if he investigates a similar complaint in the future, and were at that time presented with evidence confirming his scepticism that the chances of cracking banks’ credit algorithms are extremely low, his finding might be different.

As reported in the August 2001 issue of PrivaTalk, the Privacy Commissioner has been investigating Air Canada’s practices with respect to the sharing of personal information about its Aeroplan frequent flyer members with various corporate partners and agents. A decision was recently released and can be found at http://www.privcom.gc.ca/media/nr-c/02_05_b_020320_e.asp. The Commissioner found that the airline violated several sections of Canada’s private sector privacy law, and in particular found fault in Air Canada’s practice of making members opt-out of sharing their personal information, instead of actively seeking opt-in consent for direct mail marketing campaigns.

He also found that the airline released information about its clients before it begun seeking consent, and concluded that the consent initiative – sending a rather vague brochure to 1% of Aeroplan’s 6 million customers – was entirely inadequate.

The Commissioner made the following recommendations:
- Air Canada should inform all Aeroplan members as to the collection, use, and disclosure of their personal information and clearly explain the purposes for such handling of personal information.

- Air Canada should seek positive (or “opt-in”) consent from all Aeroplan members regarding all information-sharing situations outlined in the brochure, and should establish appropriate procedures for obtaining such consent.

- Air Canada should execute appropriate agreements with all the direct-mailing houses it employs as agents to ensure that the personal information of Aeroplan members is protected in accordance with the Act.

Many other companies share personal data and customer lists with various corporate partners, and Radwanski said he will require them to obtain clearer consent from customers in the future. He also stated: “While acknowledging that the Act does provide for the use of opt-out consent in some circumstances, I intend, in this and all future deliberations on matters of consent, to ensure that such circumstances remain limited”. Such a statement will make marketers, who rely heavily on opt-out consent when engaging in marketing initiatives, extremely nervous.

Air Canada assures that it has made substantial changes that will meet with the Commissioner’s approval. The Commissioner is currently reviewing Air Canada’s new privacy policy.

An Ontario Airport First to Deploy Face Recognition Technology

NEXUS Group International Inc.’s AcSys Biometrics Corp., recently announces that its Face Recognition System (FRS) has been deployed in the first Canadian airport to use face recognition technology. Conquest Alliance Group Inc., a Burlington, Ontario-based security consulting and technology integration services company, in a teaming agreement with a NEXUS Ontario-based subsidiary, CompuBlox Inc., successfully deployed an AcSys FRS access control solution at Thunder Bay International Airport for a Transport Canada pilot project. The technology is intended to ease the sudden increase in human resources and expenses required to provide enhanced security after the September 11th tragedy. In the short term, airports have fulfilled the need for increased security by deploying more security personnel. However, the burden that this temporary measure places on human and financial resources has highlighted the need for new, cost-effective solutions that provide a consistently high level of security.

At the pilot site, Thunder Bay International Airport, CompuBlox installed a security system using AcSys FRS Entry face recognition. The security solution uses proximity cards combined with face recognition to create a highly secure access control system securing the airfield. A wall mount unit with camera, speaker, and proximity reader creates a robust security solution. An authorized user swipes the proximity card and is verified by the face recognition system in less than one second. Upon verification, the system unlocks the door.

In testing the system, AcSys FRS face recognition technology was found, at medium security levels, to have a 0% False Acceptance Rate, meaning that impostors were defeated 100% of the time, and a 3.1% False Rejection Rate, meaning that authorized users were denied access only 3.1% of the time. Because AcSys FRS actually learns users’ faces over time, the system retains its accuracy while increasing its user friendliness. AcSys FRS is the only face recognition technology with this capability.

Soon to be installed at the pilot site is an optical turnstile, which will address the possibility of tailgaters. As personnel enter the face recognition area, they will be passively counted using this method. Users must pass single file through a “gateway” to ensure they are counted individually. The optical turnstile’s primary software ensures that entry numbers are in balance with access control numbers. Failure to balance can result in a number of triggers. For example, the security door will lock, or an alarm will sound
in the security operations centre.

The Thunder Bay International Airport Authority has taken a lead role with respect to airport security that will assist all airports to improve security through reliable technology while reducing costs.

New Zealand Prepares to Review Privacy Legislation

The New Zealand Privacy Act, passed in 1993 is currently under review by the New Zealand Law Commission. The need for legislation to protect personal information in the private sector is being put forward for debate in a discussion paper called Protecting Personal Information from Disclosure. The paper questions how the desire for privacy can compete with the interests of the community in matters of free speech and public safety. The Commission is essentially asking whether the Privacy Act, which is now nine years old, strikes the right balance, and is accepting submissions till April 30, 2002. The discussion paper is available at http://www.lawcom.govt.nz.

The paper notes that an article published in the New Zealand Herald last year suggests that there remains a serious question about how well the Act works in practice and whether a better understanding of the Act and its application is required. That article concerned an account executive with an Auckland firm, who volunteered to be the subject of an experiment to show what personal information an ordinary person could find out given no more than the subject’s name. The extent of what was discovered was astonishing.

Very recently, the tragic death of Malcolm Beggs was blamed on how the Act is being used as a reason for not disclosing critical medical information. Beggs was killed by his flatmate who Beggs had no idea was a paranoid schitophrenic. The Mental Health Commission has now recommended that staff dealing with such patients be more open in providing information to family, friends and other government and non-govenrment mental health agencies that come into contact with them. In its review of the Privacy Act and the Health Information Privacy Code put in place in accordance with the Act, the Mental Health Commission says the Act is being wrongly used as a reason for not sharing information because the legislation is misunderstood, and many are of the view that not releasing the information is the safest and easiest option.

The tragedy of Malcolm Beggs' murder was that it was preventable. Under the privacy legislation, staff could have asked Jones at the outset of treatment, or any other time, if they could disclose information about his condition. That would have been the best course of action. But even without Jones' consent, staff could have told family and friends about his condition without breaching privacy legislation. When disclosure is necessary to prevent or lessen a serious and imminent threat to public health or safety, this is allowed for in the Health Information Privacy Code.

The urgent need to apply the privacy law correctly and consistently in the context of disclosures extends beyond mental health care to all industries. The Law Commission suggests than any disclosure of personal information must satisfy a threshold test of importance, for both the extent of the publication and importance to the complainant of the information, to attract the attention of the law. Otherwise the protection offered by any statute runs the risk of being trivialized. The paper states that “an individual should not be entitled to invoke the protection of the law for every discourtesy or mildly wounding disclosure”.

The Law Commission states that improving New Zealand’s existing privacy law may involve repealing the present statute and considering a replacement – the Commission offers three alternatives to comment upon: (1) the legislature do nothing and leave it to the courts to evolve a civil tort remedy for privacy breaches; (2) create a blanket statutory tort under which the threatened publication of protected personal information could be forbidden by injunction, and actual publication be penalized by an award of damages if the court sees fit; or (3) create a series of more precisely targeted civil remedies, such as those offered by the criminal law such as the offence of monitoring private conversations by means of listening devices.

It is clear that New Zealand’s privacy legislation is long overdue for a review, given the increasingly important role that privacy is playing as a basic civil right and as a strategic factor in competitive markets around the globe.

DMA Study Shows E-Mail Marketers are Sensitive to Privacy Issues

Early results from the Direct Marketing Association's annual study of online marketing indicates that most marketers meet its privacy guidelines. The DMA’s State of the E-Commerce Industry Report 2001-2002, scheduled for release next month, suggests that 96 percent of the survey’s 700 respondents, companies involved in direct and interactive marketing, provide ways for consumers to opt-out of e-mail campaigns involving future e-mail offers.

Sixty percent of the marketers who responded – which include both DMA members and unaffiliated on- and offline marketers – also indicated that they don't rent third-party e-mail lists, while 74 percent said they never send non-targeted, mass e-mail campaigns to prospective customers.

The findings come just a month after DMA leadership introduced guidelines designed to curb growing consumer dislike for commercial e-mail. The rules seek to encourage marketers to honour opt-out requests; to use accurate subject lines; to clearly reveal their identity and contact information; and to safeguard consumer data through regular list cleaning.

The rules apply only to DMA members – a fact that some have criticized since hard-core spammers typically operate outside of the realm of legitimate business organizations. However, without a legislative mandate, industry standards are as far as the U.S. can get in an attempt to regulate marketers. In Canada, private sector privacy legislation significantly impacts the practices of marketers. The Canadian Marketing Association’s criticism of Ontario’s draft privacy legislation (see http://www.the-cma.org/regbulletins/reg-114.html)is evidence of that fact.

The DMA’s president has emphasized that the continued growth of electronic commerce depends on consumer trust. It is imperative that e-mail marketers take action by placing greater emphasis on privacy and help building consumer confidence and loyalty.

In spite of the DMA's optimistic findings, the study also indicated some serious flaws in the way that online and cross-channel marketers are implementing their e-mail efforts. For one thing, the survey found that 26 percent of online marketers send e-mails to consumers that have never indicated that they might be a suitable user of the company’s products or services, for example, when a consumer has visited or registered at a related Web site. Thus, these firms could be accused of spamming, or at the very least, with contributing to growing consumer annoyance with unwanted, unsolicited commercial e-mail.

Furthermore, only 35 percent of online or cross-channel marketers said they perform merge/purge to compare their housefiles with rented third-party lists, suggesting that there’s a good chance for duplicate mailings, or even of mailing to opted-out consumers.

The pre-released results of this study indicate the need for the marketing industry to take privacy seriously. This is even more critical in Canada with legislative schemes that could lead to marketers being penalized for privacy violations if complained against. The complete study will be available in April and will be priced at US$495 for DMA members and US$995 for non-members, and can be ordered by visiting the DMA’s Web site at www.the-dma.org/bookstore/cgi/bookstore.

Zero Knowledge Releases Freedom WebSecure

Zero Knowledge Systems, a security and privacy software provider, recently announced its Freedom WebSecure software, that provides Internet users with a secure and private connection to the Web from any location.

According to the company, WebSecure protects against invasive programs and Web sites that log and track users’ online activities, surfing habits, and personal information, while neutralizing potential privacy and security threats from IP tracking, malicious scripts or codes, active content, cookies, and online advertisements. It may be a powerful application for enterprise customers engaging in competitive intelligence research. Freedom Websecure costs US $49.95 for a one-year subscription and can be purchased at http://www.freedom.net.

Zero-Knowledge Systems claims that WebSecure does the following:

- Encrypts and reroutes users’ connection requests through Freedom WebSecure proxy servers so that Web sites cannot track their computer IP addresses and personal information.

- Prevents Web sites, advertisers, spammers or hackers from building detailed profiles about users’ surfing habits, online activities and personal interests such as financial, medical, career or any other personal topics.

- Removes security and privacy threats on the pages users visit so that Web sites cannot use executable files or scripts to monitor users’ online activities.

- Allows users to block active content (such as Java, JavaScript, VBScript and ActiveX) and cookies that can run programs on users’ computers, compromising their privacy and security.

- Allows users to block advertisements, speed up their connection and enjoy a faster and safer browsing experience.

- Can be accessed from any PC at any time with easy controls directly in the toolbar.

After connecting to the Internet and starting Internet Explorer, subscribers click on the Freedom WebSecure privacy button, which brings up an unobtrusive toolbar and a login page. Users log in with a username and password and are instantly secure. Subscribers can also log in when away from their own computer.

Zero Knowledge is a provider of security and privacy solutions for consumers and businesses. Although the company first grabbed the attention of privacy specialists and the media with its consumer-oriented Freedom software, designed to allow anonymous surfing, the company was not too successful at generating sales. It seems that the software was just too complex for the average consumer to master. The company’s new focus on business-oriented products that lower the cost of privacy compliance seems much more promising.