
PrivaTalk - October 2001

Volume 1, Issue 9

Terrorist Attacks spur Privacy-Invasive Laws and Initiatives

In response to the September 11th terrorist attacks on the United States, federal officials and lawmakers have called for fast action to broaden government's powers in electronic surveillance and in the prosecution of alleged perpetrators, in their efforts to fight terrorism.

Almost immediately after the attacks, questions were raised about why U.S. intelligence was caught off guard when it has sophisticated electronic surveillance tools. One tool is Echelon, a system to monitor global communications that has never been officially acknowledged (governments have not confirmed or denied the existence of Echelon). Another is Carnivore (now called DCS1000), the FBI's controversial e-mail monitoring system.

Two days after the attacks, the Senate passed an amendment to a disaster relief bill that would extend long-standing phone surveillance laws to the Internet, in order to allow law enforcement agents to obtain Internet communications of suspected criminals, using Carnivore and other tools.

Attorney General John Ashcroft also unveiled the proposed Anti-Terrorism Act of 2001 that includes legal revisions and legislation on criminal justice, immigration, financial infrastructure and intelligence gathering. Some of the provisions include the ability for intelligence and national defence agencies to do the following during terrorism investigations:
· Jail foreigners indefinitely without trial if the Attorney General certifies that they may be involved in terrorism or other national security threats;
· Take DNA samples from people convicted of any terrorism-related crime;
· Access school records that federal laws specifically say are private;
· Access grand jury records that are now closed, or available only with certain limits;
· Review business records using subpoenas.

In the first congressional hearing on the measures, members of the House Judiciary Committee made it clear that unless the package is altered or pared back, it is unlikely to receive swift passage.

Even civil libertarians who say they are concerned about possible erosion of privacy and other rights have indicated more willingness to accept the aggressive pursuit of terrorists using electronic surveillance and expanded legal jurisdiction. However, in the desperation and determination after the terrorist attacks, it is easy to fall into the trap of permanently eroding freedom with a wave of legislation, without effectively reducing terror. Many concerned privacy advocates are urging authorities to take a long-term view of any new eavesdropping proposals.

With dozens of distinct measures under consideration, there needs to be reflection on whether the promise of additional safety outweighs the loss. It is hoped that broader powers will be used prudently.

Going down the path of increased surveillance on-line must be considered in light of sophisticated encryption technology. Some fear that the government will attempt to reverse recent easing of encryption laws on the premise that cryptography may have aided those who conducted the deadliest terrorist strike in U.S. history.

The terrorist attacks have had an impact on surveillance efforts around the world, not just in the United States. There has been talk of a central registry in Canada to battle the stealing of Canadians’ identities for passport, bank account and credit card fraud.

British authorities have asked telephone companies and Internet service providers in the U.K. to retain all communications-traffic data for the next month. The National High-Tech Crime Unit issued the request under the U.K.’s Data Protection Act, which normally prohibits companies from keeping such data any longer than is needed for billing purposes.

Achieving a balance between privacy protection and security surveillance is challenging. It is critical to get it right if we want to live in a world that treats human beings with dignity.


Industry Canada’s Substantial Similarity Test

On September 22, 2001, Industry Canada released details on the test of substantial similarity referred to in Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) in the Canada Gazette, Part I (http://canada.gc.ca/gazette/part1/ascII/g1-13538_e.txt). Section 26(2)(b) of PIPEDA gives the Governor in Council the power to exempt organizations or activities from the federal legislation with respect to the collection, use and disclosure of personal information that occurs within the province, if they are governed by substantially similar provincial legislation. The Governor in Council will receive a recommendation of the Minister of Industry prior to making a determination on substantial similarity. If a province’s legislation is found not to be substantially similar, the federal legislation will apply to organizations and activities within the province as of January 1, 2004.

It is clear that harmonization between federal and provincial laws will create a more consistent set of rules with regard to the protection of personal information that is easier for individuals to understand and businesses to implement. However, does the federal government have the constitutional power to force its legislation on a province that does not enact substantially similar legislation? The federal government enjoys jurisdiction over trade and commerce. Industry Canada claims that the federal legislation (or a substantially similar version of it) must apply across the country in order to fulfill the mandate of supporting and promoting electronic commerce (as stated in the preamble of the legislation). Although privacy protection is important in all contexts, PIPEDA seems to be limited to commercial activities because the federal government does not have a constitutional power to justify extending its reach beyond commerce.

The provinces seem to have accepted this justification – although there were rumblings of constitutional challenges initially, some of the larger provinces have now been focusing on their own legislative frameworks. Quebec has had private sector privacy legislation in place for some time, but B.C. and Alberta are working on a Model Privacy Law, Ontario is getting ready to introduce their own legislation, and health privacy legislation exists in Alberta, Saskatchewan and Manitoba. The Maritimes will probably wait to see what comes out of the other provinces or will let PIPEDA apply to them in 2004.

With respect to the process of substantial similarity set out by Industry Canada, a determination can be triggered by a province, a territory or an organization advising Industry Canada of a provincial/territorial privacy law that may be substantially similar. Alternatively, the Minister of Industry may also recommend to the Governor in Council, on his own initiative, that a piece of legislation be found substantially similar.

The public will have an opportunity to comment on whether a piece of privacy legislation is substantially similar, and such comments will be considered by the Minister of Industry in preparing his recommendation to the Governor in Council. This is a step that the provinces will likely not appreciate. Why should British Columbians be able to comment on, say, an Ontario law?

Note that general privacy legislation or sector-specific legislation may qualify as substantially similar, such as health information legislation or legislation governing credit reporting. As for the criteria for the test, provincial/territorial legislation will be expected to:
· Incorporate the ten principles of privacy found in PIPEDA. The principles must all be represented but do not have to be enumerated distinctly. Special emphasis will be placed on the principles of consent, access and correction rights.
· Provide for an independent oversight body with powers to investigate, and effective redress mechanisms.
· Restrict the collection, use and disclosure of personal information to purposes that are appropriate and legitimate.

These criteria provide an indication of some of the provisions that provincial legislation will contain, given that the goal of the provinces is to ensure that their legislation is declared substantially similar. At the same time, Industry Canada has made it clear that “the legislation affords provinces/territories the flexibility to adapt and tailor their own private sector legislation to the specific needs and conditions of their jurisdiction while meeting the intent of the Act”.

Interested persons can submit comments on the process outlined for the determination of substantial similarity before October 22, 2001.


Pharmacists are Quickly Learning about the Importance of Health Privacy

Five B.C. pharmacists have been disciplined and fined between $5,000 and $10,000 by the B.C. College of Pharmacists for snooping into the personal prescription drug records of colleagues, relatives, friends and acquaintances. The records are contained on PharmaNet, the database linking pharmacies and the government-funded Pharmacare drug insurance scheme. The database records every prescription drug dispensed in the province along with the name, address and birth date of the person to whom the drug was sold.

The government introduced the PharmaNet system in 1995 as a comprehensive drug monitoring system intended to help health professionals protect patients against potentially dangerous drug interactions, while at the same time allowing the government to electronically monitor drug use and doctors’ prescribing habits, and to prevent addicts and others from defrauding the Pharmacare system.

According to the College of Pharmacists, those punished simply looked at the information. However, such breaches of privacy are disturbing – it is not difficult to imagine such sensitive information being shared with a customer’s potential employer who is trying to determine whether a job applicant has a chronic medical condition, or with friends or business associates trying to tarnish a customer’s reputation.

Pharmacists are prohibited by law from using PharmaNet records for purposes other than dispensing a prescription, counselling a patient regarding drug therapy or drug usage, or resolving drug coverage payment claims. They sign a privacy agreement once, when they first gain access to PharmaNet, with no further reminder of their obligations.

The B.C. government was obviously not thinking about privacy seriously when they gave pharmacists such wide access to a repository of prescriptions, and customers no option to remain out of the database. Some physicians who practice close to the Alberta border state that they have patients who have their prescriptions filled in Alberta, so as not to be entered into B.C.’s PharmaNet database. In 2004, if a province has not enacted legislation substantially similar to the federal private sector privacy legislation, the federal legislation will apply within the province. At that time, the consent of customers will be required to collect the records that make up the PharmaNet database.

The need for pharmacists to collect explicit consent has become an issue in Alberta, where the province’s Health Information Act was proclaimed into force on April 25, 2001, with a six-month grace period, giving health professionals until the end of October to implement its provisions. The Pharmacists' Association of Alberta advises members that pharmacists who wish to direct bill for prescriptions must obtain informed consent from every patient prior to transmitting their health information electronically to a third party payer, such as a private insurance company. The alternative is to stop sending health information to third party payers, and instruct patients to seek reimbursement on their own. According to the Association, pharmacists should not be forced to accept responsibility for the collection or provision of such consent, since insurance is a private matter between a patient and their insurance company or employer. Another potential solution being considered by the Association is having a consent registry developed by third party agencies, such as adjudicators and insurance companies, to provide an electronic signature of the client to pharmacies in an easily accessible manner.

The Alberta Minister of Health and Wellness rejected the Association’s request for funding to support the training of pharmacists on the Health Information Act. Leaving education costs aside, it is clear that implementing consent requirements in this context and other health care contexts will be costly. However, not taking privacy and security seriously could be more costly in the long run, and result in potential distrust in the medical system.


Debate over National ID Cards Resurfaces

The sole purpose of a national ID card is to allow the government to compel individuals to produce it to prove that they are who they say they are. The dispute over such cards has mainly been one about privacy because of the potential for government surveillance. For example, the card could be used by police to track travel movements or to single out people with unpopular views or certain ethnic backgrounds for surveillance. Talk about such controversial ID cards fizzled out several years ago, only to resurface now in the aftermath of the terrorist attacks on the United States.

Members of the United States Congress recently made references to the need for national ID cards, fully equipped with biometrics, as part of a larger security plan. Oracle’s Chairman and CEO has offered to donate the software that would make national ID cards possible in the States. The polls seem to show that many Americans now support a national ID card. The Pew Research Center for the People and the Press found that 7 out of 10 Americans favour a requirement that citizens carry a national ID card at all times to show to a police officer upon request. Many felt that national ID cards should only be mandatory for Arab Americans. The racial tensions here are sadly obvious.

Although the White House has ruled out creating a national ID card system for now, other countries are considering mandating such a card. The U.K. government seems to be considering it and a recent opinion poll showed that 86% of people supported some form of ID card in Britain.

The President and the Defence Secretary of the Philippines also want to establish a national identification system and combine information from various data banks, such as those covering social security and driver’s licenses.

ID cards have failed to stop terrorism in other countries - such as France, Spain and Italy - where they have been in place for some time. The identity card must be shown to the authorities any time it is asked for and there is a real danger that the only people who will be asked to show the cards will be those who look foreign. Statistics in France show that people of North African appearance are twice as likely to be stopped as other citizens. That is not only an infringement of the liberties of ethnic minorities but could lead to communities feeling even more alienated.

Considering national ID cards may be an overreaction – while the system may catch some criminals, it could be hacked or faked or evaded by capable terrorists. The cards may have no real effect in combating terrorism but seriously undermine civil liberties.


EKOS Survey shows Companies’ Practices are not Transparent to Customers

A recent EKOS Research survey commissioned by the Public Interest Advocacy Centre (PIAC) and funded by Industry Canada found that 54% of those asked didn’t know that programs such as Air Miles or gas station reward plans collect, use and disclose information about what they buy, in order to target them with marketing. About two-thirds of Canadians have loyalty cards, so it is clear that such programs are extremely popular. The programs allow people to collect points based on the value of the purchases they make. Points can be traded in for everything from free flights to stereos to shampoo depending on the program. Canada has at least 80 major credit-card based loyalty programs.

Customers sign reward plan enrollment forms stating (in fine print) that information will be shared with partners, but most of these disclosures are not being read. Companies could do a much better job of encouraging customers to understand how enrollment in loyalty programs affects their privacy. Explanations could be easier to read and understand, and when applied for in person, the customer’s consent could be confirmed by employees of the company offering the reward program. If consent is not informed or given with knowledge of how personal information will be used, it is not true consent.

The EKOS survey makes it clear that this is a larger problem – many companies are not transparent about their practices. PIAC found that businesses cannot assume consumer consent to profiling for the purpose of further direct marketing. 82% of Canadians said they want businesses to obtain their permission before tracking their purchases.

Over two-thirds of Canadians do not consider opt-out approaches to be acceptable, unless they are brought to the customer’s attention, are clearly worded, provide sufficient detail and are easy to execute. However, opt-out, or negative options are predominant in the marketplace. Under opt-out approaches, consent is assumed unless the customer says otherwise. Under opt-in, the consumer’s consent must be explicitly provided, so no assumptions are made. Studies show that most people are inclined to do nothing, so marketers strongly favour the default being consent rather than no consent.

Although the Canadian private sector privacy law allows for opt-out consent, the Federal Privacy Commissioner has made it clear that he does not favour opt-out, where the customer is assumed to have read and understood how their information will be used.

74% of Canadians expressed concern about personalized junk mail. It is not obvious to consumers how businesses are getting their names and addresses. One of the fundamental principles of privacy is being open about one’s practices and it is clear that as long as consumers are unaware of the extent to which businesses with whom they deal collect, use and share their personal information, the business community cannot expect to achieve customer trust.

The EKOS study was conducted by interviewing 1000 Canadians over the summer and is considered accurate within 3.1 percentage points.


Interactive TV is on its Way

Though still largely theoretical, a strong push by AOL-Time Warner (AOL) to get interactive television into the marketplace has given it new life. This fall, an experiment will get underway in Colorado whereby interactive TVs will be installed in 30,000 homes. The new software will allow advertisers to send a diaper commercial into a home with children, while at the same time, the bachelor living in a condo on the other side of the street gets an ad for a new sports car.

It is the first step in what has come to be called “T-Commerce” or television commerce, the ability to buy instantaneously over the television through new digital lines and sophisticated set-top cable boxes. Television executives say T-commerce will ensure that consumers get commercials only about things that interest them – which increases their value. Critics worry it will strip individuals of their privacy by turning their televisions into prying eyes, with the ability to track not only what you watch, but also collect information about how you watch and what you buy.

Marketing companies can sell information about people and their neighbourhoods that can be used to decide which commercials will go into which homes. Further down the line, the goal is to have every show watched, every ad viewed, every click, and every download feeding into the creation of user profiles, leading ultimately to the targeting of ads to individual consumers.

Most television watchers haven't seen interactive television yet, but a host of companies are pushing hard to bring it into the home. Once it is off the ground in the United States, we are sure to see interactive TV surface in Canada. It could include Web access, video on demand, shopping and targeted advertising based on what's known about the viewer. Market research firm Carmel Group estimates that there will be 61.5 million interactive television users by the end of 2006.

As interactive services are tested, it is hoped that customer privacy will be kept foremost in mind. The Center for Digital Democracy, a non-profit advocacy group, is warning lawmakers that interactive TV has the potential to reshape America's favourite leisure activity into an exercise in surreptitious data collection and interactive direct marketing. Reports on interactive TV have suggested that the U.S. Congress incorporate rules for this new technology as it considers on-line privacy legislation. For example, customers must be given notice and the ability to choose not to have their television watching habits monitored.

TiVo (TIVO.O), a digital video recorder that allows users to pause live shows and skip commercials, came under fire earlier this year when the Privacy Foundation revealed that users could not easily opt out of a feature that monitored what shows they were watching.

The privacy implications of interactive TV are sure to create roadblocks for this new technology, but the technology is a marketer’s dream that advertisers will fight hard for.