PrivaTalk - October 2002

October 2002
Volume 2
Issue 10

Air Travel Database Receives Criticism from Privacy Commissioner

The Privacy Commissioner of Canada, George Radwanski, in a letter to the Honourable Elinor Caplan, Minister of National Revenue, recently expressed his grave concerns over Canada Customs and Revenue Agency’s (CCRA’s) plans to establish a massive database on the foreign travel activities of all Canadians.

CCRA intends to retain, for six years, the Advance Passenger Information/Passenger Name Record (API/PNR). Every single Canadian travelling outside Canada will automatically have his or her detailed personal information, such as all the destinations to which the traveller flew, form of payment for the ticket, seat selection, and who they are travelling with, placed in a database. The database will be available for virtually any purpose the government deems appropriate – for income tax purposes, for data matches with other government departments, for criminal investigations, etc.

Radwanski called this “an unprecedented intrusion on the privacy rights of Canadians”, and stated that to the best of his knowledge, this was the first time the federal government had set out to build a database on all Canadians using personal information obtained from third parties without the individuals’ consent, not for purposes of providing any service to the individuals but rather of having the information available to potentially use against them.

It is the view of the Privacy Commissioner and his Office that the creation and intended uses of the database lack appropriate Parliamentary authority and violate the Privacy Act and the Charter of Rights and Freedoms. Furthermore, the Commissioner stated that in a free society, the state cannot build dossiers on the private lives of all its citizens just in case one of them commits a crime.

CCRA was given the power to collect the information from airlines in antiterrorism legislation passed after the attacks on September 11th of last year. The Liberal government had insisted the data would only be used to check incoming passengers for criminal records on terrorism threats and would be destroyed within 24 hours. But customs officials informed Radwanski in June of this year that all information on air passengers would be kept in a computer database for six years.

Privacy advocates are rightfully outraged – there is great potential for abuse of the database, and the controversial cross-matching with tax files, police files or other government records goes far beyond the initial mandate of combating terrorism.


Federal Privacy Commissioner finds against ISP Withholding Customer’s E-mail

An individual recently complained to the Federal Privacy Commissioner that her Internet Service Provider (ISP), by continuing to take in and store her e-mails while her account was under suspension and by withholding them from her pending payment of arrears, had improperly used her personal information without her knowledge and consent for a purpose other than that for which it had been collected.

The ISP’s position was that a suspension policy including storage and withholding of e-mails pending payment was an industry standard that a reasonable person would consider appropriate. The ISP contended that the complainant had consented to such a policy when she had signed the original service agreement. After the complaint, the ISP took steps to clarify its service agreement as it related to the suspension policy, but nevertheless, the company maintained that the original explanation had been clear enough for the complainant to understand.

The Commissioner found that the original service agreement did not adequately explain the practice of storing and denying access to e-mails pending payment of arrears, and thus contravened Principle 4.3.2 of Schedule 1 of the Personal Information Protection and Electronic Documents Act (PIPEDA), which states that “organizations shall make a reasonable effort to ensure that the individual is advised of the purposes for which the information will be used”. Thus, the complainant had not given her knowledge and consent regarding the suspension policy and practices, and in turn the ISP used the complainant’s personal information without consent for purposes other than that for which it had been collected, in violation of Principle 4.5.

Given the steps undertaken by the ISP to explain its account suspension practices in an understandable manner, the Commissioner found the ISP to now be in compliance with the Act.

An interesting point that arises from this case is that the Commissioner made no distinction between the use and retention of personal information. That is, he treated retention of the customer’s e-mail messages, where intentional and for a specific purpose, as a use of the information. This raises the question of whether the privacy legislation, and the CSA Model Code for the Protection of Personal Information that appears as Schedule 1 of the legislation, should treat retention of personal information in the same way as use of personal information.

What if retention was considered “use” or otherwise covered by the legislation? Then, under PIPEDA at least, one would have to consider if the retention was reasonable, since people cannot consent to uses of their personal information that are not reasonable. If retention were to be permitted on consent, collectors of information would have to start putting on their consent forms that among other listed uses, they might retain the information to enforce payment. From a customer relations point of view, businesses may not want to do this.

If we were to make a comparison with real property, some would argue that an auto mechanic does not put such a notice in his estimates for repair work, but he has the right to retain a vehicle till he receives payment. However, there is a key distinction between physical property and communications. With communications, time is of the essence. A given communication may have value if delivered on Monday, but may be valueless if delivered on Tuesday. In contrast, the car retains its value when held by the auto mechanic. As well, addressees of messages don't necessarily know that the message has been sent, whereas the car owner surely is aware of its detention.

In the ISP/email case, the customer did not receive an important message, and was not aware that it had been sent. By the time she extracted it from the ISP weeks later, the message – an invitation to apply for a contract – had expired. Retention of such communications, beyond what a reasonable person would expect, therefore can have significant consequences for users. Rather than lumping retention of information into “use” under the legislation, retention should be dealt with separately and treated as another important way in which information is handled by an organization. This may be something for the federal government to consider when PIPEDA comes up for review in a few years.


Calgary School Board Breaches Students’ Privacy

The Alberta Office of the Information and Privacy Commissioner recently released a report finding that the Calgary Board of Education (CBE) disclosed the personal information of thousands of kids to a major U.S. Internet company in exchange for free Web service and advertising cash, without telling families exactly what it would be used for.

The issue was brought to the attention of the Commissioner’s office by a Calgary parent, and the Commissioner in turn launched an investigation, finding that the child’s personal information was being used and disclosed for two purposes. The first purpose was for educating students about the use of e-mail and the Internet, and the second purpose was for advertising, marketing, and revenue-generation. The CBE entered into a contractual agreement with WhoWhere?, a subsidiary of Lycos Ltd., in October 1998. Under the agreement, the CBE disclosed the name, gender, year of birth, username/e-mail address, password and school code of students.

According to the Commissioner’s report, the contract “allowed WhoWhere? to use the information in order to target the students with appropriate advertising and direct marketing offers for which the (CBE) received 25% of the revenue, and free e-mail and Internet service”.

CBE officials are claiming that the personal information was disclosed to set up student e-mail and to ensure kids were subjected to age-appropriate advertising.

New Freedom of Information and Protection guidelines in Alberta, which govern the release of personal information by school boards, came into effect in September 1998, one month before the CBE entered into its contract with Lycos Ltd. School board officials thus acknowledge that their interpretation of the guidelines was at that time in its infancy.

However, the investigation found that although the CBE did send out permission slips, it neglected to inform parents of the revenue-generating part of the agreement.

Officials could not say how many students’ information was disclosed, because not all schools took part. It is also unknown how much advertising money was forwarded to the CBE, although it is claimed to be less than $5,000. The contract was terminated by Lycos Ltd. in December of 2000 because they apparently were not making enough revenue.

The Alberta Office of the Information and Privacy Commissioner has ordered the CBE to change its practices and ensure breaches like this never happen again.


Draft Legislation in South Africa Pushes for and Pulls against Privacy

South Africans stand to gain greater control over personal information held by the state, banks, insurers and credit bureaus under a contemplated privacy and data protection law currently being researched by the South African Law Commission.

The goal is to ensure personal information is only used for the purposes for which it is gathered, to regulate collection and storage, compel that a person be notified that their information is held and give a right of access to it, and a right to have inaccurate information corrected.

It would, for example, apply to credit bureaus, which have been accused of collecting not only information on creditworthiness, but also drinking habits, health, political and religious convictions and race. Although most financial institutions have codes of conduct on privacy, these are not necessarily enforceable in law.

Under the proposed privacy law, the state is restricted to collecting only relevant personal data for set purposes. But this is balanced by its right to use personal information to administer pensions, issue passports and identity books, and conduct censuses.

The commission has asked two experts to brief it on the technical safety requirements in storing personal data. The commission intends to publish an issue paper by year-end that will call for public submissions. A discussion paper and draft Bill will follow.

Meanwhile, the controversial Regulation of Interception of Communications Bill was recently approved by the South African National Assembly’s justice and constitutional development committee. The measure, first introduced as the Interception and Monitoring Bill, initially drew sharp criticism from the public and organizations that believed it interfered with a constitutional right to privacy.

Essentially, the bill allows the state and law enforcement agencies to intercept and monitor electronic and postal communications, including calls made on cell phones, of any South African. Prior judicial sanction is required for all orders allowing interception or monitoring, but exceptions are made for emergency situations or cases where a life is in danger.

Among other things, the Bill also requires telecommunications service providers to install the equipment that makes interception and monitoring possible. The government hopes that the measure will help in the fight against crime, as telecommunications are increasingly being used in organized crime.

With these two legislative initiatives being contemplated at the same time, one that enhances privacy and one that appears to erode privacy, the debate over reaching the right balance in South Africa between privacy and other social values, such as security and crime prevention, is sure to be a long and challenging one.


Study finds Information-Security Budgets are on the Rise

A report recently released by market researcher Vista Research in partnership with survey firm Harris Interactive summarized the results of a survey of nearly 300 high-level information technology managers. The results indicate that more than half the companies surveyed had increased their information-security budget in the past year, in many cases at the expense of other parts of their overall technology budget.

The windfall from the spending doesn’t seem to be going to well-known security companies. The report found that security decision makers are currently using mainstream companies rather than those that specialize in security solutions. Half of the participants cited Symantec as one of the companies they relied on to provide security to their business. 47 percent said Cisco was among their choices, and 42 percent cited Microsoft. Security-only companies ranked much lower: Check Point Software at 12 percent, Watchguard at 7 percent and ISS (Internet Security Systems) at 4 percent.

The report found that 12 percent of respondents had a significant security breach or major fraud in the past year. It is clear that two events spur proactive spending: experience with breaches and regulatory requirements. A senior financial analyst stated in the report that long term increases in security spending will be driven by regulations, not security incidents. The analyst suggests that serious security breaches tend to produce dramatic, but short-lived spikes of activity, not prolonged spending.

However, security spending will likely only be driven by a regulatory framework if the laws governing protection of information are adequately enforced. If organizations are not being investigated or facing penalties or damage to their reputation due to non-compliance, there is no scare factor to motivate organizations to take precautionary and expensive measures to protect personal information.


Biometric Technology gains Popularity

Iris-scanning technology, which will be introduced at Toronto’s Pearson International Airport and Vancouver International Airport early next year, promises to speed up customs and immigration clearance for travellers and to make air travel safer. Elinor Caplan, Minister of National Revenue, recently announced the pilot project. The system, called CANPASS-Air, will allow pre-approved travellers to clear customs by simply looking into a camera that recognizes the iris of their eyes as proof of identity. Members will also be able to declare goods and pay duties and taxes at the kiosks. The cost to members will be $50 a year.

In conjunction with other new technologies, CANPASS-Air checks clients against a security system as if they were meeting an officer in person, and refers suspect clients to further inspection. This limits the amount of interaction with trusted clients, which allows Customs personnel to focus on people they don’t know.

Iris scanning has proved to be more reliable than other biometric indicators such as finger-printing because the colourful ring around the pupil is unique from eyeball to eyeball and person to person. Unlike a fingerprint, it can't be replicated, and the machines recognize only “live” eyes.

It also doesn't have the negative connotations that finger scanning has for many Canadians. When we think of finger scanning, we think of finger-printing and in turn, criminal activity.

But, unlike retinal scanning, which scans the back of the eyeball, iris scanning, like facial scanning, can pose a bigger potential risk to individual privacy. Iris scanning, for instance, can be done from as far as almost a metre away. Potentially, the technology could scan someone’s eyes without his or her knowledge.

A conference recently sponsored primarily by the U.S. National Institute of Standards and Technology discussed the need for standards that are applicable to any biometric technology. Open, consistent standards for biometrics, and associated testing, are critical to providing higher levels of security in personal identification systems. Delegates also discussed how legislation on the proper uses and controls of biometric information could relieve some worries about privacy.

Having good rules in place is always helpful, but the rules must not be used to legitimize an inappropriate expansion of the use of biometrics, particularly given the potential erosion of privacy involved.