PrivaTalk
December 2002, Volume 2, Issue 12
The Canadian Government’s Lawful Access Proposal – Serious Privacy Issues
In a document entitled Lawful Access, released in the summer of this year, the federal Department of Justice outlined its proposal for requiring every Internet Service Provider (ISP) in Canada to have the facilities in place to monitor the Internet activity of individual customers.
The document (www.canada.justice.gc.ca/en/cons/la_al/) explains that police and national security agencies have found that criminal use of new communications technologies has made it increasingly difficult for them to investigate serious crimes such as drug trafficking, child pornography, murder, money laundering, price fixing and deceptive telemarketing.
The Federal Privacy Commissioner stated in his recent letter to the Minister of Justice and the Attorney General of Canada: “The interception and monitoring of private communications is a highly intrusive activity that strikes at the heart of the right to privacy. If Canadians can no longer feel secure that their web surfing and their electronic communications are in fact private, this will mark a grave, needless and unjustifiable deterioration of privacy rights in our country.” His concerns have been echoed by provincial privacy commissioners across Canada.
Law enforcement agencies already have the ability to monitor personal wireless communications services, as the necessary facilities are part of the licensing requirement outlined in the Radiocommunications Act. The objective of the Lawful Access proposal is simply to ensure that the same capability is available for Internet communications and other wired and wireless communications technologies. The proposal outlines the nature of the access facilities that would have to be maintained and suggests that service providers would cover the cost of installing the monitoring facilities.
The proposal, however, contemplates requirements that would have a different effect for ISPs than for voice communications providers. It proposes the potential requirement to have the storage capacity necessary to preserve user data that might otherwise be deleted. This implies the storage of historical textual data that could be used to examine the Web sites visited by an individual and the content of chat discussions and e-mail messages. For voice service providers this would likely affect only the customer account and transaction data, both of which expose virtually nothing of the communications content. Conversely, ISPs would also be required to preserve content-related textual data that is very easily searched for crime-related keywords and language patterns. It is this requirement, and the potential for its abuse, that concerns privacy advocates.
Individuals are often told that there is nothing to worry about as long as they are obeying the law. The problem with this consolation is that it does nothing to re-establish the comfort and peace of mind that is afforded by the belief that one’s actions and thoughts are truly private.
The Commissioner has stated that there is no evidence demonstrating that there is a serious problem that needs to be addressed. He states in his letter that “Lacking any evidence of serious problems requiring correction by invading the privacy of Canadians, it is not possible to be persuaded that the proposals address these problems effectively, proportionally, and in the least privacy-invasive manner possible.”
Although the consultation paper does not contemplate general retention orders for Internet and cellular telephone data, it does propose the creation of a “data-preservation order” to act as an expedited judicial order that requires service providers to store and save existing data that is specific to a transaction or client. The purpose of such an order is to ensure that communication service providers, as custodians of communications data, do not delete subscriber-specific information until such time as they are served with a search warrant or production order. According to the Federal Privacy Commissioner, preservation orders are just as dangerous and inappropriate, from a privacy point of view, as retention orders.
Preservation orders would enable law enforcement and national security authorities to require wireless telephone services and internet service providers to preserve detailed records of every telephone number called, every Website and every page on that site visited, what was searched for and what was downloaded.
Privacy advocates must be reminded that local governments in Canada have been experiencing a steady rise in crime in areas surrounding major urban centres. This trend has been accompanied by a corresponding increase in the cost of law enforcement, and law enforcement officials often find themselves the losers in the battle of technology they must wage with the criminal element in our communities. Privacy advocates concerned about this loss of privacy should concentrate their efforts on ensuring that an appropriate system of checks and balances is in place to ensure that law enforcement officials and employees of service providers don’t abuse the power afforded them through monitoring facilities.
Privacy Complaint against a Marketing Company in Canada
A recent complaint to the Federal Privacy Commissioner has serious implications for the marketing industry. An individual alleged that a marketing firm, which conducts consumer product surveys, improperly discloses the personal information of survey respondents. The complainant felt that the company did not adequately specify the extent to which personal information collected is disclosed for marketing purposes and also felt that the company misleads or deceives individuals as to the purpose of collection. The complainant was also concerned about the opt-out consent used on the survey forms and the appropriateness of the arrangement given the sensitivity of the information in question (the survey asked questions regarding health and personal finance). Lastly, the complainant raised specific concerns about whether the company clearly informs the public of its personal information management policies and practices.
The Commissioner determined that the company did not adequately specify the extent to which personal information was to be used for marketing purposes. The survey materials did not make it clear that the respondent’s personal information was intended to be disclosed to third parties for marketing purposes. The Commissioner did not consider these materials a reasonable effort on the company’s part to inform individuals of the purposes for which their personal information was gathered.
In the Commissioner’s opinion, the privacy policy contained a better explanation of purposes and the intention to disclose to third parties for direct marketing purposes. That being said, he noted that the policy was not easily or immediately available to the individual at the time of responding to the survey and in fact was not even made known to the individual respondent. In view of the reasonable expectation that the specification of purposes be coincident with collection, he did not find it reasonable for the company to rely on purpose statements made in a policy that is not available at the time of responding to the survey and is only available on an unadvertised website.
Since the company had failed to meet the requirement for the individual’s knowledge, he determined that it did not obtain valid informed consent of individual respondents to the collection, use or disclosure of their personal information via the surveys. The Commissioner therefore found it in contravention of Principle 4.3 on getting consent.
With respect to the company’s efforts to comply with the Act, the Commissioner was troubled by the vast discrepancy between the website and the survey materials. He questioned why the company would make its purposes reasonably clear in a remote and unadvertised privacy policy located on its website, namely that personal information would be disclosed to third parties for the purpose of direct marketing, but then in the survey materials explain the purposes in such limited terms as fact-finding, opinion-gathering, and product quality improvement. He further wondered why the company would make the effort to formulate a more or less compliant privacy policy and then not draw individual respondents’ attention to it. In the Commissioner’s view, far from providing a reasonable understanding of the use or disclosure of personal information, as the company had argued, the survey materials did not inform individuals as to the true purposes of the surveys and detracted from the fairness of the company’s collection of personal information.
The Commissioner determined that the check-off arrangement provided on the survey forms was vague, not prominently placed, and ambiguous as to the form of consent that it sought. The Commissioner is already on record as having concluded that any personal information may be sensitive in a given set of circumstances. He therefore could not accept the company’s practice of disclosing information it deemed to be non-sensitive in cases where a survey respondent did not indicate either “Yes” or “No” to such disclosure. He considered the consent arrangement inappropriate given the potential sensitivity of the personal information in question.
Given that at the time of the complaint the company did not have a representative accountable for the organization’s compliance with the Act, and that specific information about the company’s privacy-related policies and practices was not readily and reasonably available, the Commissioner found that the company did not meet its obligations under the Act.
Ontario Law Requiring Blood Tests Delayed due to Privacy Concerns
The Ontario government recently revealed that concerns over privacy and other rights have delayed the implementation of a one-year-old law that allows emergency workers to demand blood tests of people with whose bodily fluids they have come into contact.
Under the law, which was passed and given Royal Assent last December, a medical officer of health can order a blood sample from someone who has exposed an emergency worker, Good Samaritan or crime victim to bodily fluids. Blood would be tested for diseases such as HIV, AIDS, hepatitis C and spinal meningitis.
The government has not actually put the law into effect yet, and Public Security Minister Bob Runciman concedes there have been concerns it might not stand up to a constitutional challenge. The government promises that the law, believed to be the first of its kind in Canada, will take effect on May 1, 2003.
Although the government said constitutional issues are being hammered out, Charter challenges are still expected, given the large invasion of bodily privacy. The government, however, says the law is necessary because of people such as Natalie Hiltz, a police officer who was bitten on the hand by a prostitute in 1997. The woman refused to supply a blood sample and Ms. Hiltz took a drug cocktail for six months. She later found out the woman was HIV-positive. Although Ms. Hiltz did not ultimately contract the virus, her suffering could have been prevented by this Ontario law. The invasion of privacy issues with this law could mean we may never see this law come into force.
The United States Government Proposes Total Information Awareness
The United States government proposes to root out terrorists by building a massive, computerized spy network called Total Information Awareness (TIA), which would collect and analyze huge volumes of data on citizens.
The federal government’s Defence Advanced Research Projects Agency, which helped develop the Internet and conducts cutting-edge military research and development, is seeking bids from contractors to help build this huge digital system that would sift through people’s email, telephone records, credit card purchases, bank transactions, medical records, property records and travel documents. The system would collect these data on people in the United States and abroad.
It’s important to emphasize that TIA would employ technology that does not yet exist. As the project’s request for proposals says, “The database envisioned is one of an unprecedented scale.” Even the term “database”, as now understood, fails to describe the immensity of the system. If TIA could be developed, it wouldn’t function for several years.
TIA would essentially use data mining technology, totally untested in the national security context, to detect potential terrorist threats. Data mining, currently used by industry to track buying habits and target telemarketers, among other things, involves the computerized scrutiny of vast amounts of unrelated information in the hope of finding patterns that can predict future behaviour.
TIA would link a huge number of commercial and governmental databases, both in the United States and overseas. These databases could presumably range from student grades to mental health histories to travel records.
U.S. government officials have made weak promises to abide by the Fourth Amendment, which protects against unreasonable searches and seizures. Technologies will apparently be used for controlling automated search and exploitation algorithms and for purging data structures appropriately, and this is supposed to protect the privacy of individuals not affiliated with terrorism. In other words, the system will analyze the private records of people without a search warrant. Then, having determined that those people aren't suspicious, it will purge those records. A far cry from protecting privacy.
Accordingly, the American Civil Liberties Union feels that members of Congress should suspend all work on the Total Information Awareness initiative until it can be fully reconciled with the Constitution.
Ranking of States’ Privacy Protection Efforts
California ranks highest in protecting its citizens against invasions of privacy, according to a ranking issued by Privacy Journal, a U.S. publication on privacy.
California finished at the top because its legislature has passed a number of new legislative protections in the last two years; also, its courts and its constitution provide the strongest privacy protection in the nation. In 1999, when Privacy Journal announced its first ranking of the states, California and Minnesota tied for first. This year, after Privacy Journal considered laws and practices since 1999, California finished first and Minnesota finished second, both with numerical rankings 33 percent higher than the next ranked state. The top ten states, according to Privacy Journal, are, in alphabetical order: California, Connecticut, Florida, Hawaii, Illinois, Massachusetts, Minnesota, New York, Washington, and Wisconsin. There was little change among the top ten states from Privacy Journal’s original ranking of the states, in 1999. California, Minnesota, and Hawaii – alone among the states – have state offices assigned to protect personal privacy.
The most significant strides in protecting privacy were made by Vermont, whose courts and attorney general are vigorous in protecting privacy, and California and Minnesota, plus four states that have enacted laws protecting medical confidentiality. They are Arizona, Hawaii, Maine, and Washington State, all states that finished in the top half of Privacy Journal’s ranking in 1999 and in 2002.
There was some movement in Texas, one of four states adjudged “not on the radar screen” in 1999. The state legislature there enacted laws on use of genetic information by insurance companies and employers and use of automatic dialers by telemarketers and now requires telemarketers to consult a state do-not-call list.
Privacy Journal Publisher Robert Ellis Smith stated that if the federal government had been ranked like a state, it would have placed in the fourth tier. U.S. federal laws do not protect medical records nor provide access to them, they do not protect library records at all, and federal law has only partial protection for financial records. Protections against electronic surveillance were weakened in 2001 with the passage of anti-terrorism legislation. On the other hand, federal protection for personal information in government files exceeds the protections in nearly all states.
Privacy Journal rates the states on several factors, including whether they protect privacy in their constitutions, have laws protecting financial, medical, library, and government files, and have fair credit reporting laws stronger than the federal law. Points are added when the highest court in the state has a strong record on privacy and deducted for anti-privacy actions by state agencies or the state legislature. The ranking is based on the 2002 edition of Privacy Journal’s “Compilation of State and Federal Privacy Laws,” a 106-page reference book available for $35 from Privacy Journal, www.privacyjournal.net.
P3P – Will it Survive?
Take-up for the Platform for Privacy Preferences (P3P) specification has slowed dramatically. Nearly 20% of the top 500 Websites are using the specification but the rate of new adoptions has fallen to about 1% per month. See the April 2001 issue of PrivaTalk for a description of P3P.
Moreover, the financial services industry, which handles sensitive personal data about customers, has a P3P adoption rate that is much lower than average. Only 11% of the top finance and investing Web sites have implemented P3P, according to Ernst & Young, which began reporting on P3P adoption rates in August of this year. In comparison, 18% of the 500 Websites with the highest traffic among U.S. Internet users are using P3P. At the current pace, it would take about eight years for all the top sites to adopt P3P.
Individuals and companies backing the on-line privacy standard developed by the World Wide Web Consortium (W3C) recently met to discuss whether a second version was needed. They instead chose to explore some of the issues that are keeping companies from adopting P3P.
A major concern seems to be that the specification’s “vocabulary” is not rich enough to allow exact translations of written data privacy policies into an XML-based format that can be read by Web browsers and compared against the preferences set by individual users.
The Financial Services Roundtable’s technology group, the Banking Industry Technology Secretariat (BITS), said that it wanted the W3C “to state explicitly” that machine-readable P3P statements were not legally binding documents. One reason for the sluggish rate of adoption is the economy. Another is uncertainty about how legal systems will enforce P3P-based privacy policies.
Over time, the P3P working group may look at the idea of adding “negotiation abilities” into P3P. P3P-capable Web browsers react to policies on Web sites in a yes/no manner according to user preferences. A negotiation feature would let companies interact with users and, for instance, offer coupons in exchange for personal information. However, that would also require flexible privacy policies to handle any negotiation results.
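The yes/no matching described above, as an added illustration that is not part of the original newsletter and not the W3C’s own code: a small Python evaluator parses a P3P 1.0-style XML policy (the element names POLICY, STATEMENT, PURPOSE, RECIPIENT, RETENTION, DATA-GROUP and DATA are from the P3P vocabulary; the policy text itself is a constructed, abbreviated sample) and compares each statement against a user’s preferences. The `Preferences` structure, the rule that an `opt-in` purpose is tolerated while `always` and `opt-out` are not, and the prefix match on data references are this example’s own assumptions, not anything the specification or a real browser does.

```python
"""Toy P3P evaluator: parse a P3P 1.0-style policy and derive the yes/no
answer a P3P-capable browser would give for a set of user preferences.
Added example; policy text and preference model are constructed here."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Real P3P 1.0 namespace; the policy below is a constructed, abbreviated sample.
P3P_NS = "{http://www.w3.org/2002/01/P3Pv1}"

SAMPLE_POLICY = """<POLICIES xmlns="http://www.w3.org/2002/01/P3Pv1">
  <POLICY name="sample" discuri="http://example.com/privacy">
    <STATEMENT>
      <PURPOSE><current/><admin/></PURPOSE>
      <RECIPIENT><ours/></RECIPIENT>
      <RETENTION><stated-purpose/></RETENTION>
      <DATA-GROUP><DATA ref="#dynamic.clickstream"/></DATA-GROUP>
    </STATEMENT>
    <STATEMENT>
      <PURPOSE><telemarketing required="opt-out"/></PURPOSE>
      <RECIPIENT><other-recipient/></RECIPIENT>
      <RETENTION><indefinitely/></RETENTION>
      <DATA-GROUP>
        <DATA ref="#user.name.given"/>
        <DATA ref="#user.home-info.telecom.telephone"/>
      </DATA-GROUP>
    </STATEMENT>
  </POLICY>
</POLICIES>"""


@dataclass
class Preferences:
    """User preferences (example's own model, not a P3P construct)."""
    blocked_purposes: set = field(default_factory=set)
    blocked_recipients: set = field(default_factory=set)
    blocked_retention: set = field(default_factory=set)
    blocked_data_prefixes: tuple = ()


def _local(tag):
    # Strip the namespace so "{...}telemarketing" becomes "telemarketing".
    return tag.split("}", 1)[-1]


def _children(stmt, name):
    # Return (element-name, attributes) for each child of e.g. <PURPOSE>.
    node = stmt.find(P3P_NS + name)
    return [] if node is None else [(_local(c.tag), dict(c.attrib)) for c in node]


def parse_statements(xml_text):
    """Flatten every <STATEMENT> into purposes, recipients, retention, data refs."""
    root = ET.fromstring(xml_text)
    statements = []
    for st in root.iter(P3P_NS + "STATEMENT"):
        statements.append({
            "purposes": _children(st, "PURPOSE"),
            "recipients": [n for n, _ in _children(st, "RECIPIENT")],
            "retention": [n for n, _ in _children(st, "RETENTION")],
            "data": [d.attrib.get("ref", "") for d in st.iter(P3P_NS + "DATA")],
        })
    return statements


def evaluate(xml_text, prefs):
    """Return (accepted, findings): accepted is the browser-style yes/no."""
    findings = []
    for i, st in enumerate(parse_statements(xml_text), 1):
        for name, attrs in st["purposes"]:
            required = attrs.get("required", "always")  # P3P default is "always"
            # Assumed rule: a blocked purpose is tolerated only if it is opt-in.
            if name in prefs.blocked_purposes and required != "opt-in":
                findings.append(f"statement {i}: purpose '{name}' ({required})")
        for r in st["recipients"]:
            if r in prefs.blocked_recipients:
                findings.append(f"statement {i}: recipient '{r}'")
        for r in st["retention"]:
            if r in prefs.blocked_retention:
                findings.append(f"statement {i}: retention '{r}'")
        for ref in st["data"]:
            if any(ref.startswith(p) for p in prefs.blocked_data_prefixes):
                findings.append(f"statement {i}: data '{ref}'")
    return (not findings), findings


STRICT = Preferences(
    blocked_purposes={"telemarketing", "contact"},
    blocked_recipients={"other-recipient", "unrelated", "public"},
    blocked_retention={"indefinitely"},
    blocked_data_prefixes=("#user.home-info.telecom",),
)

if __name__ == "__main__":
    ok, why = evaluate(SAMPLE_POLICY, STRICT)
    print("ACCEPT" if ok else "REJECT")
    for line in why:
        print("  -", line)
```

The first statement (clickstream data, used only by the site itself for the current purpose) passes, while the second is refused on four grounds at once; a browser that only knows the answer "no" cannot tell the user which of the four mattered, which is one face of the vocabulary problem the working group discussed.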
Given the increased awareness of privacy around the world, P3P will likely survive – although, as with any new consumer protection technology, adoption will be slow.