PrivaTalk - February 2003
Volume 3
Issue 2
Ontario Court Finds Police Use of Infrared Technologies an Unreasonable Violation of Privacy
A recent decision of the Ontario Court of Appeal signals that courts are wary of technologies that pose a threat to civil liberties. Intrusive technologies that encroach on civil liberties will not be tolerated, even if they assist police efforts.
The court acquitted a man whose hydroponic marijuana operation was detected by police who flew overhead with infrared equipment. The ruling made it clear that police must henceforth obtain search warrants for these flyovers, since the heat they measure may emanate from other private activities that generate surges of energy, such as taking a bath or using lights at unusual hours. Justice Abella found a need to protect privacy since such activities could be “intensely personal”. She stated for the court that there is a clear distinction between the kind of observation police make using the naked eye or binoculars and more threatening forms of intrusion that are the product of technology.
The ruling thus erased an 18-month sentence imposed against Walter Tessling, whose home contained enough marijuana plants to yield many kilograms of the narcotic.
The RCMP conducted the aerial surveillance in 1999, after getting a tip from an informant that Mr. Tessling and a friend were producing and trafficking marijuana. Police in the Tessling case were told by Ontario Hydro officials that there was no unusual hydro usage at his home. Still suspicious, they flew over the house with the infrared equipment.
Infrared surveillance will now in Ontario be subject to the same laws that exist for obtaining warrants to conduct a raid, plant a listening device or intercept phone calls. What is novel about this case is that it involves technology where inferences can be drawn about what is going on in your home without the police going anywhere near it, hardly trespass in the traditional sense of the word.
Crown counsel argued that individuals have no reasonable expectation of privacy in the heat emitted from their homes, and that such heat does not reveal intimate details about their activities. However, the court said that it is impossible to ignore the fact that those surface emanations have a direct relationship to what is taking place inside the home; thus, Mr. Tessling clearly had a reasonable expectation of privacy, and it was unreasonably violated.
This case has significance outside of the criminal context as well – private investigators hired by organizations for a variety of reasons, such as to pre-screen employees or to confirm disability benefits claims need to understand that the technologies and methods used in their work may be found to be a violation of privacy, even if these tools are not directly invasive but result in inferences being made about the individuals being investigated. Under the Personal Information Protection and Electronic Documents Act, federally regulated companies need to take appropriate steps to ensure that any private investigators they outsource to are compliant with privacy principles, since the company remains accountable for the protection of personal information. Private investigators will themselves be governed by the legislation, or a substantially similar provincial version, come 2004. If used by the private sector, invasive technologies could be seen as a violation of the “Limiting Collection” privacy principle since such use may mean the information is not being “collected by fair and lawful means”.
Federal Privacy Commissioner Releases Annual Report Containing a Useful Summary of Where Businesses are Going Wrong
The federal Privacy Commissioner released his Annual Report to Parliament on January 29, 2003. The report is available to the public on the Commissioner’s website. The Commissioner spoke at great length about the anti-terrorism initiatives of the government as being deeply disturbing and stated that “Together, they add up to an unprecedented assault on the fundamental human right of privacy by the government of Canada.” The second half of the Annual Report deals with the private sector legislation, the Personal Information Protection and Electronic Documents Act. This article will focus on the Commissioner’s comments about his experience and rulings under that Act.
The Commissioner stressed that it does not matter who generates the information, or who technically “owns” it, an argument often made by physicians about medical files and employers about personnel files. If it has been assigned in an individual’s name, the chances are that the Commissioner will accept it as being his or her personal information.
The Commissioner identified 9 systemic problems in his report that his Office has come across in the course of investigating companies under the private sector legislation. These compliance problems are summarized in this article and provide a useful list of issues to watch out for and learn from for those who will be governed by the legislation, or a substantially similar version, come 2004.
1. Lack of follow-through
The Commissioner has found that most companies have corporate brochures and Web sites that proudly proclaim a privacy code, and thus appear to be in full compliance with their obligations under the Act. However, investigations are showing that a number of organizations are not putting their codes into practice.
A privacy code is pointless without comprehensive and detailed policies and procedures, and these in turn are pointless unless they are known by those within an organization that handle personal information, and consistently observed and applied.
2. Not designating a privacy officer
The Act specifies that an organization must designate one or more individuals responsible for the organization’s compliance with the principles of the Act. The Commissioner has investigated organizations that have not yet designated such an individual or did not identify any person as the responsible privacy officer.
PrivaTech: Designating a privacy officer should ideally be the first step when thinking about implementing compliance initiatives, well in advance of when the legislation applies to the organization. The privacy officer must have enough seniority within the company to be able to make decisions that will change the way the organization handles personal information.
3. Not knowing how to handle access requests and complaints
The Commissioner found that most organizations seem to understand that an individual has a right to gain access to his or her personal information and to challenge an organization's compliance. However, when it comes down to receiving an actual access request or complaint from an individual, some organizations are still uncertain how to go about processing it. Organizations therefore need clear, consistently followed policies for handling such interactions with customers and employees.
4. Keeping information too long or not long enough
Retention is another principle to which some organizations need to pay greater heed in the form of specific policies and guidelines. The law makes it clear that:
a) A minimum and a maximum retention period should be established for personal information;
b) Information that has been used to make a decision about an individual must be kept long enough to allow the individual access to the information; and
c) Information no longer required to fulfill identified purposes should be destroyed, erased or made anonymous.
The Commissioner has been finding that organizations are either destroying personal information too soon – that is, before the individual has a chance to gain access to it – or habitually keeping it for long periods of time, far past any need to do so.
PrivaTech: The first step in creating a retention policy is data classification. Different types of data (e.g. financial, customer profiles, etc.) warrant different retention rules and may be governed by other laws as well. Retention policies need to take paper and electronic documents into account.
5. Not meeting the time limit for access
The Commissioner published a number of decisions against organizations that did not meet the 30-day time limit for responding to an access request. In most of these cases, however, the failure to meet the time limit was due more to a lack of efficient procedures for processing the requests than to deliberate refusal on the organization's part.
PrivaTech: Organized, accurate files become critical to meeting the time limits for providing access. Also, companies need to know in advance how long it takes to retrieve documents stored off-site.
6. Not limiting collection to what is necessary
Under the Act, organizations must take steps to ensure not only that their purposes for collecting personal information are legitimate and reasonable ones, but also that both the amount and type of information collected are necessary to fulfill those purposes.
The Commissioner provides as an example in his Annual Report the unacceptable use of the Social Insurance Number (SIN) as a mandatory identifier. The SIN may be required for tax reporting purposes by some organizations (e.g. insurance companies), but the vast majority of the private sector do not have a legitimate reason for collecting SINs from customers.
PrivaTech: This will be a major issue for the private sector as many businesses collect SINs as a means of avoiding confusion over similar names among customers. If a company’s computer system only accepts the SIN as the primary identifier, substitute numbers may need to be used or system changes should be factored into the privacy budget, since the SIN cannot be collected as a condition of service if it is not required for tax reporting purposes.
7. Not identifying purpose for which information is collected
Persons from whom organizations demand information have a right to know why. According to the Act, an organization must identify the purposes for which it collects information, the purposes must be documented, and they must be specified to the individual at or before the time of collection. It is also incumbent on the organization to make sure that employees who do the collecting can explain the purposes to individuals. Several complaints so far have brought to light violations of one or more of these principles.
PrivaTech: Some organizations may feel they are in compliance with the legislation because they collect information and only use it for legitimate purposes. However, the Commissioner makes it clear that it is not enough that purposes be legitimate. They must also be identified. If the purposes are identified in a corporate privacy policy, the policy must be clear and easily available at the time of collection.
8. Not instituting proper safeguards
The Commissioner noted that in the actual or potential breaches of informational security brought to his attention, the central issue has been the adequacy of the safeguards instituted by the organization. The obligation to protect personal information once it has been collected is obviously one that some organizations need to start taking more seriously. The Commissioner offered several examples, such as a company he found not to be exercising appropriate operational controls to keep employees' pay statements confidential.
PrivaTech: As set out in the Act, safeguards may take many forms, ranging from physical measures such as locked filing cabinets, to organizational measures such as security clearances, to technological measures such as the use of passwords and encryption. Having a full security policy that covers the protection of various types of data is much more effective (and less risky) than implementing isolated measures that may work together inadequately to offer full protection.
9. Not recognizing that employees have privacy rights too
The Commissioner states that many federally regulated organizations have jumped to the conclusion that the Act only applies to the collection, use and disclosure of personal information about their customers. As a result, some organizations have been surprised by complaints filed against them by their own employees, past or present. In good part, the violations at issue in such complaints originate from an organization’s neglect to take its staff into account in developing privacy policies and procedures.
PrivaTech: Employee privacy is an important issue that all employers need to be aware of. Among other things, an employee privacy policy should outline how the company handles employee data, who it is disclosed to and in what context, when an employee can expect privacy and when not (the conditions must be reasonable), and if and when employees are monitored. Even where no legislation governs the employment relationship, employees' expectation of privacy and any monitoring they are subject to should be addressed. The goal is to ensure that there are no surprises: the employee should be clear about the organization's information-handling practices right at the beginning of the employment relationship.
The Annual Report’s summary of issues that the Commissioner has been dealing with under the private sector legislation over the past year, provides an invaluable overview of privacy compliance initiatives that businesses need to take in order to prevent a privacy crisis.
Japan’s Revised Privacy Legislation – Will it Make it Through this Time?
The new Japanese privacy legislation, a replacement for a similar measure that died in last year’s Diet session, excludes media organizations, as well as individual reporters and journalists, from the proposed provisions, resulting in no restrictions on the media’s handling of personal information.
The government wants the new bill, which incorporates changes proposed by the ruling coalition, to be voted into law during the current regular session, which is scheduled to end in late June. The going will not be smooth, however, in part because some of the previously proposed contentious provisions have been retained.
The aborted bill was based on five “basic principles”, such as the requirement that the use of information be limited to clear and specific purposes. The media strongly objected to the inclusion of these principles, and the new bill has been severely weakened as a result. The new version of the bill refers to “basic ideas” for compliance (scaled back principles), specifying that personal information “should be treated with care, given the principle of respect for the individual”, and be “handled properly”.
The authority of the state minister to issue recommendations and orders concerning the handling of personal information has also been weakened. In addition to media organizations and journalists, the new bill specifically exempts academic, religious and political institutions, in an attempt to protect freedoms of expression, learning, religion and political activity.
Along with the new privacy bill, the government is seeking Diet approval for a revision to a related bill designed to protect personal data held by central government offices. The revision bill says employees with administrative agencies who give files on confidential personal data to third parties without justifiable reasons will be punished either by imprisonment or a fine.
This is a necessary revision in light of recent revelations about data leaks by public officials in Japan. Many concerns remain because the government offices would still be allowed not only to collect sensitive data, such as medical records and political orientations, but also to use such information for unspecified purposes. Many people are also worried that without tight legal safeguards the new national database on resident registrations might be abused. No concentrated efforts have been made to plug any loopholes that might lead to the misuse of government-held personal data.
There are many concerns that have not been addressed with the new bill – for example, no consideration seems to have been given to the impact of the bill on non-profit organizations.
Originally the bill was conceived as catch-all legislation covering all fields of activity. That is why the five basic principles were formulated; the other four principles called for the proper acquisition of information and for the securing of accuracy, safety and transparency in its use. Those rules were generally sound, except in certain cases involving media and other organizations.
Now that those guideposts have been scrapped, the new bill hardly serves the purpose of basic legislation. Moreover, with a host of exceptions thrown in, it is difficult to provide across-the-board regulatory protection for personal information, which was the idea proposed in the original bill. The new bill therefore needs to be re-examined; its protections may have been weakened to the point of making the legislation pointless.
American Public Supports Biometric Identifiers on the Condition of Privacy Protection
SEARCH, a national consortium of criminal justice agencies, the U.S. Bureau of Justice Statistics and Privacy & American Business, an independent privacy think tank, recently released results of a survey of more than 1,000 people finding that the use of fingerprint, retina and facial scans for routine commercial transactions is fast approaching and Americans seem more than prepared to provide their biometric impressions. The survey found that public support for biometrics hinges on the privacy safeguards put in place by legislators and adopted by companies to protect consumers from potential misuse of their biometric identifiers. Consumers will trust companies with new forms of their personal information as long as firms stick to basic privacy safeguards. In Canada, where biometrics has not been adopted as rapidly as in the United States, consumers may not be as trusting of the use of such technology. However, as biometrics becomes more familiar, the same principles will apply as in the States, that is, as long as companies stick to basic privacy safeguards, consumer trust will develop.
The study found that many Americans find that it’s acceptable for companies to request biometric identifiers for a variety of transactions. Nine out of 10 said biometric screens were acceptable to check the identity of a gun buyer against a database of convicted felons, and consumers also approved biometrics in the following applications, according to the study:
· Verifying the identity of customers making credit card purchases: 85 percent.
· Withdrawing funds from an ATM: 78 percent.
· Accessing sensitive files, such as medical or financial: 77 percent.
· Conducting background checks: 76 percent.
· Screening out those banned from gambling or professional card counters in casinos: 56 percent.
American consumers seem particularly interested in submitting to biometrics if they believe the scans will keep them safer or result in increased convenience.
Consumers' apparent enthusiasm for biometric identifiers also may be based on a belief that such technologies are more effective in fighting identity fraud. However, broad use of biometrics in large populations may actually result in less security if someone can masquerade with your biometrics: unlike a password or a card, a fingerprint or retina pattern cannot be reissued once it has been copied. There will also be frustrations with false rejections (legitimate users turned away) and false acceptances (impostors let through), and tuning a system to reduce one increases the other.
The study showed that consumers were cognizant of the privacy tradeoffs they may be making. Eighty-six percent said consumers should be fully informed about the uses an organization will make of their biometric ID and why it is needed. About the same amount said companies shouldn’t use the data for any purpose other than the one they originally disclosed.
Among American companies rolling out biometric technologies to their customers, Charles Schwab is using voice scan for account access over the telephone and Disney World subjects its annual pass holders to a two-finger geometry scanner at the entrance gate, the study said.
The use of biometrics is being tested in airports in Canada, and it won’t be long before the technology is adopted by the financial and other sectors as well. Privacy protection will be critical in the implementation of such technologies, in order to build consumer trust.
Taking the Necessary Steps to Deploy a Secure Wireless Network
Companies that are considering deploying their own wireless local-area network need to consider a number of factors. Security in particular is a concern because a wireless network is no longer contained inside the walls that would normally guard a network’s infrastructure. Anyone with the right antenna can pull a company’s network data right out of the air and, conceivably, from a good distance away.
So why do companies bother with wireless LANs in light of the security risks? One big draw is the ease and speed of installation. A wireless LAN can be deployed in a fraction of the time a wired LAN requires because no cabling needs to be laid beforehand. An existing network can be extended in a matter of minutes to locations that weren’t previously possible.
Another major draw of wireless LANs is the flexibility that end users will encounter when they connect to the network. Just open a laptop, turn on the wireless client adapter and – assuming you are within range of an access point (“AP”) – you're connected.
The following are the steps that you, as a company, should take when deploying a wireless LAN to ensure a secure network:
Step 1: Establish security policies
Starting with a solid security policy for your existing network is a priority when looking at any wireless deployment. After all, a wireless network is just an extension of a wired network and will use that network as its base.
Having a solid wireless security policy before installing (or buying) a wireless network can help prevent the scope of the project from growing. Some modifications to an already existing security policy may need to be made to reflect the changes that a wireless addition to the network can make. This includes network documentation and educating users on the impact and challenges a wireless network can present. Proper training can ensure that everyone is focused on the safety of mission-critical data.
Wireless networks can run in 2 modes: “infrastructure” or “ad hoc” mode. Infrastructure mode employs the model of a classic LAN with centralized servers providing data to hosts and the use of APs to connect wireless clients. An ad hoc network is simply a peer-to-peer network in which clients are connected directly to one another via their wireless client adapters.
It makes more sense for a company to use infrastructure mode, because there is little opportunity to enforce security when clients connect directly to each other.
Step 2: Pretest products
Pretest the AP products you’re considering deploying in a closed test environment to make sure all the pieces work together. If you're planning on creating a LAN-to-LAN bridge with APs, look into getting specific antennas to suit your need and distance requirements. The right antenna will ensure that you're broadcasting network information to a specific destination and not to surrounding areas.
Step 3: Find rogue devices
Before conducting a site survey to find where wireless APs should be deployed, it's important to find “rogue” APs – installed by users wanting to roam the building without being tied to their desks – that may already be hanging off the network.
Because setting up an AP is relatively easy and rogue APs can be hidden almost anywhere (under a conference table or behind a computer monitor on a desk), finding rogue devices is extremely important. A rogue AP is usually installed with no encryption and sits on the wired side of the firewall, so it gives anyone within radio range a direct path onto the internal network.
Step 4: Conduct site surveys
A site survey will determine where APs should be placed and the coverage area for each AP.
Step 5: Install the wireless LAN
After completing the site survey, it's time for deployment. If you are deploying multiple APs in an area, it is important to think about overlapping coverage areas. Specifically, make sure that the channels on which APs with overlapping coverage transmit and receive do not conflict with one another; in the 2.4 GHz band, channels need to be at least five apart (for example 1, 6 and 11) to avoid overlapping.
Positioning APs so that their range is limited to a specific coverage area (for example, by placing an AP on an inside wall instead of an external wall) or using specialized antennas to focus the wireless coverage area is a good idea. However, be aware that narrowing the coverage area with your own antenna does not guarantee that someone with a focused antenna cannot pull your signal out of the air from the parking lot or outside the perimeter fence.
During deployment, give the wireless LAN its own IP subnet with its own Dynamic Host Configuration Protocol (DHCP) scope. DHCP itself adds no security (any client in range can ask for an address), but a separate subnet lets the firewall between the wired and wireless segments apply distinct rules to wireless clients. Keep the DHCP server on the wired side of the network, behind the firewall, so it is not exposed to whoever associates with an AP.
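The following is an added example, not code from the original newsletter, that ties Step 3 (rogue devices) and Step 5 (channel conflicts) together: it reads a site-survey scan, flags any access point whose BSSID is not in the company's inventory, and reports pairs of authorized APs whose 2.4 GHz channels overlap. The scan text, the inventory and the "BSSID, channel, ESSID" line layout are constructed assumptions; adapt the regular expression to whatever your survey tool exports.

```python
# Added example (not from the original newsletter): flag rogue access points
# (Step 3) and 2.4 GHz channel conflicts between the company's own APs
# (Step 5) from a site-survey scan.
# The scan text below is CONSTRUCTED; its "BSSID, channel, ESSID" layout is
# an assumption about how your survey tool's results are exported.
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

SAMPLE_SCAN = """\
00:0C:41:11:22:33, 1, CORP-WLAN
00:0C:41:11:22:44, 6, CORP-WLAN
00:0C:41:11:22:55, 11, CORP-WLAN
00:40:96:AA:BB:CC, 6, CORP-WLAN
00:0C:41:11:22:66, 8, CORP-WLAN
"""

# Inventory of APs installed by the company (assumed to be kept as part of the
# network documentation called for in Step 1). Anything seen on the air that is
# not in this list is treated as rogue.
AUTHORIZED: Dict[str, str] = {
    "00:0C:41:11:22:33": "lobby",
    "00:0C:41:11:22:44": "2nd floor east",
    "00:0C:41:11:22:55": "2nd floor west",
    "00:0C:41:11:22:66": "boardroom",
}


@dataclass(frozen=True)
class AccessPoint:
    bssid: str
    channel: int
    essid: str


# BSSID (the AP's MAC address), channel, ESSID; tolerant of stray whitespace.
LINE_RE = re.compile(
    r"^\s*([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})\s*,\s*(\d+)\s*,\s*(.*?)\s*$"
)


def parse_scan(text: str) -> List[AccessPoint]:
    aps = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # blank or malformed line
        aps.append(AccessPoint(m.group(1).upper(), int(m.group(2)), m.group(3)))
    return aps


def find_rogues(aps: List[AccessPoint], authorized: Dict[str, str]) -> List[AccessPoint]:
    """Match on BSSID, never on ESSID: a rogue can copy the corporate SSID."""
    return [ap for ap in aps if ap.bssid not in authorized]


def channel_conflicts(aps: List[AccessPoint], authorized: Dict[str, str],
                      min_spacing: int = 5) -> List[Tuple[str, str]]:
    """Pairs of authorized APs whose 2.4 GHz channels overlap.
    Adjacent 802.11b channels are 5 MHz apart but each signal is about 22 MHz
    wide, so two channels interfere unless they are at least 5 apart (hence the
    usual non-overlapping set 1, 6, 11). This assumes every listed AP's coverage
    overlaps the others'; use the site survey to restrict the comparison to APs
    that actually share a coverage area."""
    ours = [ap for ap in aps if ap.bssid in authorized]
    conflicts = []
    for i, a in enumerate(ours):
        for b in ours[i + 1:]:
            if abs(a.channel - b.channel) < min_spacing:
                conflicts.append((a.bssid, b.bssid))
    return conflicts


if __name__ == "__main__":
    aps = parse_scan(SAMPLE_SCAN)
    for ap in find_rogues(aps, AUTHORIZED):
        print(f"ROGUE  {ap.bssid} ch{ap.channel:<2} essid={ap.essid!r}")
    for a, b in channel_conflicts(aps, AUTHORIZED):
        print(f"CHANNEL CONFLICT  {AUTHORIZED[a]} <-> {AUTHORIZED[b]}")
```

In the constructed scan the rogue advertises the corporate ESSID, which is why the check keys on BSSID. A determined intruder can clone an authorized BSSID as well, so pair the radio scan with a walk-through and with a check of which switch port each AP's MAC address appears on; a scan taken from one spot also only sees APs within range of that spot.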
Step 6: Check encryption settings
Most of the discussion of wireless security revolves around the default Wired Equivalent Privacy (WEP) protocol, which uses RC4 encryption with a single key shared by every station to provide link-level confidentiality for the wireless connection.
One problem is that many installations don't even turn on WEP, which is the most basic form of AP security. If WEP is all your equipment supports, use the longest key it offers (the "128-bit" mode is a 104-bit key plus a 24-bit initialization vector) and change keys frequently, but do not treat WEP as a real security control. Its 24-bit initialization vector repeats within hours on a busy network, and published flaws in the way WEP drives RC4 let freely available tools recover the shared key from passive captures regardless of key length. Treat WEP as a deterrent against casual association only, and rely on the firewall and VPN measures in Step 7 (or on WPA, the Wi-Fi Alliance's announced replacement for WEP) for confidentiality.
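As an added example, not part of the original newsletter, the block below shows why key length and key rotation do not rescue WEP. WEP seeds RC4 with the 24-bit initialization vector (IV) concatenated with the shared key, and the IV is sent in the clear; two packets under the same IV therefore share a keystream, and anyone who knows the plaintext of one (every IP frame starts with the same LLC/SNAP header) can strip the keystream and read the other without ever touching the key. The keys, IV and packet contents are constructed sample data, and the integrity check value is omitted to keep the framing short.

```python
# Added example (not from the original newsletter): why a longer WEP key and
# frequent key changes do not make WEP safe. WEP seeds RC4 with (IV || key),
# where the 24-bit IV travels in the clear in front of the ciphertext. Two
# packets sent under the same IV use the same keystream, so anyone who knows
# the plaintext of one of them can decrypt the other without the key.
# The key, IV and packet contents below are CONSTRUCTED sample data.
import math

IV_LEN = 3  # WEP initialization vector: 24 bits


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (key scheduling + keystream generation), as WEP uses it."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # key scheduling (KSA)
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for c in data:                            # keystream (PRGA) XORed onto data
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(c ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP framing with the integrity check value omitted: the IV in the
    clear, followed by RC4(IV || shared key) applied to the payload."""
    if len(iv) != IV_LEN:
        raise ValueError("WEP IVs are 24 bits")
    return iv + rc4(iv + shared_key, plaintext)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))  # truncates to the shorter input


def keystream_from_known_plaintext(packet: bytes, known_plaintext: bytes) -> bytes:
    """Ciphertext XOR known plaintext = the keystream for this packet's IV."""
    return xor_bytes(packet[IV_LEN:], known_plaintext)


def decrypt_with_reused_iv(packet: bytes, keystream: bytes) -> bytes:
    """Decrypt a packet sent under the same IV, for as many bytes as the
    recovered keystream covers. The shared key is never needed."""
    return xor_bytes(packet[IV_LEN:], keystream)


def packets_until_iv_repeat(iv_bits: int = IV_LEN * 8) -> float:
    """Birthday bound: roughly sqrt(pi/2 * 2^n) random IVs before one repeats."""
    return math.sqrt(math.pi / 2 * 2 ** iv_bits)


# Every 802.11 data frame carrying IP starts with this LLC/SNAP header, so an
# eavesdropper always knows the first 8 plaintext bytes of nearly every packet.
LLC_SNAP_IP = bytes.fromhex("aaaa030000000800")

# Constructed sample: a "40-bit" key and a "128-bit" (104-bit) key, one IV, a
# packet whose contents the attacker knows (e.g. a ping they sent to the
# victim) and a packet they want to read.
KEY_40 = bytes.fromhex("0102030405")
KEY_104 = bytes.fromhex("0102030405060708090a0b0c0d")
IV = bytes.fromhex("3fa2c1")
KNOWN_PLAINTEXT = LLC_SNAP_IP + b"ICMP echo request " + b"\x00" * 16
SECRET_PLAINTEXT = LLC_SNAP_IP + b"user=alice&pass=hunter2"


def attack(shared_key: bytes) -> bytes:
    """What a passive listener recovers once the IV repeats, for any key size."""
    known_packet = wep_encrypt(shared_key, IV, KNOWN_PLAINTEXT)
    secret_packet = wep_encrypt(shared_key, IV, SECRET_PLAINTEXT)
    keystream = keystream_from_known_plaintext(known_packet, KNOWN_PLAINTEXT)
    return decrypt_with_reused_iv(secret_packet, keystream)


if __name__ == "__main__":
    for name, key in (("40-bit", KEY_40), ("104-bit", KEY_104)):
        print(f"{name:>8} key: recovered {attack(key)!r}")
    print(f"expected packets before an IV repeats: ~{packets_until_iv_repeat():.0f}")
```

Run stand-alone, the script recovers the secret payload with both key sizes, because the attack never touches the key. The birthday estimate of about five thousand packets is the optimistic case for randomly chosen IVs; many cards simply count the IV up from zero after a reset, so collisions arrive sooner, and a busy AP sending a few hundred packets per second cycles through all 2^24 IVs in hours, well inside any practical key-rotation interval. The separate weak-IV attack on WEP's key scheduling, which recovers the shared key itself, is not implemented here.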
Step 7: Deploy firewall and a VPN
At a minimum, install a firewall between your wired and wireless networks. Security can be enhanced by blocking unneeded services and ports (such as FTP and Telnet) from the wireless LAN using firewall rules, and by requiring encrypted protocols wherever possible.
A virtual private network (VPN) is a must for the wireless LAN, because it creates an authenticated, encrypted tunnel from the wirelessly connected laptop or client to a VPN gateway at the firewall, so that confidentiality no longer depends on the link-layer protection offered by the AP. This is especially important if staff members are going to be using public wireless LANs such as those in hotels or other public places.
By their very nature, wireless networks present greater security challenges than wired LANs. But if a company follows these basic steps and works with third-party products for additional encryption, authentication and VPN support, there's no reason why a wireless network can’t be used for mission-critical data.