PrivaTalk

May 2003
Volume 3
Issue 5

Canada’s Proposed Travellers’ Database is Scaled Back

Canada Customs and Revenue Agency will reduce information sharing in its controversial database of travel information as a concession to concerns of the Federal Privacy Commissioner, George Radwanski.  


The privacy commissioner of Canada applauded planned changes to the Advance Passenger Information/Passenger Name Record (API/PNR) system. The database created by the CCRA will hold information on Canadians as well as foreign travellers entering Canada.


The database, Radwanski said in a prepared statement, is to contain “extensive information obtained from airlines, on the foreign travels of all law-abiding Canadians -- more than 30 data elements including where and with whom we travel, method of payment for tickets, contact addresses and telephone numbers, even dietary and health-related requirements communicated to the airlines.” The information will be stored for up to six years.  


The CCRA database has been a controversial project since its inception, raising voices of opposition from privacy advocacy groups across Canada. Radwanski has been one of its most outspoken critics and has on numerous occasions criticized the largely unchecked manner in which the CCRA could use the information stored within the database. Although it was created largely under the guise of an anti-terrorism measure, the information within the API/PNR could be shared with other government agencies to monitor for possible tax infractions or other criminal activity.  


In a letter to the privacy commissioner, Revenue Minister Elinor Caplan said that information not required for customs purposes, including meals and health information, would be purged from the database.  


There will also be changes made to the way the stored information is used, she wrote. API information, meaning the passport information, will continue to be stored for six years but only a select group of “targeters and intelligence officers” will have access to the records.  


The much more detailed PNR information will also continue to be stored for six years, but access to it will now be regulated depending on the length of time it has been on record.  


For the first 72 hours, the PNR information will be used by customs and immigration agents to assess the traveller's risk. For the two years following, the information will be accessible to intelligence officers and analysts, but it will be depersonalized. It will be shared with other government departments or agencies for non-customs related purposes only if a warrant is obtained. For the last four years the information can only be used in matters related to the security of Canada. It will also remain depersonalized unless the commissioner of the CCRA personally approves re-personalizing it due to reasonable suspicions that the person in question is a high security risk.


Radwanski's statement said that the changes effectively eliminate the potential use of this information for fishing expeditions and significantly limit the use and sharing of personal information about travel activities. He also called the changes "a great victory for the privacy rights of all Canadians."


Radwanski's enthusiastic endorsement of the proposed changes has many privacy advocates very concerned. There is reason to suspect that the announcement sounds a lot better than its actual impact will be, and the appropriateness of the government holding such massive stores of information on Canadians is still in question.


Databases go hand in hand with data mining and the inadvertent leakage of information that may contain a great deal of error. The announced changes are a somewhat welcome move, though only insofar as any change is better than none at all. From a privacy standpoint, it would be better not to have such a database at all.


Striking a fair and reasonable balance between anti-terrorist and crime-fighting needs and the right of law-abiding citizens to be safe from state snooping is something governments around the world are struggling with.      


Provincial Privacy Laws – Governments Moving Too Slowly or Too Quickly

A Regina gynecologist has issued an apology to his patients after about 300 medical files from his office recently turned up in a recycling bin. The files, most of which bear Bastian's name stamp, are dated between 1990 and 1998. They include patients' names, hospitalization numbers and detailed medical information. The College of Physicians and Surgeons of Saskatchewan says it has been getting complaints from worried patients.


Saskatchewan’s Medical Profession Act addresses issues of confidentiality and specifies adult patient files must be retained for six years after the date of the last entry. However, the act does not say exactly how medical records are to be destroyed.  


In 1999 the provincial government passed the Health Information Protection Act, which deals with the duty to protect health information, but it hasn’t been proclaimed into law. Breaches of the act are punishable by fines or jail.  


Bastian says he regrets any breach of confidentiality the files may have caused. He says the files were mistakenly dumped into the public recycling bin instead of being shredded.


Saskatchewan’s Health Minister defended the delay in proclaiming the Health Information Protection Act by saying that the government is consulting with health care officials.  He also stated that he expects the bill to become law during the current legislative session.  


Meanwhile, the B.C. government surprisingly introduced its private sector privacy legislation, the Personal Information Protection Act, on April 30th. The government has pushed ahead quickly through first and second reading, leaving a very small window of opportunity for stakeholders to comment on the bill. This is rather surprising, as it was expected that a draft of the legislation would first be released for public consultation. The Bill is scheduled to come into force on January 1, 2004, in hopes of preventing the federal Personal Information Protection and Electronic Documents Act from applying within the province.


NDP opposition has accused the Liberals of trying to sneak the bill through the legislature. However, British Columbia's privacy commissioner is applauding the new law which gives the commissioner much broader powers.  As in most other provinces, currently the commissioner only has jurisdiction to investigate the public sector.  


The B.C. legislation provides much wider coverage than the federal legislation, since it will apply to charities and employee information.   


A detailed review of the B.C. legislation will be provided in the June issue of PrivaTalk – stay tuned!  


So what’s the right amount of consultation on privacy legislation?  Saskatchewan and B.C. are at two opposite extremes.  The Ontario government seems to have gotten so bogged down with listening to and incorporating stakeholder feedback into their draft Privacy of Personal Information Act, that the complex bill, with industry specific exemptions, never got to introduction.  When it comes to privacy laws, the significant impact on businesses makes consultation critical.  At the same time, there is such a thing as too much consultation, particularly because it is impossible to please all stakeholders. Protecting privacy is an obligation that many businesses would just prefer not to deal with.  


ISPs look for Solutions to Spam – Legislation and new Technologies may Help

It’s not news that Internet service providers are sick of spam, but now it seems their patience has truly worn thin. Their servers are gagging on an overload of junk mail, they have to pay people to block and purge spammers’ bogus transmissions from their systems and they are just plain fed up with subsidizing the spam industry.  


ISPs recently gathered at the 10th annual ISPCON conference and devoted a great deal of time to the war against spam. Everyone in attendance agrees that spam is a big problem. But few agree on how to stop this toll on their networks. Stopping spam isn't difficult, but stopping it without angering clients and legitimate e-mail marketers is a challenge.


Judging by the products demonstrated at ISPCON, the next generation of spam-fighting tools will be permission-based e-mail, a sort of caller ID for e-mail systems that allows users or ISPs to screen messages and decide what to respond to and what to ignore.


The ePrivacy Group demoed SpamSquelcher, which analyzes e-mail traffic moving through an ISP’s network and prioritizes legitimate e-mail, handling spam in much the same way that the post office handles bulk snail mail. First class (legitimate) e-mail gets processed first. Bulk advertising gets transmitted if, and when, the ISP has the resources and time to do so.


The idea is not to stop spam, but to make it less profitable. Spammers count on being able to deliver millions of messages very quickly, and SpamSquelcher dramatically slows down spam transmission speed. The spam still gets through, soothing any worries about heavy-handed blocking techniques, but the tool conserves ISP resources for legitimate users.  


One of the more interesting permission implementations was demonstrated by a Hawaiian company, Titan Key [ http://www.titankey.com/ ]. Titan Key stops spam before it is sent and also tricks spammers into deleting e-mail addresses from their marketing lists. Titan Key seems to be the only software that can make a particular e-mail address stop working for a spammer, yet keep it working just fine for others.  


There are a number of state laws dealing with unsolicited commercial e-mail (UCE), but no Canadian equivalent. However, in January 2003, the Working Group on Electronic Commerce and Consumers released a document entitled "Canadian Code of Practice for Consumer Protection in Electronic Commerce." The principles are similar to a growing body of U.S. statutes that ban UCE rather than requiring it to be specifically labeled as advertising. It's as if legislators in the States are thinking that since nobody is following the labeling statutes, if they outright prohibit UCE, maybe it will somehow stop.


Two of the important Canadian Code of Practice principles are the following:


1. Vendors shall not transmit marketing e-mail to consumers without consent, except where there is a pre-existing business relationship. It further explains that a pre-existing business relationship is not established by consumers merely visiting, browsing or searching on a vendor's web site.


2. Marketing messages shall contain a prominently displayed return email address and provide in plain language a simple procedure by which consumers can notify vendors they no longer wish to receive messages. The requirement of having a working unsubscribe functionality is standard in current U.S. laws.


If we were to see legislation in Canada regarding spam in the future, it would probably come in the form of amendments to the Competition Act, which is the law that deals with fair marketing practices.  The Working Group on Electronic Commerce and Consumers has a great deal of cross-membership with the Technical Committee that developed the CSA Model Code for the Protection of Personal Information.   


It’s clear that technical solutions or legislative solutions alone will not solve the spam problem. In all likelihood, a combination of these is required.


New Privacy Legislation in Ireland and Japan

Ireland has finally implemented the 1995 Directive on Data Protection, almost five years after the expiry of the EU’s deadline. Ireland becomes the 14th of the 15 Member States to get its domestic privacy legislation in order. Luxembourg has still to comply.  


The deadline for implementation of the Directive was October 1998. The UK implemented it just in time, with its Data Protection Act 1998 which completely replaced the earlier 1984 Act. Ireland’s implementing law, the Data Protection (Amendment) Act 2003, amends rather than replaces the country’s 1988 Act.  


The Directive was designed to ensure that there are no barriers to the free flow of information between member states of the European Union while demanding a high standard of protection for personal data.  


The bulk of the provisions in the Irish law will come into force on July 1st, 2003. The remainder, including provisions relating to registration and access to information, do not yet have a date set for commencement.


The 1988 Act and 2003 amendment are available as a 73-page PDF from:  http://www.dataprivacy.ie/images/Compendium%20Act.pdf  


Meanwhile, in Japan, a recent government vote passed a number of bills to prevent abuse of personal data; however, the bills have run into strong opposition from writers who say they could lead to infringement of media freedom.


Japan’s Prime Minister tried to cool off the opponents’ anger after his government revised earlier bills in the face of media criticism and stated that the intent is not to limit the freedom of the press.  At the same time, the Prime Minister tried to justify the legislation in the name of protecting private information from badgering media organizations.  


Now that a House of Representatives committee has approved the bills, the Lower House is set to pass the legislation early in May and send it on to the House of Councillors before it comes into law.


Under the legislation, businesses handling private data are required to use such information only for pre-stated purposes, to notify people on whom the data are collected and to gain consent before passing the data to third parties.  


To alleviate media and opposition camp concerns, the coalition parties revised the earlier bills to spell out that news organizations, writers and academic research groups would be exempt from the legislation.  


Publishing houses, however, will be subject to the law. A prominent novelist, one of the most vocal opponents of the bills, said the requirements could gag authors and freelance writers.  


Companies that publish magazines are not exempt from the requirements meaning that freelancers who write stories for the magazines are subsequently regulated under the legislation.  


The EU Directive forces European countries to have very similar sets of rules. For the rest of the world, depending on the stakeholder pushback in various countries, we see very different data protection laws. This makes compliance challenging and complicated for international businesses.


Spam Study in the United States Shows Deceptive E-mail is Prevalent

Two-thirds of unsolicited commercial e-mail is deceptive in some way, be it false information about the sender, the subject or the product being sold, according to a random survey by the U.S. Federal Trade Commission. That means most spam is probably already illegal and senders could be prosecuted by state or federal law enforcers in the United States, even without new anti-spam bills being introduced in Congress.  


For years, the perception has been that spam is a privacy problem and an economic problem, but this survey tells us that it's also a fraud problem. Ferris Research estimates that spam will make up nearly half of all e-mail this year, and may cost U.S. companies and organizations $10 billion this year. The Ferris study also estimated that currently 30 percent of e-mail received by Internet service providers and 15 to 20 percent of e-mail received by U.S. corporations is spam.


The FTC said it reviewed spam randomly selected from more than 11 million e-mails. One-third of the spam contained a false “from” line and of those messages 46 percent suggested a false prior personal or business relationship with the recipient. Spammers often falsify their e-mail addresses to evade filters.  


The study also found that 17 percent of e-mails that advertise X-rated Web sites contained pornographic images embedded in the messages. Such messages contained false headers 40 percent of the time, making it likely that recipients would open them without knowing they contained pornographic images, the FTC said.  


In addition, 96 percent of messages offering business opportunities contained false or misleading information.  


The messages were selected from databases the FTC compiled from e-mail that consumers forward to the agency at a rate of 130,000 a day. The study also included 100 messages received by FTC e-mail addresses.


Since 1997, the FTC has brought 49 cases alleging that spammers tried to defraud or deceive e-mail recipients and has obtained orders to stop false advertising and sometimes won disgorgement of ill-gotten gains.  


The FTC's recent three-day "Spam Summit", attended by a number of Canadian delegates, was used to solicit new ideas for curbing spam from industry leaders and legislators. The explosion of spam threatens to drive legitimate e-commerce into the ground. E-mail provides marketing opportunities for many companies, such as airlines that offer discount fares to subscribers or on-line booksellers. There are clearly many businesses that want to market through e-mail but fear doing so because the field is so populated by spammers.


Anti-spam proposals in the U.S. include legislation by Senator Charles E. Schumer, a New York Democrat, that would require the government to set up a “do not spam” list similar to the “do not call” registry the FTC is compiling to help consumers fend off unwanted telemarketing calls. Schumer’s bill would carry jail time for repeat offenders. Industry officials are sceptical that such a registry would be as effective as “do not call” lists that 25 states have created. The problem is locating the spammers.  


The FTC and Internet service providers, such as EarthLink and other companies, have gone to court to try to put spam senders out of business. In November of last year, EarthLink, which has sued more than 100 spammers, obtained a $25 million judgment against one operator and a court order directing him to stop sending unwanted e-mail.  There seems to be no one solution to the spam problem – it’s all about litigation, legislation, technical solutions and customer education.    


Hippocratic Databases – Incorporating Privacy Protection into the Database Structure

Advances in networking and database technology have brought vast amounts of data together, and as search and querying technology improves, these vast stores of data become increasingly meaningful to even the casual user. Electronic patient records are a perfect example of such networked data that has become increasingly popular in the health sector.        


In late December 2002, the U.S. Department of Defense reported that its efforts to computerize the medical records of military personnel were set back when hard drives containing the records of half a million personnel were stolen. The records included names, social security numbers, and medical claims histories. According to the Associated Press, the Defence Department had seen the new computerized system “as a potential ‘data gold mine’ for military physicians and other healthcare professionals that will provide quick and easy access to military patient records worldwide.”  


While this is perhaps the most spectacular recent medical privacy breach, it is not the only one. In Canada and the United States, patient record information has been compromised over and over again in the past decade. Indeed, many would argue that, when it comes to medical records, any compromise is unacceptable and that every reasonable effort should be made to safeguard such data. To that end, the U.S. government is mandating the enforcement of new patient privacy rules under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). HIPAA is a broad law that called upon Congress to delineate what rights patients have to control their own medical information, and what procedures and mechanisms would be followed for appropriate sharing of that information. The result is a broad set of regulations to be followed by healthcare providers, insurers, and related organizations such as medical researchers – anyone who handles patient information.  In Canada, Alberta and Manitoba have health privacy legislation in force, while health information is or will, as of 2004, be covered in the other provinces by Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA).  PIPEDA suggests that sensitive information be afforded a higher degree of protection, but does not offer special rules for health information in particular, as opposed to other types of information.  


Given the complexity of maintaining patient privacy in an increasingly digital world, it’s reasonable to ask if technology can support the requirement for privacy while also giving clinicians access to the information they need. Researchers at IBM’s Almaden Research Center in San Jose, California think the eventual solution to the patient privacy issue may involve a new approach to database technology itself. They have been developing the technology behind “Hippocratic Databases”. IBM Fellow Dr. Rakesh Agrawal is widely recognized as a leading thinker in the field of data mining – the discovery of useful knowledge previously hidden in massive amounts of raw data – and has been writing about privacy issues for several years. Agrawal’s idea of Hippocratic Databases presumes a system where “contracts” are created between databases and users to ensure the privacy and integrity of data.  IBM’s model for privacy-savvy databases may well have been inspired by the Hippocratic oath, but the principles of how to handle private information are broadly understood and articulated around the world, having been established in 1980 by the Organization for Economic Co-operation and Development (OECD). For example, the Canadian Standards Association Model Code for the Protection of Personal Information is based on these principles. IBM’s principles of a Hippocratic database are as follows:  


Purpose Specification
For personal information stored in the database, the purposes for which the information has been collected shall be associated with that information.  


Consent
The purposes associated with personal information shall have consent of the donor of the personal information.  


Limited Collection
The personal information collected shall be limited to the minimum necessary for accomplishing the specified purposes.  


Limited Use
The database shall run only those queries that are consistent with the purposes for which the information has been collected.  


Limited Disclosure
The personal information stored in the database shall not be communicated outside the database for purposes other than those for which there is consent from the donor of the information.  


Limited Retention
Personal information shall be retained only as long as necessary for the fulfillment of the purposes for which it has been collected.  


Accuracy
Personal information stored in the database shall be accurate and up-to-date.  


Safety
Personal information shall be protected by security safeguards against theft and other misappropriations.  


Openness
A donor shall be able to access all information about the donor stored in the database.  


Compliance
A donor shall be able to verify compliance with the above principles. Similarly, the database shall be able to address a challenge concerning compliance.


Security and encryption technologies are also increasingly in use with databases. Agrawal notes that databases can apply multiple levels of security to database items, for example, top secret, secret, confidential, and so forth. To date, though, these techniques have been implemented in ways that can make query results uneven or inaccurate – a "top secret" query could leave "confidential" records unreported, for example. Many of the Research Center's architectural ideas about Hippocratic databases have been inspired by such security issues.


The principle underlying the Hippocratic database architecture – which is a lab project rather than a product IBM is marketing – is to limit use of information based on the degree of consent a patient gives.
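To make the purpose-and-consent idea concrete, here is an added sketch (not IBM's code, and not the Almaden design) of a query gate over a SQLite patient table: every SELECT must name a declared purpose, may touch only the columns collected for that purpose, returns only patients who consented to that purpose, and drops rows past the purpose's retention window. The schema, patients, purposes and retention periods are constructed for the illustration.

```python
import sqlite3

# Constructed sample data. Each patient row records the day it was collected so
# Limited Retention can be enforced; CONSENTS records which purposes each patient
# agreed to (Consent); ALLOWED_COLUMNS records which columns were collected for
# which purpose (Purpose Specification / Limited Collection).
PATIENTS = [
    (1, "Ann",  "asthma",   "J45", 100),
    (2, "Bob",  "fracture", "S52", 900),
    (3, "Cara", "migraine", "G43", 950),
]
CONSENTS = [(1, "treatment"), (1, "billing"), (1, "research"),
            (2, "treatment"), (2, "billing"),
            (3, "treatment"), (3, "research")]
ALLOWED_COLUMNS = {
    "treatment": {"id", "name", "diagnosis"},
    "billing":   {"id", "name", "billing_code"},
    "research":  {"diagnosis"},           # no identifiers released for research
}
RETENTION_DAYS = {"treatment": 3650, "billing": 2555, "research": 365}


def open_db():
    """Build the in-memory sample database, including an access log."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE patient(id INTEGER PRIMARY KEY, name TEXT, diagnosis TEXT,
                             billing_code TEXT, collected_day INTEGER);
        CREATE TABLE consent(patient_id INTEGER, purpose TEXT);
        CREATE TABLE access_log(purpose TEXT, columns TEXT, row_count INTEGER);
    """)
    conn.executemany("INSERT INTO patient VALUES (?,?,?,?,?)", PATIENTS)
    conn.executemany("INSERT INTO consent VALUES (?,?)", CONSENTS)
    return conn


def disallowed_columns(purpose, columns):
    """Limited Use: the requested columns that were not collected for this purpose."""
    if purpose not in ALLOWED_COLUMNS:
        raise PermissionError(f"unknown purpose {purpose!r}")
    return set(columns) - ALLOWED_COLUMNS[purpose]


def purpose_query(conn, purpose, columns, today):
    """Run a SELECT only if it is consistent with the declared purpose."""
    extra = disallowed_columns(purpose, columns)
    if extra:
        raise PermissionError(f"{sorted(extra)} not collected for {purpose!r}")
    # Column names are interpolated only after passing the allowlist above, so
    # they can only ever be names we defined, never caller-controlled SQL.
    sql = (f"SELECT {', '.join(columns)} FROM patient p "
           "JOIN consent c ON c.patient_id = p.id "
           "WHERE c.purpose = ? AND p.collected_day > ? ORDER BY p.id")
    # Limited Disclosure: the join keeps only patients who consented to this purpose.
    # Limited Retention: rows older than the purpose's retention window are excluded.
    rows = conn.execute(sql, (purpose, today - RETENTION_DAYS[purpose])).fetchall()
    conn.execute("INSERT INTO access_log VALUES (?,?,?)",
                 (purpose, ",".join(columns), len(rows)))
    return rows


def openness_report(conn, patient_id):
    """Openness / Compliance: what is held about a donor and what they consented to."""
    record = conn.execute("SELECT name, diagnosis, billing_code FROM patient WHERE id = ?",
                          (patient_id,)).fetchone()
    purposes = [p for (p,) in conn.execute(
        "SELECT purpose FROM consent WHERE patient_id = ? ORDER BY purpose", (patient_id,))]
    return {"record": record, "consented_purposes": purposes}


if __name__ == "__main__":
    db = open_db()
    print(purpose_query(db, "research", ["diagnosis"], today=1000))   # Ann's row has expired
    print(purpose_query(db, "billing", ["name", "billing_code"], today=1000))
    print(openness_report(db, 3))
```

With `today=1000`, the research query returns only Cara's diagnosis: Ann consented too, but her row is older than the 365-day research window, and Bob never consented to research.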


But even technology’s biggest proponents agree that technology is only part of the solution. Regulation, marketing, financial incentive and culture change are all part of preserving some measure of privacy.