Home / Privacy Resources / Article Search / PrivaTalk - August 2003

PrivaTalk - August 2003

PrivaTalk

August 2003
Volume 3
Issue 8

Air Canada Gets Into Trouble with Privacy Once Again

Members of Air Canada’s frequent flyer program, Aeroplan, recently had crucial personal information – such as their phone number, e-mail address and recent account activity –made available on the plan’s Web site due to a technical glitch.  


Those who visited the Web site were able to view the profiles of other Aeroplan members. The information available included: the person’s name; home address; telephone numbers; date of birth; date of joining Aeroplan; the balance; and account activity, such as number of reward flights taken. However, credit card numbers and Web site passwords were not available.  


Air Canada said the problem resulted from a glitch in its technical network, and was not the result of hackers tapping into the system.  


Some Aeroplan members who were aware of the security breach and informed Air Canada are angry because they allege it took the airline roughly two hours before it shut down the Web site, which would be enough time for people to gather data for marketing purposes.  


According to Aeroplan, IBM Canada, which runs Aeroplan’s computer system, was aware of problems with the Web server. They endeavoured to correct the glitch in real time, but when it became apparent that was not possible, they actually shut down the site.  


The security breach raised concerns among privacy experts. When people join Aeroplan, they assume any information they give will be kept secure. It is quite surprising that Air Canada has one of the single largest repositories of personal information in the Canadian private sector, but does not have 24-7 technical support on their network systems.  


Aeroplan has about six million members, making it one of the biggest loyalty programs in the country. Members accumulate points either by flying on Air Canada or making purchases with certain credit cards. About 1.4 million round trips were redeemed for travel through Aeroplan, on either Air Canada or a Star Alliance partner, in the past year.  


A recent Statistics Canada study indicated that more than 75% of Canadians who use the Internet for shopping worry about privacy and security.  This is understandable given events such as Air Canada’s recent breach.  Inadvertently revealing personal information on-line may not be common, but it’s enough to scare those who actually submit personal information to companies on-line.  

Privacy Battles being Won and Lost by the Telephone Companies

On June 3rd, 2003, the Federal Court released the first full decision under the Personal Information Protection and Electronic Documents Act  (PIPEDA) based on an application for a hearing with respect to a report prepared by the Federal Privacy Commissioner.  The applicant Mathew Eglander, a lawyer residing in Vancouver, British Columbia and a customer of Telus Communications Inc., claimed that in charging him a monthly fee for maintaining an unlisted number, that is, charging him for withdrawing his consent to be listed, the phone company was in violation of the federal privacy legislation.  Eglander also claimed that Telus does not receive adequate consent to publish customers’ personal information in Telus directories in the first place.  


Eglander filed his compliant with the Commissioner’s office on January 1, 2001, the day the privacy legislation came into force for federally regulated companies such as Telus.  The Commissioner found that Telus’ practice of initiating services includes obtaining valid consent from its customers to publish their personal information in its publicly available directory, and that charging $2.00/month for an unlisted number, as allowed under a Canadian Radiotelevision and Telecommunication Commission (CRTC) Tariff, is not an unreasonable practice.  


In upholding the Commissioner’s decision, the Federal Court deferred to the CRTC, stating: “Given that the CRTC’s special expertise and mandate in the telecommunications sector requires the CRTC to balance social and economic imperatives and to actively regulate the telecommunications sector, the only reasonable conclusion is that Parliament intended that any privacy matter that has any effect on the rates, tariffs and regulations imposed by the CRTC remain in the exclusive jurisdiction of the CRTC.”  


The decision can be found at http://decisions.fct-cf.gc.ca/fct/2003/2003fct705.html  


Meanwhile, at the end of April, the Federal Privacy Commissioner found that the complaint of an individual claiming her telephone company had disclosed her name and unpublished telephone number, via its call display service, without obtaining her consent was well-founded.  The company did not believe that non-published number subscribers have a reasonable expectation that their number will not be displayed on a display screen of a party called who had subscribed to call display service.  


The Commissioner acknowledged that the company had taken steps to inform its customers of the privacy implications of its call display service. However, with the exception of the pamphlets it sent to its customers in 1992 and 1994, most of the company’s efforts have been focused on informing new customers of the blocking options available. It has instructed customer service representatives to inform individuals subscribing to the non-published number service about the implication of call display and blocking options. Since 1994, it has included information on this issue in its telephone directory.


Generally, the Commissioner was of the view that new subscribers are being reasonably informed of the privacy implications, and that by going forward with the non-published service, they are consenting to the possible disclosure of their number. When it comes to new subscribers, therefore, the requirements of the legislation appear to be met.


However, the same could not be said of long-time subscribers, such as the complainant, who clearly did not know that her non-published number would appear on call display screens.


He noted that a subscriber to a non-published number service but not to call display might not have read the pamphlets. For a similar reason, the same individual would not likely look in the telephone directory under call display or privacy issues to find out if their number would appear on the screen. As a result, the Commissioner determined that the company had not obtained the informed consent of subscribers who had non-published numbers when call display came into effect, and thus contravened Principle 4.3 of the law.  


Prior to the last approved tariff in 1994, the CRTC concluded that the introduction of call display with appropriate built-in safeguards would provide subscribers with the ability to select the most appropriate means of protecting their own privacy concerns. The CRTC observed that providing call blocking to all non-published number subscribers would significantly erode both the value of the call display service and the effectiveness in reducing annoying and offensive calls. The CRTC concluded that a net benefit would be achieved by such a service and that it was in the public interest to approve the service.  


While the Commissioner recognized that the company would have to return to the CRTC in light of its earlier decision, he nevertheless recommended that the company take steps to ensure that the personal information of non-published telephone number subscribers is automatically blocked from appearing on call display screens without requiring any action on the part of the subscriber.  Thus, the Commissioner showed little deference to the CRTC in this case.  Given the Federal Court’s recent decision in the Eglander case, and the Court’s comments on the CRTC’s mandate to balance privacy with social and economic imperatives, the Commissioner’s decision on non-published numbers may not hold up in court.

Identity Theft Insurance Gains Popularity

A growing number of insurance companies are starting to offer coverage for identity theft – the top consumer fraud complaint to federal regulators in the United States for the past three years.  We’re seeing more cases of identity theft in Canada as well, and insurance coverage is likely to follow.  


Identity theft insurance is offered by some credit card companies, credit bureaus and a handful of insurers.  At least five carriers in the States are offering such protection through their homeowner’s or renter's policies. The premiums typically cost $25 to $50 a year and provide $15,000 to $25,000 worth of protection.  


Identity theft can stop consumers from getting credit cards, car and education loans or mortgages. In extreme cases, it can take months or years and thousands of dollars to resolve. It is also possible that victims may be arrested for a crime they did not commit because a thief is using their identity.  


The Federal Trade Commission reported that last year of the more than 380,000 consumer fraud complaints it received, 43 percent, or more than 160,000, were about identity theft. Complaints about Internet auctions came in second in 2002 at 13 percent.  


Identity theft insurance cannot reduce the odds of becoming a victim, but what it does do is help pay for victims’ out of pocket expenses. After a deductible, perhaps $100, the insurance money could go toward expenses individuals incur on their own in efforts to restore their credit history. This may include lost wages because of time away from work to try to straighten out the situation, as well as legal fees. Insurance money may also go toward long-distance calls to merchants, payments to notaries and expenses for certified mailings. 


Some insurance companies offer identity theft insurance as a rider to an existing policy or as a standalone product. Others, such as the Chubb Group of Insurance Companies, includes identity-theft coverage as part of its homeowner’s policies at no additional cost, but does not sell such coverage separately.  


Identity theft insurance also reflects the trend of traditional insurance companies creating specialty products for very specific needs.  


In the United States, the Identity Theft and Assumption Deterrence Act enacted by Congress in 1998 makes identity theft a federal crime, and violations are investigated by federal law enforcement agencies, including the U.S. Secret Service and the FBI. Individuals found guilty could serve up to 15 years in prison.  


Consumers should be sure to study identity theft insurance policies carefully, and find out if the policy will cover things like reimbursement for lost wages, legal fees, or loan applications.    

U.S. Privacy Initiatives – the Patchwork Gets More Complicated

How many privacy-related laws can one country have? Without a general private sector privacy law, as most other countries have or are in the process of enacting, we will never see an end to the confusing patchwork of privacy legislation in the States.  This becomes clear when we look at recent legislative developments.


The newly released Safeguard Against Privacy Invasions Act would require companies using spyware to get permission from computer users before installing the software on their machines. Spyware is the software that companies secretly install to monitor people’s Internet habits and gather information about them. The software itself is not illegal, and many companies disclose their use of spyware in licensing agreements. However, few people read the fine print of those agreements, meaning the software is  often installed unknowingly on a person’s computer. Companies that utilize spyware can sometimes view everything from passwords to credit card numbers of unknowing consumers.


It is hoped that through the new bill, users will knowingly agree to the conditions under which spyware operates before it can be installed on their computers. The bill would require companies to post an agreement in a conspicuous location telling computer users that spyware is being installed. Companies also would be required to get the user’s permission. Businesses that collect personally identifiable information would have to post an additional notice warning people of their plans. Furthermore, companies that install spyware would have to disclose a valid name, street address and e-mail. The Federal Trade Commission would be in charge of regulating the process and imposing penalties on companies that do not comply.


The measure is the second permission-based technology bill introduced in Congress in the past little while.  Legislation aimed at curbing children’s access to porn on file-sharing networks was recently unveiled as well. That measure would require peer-to-peer companies to get permission from parents before installing software on a minor’s computer.


Congress has also seen numerous anti-spam initiatives recently.  Many feel such initiatives will destroy the commercial use of e-mail.  


Meanwhile, health care providers are struggling to meet the Health Insurance Portability and Accountability Act (HIPAA) rules.  Compliance requires detailed documentation when patients’ medical records are released.  The new rules give patients greater access to their health records and the chance to correct information themselves.  The privacy change is one of the most sweeping in the health care industry in many years.  


As privacy laws sprout weekly in the United States, companies operating in the U.S. are struggling with what laws apply to them and how these laws interact. 

Privacy and Security Concerns make Canadians Fearful of Purchasing On-Line

A recent study by Ipsos-Reid indicates that many Canadians are fearful about what’s going to happen with their credit card information when buying products or services on-line. In fact, contrary to the theory that such fears would collapse as familiarity with the Internet grew, Canadians are even more anxious about Web security and privacy than we were last year.  


So worried are Canadians about security, that only 42 per cent of Web users in Canada have ever made a purchase on-line, compared with 75 per cent of their counterparts in the United States.  


Here’s what the study said makes Canadians uneasy about buying things from e-tailers:  


- Sixty per cent are very concerned about the security of e-commerce computer databases that house their credit card numbers;  


- Fifty-eight per cent of Canadians fret that once their card numbers are in the database, they will be used to make unauthorized purchases;  


- Fifty-seven per cent worry that their credit card data will be intercepted as it flows from their computers to the e-tailer;  


- Forty-seven per cent are convinced that there’s potential for e-tailers to peer electronically into their home or office computer.  


Even further, 39 per cent of Canadians were also fretful that if there is a problem with an on-line purchase, they won’t be dealt with fairly by the e-merchant.  As well, the study found that 32 per cent of Canadian adults who use the Internet for at least one hour a week are more concerned about on-line security than they were a year ago.  Only 13 per cent are less concerned, while 54 per cent are neither more nor less concerned.  


Contributing to this anxiety are not only news reports of Internet security breaches, but also the fact that 35 per cent of Canadians surveyed report having had a breach of personal information they submitted on-line. That’s up from 21 per cent in June of 2001 and 18 per cent in December 2000.  While the breaches may seem relatively minor when compared with credit card information theft – 95 per cent say their e-mail addresses have been subscribed to unwanted e-mail; 29 per cent have had personal data sold and just six per cent have had personal information made public – they do contribute to a general climate of e-commerce fear.  


You would expect as people purchased their goods on-line and got them securely that they would change their attitude.  According to Ipsos-Reid, this is not the case because supposed minor breaches are being translated into more serious concerns.  That is, if people’s names are being passed on to third parties and they’re being spammed, they’re also questioning whether their credit card can be intercepted or whether it’s being housed properly.  


To make sure their on-line purchase is secure, individuals should:  


- Only shop with reliable e-commerce merchants.  


- Be careful about giving out personal details. Read the merchant’s privacy policy and check whether details required are truly needed to complete the transaction;  


- Make certain the online transaction is being transmitted in encrypted form (through what’s called a secure sockets layer). You can tell if this is the case by looking at the lower left side of your browser window. In the case of Internet Explorer, look for a locked padlock. In the case of Netscape look for an unbroken key. The URL should begin with https:// rather than the usual http://;  


- Make sure that the “secure document message” is working on your browser. This notice comes up when you are entering or leaving a secure page.  


- Keep a printout of your Internet payments so you can always know what purchases you have made.  


- Never give out your credit card number except when placing an order. Don't do it for any other reason.  


- When your Visa card-issuing institution begins to offer the Verified by Visa service – that lets you set up a personal password and authenticates online merchants – consider using it. This should be in effect at most institutions across Canada by the end of this year.  


Fears about entering credit card numbers on-line are likely also related to the drastic rise in identity theft south of the border.  A recent study conducted by Harris Interactive and funded by Privacy & American Business show 33.4 million Americans say they have been victims of identity theft or fraud since 1990, with over 13 million since January 2001 and rising.  The survey defined identity theft as a situation where someone assumes the identity of another and makes telephone calls or obtains merchandise, credit, or other valuable things in their name.  


Survey respondents provided actual stories of how they were victimized by identity thieves. Of those who knew how the identity theft or fraud was committed, 34% said someone obtained their credit card information, forged a credit card in their name, and used it to make purchases.  


E-commerce fears are here to stay as long as identity theft and on-line fraud continue.  Regardless, the prevailing sense that things are insecure on-line should make e-tailers and credit-card companies alike take more of a proactive approach to alleviating concerns.

IBM Introduces EPAL for Privacy Management

IBM has introduced a set of tools that will help companies automatically set and manage privacy policies that govern access to sensitive data stored in corporate applications and databases.  


IBM’s new XML-based programming language called Enterprise Privacy Authorization Language (EPAL) allows developers to build policy enforcement directly into enterprise applications. The move is another in a series by IBM to create a suite of tools and software to support identity management, a broad initiative that relies on user identity to control access and secure systems.  


EPAL allows companies to translate clearly stated privacy policies into a language a machine can read and act upon called XML. EPAL builds on current privacy specifications, namely the Platform for Privacy Preferences (P3P) that provide privacy controls for information passed between business applications and consumers with browsers. EPAL lets companies use those privacy controls internally with their corporate users.  


The language will be part of an infrastructure that will include monitors that are built into the interface of corporate applications and databases. IBM will use its Tivoli Privacy Manager as a hub that the monitors plug into to check policies. The Privacy Manager will store policies, as well as, log and audit access to data as a means to document policy enforcement.  


A group of North Carolina State University students working in conjunction with IBM have developed the Privacy Authoring Editor as an open source project that is available on SourceForge.net and that is used to author and edit privacy policies using EPAL.  


IBM also has two tools that help companies link existing applications to Tivoli Privacy Manager and other privacy management software. The Reference Monitor for Tivoli Privacy Manager and the Declarative Privacy Monitoring for Tivoli Privacy Manager allow companies to build privacy into applications without having to hard-code privacy features into each application. For example, Declarative Privacy Monitoring could be used to add privacy to a Java-based Web application without having to modify the Java code.  


As an example of EPAL’s use, an EPAL health-care application, for example, can include a policy that lets doctors see patient records only if they are the patient's primary-care physician and the patient is notified in advance. The application then enforces that policy by controlling the interactions between the application and the database with the patient records.  


IBM plans to submit its EPAL language to a standards body within the next few months, possibly the Organization for the Advancement of Structured Information Standards or the World Wide Web Consortium. IBM is testing the software with 25 of its largest customers, including eBay, Fidelity Investments and Marriott International.