PrivaTips
March 2010
Federal Privacy Commissioner is Taking Sobeys to Court
Canada's privacy commissioner is taking the national grocery chain Sobeys to court over its practice of collecting information about the age of customers who purchase tobacco products.
Commissioner Stoddart says Sobeys doesn't need to store in its cash registers the date of birth of customers who buy tobacco and who are clearly 25 or older. In an application filed this week, Stoddart's office asked the Federal Court of Canada to order Sobeys to develop alternative procedures that don't require collecting birth dates. Sobeys has yet to file a response.
The action comes after Stoddart's office investigated a complaint against Sobeys and found the chain was breaching the Personal Information Protection and Electronic Documents Act (PIPEDA).
The company told investigators that sales clerks in Ontario stores must enter the birth dates of all customers into the cash registers when tobacco is sold. Although names are not recorded, the birth dates become linked with the customers' purchase history, according to Stoddart's application. The store said it followed this policy to comply with the Smoke Free Ontario Act, a provincial law that requires retailers to ask for ID from anyone buying tobacco who looks under 25, the application said. The legal age to buy tobacco products in Ontario is 19.
Stoddart's office issued a preliminary report last summer recommending a new approach to customers who are clearly 25 or older, but the chain said it would not change its policy of asking all tobacco buyers for ID. A report from the privacy commissioner contains only recommendations, which most respondents follow, but it is not binding. To get the recommendations enforced, the commissioner must apply for a court order.
A spokeswoman for Stoddart's office said other retailers have faced similar issues with Ontario's tobacco law and found solutions without "over-collecting" personal information.
[The Ottawa Citizen, February 23, 2010]
Alberta Privacy Commissioner Orders a Stop to Pre-Employment Credit Checks
Alberta's privacy commissioner has ordered Mark's Work Wearhouse to stop conducting pre-employment credit checks on job candidates.
The Office of the Information and Privacy Commissioner investigated the retailer after a job applicant filed a complaint and it found the retailer contravened the province's Personal Information Protection Act by running pre-employment credit checks.
The complainant applied for a job with Mark's Work Wearhouse as a sales associate and agreed to a credit check during the interview. He didn't get the job after the credit check revealed a credit issue, which he said was an error that he didn't have the resources to resolve.
The retailer told the investigator it conducted a pre-employment credit check because the information provides an assessment of how job applicants will handle financial responsibilities and whether they pose a probable risk of in-store theft or fraud. But the commissioner found the personal credit information collected by the retailer was not reasonably required to assess the complainant's ability to perform the duties of a sales associate or to assess whether he might have a tendency towards committing in-store theft.
Mark's Work Wearhouse agreed to cease the collection of personal credit information of sales associate applicants as part of its hiring process.
[Canadian HR Reporter, February 24, 2010]
Durham Region Responds to Ontario Privacy Commissioner's Order
The Region is tightening up procedures and increasing staff training following the loss of a computer device that held personal information of more than 83,000 people immunized at H1N1 clinics.
The moves come after Ontario's privacy commissioner criticized Durham Region for lax privacy and security policies.
In December, a public health nurse lost a USB key in the parking lot at Regional headquarters. On the key was personal information of the 83,524 people who received a flu shot at an H1N1 clinic offered by Durham Region. Information included each person's name, address, phone number, date of birth, health card number, name of their primary physician, and personal health information provided when they got the vaccination.
In January, Privacy Commissioner Dr. Ann Cavoukian issued a four-part order that included a requirement that Durham encrypt data stored on mobile devices, such as USB keys and laptop computers.
As of Feb. 12, all health department mobile devices are encrypted, so anyone finding a device would not be able to read the information without the decryption key, noted Dr. Robert Kyle, the Region's medical officer of health. Corporate information systems (CIS) staff will also undergo mandatory security and privacy training in March. The idea is that CIS staff would receive ongoing security and privacy training, not simply a one-time session when hired.
A 90-page response to Dr. Cavoukian's orders is being sent to the commissioner.
[Newsdurhamregion.com, February 26, 2010]
_________________________________________
January 2010
Privacy Concerns over Virtual Strip Searches
Following the failed Christmas Day bombing of a Detroit-bound flight, the federal government announced that 44 full-body screening machines will be installed at major Canadian airports in the coming weeks. Described in the press as the “naked scanner”, these machines can produce high-quality images of the naked body beneath a passenger’s clothes.
There are obvious privacy concerns, and it isn't clear that the new scanners will make air travel any safer: they would not have detected the explosives carried by the alleged bomber whose attempt prompted the new measures. Dr. Cavoukian, Ontario's Information and Privacy Commissioner, said that if privacy protections are built into the scanning systems from the start, the machines could comply with personal information protection safeguards. For example, the image can be reduced to a “chalk outline”, a depersonalized representation of the person being scanned on which threat objects, such as guns, are outlined. Other techniques include pattern analysis of the image to identify material next to the body that is not skin.
The Office of the Privacy Commissioner of Canada has stated that virtual strip searching needs to be better scrutinized. The Office also wants to know more about the government's plans to probe passenger behaviour at Canadian airports; the Federal Commissioner plans to ask for details of the program at a coming meeting with federal officials on air security issues. Since the behaviour program can only be based on the gathering of personal information, it raises privacy issues that must be examined very closely.
_________________________________________
November 2009
Legislative Updates: Alberta PIPA and the Criminal Code
There has been a recent flurry of activity when it comes to privacy-related legislation.
The Alberta government's Bill 54, as introduced in the legislature, fine tunes the Alberta Personal Information Protection Act, which regulates how private sector organizations can collect, use, disclose, protect and provide access to someone's personal information.
Frank Work, Alberta's Information and Privacy Commissioner, says he is pleased with many improvements introduced in the bill, including:
- Requiring organizations to notify his office of a privacy breach that could result in harm to an individual;
- Having companies notify individuals when they will be transferring personal information to a service provider outside of Canada (such as an international call centre or outsourcing of credit card transactions); and
- Making it an offence for organizations to fail to notify the commissioner's office of a privacy breach that poses a real risk of harm to an individual.
However, Work is frustrated that the province ignored the wishes of his office and the recommendations of a Tory-led committee that called for more comprehensive protection of private information. Non-profit agencies not conducting commercial activities, which include social service groups and most charitable organizations taking donations, won't be covered by the rules. They remain exempt from the Alberta PIPA, meaning many not-for-profit groups face no requirements on how to safeguard information and aren't subject to public complaints to the commissioner.
Meanwhile, with respect to the Criminal Code, Bill S-4, An Act to amend the Criminal Code (identity theft and related misconduct), recently received Royal Assent. As a result, there are now three new Criminal Code offences related to identity theft:
- Obtaining and possessing identity information with the intent to use the information deceptively, dishonestly or fraudulently in the commission of a crime;
- Trafficking in identity information, an offence that targets those who transfer or sell information to another person with knowledge of, or recklessness as to, the possible criminal use of the information; and
- Unlawfully possessing or trafficking in government-issued identity documents that contain information of another person.
Before Bill S-4 came into effect, police had to use other Criminal Code provisions to target identity theft. This new development should help law enforcement officials attack a growing problem: the Canadian Council of Better Business Bureaus has estimated that identity theft may cost Canadians more than $2 billion annually.
_____________________________
October 2009
IT Security Breaches - Employees are the Fastest Growing Threat
The 2009 joint study on Canadian IT security practices - conducted by TELUS and the Rotman School of Management at the University of Toronto - surveyed more than 600 Canadian IT security professionals.
According to the study, the number of IT security breaches almost doubled from the level reported in last year's study. As expected, breaches jumped during the financial downturn, as businesses and government organizations scaled back their IT budgets to save money. The average number of reported IT security breaches per organization rose to 11.3 in 2009, compared with three in 2008.
But lower security budgets aren't the only reason breaches tend to soar during tough economic times - employees themselves can often be the cause of such problems. As job losses mount, many leaving an organization take data with them.
About 33 per cent of the security breaches reported this year came from within companies, and unauthorized access by employees was the fastest-growing threat area, according to the managing director of TELUS Security Labs. Last year, about 17 per cent of Canadian organizations reported so-called "insider breaches"; this year, that figure has more than doubled to 36 per cent.
Of all the respondents surveyed, those in the government sector reported the biggest jump in security breach costs this year. Average annual security breach costs in the government sector more than tripled this year to $1,004,799, up from $321,429 in 2008.
New data security standards and legislation mean government agencies are doing much more data monitoring than in previous years, which inevitably leads to more reported security breaches. While threat levels have gone up during the economic downturn, organizations are also getting better at catching breaches that were already happening.
Federal Privacy Commissioner Reviews Six Popular Social Networking Sites
Think Facebook is the only social network site with privacy problems? Think again, says a study commissioned by Canada's Privacy Commissioner of popular social network sites.
The study found many of the sites have the same problems, ranging from not telling users enough about how their information is shared with advertisers and third parties to just how much of that information is shared.
Assistant Privacy Commissioner Elizabeth Denham said the study shows that users should be aware of how some social network sites are handling their information and their privacy. Denham wouldn't say if any sites appear to be violating Canada's privacy law. Nor could she say what changes may have been made by the sites since the report was written.
The report outlines the practices of six social network sites: Facebook, Hi5, LinkedIn, LiveJournal, Skyrock and MySpace.
Among the problems: some user information is viewable to non-users through public search engines. The Commissioner's office recommends that sites' default settings protect privacy, so that users who want to be more public would have to change their settings to do so.
You can access the report and its findings at www.priv.gc.ca/information/pub/sub_comp_200901_e.pdf.
Login Details for Thousands of Hotmail Accounts Breached
An anonymous user posted login details for more than 10,000 Hotmail accounts on pastebin.com, a site where software developers often share code. The list has since been removed. It showed only accounts starting with the letters A and B, suggesting it was a small slice of a much larger list. The addresses used the @hotmail.com, @msn.com and @live.com domains.
Microsoft confirmed that the login details were stolen in a phishing scheme - not in any security breach of the company's own systems.
Phishing is a large and growing problem on the Internet in which users are tricked into handing over their login details to unscrupulous actors. These schemes have become extremely sophisticated and often involve e-mail messages and Web pages that look like they come from legitimate companies but are entirely faked. Microsoft advised its customers "to exercise extreme caution when opening unsolicited attachments and links from both known and unknown sources" and to maintain up-to-date antivirus defenses.
Federal Privacy Commissioner Releases Annual Report
The Commissioner's 2008 Annual Report to Parliament on the Personal Information Protection and Electronic Documents Act (PIPEDA) was recently released and highlights the issue of youth privacy. It also looks at 2008 privacy complaint investigations; technology and privacy issues; and the Commissioner's efforts to encourage the development of international privacy standards.
Commissioner Stoddart noted that many people have been fired, missed out on job interviews and academic opportunities, and been suspended from school for instant messages, wall posts and other types of online correspondence they mistakenly thought were private conversations with friends.
There is also a risk that unguarded personal information could be exploited by identity thieves.
The Office of the Privacy Commissioner recently completed an investigation into the privacy policies and practices of the popular social networking site Facebook. While that investigation focused on Facebook's obligations under Canadian privacy law, the Commissioner emphasized at the time that, with nearly 12 million Canadians on Facebook, it's also important for users to adopt the appropriate privacy settings and to understand how their personal information may be used or shared online.
The Privacy Commissioner's Office has made online youth privacy a key priority, using contests, communications materials and a dedicated youth privacy website to reach out to young people and to encourage them to reflect on privacy issues and to "Think Before You Click."
The OPC received 422 new PIPEDA-related complaints for investigation in 2008, ending a downward trend that had lasted for several years. In 2007, there had been 350 complaints, fewer than half the 723 received in 2004.
The Commissioner's Annual Report to Parliament 2008 - Report on the Personal Information Protection and Electronic Documents Act can be found at http://www.priv.gc.ca/information/ar/200809/2008_pipeda_e.cfm
________________________
September 2009
Federal Privacy Commissioner Slaps Bell for Lack of Transparency
Canada's Privacy Commissioner, Jennifer Stoddart, has ruled that Bell could better explain what it is doing with deep packet inspection (DPI), the technology it uses to slow the traffic of high-bandwidth users.
Stoddart found that Bell collects only the IP addresses of subscribers' routers or computers, which appear in the header of every packet sent over the Internet. These dynamically assigned IP addresses do not by themselves identify an individual, but Bell can link them to a subscriber's user ID. Stoddart concluded that IP addresses are therefore personal information, and that the telco could do a better job of explaining what it does with them.
The privacy commissioner's investigation stemmed from a complaint that Bell uses DPI to collect personal information from its Internet customers without their consent, that it collects more personal information than is necessary to manage its network and that it doesn't adequately inform customers of the practice.
While Stoddart concluded that Bell collects and uses the IP addresses she also found "no evidence to believe that they are retained after they are no longer needed for the purpose of real-time traffic flow management."
Stoddart apparently accepted Bell's evidence that its DPI devices don't capture personally identifying information about an individual user, and that Bell does not store or log any personally identifiable information, including a user's real identity, browsing history, e-mail or other content. With a filter on any network element Bell could inspect content, but the telco said it doesn't.
However, the Commissioner's office noted that DPI can link a user's computer or router, through its dynamic IP address, to a user ID, although not to the name of the user. The office has ruled before that an IP address is personal information. As a result, it concluded that Bell can identify the addresses not only of its own subscribers but also of others whose traffic crosses Bell's network - for example, a non-Bell subscriber who sends an e-mail to a Bell subscriber.
As for whether subscribers know this, the office noted that in its written agreements after August 2008, Bell told subscribers only "in a general way" that it might monitor their traffic.
The office noted that specific information about how and why Bell uses DPI is available on the company website in the form of questions and answers, under the heading 'Network management.' However, Stoddart added, there is no direct link to this page from Bell's privacy statements, meaning crucial information is spread out across Bell's Web pages.
___________________________________________
August 2009
Federal Privacy Commissioner Finds American Online Company in Violation of PIPEDA
Office of the Privacy Commissioner (OPC) Case Summary #2009-009:
An investigation by the Office of the Privacy Commissioner of Canada (OPC) has concluded that Accusearch, Inc., doing business as Abika.com, a Wyoming-based search services website, violates key provisions of Canadian privacy law in its collection, use and disclosure of the personal information of residents of Canada.
Abika.com provides a range of search services on individuals by engaging third-party researchers who search for and obtain personal information about individuals from a variety of public and private records and databanks. It also provides a service under which it compiles “psychological profiles” of the behaviour and personal traits of specifically identified individuals.
The U.S. Federal Trade Commission (FTC) separately investigated the activities of Abika.com, successfully bringing suit before the District Court for the District of Wyoming to curtail the sale of confidential consumer information. The U.S. Tenth Circuit Court of Appeals recently affirmed the lower court ruling. The OPC filed an amicus curiae (friend of the court) brief in that appeal in support of the FTC position, arguing that the online trade in personal information across international borders threatens the privacy rights of Canadians and the reputations of Canadian businesses.
In its decision, the Tenth Circuit Court of Appeals affirmed that Abika.com was in the business of soliciting customer requests for confidential information and then paying researchers to obtain it. The court also affirmed that the company knew that its researchers were obtaining the information through fraud or illegality. In so doing, Abika.com “knowingly sought to transform virtually unknown information into a publicly available commodity.” As a result of this important decision, Abika.com remains under an injunction prohibiting it from trading in confidential customer phone records, as well as other non-public “consumer personal information” without express written permission from the consumer.
This U.S. court decision clearly recognizes the harm to privacy resulting from unauthorized online trade in personal information and offers important new protection to citizens on both sides of the Canada-U.S. border.
Responding to a three-part complaint, the OPC conducted its own investigation of the information-handling practices of Abika.com.
Based largely on information provided by the FTC, the investigation determined that the American company disclosed the personal information of Canadians, without their knowledge or consent, to third parties. The Assistant Privacy Commissioner concluded that such actions contravene the Personal Information Protection and Electronic Documents Act, which governs private-sector companies.
Moreover, the Assistant Commissioner found that Abika.com typically accepts and fulfils requests for personal information without considering whether the request is for an appropriate purpose. In some cases, in fact, the company knowingly turned over the personal information of Canadians for purposes that a reasonable person would consider highly inappropriate in almost any circumstances.
A third element of the complaint, relating to the accuracy of the personal information that was disclosed about the complainant in a prepared “psychological profile”, was dismissed on the grounds of insufficient proof. The Assistant Commissioner did, however, underscore her suspicions that much of the psychological profile was highly questionable and inaccurate.
The Assistant Commissioner has recommended that Abika.com stop collecting, using and disclosing the personal information of people living in Canada without their knowledge and consent. The company did not provide a substantive response to the recommendations within the timelines set by the Assistant Commissioner. It was not considered reasonable in the circumstances to grant a request from American counsel representing Abika.com for a further time extension.
The Assistant Commissioner recognized and thanked the U.S. Federal Trade Commission for its invaluable assistance in this investigation. This is an important step in international co-operation and collaboration that will become increasingly necessary to adequately protect privacy rights on both sides of the border in years to come. The collaborative efforts of the OPC and the FTC in this case have enhanced and ensured consistency in approach between the two jurisdictions.
Growth of Identity Theft in Canada
The Office of the Privacy Commissioner of Canada's blog post entitled "Who are these identity thieves?" states that based on a recent survey conducted by the Office, one Canadian out of six has been the victim of some form of identity theft and that more than 90% of Canadians report that they are concerned about identity theft. The Privacy Commissioner’s post cites a report by Benoit Dupont, the Canada Research Chair in Security, Identity and Technology at l’Université de Montréal, and his colleague Guillaume Louis, which offers an illuminating profile of identity thieves. Here are some highlights:
- 1.7 million Canadians were affected by identity theft in 2008.
- More than 45% of cases of identity theft involve Internet use. However, the way “offenders” use the Internet is not as significant as we might think in terms of acquiring the victim’s personal information. On the contrary, it plays a greater role in actually committing fraud.
- “Women account for nearly 40% of offenders. We believe that this strong presence can be attributed to the absence of violence inherent to this sort of crime and the possibility of committing the crime without help from an accomplice.”
- “Identity thieves are relatively older than other offenders; the average age is 33 years.”
- “Offenders acted alone in the majority of cases (64.6%), which seems to contradict the theory of extensive involvement by organized crime in this type of offence.”
The Privacy Commissioner’s post also cites a 2008 report released by the McMaster eBusiness Research Centre that showed that victims spent more than 20 million hours and $150 million resolving problems associated with these crimes.
Identity theft has shown one of the fastest-growing crime rates in recent years. An increasing number of measures are being taken to give Canadians the tools they need to prevent identity theft and to encourage businesses and government organizations to properly protect the personal information they store. Nonetheless, as the Privacy Commissioner's office stresses, day-to-day vigilance matters above all else.
B.C. Commissioner Warns Bar and Nightclubs to Respect Privacy
B.C.'s Information and Privacy Commissioner, David Loukidelis, has issued a warning to all bar and club owners that they should pay attention to a recent ruling involving the Wild Coyote nightclub in South Vancouver.
Loukidelis ordered the club owner to stop collecting information from scanned photo identification and to destroy any information it has retained from this activity. In his ruling, Loukidelis declared that the bar could not force customers to furnish photo identification to be scanned as a condition to enter the premises, as this violated section 7.2 of the B.C. Personal Information Protection Act which states: "An organization must not, as a condition of supplying a product or service, require an individual to consent to the collection, use or disclosure of personal information beyond what is necessary to provide the product or service".
Most bars and nightclubs in B.C. strongly disagree with the commissioner's ruling. Barwatch and the Vancouver Police Department have signed an agreement that allows police officers to remove from bar premises undesirable customers who are pointed out by staff. The chairman of the Barwatch program has scheduled a meeting with Loukidelis in hopes of finding a common-sense route through the thorny intersection of public safety and personal privacy.
______________________
July 2009
U.S. Border Policy on Laptop Breaches
The U.S. Customs and Border Protection practice of conducting suspicionless searches of travellers’ laptops is now being challenged by the American Civil Liberties Union. The ACLU has made a formal request under the U.S. Freedom of Information Act for records setting out or touching upon the policies establishing and governing this search practice, as well as data on the number of searches made over the past year and the characteristics of the persons whose devices were searched. The request is intended to support the ACLU's argument that these searches may infringe the constitutional rights of travellers.
On July 16, 2008, U.S. Customs and Border Protection ("CBP") published its Policy Regarding Border Searches of Information. The CBP policy asserts that in the course of a border search, even “absent individualized suspicion”, officers can “review and analyze the information transported by any individual attempting to enter, reenter, depart, pass through or reside in the United States.” The policy sets forth no criteria for determining who may be searched. CBP officers may examine, in addition to documents, books and other printed material, “computers, disks, hard drives and other electronic or digital storage devices.” They may detain documents and electronic devices, or copies thereof, “for a reasonable period of tim