#CyberFLASH: Using Big Data for targeted advertising could violate Canadian privacy law

 

BCE Beats Profit Estimates as Smartphone Subscribers GainOn April 7, 2015, the Privacy Commissioner of Canada ruled in its Report of Findings #2015-001 against Bell, one of Canada’s largest telecommunications companies. The Commissioner ruled Bell’s targeted advertising program violated federal privacy law, the Personal Information Protection and Electronic Documents Act(PIPEDA), since Bell did not obtain adequate consents for facilitating the delivery of third party behaviourally targeted ads to its customers. Following the release of the Commissioner’s Findings, Bell decided to withdraw its Relevant Ads Program and delete all existing customer profiles related to the program. It is important to note the decision did not take into account whether Bell was in compliance with the Telecommunications Act(Canada), and this issue is currently before the Canadian Radio-television and Telecommunications Commission (CRTC).

The purpose of PIPEDA is to establish rules to govern the collection, use and disclosure of personal information in a manner that recognizes: (a) the right of privacy of individuals with respect to their personal information; and (b) the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances. In making its analysis, the Commissioner examined the sensitivity of the information and the reasonable expectations of Bell’s customers.

The decision establishes “Big Data” as sensitive personal information. Big Data is a broad term used to describe vast amounts of data, collected over time or from multiple sources. Using data analytics or other forms of computational interpretation, Big Data may reveal human preferences, behavior and patterns. Principle 4.3.6 of PIPEDA provides express consent is the appropriate form of consent when personal information is likely to be considered sensitive. The Commissioner found the breadth of information gathered from multiple sources would render the information, when compiled, more sensitive than the individual elements of that information. These multiple sources included:

  • Internet, television and telephone network usage information (such as websites visited and apps used on a mobile device);
  • demographic information (such as billing address, age, gender, language, credit score, average revenue, payment patterns, plan type and mobile device information); and
  • information generated or inferred (e.g. customer interest categories).

Read more here

#CyberFLASH: Sorry Bell, accessing U.S. Netflix is not theft: Geist

house-of-cards.jpg.size.xxlarge.letterboxBell Media president Mary Ann Turcke sparked an uproar this week when she told a telecom conference that Canadians who use a virtual private network (VPN) to access the U.S. version of Netflix are stealing.

Turcke is not the first Canadian broadcast executive to raise the issue – her predecessor Kevin Crull and Rogers executive David Purdy expressed similar frustration with VPN use earlier this year – but her characterization of paying customers as thieves was bound to garner attention.

Turcke’s comments provide evidence of the mounting frustration among Canadian broadcasters over Netflix’s remarkable popularity in Canada. Netflix launched in Canada less than five years ago, yet reports indicate that it now counts 40 per cent of English-speaking Canadians as subscribers. By contrast, Bell started its Mobile TV service within weeks of the Netflix launch, but today has less than half the number of subscribers.

While Canadian broadcasters may be unhappy with subscribers that access the U.S. service, the problem is primarily a competitive issue, not a legal one. Some estimate that 25 per cent of Canadian subscribers have used a VPN to access Netflix. That means 75 per cent of subscribers – millions of Canadians – are content with the Canadian service that offers the largest Netflix library of content outside of the U.S.

Turcke’s claim that the minority of Canadian subscribers who access U.S. Netflix through VPNs are “stealing” simply does not withstand legal scrutiny. Those subscribers might be breaching the Netflix terms and conditions, but that is not breaking the law.

Read more here

#CyberFLASH: Bell faces $750 million lawsuit over targeted ad program

bellThe battle over BCE Inc.’s contentious targeted advertising program is moving into the courtroom after a $750-million class action lawsuit was filed against its Bell Mobility and Bell Canada units.

Court documents filed with the Ontario Superior Court of Justice allege that the Mississauga, Ont.-based subsidiaries of BCE breached contractual obligations, privacy laws and the Telecommunications Act resulting from their “unauthorized use and disclosure of [clients’] personal information” to a third party without explicit consent. By doing so for a fee, Bell was “unjustly enriched” and ought to be financially liable for “the anguish, suffering and distress” caused by its “unlawful intrusion,” the filings state.

Bell spokesperson Jacqueline Michelis declined to comment on the lawsuit, filed Thursday.

Ted Charney of Toronto’s Charney Lawyers, one-half of the counsel representing plaintiff Settimo Tocco, a Bell Mobility client with data service who resides in Windsor, Ont., estimates as many as five million of Bell’s 7.9 million wireless customers were tracked under the so-called Relevant Advertising Program (RAP) through their use of Internet data, making this “the largest privacy breach ever ” in Canada.

“We think there’s going to be some damages awarded to each class member, and the real question is ‘what’s the amount going to be?’” Charney said in an interview Friday. “Could be anywhere from a couple hundred dollars to a couple thousand dollars, depending on the nature of the privacy breach and the circumstances of how the breach happened.”

Read more here

 

#CyberFLASH: FBI watched as hacker dumped Bell Canada passwords online

10712553When Bell Canada’s website was hacked last year — and the accounts and passwords of more than 12,000 Canadians posted online — the Federal Bureau of Investigation was not only watching, but letting the hackers stage the attack from what was secretly an FBI server.

The bureau had spent more than a year keeping tabs on the 15-year-old Canadian teenager, who discovered the vulnerability then passed it to an American counterpart. It was the American who carried out the cyberattack on behalf of a collective calling itself NullCrew.

The details emerged in an Ottawa courtroom last month after the Canadian teen pleaded guilty to a single count of unlawfully using a computer.

The 15-year-old teen, who used the online nickname “Null”, discovered a weakness in a Bell Canada login page. It allowed someone to gain access to the usernames and passwords of small and medium-sized business customers that were contained within a database maintained by a third-party supplier to Bell.

The teen didn’t post the data, but instead shared how to access it using what is known as a SQL injection attack with another NullCrew member named “Orbit.”

Read more here

#CyberFLASH: Why Bell’s opting-out approach isn’t good enough

BCE Beats Profit Estimates as Smartphone Subscribers GainBell’s targeted advertising program, which creates customer profiles that include age, gender, account location, credit score, pricing plan, and average revenue per user, generated controversy from the moment it was announced in October 2013. The communications giant maintained that it complied with Canadian privacy laws, yet many clearly disagreed as the Privacy Commissioner of Canada received an unprecedented barrage of complaints.

While concerns about tracking Internet usage and search queries garnered headlines, the fundamental legal issue was whether Bell was entitled to force its millions of customers to opt-out of the targeted advertising program if they did not wish to participate or if the law requires an explicit, opt-in approach in which consumers must proactively ask to be included before their tracking information is used for advertising purposes.

This week the Privacy Commissioner of Canada rendered his verdict: Bell’s targeted advertising program violates the law since the consumer data used by Bell is sufficiently sensitive such that an opt-out approach does not adequately protect user privacy. Bell argued that the information it collects is non-sensitive and that opt-out was therefore good enough.

If the consumer data is taken piece by piece, Bell might have been right. Yet in an era of “big data”, the Privacy Commissioner effectively concluded that the sum of personal information is more than the parts. In the case of Bell, he placed the spotlight on the remarkable scale of the company’s data collection and usage:

Read more here

#CyberFLASH: Privacy commissioner studies Bell ad tracking

Apple Hosts Event At Company's Town HallThe issue of Bell Canada tracking Internet use in order to deliver targeted online advertising remains unresolved even though the company has accepted a privacy commissioner’s recommendation that it first seek customer consent.

“I would just caution that the real issue is still in front of the CRTC, which is whether they are allowed to do this at all,” said John Lawford, executive director of the Public Interest Advocacy Centre.

Calling the practice an abuse of privacy, the consumer group has filed a complaint with the Canadian Radio-television and Telecommunications Commission, arguing Bell has gone beyond its role as a provider of telecom services.

Lawson says telecom legislation prohibits Bell from using confidential information to support a new business that secures revenues from selling to advertisers the interest profiles of its customers.

Bell tracks only customer Internet use by cellphone clients at present, but has indicated it would extend that to landlines and to TV viewing habits, having argued for more than a year that customers could opt out if they so wished.

Read more here

#CyberFLASH: Bell Canada Seeks Reversal Of CRTC’s Net Neutrality Ruling In Federal Court

BCE Beats Profit Estimates as Smartphone Subscribers GainBell Canada has gone to court to overturn a ruling from Canada’s telecom watchdog that requires the media giant to price competing streaming services at the same rates as its own.

The Canadian Radio-Television and Telecommunications Commission (CRTC) ruled last month that Bell had been “unlawfully” setting a double standard by exempting its $5-a-month Bell Mobile TV app from download limits it places on subscribers to its mobile network.

That ruling stemmed from a 2013 complaint to the CRTC by activist Ben Klass, which argued that Bell in effect was marking up prices for competing streaming services by as much as 800 per cent.

Bell filed a lawsuit Friday in the Federal Court of Appeal, the Globe and Mail reported, arguing that the CRTC was wrong to issue its decision under the authority of the Telecommunications Act, because its Bell Mobile TV app is a broadcasting service.

Read more here

#CyberFLASH: Why Bell’s targeted ad approach falls short on privacy: Geist

bell.jpg.size.xxlarge.letterboxIn October 2013, Bell announced the launch of a targeted advertising program that uses its customers’ personal information to deliver more “relevant advertising.” The announcement sparked hundreds of complaints with the Privacy Commissioner of Canada and a filing by the Public Interest Advocacy Centre over the same issue with the Canadian Radio-television and Telecommunications Commission.

Nearly a year and a half later, the complaints and filings remain unresolved. The CRTC case has succeeded in placing considerably more information on the public record, however, offering a better perspective on what Bell is doing and why its privacy approach falls short.

From Bell’s perspective, the targeted advertising approach, which it calls RAP or Relevant Ads Program, does not involve the collection of additional information (it already collects whatever is being used) and the company allows users to opt out of this use of their information if they so choose. Moreover, it argues that the program is similar to what telecom companies in the United States as well as Internet giants such as Google and Facebook offer.

Yet documents now available on the public record reveal that there are important differences, creating serious privacy concerns.

Read more here

© 2013 CyberTRAX Canada - All Rights Reserved.
Sponsored by C3SA Corp.