#CyberFLASH: Security vs. privacy: Technology changes, rights don’t

The stakes are considerable, which is why the folks who run the national security apparatus have quietly and not-so-quietly been laying down markers as Ottawa reviews their powers. The argument goes they need more tools, and more leeway, to do their important work.

Maybe. Maybe not.

Canada’s federal Privacy Commissioner Daniel Therrien and his provincial and territorial counterparts are sounding a much-needed note of caution in a joint brief submitted as part of the ongoing security review.

“It is important that we not forget the lessons of history. One of these lessons is that once conferred, new state powers are rarely relinquished,” the document reads.

That’s true, as is the fact the expansion of state powers of surveillance over the past 15 years has resulted in “too many cases of inappropriate and sometimes illegal conduct by state officials,” including violations of privacy and other civil rights.

If Bill C-51, the former Conservative government’s anti-terrorism legislation, was an overreach, the attempt to fix it ought not to make things worse.

Mr. Therrien and his colleagues rightly raise the alarm over Ottawa’s apparent willingness to widen, rather than restrict, things like the collection of metadata. They argue that authorizations to gather metadata ought to meet elevated standards and require judicial, not merely administrative, sign-off. They’re right.

The privacy commissioners’ submission also points out that increased monitoring of online activities has a “potential chilling effect” that could defeat the purpose of having more powerful snooping tools; when people think they’re being watched, they go further underground. We could end up diminishing the freedom of many, without increasing security against the violent few. It’s an important consideration in online anti-radicalization efforts.


#CyberFLASH: Privacy watchdog to look at electoral reform survey amid privacy concerns


Canada’s privacy watchdog intends to look into the Trudeau government’s new online survey on electoral reform after concerns have been raised about invasion of privacy.

Canadians must be willing to disclose detailed personal information if they want their views on electoral reform to be included in the results of the online questionnaire.

The MyDemocracy.ca survey does not ask respondents to reveal their names but it does ask them to disclose gender, age, highest level of education attained, occupational work area, combined household income, first language learned, level of interest in politics and current events and whether they identify as a member of a specific minority group.

Respondents are also asked to provide their postal codes so that their region of residence can be determined — a request that’s particularly raising eyebrows.

In many instances, supplying a postal code would be enough to identify the individual, according to Ottawa University technology law expert Michael Geist, the Canada Research Chair in Internet and E-commerce law.

A spokeswoman for privacy commissioner Daniel Therrien said Tuesday that his office can’t comment because it hasn’t yet looked into the survey in detail.


#CyberFLASH: IP Addresses As Personal Information: The Canadian And EU Positions Contrasted


The October 19, 2016 judgment of the European Court of Justice in the matter brought by Patrick Breyer against the Federal Republic of Germany (the “EU Decision”) raises the issue of whether an IP address is personal information under the EU Directive 95/46/EC and provides an interesting comparison with the Canadian perspective.

The EU Decision

As we have covered on this blog, in the EU Decision, Mr. Breyer claimed that the Federal Republic of Germany had no right to retain the IP address from the device he used to search for information on various government websites. He contended that his IP address is personal information that the website operator may keep only for the purpose of facilitating access to the site and not for general purposes such as safeguarding the security of the site or fending off cyber-attacks, such as denials of service.

The Court of Justice held that where third parties, such as internet service providers (“ISP”), have subscriber information that can be legally accessed by the website operator and used in conjunction with the IP address to identify the visitor, the IP address is personal information. The Court seemed to leave open the question of whether the IP address would constitute personal information if the holder of it could not reasonably or legally obtain the other information needed to identify the owner of the address. In so doing, it adopted a “relative” definition of personal information.

The Court also held that individual states could not pass legislation that forbids the use of an IP address for any purpose other than facilitating network access and billing.

The Canadian Perspective

The EU Decision provides an interesting contrast with the view of the Office of the Privacy Commissioner (“OPC”) in Canada. In a research paper published in May 2013, the OPC revealed that an IP address, combined with other publicly available information, even without any access to the ISP subscriber records, may permit identification of the owner and his or her web-browsing or other activities. Based on this finding, an IP address may in many circumstances be personal information regardless of whether the ISP subscriber records linking that address with an individual are legally accessible to the organization collecting the IP address. Thus, in Canada, IP addresses may be treated as personal information in more situations than in the EU.


#CyberFLASH: AshleyMadison security protocols violated privacy laws, watchdog says

AshleyMadison used inadequate privacy and security technology while marketing itself as a discreet and secure way for consenting adults to have affairs, the Office of the Privacy Commissioner of Canada says.

In a report Tuesday, the privacy watchdog says the Toronto-based company violated numerous privacy laws in Canada and abroad in the era before a massive data breach exposed confidential information from their clients to hackers.

The hack stole correspondence, identifying details and even credit card information from millions of the site’s users. At the time of the breach in July 2015, AshleyMadison claimed to have 36 million users and took in more than $100 million in annual revenue.

The resulting scandal cost the company about a quarter of its annual revenues from irate customers who demanded refunds and cancelled their accounts.

Working with a similar agency in Australia, the privacy group says the company knew that its security protocols were lacking but didn’t do enough to guard against being hacked. The company even adorned its website with the logo of a “trusted security award” — a claim the company admits it fabricated.


#CyberFLASH: The Internet of Things moving us toward connected homes

It’s lunchtime at race car driver Alex Tagliani’s house, and there are no fewer than a dozen people buzzing around. Landscapers are putting in a new front yard, a curtain company employee is up on a ladder, wrestling with the motorized drapes for a product photo shoot and a toddler is running around, demanding to be fed.

Tagliani has made a name for himself on the Indy and NASCAR circuits. But, after years of living in Las Vegas and Indianapolis, he has returned to his native Quebec, settling down in an impressive $1.4(ish)-million home nestled in the scenic suburbs of Lorraine with his wife, Bronte, and their daughter Eva-Rose.

The house was custom built according to Tagliani’s vision of a modern smart home. He was the general contractor on the project, coordinating the architect, interior designers and a small army of independent contractors, including a home-automation team.

“I spent a year and a half messing around with the build,” Tagliani says.

From the moment he considered building a house, Tagliani knew he wanted it to be “smart” — a connected home that learns from and syncs to his family’s behaviours. He hired HomeSync, a Montreal-based home-automation installer that he’d previously worked with when customizing his last place, a condo in Laval. (HomeSync doesn’t manufacture its own hardware, but rather connects other companies’ components.)

Privacy concerns

Earlier this year, design flaws in Samsung’s SmartThings allowed people to remotely hack a front-door lock. There’s very little to stop a determined and tech-savvy criminal or mischief-maker from gleaning what your devices have learned about you and using it against you.

Gobi enjoys the convenience and novelty of the technology, but he is concerned about the SmartThings hack. He’s considering switching to Apple’s recently launched HomeKit because it offers high-security encryption. “The encryption they’re asking for is really, really high. If we think more about Big Brother issues with the Internet of Things and the smart home, I would be more comfortable to use high-security devices and I’m happy that Apple is now fighting a battle for privacy,” Gobi says.

Still, training connected devices to recognize your habits also means opting in to having an unprecedented amount of your deeply personal data compiled and kept on file by someone, somewhere, without knowing exactly if and how it’s used.

In 2016, Canada’s privacy commission published a guide on connected devices and IoT and concerns related to them, particularly as it pertains to data harvesting. “The full impact of the Internet of Things for our privacy may become more evident when its capabilities are combined with other innovations shaping our world today that track not only our activities, movements, behaviours and preferences, but our emotions and our thoughts,” the report concludes.


#CyberFLASH: Do You Consent? Four Ways to Strengthen Digital Privacy

Privacy laws around the world may differ on certain issues, but all share a key principle: the collection, use and disclosure of personal information requires user consent. The challenge in a digital world where data is continuously collected and can be used in a myriad of previously unimaginable ways is how to ensure that the consent model still achieves the objective of giving the public effective control over their personal information.

The Office of the Privacy Commissioner of Canada released a discussion paper earlier this year that opened the door to rethinking how Canadian law addresses consent. The paper suggests several solutions that could enhance consent (greater transparency in privacy policies, technology-specific protections), but also raises the possibility of de-emphasizing consent in favour of removing personally identifiable information or establishing “no-go” zones that would regulate certain uses of information without relying on consent.

My weekly technology law column (Toronto Star version, homepage version) notes that the deadline for submitting comments concludes this week and it is expected that many businesses will call for significant reforms to the current consent model, arguing that it is too onerous and that it does not serve the needs of users or businesses. Instead, they may call for a shift toward codes of practice that reflect specific industry standards alongside basic privacy rules that create limited restrictions on uses of personal information.

Suggestions from Canadian business that stronger consent rules are too difficult or costly are nothing new. During the heated debate over anti-spam legislation, the business community claimed that an “opt-in” model of consent that would require a more explicit, informed agreement from users would be expensive to implement and would create great harm to electronic commerce. Yet the reality is that the opt-in model is used in many other countries to provide better privacy protection and improve the effectiveness of electronic marketing.


#CyberFLASH: Privacy commissioner to investigate data breach of public servants’ personal info

Canada’s privacy commissioner is launching a formal investigation into one of two data breaches linked to the federal government’s troubled computerized payroll program, called Phoenix.

The decision comes as new details are made public about the scope of both incidents involving sensitive information belonging to federal government employees.

The commissioner will probe the second breach, which took place earlier this year, and involved managers having access to information belonging to employees who did not work for them.

The number of employees who had their data exposed during this incident is not known.

“The information that could be seen included an employee’s name and personal record identifier (PRI) — the employee number assigned under the federal government’s human resources management system,” said Valerie Lawton, a spokesperson for the privacy commissioner’s office. “According to PSPC [Public Services and Procurement Canada], no other personal information could be viewed.”

In an email to CBC News, Lawton said news coverage of the breach led to a number of complaints, which prompted the commissioner to investigate.

The first breach involves highly sensitive data for 10,000 public servants that was “inadvertently transmitted” to the private contractor building the federal government’s Phoenix payroll system, according to the department responsible for the troubled program.

That incident happened sometime between March and July of 2015, when Phoenix was in the testing phase, and the department was not aware of the transfer of personal data until IBM alerted the government.

“The contractor alerted PSPC of the breach in June of 2015 and subsequently removed all of the sensitive data from its database,” Lawton said.


#CyberFLASH: Phoenix pay system also breached federal workers’ privacy

A dysfunctional compensation system that’s withholding paycheques from federal workers has also been breaching their privacy, CBC News has learned.

Newly released documents show senior officials were warned as early as Jan. 18 that the new Phoenix system has a flaw that allows widespread access to employees’ personnel records, including social insurance numbers.

Despite the warning, the faulty software was broadly implemented this spring — without alerting the unions or any employees that their private details were no longer secure.

The disclosure of a massive privacy breach appears in documents obtained by CBC News under the Access to Information Act, deepening a crisis that has already touched some 80,000 public servants and triggered a wave of hiring to patch the problems.

The briefing material prepared by Public Services and Procurement Canada indicates that up to 70,000 public servants had access to the personal details of all 300,000 employees covered by the system.

A spokeswoman for Canada’s privacy commissioner confirmed the department “has reported this matter to our office and we have followed up with them.” Valerie Lawton said she could provide no further details.

The minister in charge, Judy Foote, said she learned only this week of the internal breach of private information. “I am aware of it, and I’ve been told that none of the information became public,” she said in an interview.

Over to privacy commissioner

Foote said she has turned the matter over to the privacy commissioner for investigation, and will focus on getting people paid.


© 2013 CyberTRAX Canada - All Rights Reserved.