CIPPIC has joined an international coalition of civil society organizations including CDT, EFF, IGP and EDRi in a letter of protest (Spanish) sent to the International Telecommunications Union (ITU). The letter protests the secrecy and exclusivity surrounding its preparations for the World Conference on International Communications (WCIT). Slated for negotiation during WCIT-12 is a potential re-envisioning of the International Telecommunications Regulations (ITR), an international treaty that currently governs traditional telephone communications amongst the numerous countries who have signed on to it. While the current ITRs are limited in scope primarily to telephone systems, the renegotiated text (which will be up for discussion and adoption at WCIT-12) is rumoured to weigh in heavily on several aspects of Internet governance.
We say 'rumoured' because all the preparatory documents for WCIT-12 are sealed and civil society has been excluded from the discussions. The current ITU framework does not allow for open participation. Further, the ITU's business model (premised on the dubious concept of selling access to documents and decision-makers to corporate associates at prohibitive rates) is a significant barrier to civil society participation. While perhaps workable for regulation of telephone lines, this approach is antithetical to the distributed, multi-stakeholder governance model that has made the Internet the engine for innovation and freedom that it is today. The letter calls on the ITU to open the WCIT-12 preparatory documents up to public debate and to ensure all stakeholders, including civil society, the technical community, governments, and corporate interests are able to participate on equal footing.
CIPPIC recently intervened in A.B. v. Bragg Communications Inc., a case that puts at issue the amount of anonymity litigants can claim in judicial processes. A.B. was a 15-year-old victim of an online cyberbullying campaign that included the creation of an allegedly fake Facebook profile of her that attributed to her licentious sexual preferences and attitudes. A.B. sued, but wished to proceed anonymously, claiming that proceeding under her real name would defeat the very reason for the lawsuit by subjecting her to further ridicule from her peers. It would further impact on her privacy rights, implicating her right to be left alone and her dignity and self-worth.
CIPPIC argued that, while care must be taken not to impact too heavily on freedom of expression and on the open court principle (which holds that justice must be seen to be done), conflicts between fundamental rights such as privacy and freedom of expression must be carefully weighed in context. In particular, the Court's historic aversion to permitting anonymous litigants except in isolated scenarios needs to be re-examined. In light of the growing permanence, accessibility and searchability of court judgments, the privacy concerns in such scenarios are heightened and must be carefully weighed against countervailing freedom of expression concerns, in context. Proceeding anonymously, particularly in a civil lawsuit, will often impact only slightly on freedom of expression and the open court principle, as there will be little public interest in the identity of the specific individual.
CIPPIC, alongside a broad coalition of U.S. and Canadian civil society groups, is participating in a week-long protest against online spying in the name of cybersecurity. 'Stop Cyber Spying Week' is a response to the impending legislative enactment of a U.S. cybersecurity strategy that is excessively overbroad and will have serious implications for online privacy and expression.
The development of an invasive U.S. cybersecurity strategy will have direct implications for Canadian civil liberties. We have, for one thing, committed to a 'Beyond the Borders' Initiative that seeks to harmonize Canada-United States approaches to a number of security issues, including cybersecurity. This means that a U.S. cybersecurity strategy adopted today may well become a Canadian cybersecurity strategy tomorrow. A comprehensive report published by the Rideau Institute in late 2011 suggests that the 'Shared Vision' espoused by the Canada-United States Initiative is very likely to involve a compromise on Canadian privacy. A Resolution issued last week by all of Canada's Federal/Provincial Privacy Commissioners expressed similar concern that programs adopted under the Initiative will lead to an unnecessary and unjustifiable loss of privacy for Canadians. All this does not bode well for Canadian privacy (or sovereignty) in general, but at the same time it makes the current U.S. cybersecurity debate particularly relevant to Canadians!
Electronic Freedom Frontiers (EFF) has issued a challenge aimed at spreading and strengthening the Tor Project -- a network of servers and routing points that aims to allow anonymous and encrypted online communications and expression. EFF is calling on individuals and organizations to operate relay points that will strengthen the Tor network and help make anonymous and private online browsing a reality.
EFF provides a great video detailing how to set up your Tor relay as well as some helpful legal advice for the operation of such a relay.
The Office of the Privacy Commissioner of Canada has released a report exploring many of the challenges posed by emerging technologies and business practices to protection of privacy in an interconnected world. The report is a result of a number of groundbreaking consultations held in cities across Canada which explored issues such as online and geolocational tracking, behavioural targeting, cloud computing, and emerging risks for online privacy of children.
Alongside its other conclusions, the Privacy Commissioner of Canada noted that people deserve to have access to the many benefits of an interconnected world, but that "this should not come at the expense of privacy rights".
In an open letter to the House of Commons Standing Committee on Access to Information, Privacy and Ethics, CIPPIC and a number of civil society organizations voice serious concerns with respect to Bill C-29, currently before the House and scheduled for second reading early next week. The Bill, ironically dubbed the 'Safeguarding Canadians' Personal Information Act', proposes a number of amendments to Canada's federal privacy protection statute, PIPEDA. Far from improving privacy, the Bill threatens to erode civil liberties in serious ways. Even where it attempts to improve privacy, it falls short by failing to provide any incentive for compliance.
Social networking websites allow individuals to form online social communities. To begin, individuals create profiles that describe themselves. Individuals often include personal information such as their contact information, gender, political and religious beliefs, relationship status, and interests.
Behavioural targeting has become a significant concern to privacy advocates. In the past, the ability of marketers to track, profile, and target individual consumers with specific advertising has been limited by marketers' need for those consumers to browse to specific websites or use specific web services. Beginning in 2007, web marketing businesses began to introduce technologies that target the traffic streams of Internet Service Providers (ISPs) as a source of data for building profiles of individual ISP customers.
The workplace presents particular challenges to individual privacy for a number of reasons, including the power imbalance between employer and employee, the increasing technological capabilities of employers to monitor employee activity, and the strong incentives for employers to collect and use employee personal information for employment-related purposes, enhanced productivity, and reduced liability.
Resources on RFID technologies and their privacy implications.
The use of public video surveillance for policing, although common in the UK since the 1980s, has until recently not been politically palatable in other countries. The notion of the state being able to watch one while one is walking down the street conjures up comparisons with Nineteen Eighty-Four's telescreens.
With the continued growth of the internet and the ever increasing ability of online services to track and 'mine' personal information, the protection of personal information has become a hot topic.
The Internet has provided the public with an unprecedented ability to communicate and share ideas while keeping their identities private. Anonymity, or the ability to conceal one's identity, has opened the door to much freer communication than would otherwise be the case. Those who fear persecution, ostracism or embarrassment are able to communicate about topics and in ways they would not risk otherwise.
National ID cards are a hot topic in Canada and other countries thinking about introducing a nationwide uniform identification document. Especially since the terrorist attacks in Washington and New York and the ongoing 'fight against terrorism', national ID cards have risen to the top of the agenda in immigration and security departments all over the world.
Biometrics, or the use of biological properties (e.g., fingerprints, retina scans, voice recognition) to identify individuals, are increasingly popular methods of identification. They are no longer confined to criminal law enforcement and the imagination of science fiction writers dreaming of hand-recognition as an automatic door opener and remote eye-scanning while entering a shopping mall.
CIPPIC has been at the forefront of efforts to legislate a data security breach notification requirement in Canada. Beginning in March 2005, when the huge Choicepoint data breach in the USA became public, CIPPIC has advocated for laws requiring organizations to notify authorities and affected individuals when personal information is exposed to potential abuse. In January 2007, CIPPIC issued a White Paper on this issue, canvassing US data breach notification laws and proposing approaches for Canada to take. In 2008, CIPPIC argued for a public data breach registry to complement individual notifications and Privacy Commissioner monitoring.
PIPEDA is Canada's federal private sector data protection legislation. It applies to all federally regulated works and undertakings, as well as provincially regulated private sector organizations in provinces and territories other than Quebec, Alberta, and B.C. (that have their own, similar, laws).
Council of Europe's Privacy Framework (Modernizing Convention 108)
The Council of Europe is undertaking a modernization process for its privacy framework (Convention 108). The objective is to account for changes in technologies and in privacy practices that have come about since the privacy framework was first adopted.
Resources
- CIPPIC's response to the CoE's initial questionnaire
- CIPPIC's comments on draft CoE proposals to amend Convention 108
The Privacy Act is a federal statute governing the federal government's treatment of personal information. It was passed in 1983, before the revolutionizing effects of computer technology on information processing and privacy. Despite repeated calls by Privacy Commissioners, the Act has not yet been updated to take into account new privacy threats. The House of Commons Standing Committee on Access to Information, Privacy and Ethics began a review of the Privacy Act in the spring of 2008.
In the summer of 2005, the Prime Minister appointed retired Supreme Court Justice Gerard LaForest to assess the merits of merging the currently separate Offices of the Information and Privacy Commissioners of Canada. The rationale for such a merger was not made clear. Along with other privacy advocates, CIPPIC opposes the merger on the grounds that it would weaken privacy protection in Canada at a time when stronger privacy protection is needed. CIPPIC sent a letter to Justice LaForest in October 2005, opposing the merger.
A.B. v. Bragg Communications, SCC File No. 34240
Warman v. Fournier, 2010 ONSC 2126 (Ont. Div. Ct.), Online Anonymity in Judicial Processes
CIPPIC has filed an objection to the proposed Canadian settlement to the Sony BMG rootkit class action. Sony BMG offers Canadian consumers far less than it offered American consumers in the US class action settlement, and offered no rational explanation for the different treatment. CIPPIC will appear at the class proceeding's fairness hearing, currently scheduled for 9:00 a.m., 21 September, at 361 University Avenue, in Toronto.
On December 19, 2005, CIPPIC filed an application for judicial review in the Federal Court of Canada, challenging the Privacy Commissioner's determination that she lacks jurisdiction to investigate Abika.com. This finding was in response to CIPPIC's complaint against Abika.com.
CIPPIC's comprehensive complaint against the privacy practices of Facebook, Inc.
ISP use of behavioural targeting.
PIPEDA Complaints against Bell, Rogers, Shaw and Eastlink's use of DPI
CIPPIC asks the Privacy Commissioner to audit Google to investigate the implications of its merger with online ad network DoubleClick
PIPEDA complaint that Canada.com's decision to outsource storage of customer emails to the United States failed to provide an adequate level of protection by exposing those emails to the risk of police access through invasive surveillance powers.
CIPPIC has assisted complainants in a number of cases involving alleged violations of privacy by banks, credit card companies, credit agencies, and other institutions. We have also provided advice to clients on issues involving workplace privacy, email privacy, children's privacy, and health records privacy.
In 2010, the Office of the Privacy Commissioner of Canada initiated consultations on privacy issues related to developing internet-related technologies: "Tracking, Profiling and Targeting", and "Cloud Computing". The OPC sought comment on the deployment of these technologies and their implications for individuals, organizations, and businesses. CIPPIC offered two submissions: one focusing on geolocational technologies and their use in targeted advertising, and a second addressing cloud computing more generally.
The CIPPIC ID Theft research project aims to develop well-informed and well-reasoned recommendations for law and policy reform designed to prevent, detect, and mitigate the effects of ID theft.
On July 25, 2007, CIPPIC filed a complaint with the Privacy Commissioner of Canada under s.29 of the federal Privacy Act about two federal tribunals that post full decisions online without redacting often highly sensitive personal information. In its letter, CIPPIC asked the Privacy Commissioner to establish guidelines for federal agencies regarding the online posting of decisions and other documents that contain personal data about individual applicants, appellants, or complainants. CIPPIC argued that openness and accountability do not require the identification of individual applicants/appellants/complainants.
RBC - invalid consent to secondary uses (August 2008)
By way of a formal complaint filed August 1, 2008, CIPPIC challenged the legality of bank policies that require clients to allow the bank to use their personal information for such purposes as "to determine your eligibility for products and services we offer". CIPPIC also argued that banks must obtain the express consent of clients to any such secondary uses of personal financial information; opt-out consent is not sufficient.
In response to a request by the Office of the Privacy Commissioner, CIPPIC agreed to put its complaint on hold while it pursues resolution of the issues with the Canadian Bankers' Association and the Investment Industry Regulatory Organization of Canada.
CIPPIC is participating in an effort by APEC economies to develop effective mechanisms for protecting data as it flows between countries. In September 2007, Philippa Lawson spoke at the Vancouver APEC Data Privacy Seminar on "Stakeholder Roles in the APEC Pathfinder and Beyond". In February 2008, she spoke at another APEC Data Privacy Seminar, on "Outsourcing and Data Privacy: A Citizen/Consumer Perspective", and participated in follow-up workshops along with colleagues from Privacy International and EPIC. Their report on the sessions can be accessed here.
In a submission filed with the Senate Committee on Legal and Constitutional Affairs in May 2007 on Bill C-31, CIPPIC objected to the expansion of personal information used for secondary purposes without the consent of electors. Under the Act, Elections Canada is required to share names and addresses from the National Register of Electors with political parties for fundraising and other campaign purposes. Bill C-31 would have added date of birth to the lists of electors shared for these purposes. As a result of opposition to this proposal by the Privacy Commissioner of Canada and CIPPIC, sharing of date of birth was removed from the bill before it was passed by the House of Commons.
Domain name registrants must provide contact and other information to their domain name registrars for administrative and operational purposes. Most domain name registrars make this information public, via the "Whois" database. Anyone can find out who is behind a website by consulting this online database (operated separately by each top level domain name registry).
On January 12, 2005, CIPPIC filed comments in response to a consultation by the Canadian Internet Registration Authority (CIRA) on its policy of publishing contact information for domain name holders through the publicly available WHOIS database. CIPPIC strongly supports CIRA's proposal not to disclose contact information for individual registrants unless the registrant so requests. CIPPIC also supports CIRA's proposal to permit organizational registrants to request that their contact information not be published in WHOIS, but notes that the criteria for CIRA deciding upon such requests need to be specified.
In response to planned outsourcing by the British Columbia government of certain database administrative duties to a U.S.-linked company, the British Columbia Privacy Commissioner invited public input by August 6, 2004 on the extent to which the USA Patriot Act allows US authorities to access the personal information of British Columbians, and the implications of such access for public body compliance with privacy legislation.