Friday, February 28, 2014

Health Canada medical marijuana program mailing

In class this week, we discussed health law and the implications of breaching patient privacy. I saw this blog (which also includes a link to the judgement) and thought it an interesting note that the court has ruled to protect the plaintiffs' identity, particularly given that the case is about Health Canada's error. Program mail was sent out to all medical marijuana program participants identified on the envelope as such, effectively identifying participants publicly. The claim includes among others: breaches of privacy and confidence, intrusion upon seclusion, and publicity given to private life. Should be interesting to see how this case develops.

Britain's GCHQ; Chatroom Images are Collected and Stored


Hi everyone, on the topic of serious breaches of personal privacy...


Summary: 
Britain has a surveillance agency named GCHQ. A program used by this agency, called Optic Nerve, has been collecting images and 'metadata' through various internet sources, including Yahoo webcam chats. It appears that GCHQ, however, cannot control which are initially collected and stored by this system due to the massive influx of data. The collection is not unlimited; in respect to Yahoo chatrooms, one image per chatroom every 5 minutes is collected based on random selection. This is because GCHQ does not have databases big enough to store each of these video chats in their entirety, and also to protect user privacy (though the latter does not seem to have been fulfilled very effectively, since a very large number of explicit and lewd images have been captured and stored on GCHQ databases). 
Note that not only are these private images available to the agency, they were actually saved to the agency’s databases, regardless of whether the images in question had any relevance to initial ‘intelligence targets’. This includes sexually explicit communications and images from general users. Yahoo itself has denied any prior knowledge of the surveillance. 

Main issues: 
Collecting the images of an extremely high number of individuals without their awareness, and then subsequently storing those images indefinitely, warrants some serious concern about privacy interests online. This isn’t data that’s voluntarily been made publicly available, and is distinct from consenting to a ‘Terms of Agreement’ policy on a social media site before posting a profile that a user is aware will remain available until its removal. From a user perspective, data such as a chatroom video feed is likely to be thought of as only momentarily available (if at all), because the kinds of images provided are fleeting rather than lasting, and are not saved by the host website. In reality, the GCHQ seems to have virtually unlimited access because of the way their collection technology works; though they have taken some steps to reduce the collection of such images, the randomized influx of information is so massive that a great deal of what might be compromising personal information gets collected in the process.

Thoughts to consider: 
Keep in mind that there are apparently no laws requiring the GCHQ agency to remove, or minimize, the information it collects from its databases even if the information is not relevant to intelligence targets. This means that the lewd images of civilians who believe themselves to be in a private (though virtual) context are legally able to be collected and stored, and there is no remedy available to parties who oppose these actions. Are users aware of the extent to which their images, even in a 'private' online context, are unprotected? Shouldn't they be made aware?
In this case, national security (surveillance for the purpose of identifying and monitoring intelligence targets) is presumably being weighed against national privacy interests. But if civilian safety is the ultimate justification for disregarding civilian privacy interests, it is disturbing that the GCHQ apparently cannot prevent the collection of this lewd civilian data, and yet has no legal obligation to remove or delete it. To further illustrate, this agency has the capability of sorting through these images using facial recognition software, so that while criminals and other intelligence targets could be identified through this data, so could unrelated, innocent and unsuspecting individuals. I am not arguing that there is some sort of larger conspiratorial agenda at play that is meant to monitor users' every move. However, the fact remains that there is a database which has captured and saved lewd images of individuals, and these images are stored in a database which can be cross-referenced in its entirety with any other photo provided, because of the software's facial recognition capabilities. The potential ramifications in the case of a security breach or hacking of the database could be monumental for anyone whose images have been stored.
Overall, a large amount of personal data that is not restricted to intelligence targets and criminal targets of the GCHQ is still being collected and stored. The law as it currently stands has yet to provide any limitations on this morally-treacherous infringement upon personal lives. According to this technology, not only are our online personas available to be held against us in the future, so too are 'private' internet interactions.

Wednesday, February 26, 2014

Links to recent papers from Maine Law Privacy Symposium

Maine Law just wrapped up a symposium on privacy law. Papers discussed at the symposium are here. There is a piece on big data, and someone discussed cloud computing.

A secure mobile phone?



A cellphone that’s being marketed as the securest phone available made its debut at a trade show recently. The Blackphone is an Android smartphone that has encrypted operating software, cyber-security strengthening apps and a virtual private network for snoop-free web browsing. Despite these privacy-boosting measures, the phone’s manufacturer isn’t ready to call it completely secure. Given our recent class discussion about how mobile phones are putting out information about us, I found the concept of the Blackphone interesting. I wonder if there will be a demand for it? Some people believe the first folks in line to buy it when it comes out in June will be criminals.

The US position as a central internet data hub appears to be weakening.

A recent report interestingly demonstrates the role of economics and trade regulations playing a part in the rationale for attempting to gain access to data stored in Canada that US companies are blocked from. The BC Freedom of Information and Privacy Association (FIPA) has learned of mounting political pressure from US corporate lobbyists to effect change in British Columbia's data protection laws. US documents collected through a Freedom of Information request speak of "frustration with Canada limiting bids on information technology contracts to Canadian companies, or conditions in bids requiring local storage of personal information as opposed to, say, storage in a U.S.-based server or cloud."

As a side note, whereas Canada's laws are seen as a restrictionist barrier to trade in the eyes of the US, talks between Canada and the European Union for a NAFTA-like agreement but with the EU may have issues of its own to deal with. A re-examination by the European Parliament is planned to determine whether Canada's privacy laws are adequate to allow data transfer with Europe.

It will be interesting to follow the various and competing economic pressures on Canadian privacy and data protection policy.

Another article discusses German Chancellor Angela Merkel recently expressing a need to shift the bulk of data transfer that the internet patches through the US central internet hub. She declared plans to set up an independent European infrastructure that is intended to keep internet traffic that occurs within Europe to stay within Europe and away from the prying eyes of the NSA (and other FIVE EYES intelligence gathering agencies including CSEC).


Plug for a new course

Hey everyone,

This is tangential, but I am pleased to announce that Osgoode has accepted our proposal for a new course in legal information technology for the 2014/2015 academic year. The course focuses on technology and its application in legal practice. It is not a course in the law of technology (e.g., telecommunications law, IP, etc). We are going to be doing three things:

  1. Giving students opportunities to use current applications (e.g., eDiscovery,  automated document generation) and to learn about upcoming software tools.
  2. Teaching students the basics of (non-technical) application design.
  3. Providing an opportunity for critical reflection on the role of technology in law, including its potential for transforming legal practice and access to justice.

The course is open to anyone, so you don't need a technical background. The evaluation scheme includes a final project, critical reflection piece, and hands-on exercises. It is a skill-building course at heart, and I think it will be markedly different from the standard law class. Lastly, it has been approved for purposes of the praxicum requirement.

All in all, I am excited, as this is the first offering of its kind in Canada. Legal tech is a hot topic in the US and UK, where technology and legal service delivery are really changing the legal landscape. I think that it is only a matter of time before we see similar changes here, with accompanying disruptions to the labour market. (Things are not so good here in the US for new graduates, as you may be aware). The practical portion of the course is intended to prepare law students for these changes, allowing them to access some of the emerging legal professions that are growing in popularity in other locales.

The course will be co-instructed with (new) adjunct professors Monica Goyal and Darin Thompson. They are fantastic and passionate about this area, and I'm excited to have them join the Osgoode community.

James

MIT and White House co-hosting workshop on privacy and big data

The MIT Technology Review has announced that it will co-host a workshop with the White House Office of Science and Technology on March 3. The subject of the workshop will be using big data responsibly. As analytical abilities and computational power continue to improve, big data will likely become a powerful tool that may present challenges to privacy law. Specifically, large amounts of harmless or impersonal data could be used to churn out highly sensitive and personal information. Here is the New York Times article on Target's predictive abilities regarding pregnant shoppers. It's a longer article and a bit dated now, but provides an interesting example of how invasive this practice can be sometimes.

Monday, February 24, 2014

UK sells medical records to insurance companies

A very worrying article here on the UK government's decision to sell patient medical records to third parties.

Pro-privacy smartphone to be released today


We have spoken a lot about the ‘internet of things’ where all kinds of appliances leave a data trail. In response to this phenomenon, a company called Silent Circle is releasing a pro-privacy smartphone called ‘Blackphone’. The device encrypts data sent by users. Recipients need to have an encryption app in order to access the data. Despite widespread concerns about consumer privacy, there has not been much consumer demand for this device. Nor is there much optimism within the tech community that this new phone will be hacker or NSA proof. See the full story here: http://www.cbc.ca/news/technology/anti-nsa-blackphone-commendable-but-will-consumers-buy-it-1.2544562

Dropbox and its Government Data Request Principles

This morning, I received an email from Dropbox. For those of you who may not be familiar with it, Dropbox is a cloud storage service provider, much like SkyDrive (Now called OneDrive) and Google Drive. The email is about some updates on Dropbox terms and conditions, as well as their privacy policy.


In particular, Dropbox provided some discussion on its recently launched Government Data Request Principles. Here is a summary:


  • Be transparent: Currently, Dropbox discloses the number of data requests from the government and law enforcement in its Transparency Report. However, it’s been urging the court and government to allow it to report the specific details about those requests, as well as more information on the national security requests and accounts affected.
  • Fight blanket requests: Dropbox believes that government data requests should be limited to specific people and investigations, and will resist blanket data requests from the government as much as possible.
  • Protect all users: Dropbox aims to extend fundamental privacy protection to all users regardless of their location and citizenship. The data requests must be specific, and a neutral third party should evaluate and sign off on requests for content before they issue.
  • Provide trusted services: Dropbox believes that government data requests should go to online service providers directly, and that tapping into data traffic without permission of the service provider and users is not right.


A couple of thoughts on this:

  1. I appreciate that Dropbox summarized the changes to me in natural language in their original email. (I, for one, rarely read “terms and conditions” when I sign up for a service.)
  2. As a user, it is nice to see how the service provider is reacting to the data requests from government, and how it intends to resist requests that it considers inappropriate.


Here is a link to a summary of the updates as posted on the Dropbox Blog:
https://blog.dropbox.com/2014/02/updating-our-terms-of-service/

And here is a direct link to Dropbox’s Government Data Request Principles: https://www.dropbox.com/transparency/principles

Friday, February 21, 2014

Recent Decision by Federal Court

TekSavvy has been told to hand over the names and addresses of their customers who have illegally downloaded Voltage Pictures' films (such as the Hurt Locker). The article comments about how this will tip the unbalanced pendulum in favour of rightsholders. It also discusses how some customers will choose to pay the settlement fee instead of litigate. It makes me wonder whether people will argue that their privacy has been infringed upon due to the unauthorized identification, and whether this has the potential to flood the legal system with various cases.

Here's the link to the article:
http://business.financialpost.com/2014/02/21/teksavvy-names-downloading/?__lsa=2734-7ba4

Here is also a link to the decision:
https://cippic.ca/uploads/Voltage_v._Does-2014FC161.pdf

Whatsapp

Given that Whatsapp was recently sold to Facebook for a whopping 19 billion dollars, it is back in the limelight with the concerns surrounding its privacy policy. It has been criticized by the Canadian Privacy Commission for collecting too many phone numbers of non-Whatsapp users through scanning address books. Also, it is unclear as to whether they store all messages that get sent with their app. It will be interesting to see how all of this plays out, and whether these concerns will crystallize into changes with their privacy policy.

http://www.forbes.com/sites/andygreenberg/2014/02/21/whatsapp-comes-under-new-scrutiny-for-privacy-policy-encryption-gaffs/
Feb 21st 


Hi there everyone,

So as has been a common theme in the class thus far, there seems to be a fairly sizable gap in what is considered ethical, or at least practical, uses of data and personal information, or what is considered private in an employer/governmental context. 

One of the issues I have personally identified with the current approach is that the law is not as flexible or interpretive as it makes itself out to be. I won’t deny that privacy interests and the effects of their interaction in jobs are being more readily addressed, such as the reality that the kinds of fundamentally necessary privacy protections are likely to become dated relatively quickly in society where technological advancements reflect a higher possible level of infringement, and unforeseeable new avenues for privacy infringements are consistently developed. However, I think that one of the major problems with having a legal system which supposedly reigns over personal interests and ‘rights’ in the context of privacy is that these interests are constantly being pushed in new a varied, and the qualifications for whether or not they have been ‘infringed’ is often subject to a rule or list of principles that becomes dated almost as quickly as the protected interests themselves. Thus, the supposed legal solution to the rapidly-advancing realm of privacy and is limited in precisely the same way as gives rise to these issues in the first place. 

Keeping that in mind, I think the problem is most likely a fundamental one, since one of the realities of the legal system, and particularly the dialogue between the judiciary and the legislative or executive branches, is that the law cannot be changed on a whim, and nor can the proposed changes to it necessarily withstand this interactive system.

Following that idea, I wanted to call attention to the OAIC (Office of the Australian Information Commissioner), who just released the “Australian Privacy Principles” guidelines. I think lifting a quote would be the best illustration of what this is all about...

“The APPs are a single set of principles that will cover both the public and private sectors when amendments to the Privacy Act 1988 (Privacy Act) made by the Privacy Amendment (Enhancing Privacy Protection) Act 2012 come into force.”

“The APP guidelines not only outline minimum compliance requirements, they also provide practical examples of best practice.”

What do you guys think of this more flexible set of ‘principles’ to guide legislation concerning privacy? Personally, I think Canada could benefit from something like this. I might be completely ignorant here but I believe that Canada seems to drive most of the areas which the law deals with through the same guiding principles (justice through balancing of interests, procedural fairness, public safety, etc.). Don’t you think that we might benefit from a set of guidelines particularly tailored to privacy, since privacy is such a fluid and rapidly-expanding field, while changes in law are overwhelmingly incremental?

Alright, that's all for now folks!

Wednesday, February 19, 2014

Essay Proposals

As pointed out to me today by Ashley, the course syllabus / schedule mentions an essay proposal. This is a chance for you to bounce your ideas off of us. You may not have a firm idea of what you want to write about at this stage, and that is fine. Even a general theme (e.g., surveillance, privacy in criminal cases) is enough to get you thinking about this exercise.

(Hopefully you will also be brainstorming a bit in the course of working on the mind map assignment)

For inspiration, I have a list of sample essay topics here. (We were supposed to have a few engineering students in this class, so some of the suggested projects are technical in nature). I would also take a look at the posts on recent symposia, some of which will contain up-to-date papers.

Once you find a compelling topic, it is useful to see what has been published on it. You can search the online library catalogue, SSRN, Google Scholar and other databases. Papers that haven't been published yet often appear in conferences first. Those are more difficult to access, particularly the best conference in the field (the Privacy Law Scholars Conference, which is invite-only).

As for what you have to hand in:

Format:

  • one page, 12 point font, single spaced.

Content:

  • Header, with your name (important, as some of you forgot this on your memos), the date, the course number and title.
  • Topic. Outline the general subject area (e.g., privacy and technology), as well as the topic of interest (e.g., home genetic testing kits). You do not have to have a thesis statement, but it helps to have an idea of what you find interesting.
  • Rationale: a paragraph on why you think this is an interesting topic worthy of your time and effort. Why did you choose this, and why should people be interested in it?
  • Scope: a sentence or two on how you will make sure that your treatment is suitable for a term paper. Being overly ambitious is a surefire way of making this term uncomfortable.
  • Previous Treatment: has anyone written on this topic in the past? If so, how will your paper differ?
  • Sample References: give 4-10 sample references pertaining to your topic. You can grab these from the online York library catalogue.

Once you hand this in, we will arrange a time to chat with you (e.g., in class, after class, skype, voice) about your proposed topic. We want to make sure that your paper is interesting to you, feasible, and properly scoped.

Citation Reference Assignment

Good evening fellow classmates,

I just wanted to bring to your attention that if you are using Mendeley for the reference manager assignment, the journal abbreviations generated for the citation may not correspond exactly to the ones in our McGill Guide, despite both being 7th edition. Other than that, Mendeley is actually a very useful tool - don't forget to download the Word PlugIn if you use it!

Ashley

Tuesday, February 18, 2014

Assignments 2 and 3

Assignment 2: Mind Map

At this point in the course you should have a high level view of what topic you may wish to write a paper on (e.g., surveillance, privacy in the workplace, etc)


  1. Create a mind map using a method of your choice (e.g., hand drawn, Microsoft Visio, MindMeister, etc). 
  2. Put the mind map into PDF format. (MindMeister and other tools should support export to PDF).
  3. Email it to us.

We will not judge your mind map based on its substantive content. (For instance, we will not check to see if you really understand employee privacy). Rather, this is an opportunity to play around with a way of mapping out concepts. We want to see a good effort at experimenting. It will pay off.

Assignment 3: Reference Management

Make sure you can log in to the general York University library catalogue.

  1. Choose a reference manager. I recommend Mendeley. You can use refworks, endnote (etc).
  2. Search for the papers below in York's library catalogue.
  3. Add the references for these papers into your reference manager.
  4. Create a Word or OpenOffice document with the title "Reference Manager Exercise", as well as your name.
  5. In four bullet points, cite each paper in McGill Guide format. Most reference managers will support citations in different formats.

Papers:

  • Volokh, Freedom of speech and information privacy: The troubling implications of a right to stop people from speaking about you.
  • Kukathas, Cultural privacy
  • Dourish, Collective Information Practice: Exploring Privacy and Security as Social and Cultural Phenomena
  • Solove, A Taxonomy of Privacy


Repurposing the Darknet for lighter purposes

With the daily news reporting ever increasing mass surveillance and data collection by alphabet soup agencies it is not surprising that many online users are interested in considering alternative modes of connectedness and communication while retaining the utility and convenience of a much beloved internet. Darknets (a hidden but very real parallel internet), when used in socially acceptable ways, are suggested by some as a means of avoiding the “spynet” (aka regular internet). The idea is that rather than relegating the vast anonymous cyberspace of darknets as synonymous for a haven of miscreants, and until more data protection and privacy promoting laws are enacted, people may at least in part decide to develop a community presence or otherwise utilize the net (e.g. personal web searches) in more securely encrypted and anonymized settings. This can also be used to encourage anything from a peer-to-peer early internet community feel to setting up a Tor service to allow a safe and secure venue for whistleblowers to reveal misdeeds of their employers without threat of retaliatory measures, as news agencies such as The New Yorker have done. It is interesting seeing these active processes that can be taken to maintain privacy, although the fact that Darknet is also being used in nefarious ways (e.g. drug dealings, pedophilia, etc) raises the tensions of where to maintain the balance between privacy and surveillance.


For those interested in the decision out of Peterborough that I mentioned last week, the decision can be found here: http://canlii.ca/en/on/onsc/doc/2014/2014onsc321/2014onsc321.html.

Hopkins v. Kay involves a nice mix of PHIPA, the tort of intrusion upon seclusion and class action law. Not something you see every day!

Saturday, February 15, 2014

Lecture on Legal Research and Writing


Hi everyone. I have posted a narrated slideshow on legal research and writing. (I am having problems with YouTube, which was my first choice of streaming platform). The file is 51 MB, so you should be able to download it easily.

Friday, February 14, 2014

Legal Research and Writing Lecture, plus Assignments

Hi all,

My apologies, as I was hoping to have a narrated slideshow on legal research and writing completed by this Wednesday. I was unable to hit that, largely due to working group duties for a couple of external organizations.

I'll have a lecture online as of tonight or tomorrow afternoon. The topic is legal research and writing. Those of you with experience in the topic matter may wish to skim the material. I highly recommend putting in a bit of effort to learn about various methodologies early in your law school careers, as writing and research are essential skills. There are some recommended books listed in both the syllabus and in the narrated lecture.

Lastly, there are a couple of simple assignments that I will be handing out. These are due after the break. (See the 'assignment schedule' blog post for more info). Both are fairly simple exercises that are designed to get you using a couple of very useful tools.

I'll send out an update when the material is online.

Thanks!

James

Wednesday, February 12, 2014

Security and breach of health information in Alberta


Keeping in mind, from our discussion, the “special” nature of health information, it appears that there have been recent problematic processes found in Alberta. In light of the upcoming topic on security and breaches of information, it turns out that Alberta Health Services has been sending faxes of health information to recipients rather than encrypted emails and other more secure processes. Wrong fax numbers have been entered, meaning that confidential health information has been received by people other than the intended recipient. According to Alberta's Health Information Act ss 60(1) and (2), the question is if reasonable steps are being taken to ensure that the personal health information was sent to the intended recipient, and if adequate measures are taken for security and confidentiality. It appears that there may have been safeguards in place with regard to the health information, yet perhaps they were not adequately implemented.

Another issue in relation to the data protection is that patients are not being informed of these (admittedly inadvertent) releases of personal information. The situation raises the issue that there is no legal obligation to inform the patients of the data breaches. However, great care should be taken to maintain a high level of accountability especially in regards to the protection of sensitive information. 

This is only the latest in a long list of problems in Alberta health information protection, where there has been an investigation recently because a laptop with birth dates, health card numbers, and billing codes was lost or stolen. There were also other mishaps such as health employees leaving files on top of cars and driving away. 

The article can be found here:


McKinsey report on information safety at organizations

In the past year, McKinsey, one of the largest consulting companies in the world, collaborated with the World Economic Forum on research into information safety at both public and private organizations. In the report that was just published, it focused on the impacts of cyber attacks on the operational strategies of organizations, and provided a list of recommended procedures to improve organizations’ resilience to such risk. Further, the report provided a glimpse into how different sectors perceived the role played by regulations in this matter. While many agree that organizations should not be left alone in fending for themselves, opinions split on the value of regulations on cyber security. Whereas health and insurance professionals were more likely to hold a positive view on regulations, as they forced management to devote more resources into compliance, financial institutions were more likely to consider such policies as harmful and would even undermine their effort to safeguard information.

Full article and report can be found at:
http://www.mckinsey.com/insights/business_technology/risk_and_responsibility_in_a_hyperconnected_world_implications_for_enterprises

Impact of Collection of Biometric Data

Lawyers and policy analysts from the Electronic Frontier Foundation (EFF) have collaborated with the Immigration Policy Center to produce a report on the social impact of collection of biometric data. They argue that collection and use of this data (for example: fingerprints, DNA, face-recognition ready photographs, iris scans, and voice recordings) disproportionately impact immigrant communities in the United States. The authors worry that misuse could lead to racial profiling, discrimination, and could affect the employment and residency status of millions of documented and undocumented immigrants in the US.

The Fourth Amendment provides some protection for fingerprints and blood samples, yet has broad exceptions for searches conducted at borders. The report therefore calls for stricter legislative requirements for the use and collection of biometric data. Most interestingly, the report advocates a limitation on the combination of biometric data (eg: matching facial recognition technology with licence plate identification). Is there support for this kind of suggestion in the privacy law we have today?

Full report can be found here:
https://www.eff.org/document/fingerprints-dna-biometric-data-collection-us-immigrant-communities-and-beyond

Domestic Privacy Laws and Cloud Services

These two articles offer an interesting assessment of how domestic privacy laws affect the behavior of multinational businesses - especially cloud service providers.

1) A new Finnish company proposes hosting a data center in Chicago - but plans to store 'personal information' in Finland. The article notes, however, that services like this may be less helpful than advertised. U.S. intelligence laws give less protection to data stored outside the U.S., and personal information stored in Finland would be subject to Finnish and EU data protection laws. http://gigaom.com/2014/02/07/upcloud-reckons-finnish-privacy-laws-can-protect-data-hosted-in-us/


2) Australia is instituting even more stringent privacy laws which impose vicarious liability on Australian companies for third party breaches of offshore data. (ie: "If there is a breach at your cloud computing provider, it is treated as your breach.") http://www.mondaq.com/australia/x/291472/data+protection/The+Privacy+Act+and+the+Cloud




Conservative party election plans for social media

I read an interesting blog by professor Michael Geist regarding the planned use of social media by the Conservative party before and during the next election. The role that social media plays in communications with voters increases each election, yet I was surprised to learn they weren't just planning timely conversation and announcements. They can use the "likes" from posts on Facebook to determine who might have an ear for the Conservative party, identify them personally, and approach them for support. It doesn't seem much stretching is required, and yet it definitely feels to me like a misuse of the information. I don't want to inadvertently subscribe to email spam, let alone be contacted by a local political group. I thought it was a different slant of the government's use of personal information, but tied in well to our discussion last week. The blog is linked below (it's the 2nd posting) and is much more interesting than the article in the Star, to which it's tied. http://www.michaelgeist.ca

Tuesday, February 11, 2014

Privacy in our Education

I thought this was a very relevant conversation topic that hits close to home! This is an article from the U of T paper that references an open letter written by post-doctoral fellow, Christopher Parsons, that calls out Canadian phone and internet service providers to disclose the extent of consumer information they hand over to the law enforcement/intelligence agencies. This push towards transparency is exactly what we discussed in class last week, and in our first discussion at the beginning of the semester. It will be interesting to see to what degree phone and internet service providers respond. The article also mentions how U of T's online class organization service, Blackboard Portal, gives professors the ability to monitor student engagement with the materials posted online. It makes you wonder if professors have the same ability through Moodle!

http://thevarsity.ca/2014/02/10/u-of-t-steps-into-internet-privacy-conversation/

Monday, February 10, 2014

France punishes Google for breaching privacy laws


After recent discussions in class about companies tracking the web activity of users, the following article caught my interest.
Basically, French authorities ruled Friday that the way Google collects and stores information about its users is a violation of the law and punished the company with a monetary fine. Adding insult to injury, Google was required to post the fine for 48 hours on its website for French customers to see. 
The country's data protection watchdog isn't the only one that thinks Google's activities are problematic. Other European countries including Italy, Britain, Germany, Spain and the Netherlands are going after the company in court, accusing it of breaching their respective privacy laws.
Wonder if Canadian officials are paying any attention? I hope so because I use Google a lot! If it's happening over there, might it be happening here? 

Here is an interesting article from the Globe about a privacy issue brought up in B.C. last week. Basically, some environmental and aboriginal groups that are opposed to the Enbridge oil pipeline are accusing federal law enforcement of spying on them. The B.C. Civil Liberties Association filed complaints with oversight agencies for the RCMP and Canadian Security Intelligence Service (CSIS). The concern is that this information was shared with the oil industry and National Energy Board. By contrast, the Natural Resources Minister stated that he understood why police might be interested in the actions of protest groups.

I think this highlights one of the bigger difficulties with privacy as it concerns government actors.  It may need to be balanced against other concerns like civil order and national security, but because privacy violations generally aren't known to the victim, it seems to be the data collector that gets to decide where that line is drawn.  Enter the whistleblower, I guess.

Sunday, February 9, 2014

Employment Background Checks


I found this article from CBC really interesting. It's short and sweet, but raises a privacy concern that I had never really thought about. Basically, "background checks" when you are applying for a job don't necessarily only include your criminal history. At least in British Columbia, a "background check" is better characterized as a "police information check," which can yield the following information:

  • Warrants for arrest.
  • Information about adverse police contact.
  • Investigations that do not result in charges.
  • Information related to the Youth Criminal Justice Act.
  • Information about an individual's mental health.

BC's privacy commissioner is launching an investigation to see whether the practice violates privacy laws.

Here's a link to the online article: http://www.cbc.ca/news/canada/british-columbia/background-checks-for-jobs-raise-privacy-concerns-1.2524956

Saturday, February 8, 2014

Latest SCC decision on privacy

The following is a news report from Canadian Lawyer on the SCC decision in Bernard v. Canada. Given our discussions about the meaning of "personal information", you may find it of interest.

http://www.canadianlawyermag.com/legalfeeds/1927/union-can-collect-non-members-info-scc.html

Reading

As a reminder, please ensure you read Chapter 6 of the text. We will discuss security and breach notification in greater detail.

Assignment Clarification

As discussed in class, this assignment is a two-page exercise designed to give the class exposure to a significant privacy-related case, the concepts found in it, and to get you “writing”. Because of the size of the assignment, it is more of a “brief” than a “memo”. James and I did not, between ourselves, speak to this distinction in terminology used in law school (as between “memo” and “brief”). In non-law school terms, I would have asked for a “memo” giving me a synopsis of the case as opposed to a “memo” on an issue, an area of law or specific question. James’s examples are useful but we did limit the class to a two-page assignment which means one must adjust accordingly. We are not assessing analytical skills in this small assignment but rather your writing skills.


Please note that:

1. Your submission is due no later than 14h29 (2:29 pm) on 12 February 2014; and 
2. It is to be in electronic format (i.e. Word or .pdf).

Wednesday, February 5, 2014

Australian amendments to Privacy Act

An interesting article about amendments to Australia's Privacy Act is discussed on the UK's The Guardian website today. It highlights some of the issues we discussed in class, specifically personal awareness of data collection, notification of information being transported overseas, and an individual's right to know what is being collected. I was intrigued particularly with the idea that an individual would have the right to request access to a private company that had gathered information on them, to see both the quantity of data and the purpose of its collection. The idea of knowing what type of information Google or Facebook might have acquired as linked directly to you, or more concerning to me what exactly that information is used for, or who else then gains access to the information, strikes a chord with our discussion of balance between consumer knowledge and service providers' hidden collection of personal data. The article also reminds us that despite improvements to the legislation, there remain both vague terms for companies to work with, and a difficulty with enforcement.


Tuesday, February 4, 2014

Assignment 1: Legal Memo

Michael will be discussing the first assignment for the course in the February 5th class. It consists of a two page legal memorandum on the following case:

Canada (Information Commissioner) v. Canada (Canadian Transportation Accident Investigation and Safety Board), NAV Canada and Canada (Attorney General) 2006 FCA 157 (Court files: A-165-05, A-304-05), May 1, 2006.

The administrative details are as follows:

  • Due Date: February 12th.
  • Submission: electronically (emailed to one of us), or handed in to Michael. 
  • Format: 2 pages, 12 point Times font, 1.5 spacing.
I'm sure that some of you have done a memorandum in the past. For those who haven't, there are some pointers here and here. Remember to keep in mind the following:
  • Clearly identify the legal issues in the case.
  • Recount only those facts that are necessary for understanding the issue.
  • Review your work for brevity and accuracy. Picture yourself as a client receiving the memo.
  • The page limit is a ceiling. You may find you need less space. If so, that's a good thing.
Michael will discuss legal memos in class on the 5th, spending the rest of the time on privacy and data protection. 

Berkeley Journal of Law and Technology Writing Contest (for JD students)

Hi all,

Berkeley announced its latest student writing competition. Prizes are:
  • 1st Prize: $2,000 & Publication in the Fall 2014 Issue of BTLJ*
  • 2nd Prize: $750
  • 3rd Prize: $500
Deadline is March 1st, which is very tight for those of you in first year. However, keep this competition in mind going forward. Privacy and data protection is in scope for this journal, which is one of the best law and technology venues in the world. 

There should be a summer and fall competition as well, so the paper that you write for this course is a candidate for entry at a later date. 

James

Special report recommends more accountability from Canadian spy agencies

The Office of the Privacy Commissioner of Canada (OPC) released a report last week that calls on Canadian spy agencies like CSEC and CSIS to be clearer about what they do with the personal information they collect on Canadians. The special report is called Checks and Controls: Reinforcing Privacy Protection and Oversight for the Canadian Intelligence Community in an Era of Cyber-Surveillance. It appears the OPC is saying that the cloak of "national security" should no longer provide a carte blanche for collecting personal data without any oversight or accountability. Some recommendations from the report:

  • Require CSEC to produce annual non-classified reports about its activities
  • Expand reporting requirements on use of surveillance and electronic monitoring
  • Reform privacy legislation like the Privacy Act and PIPEDA to control over-collection of information. Key suggestions include requiring agencies to explain the need for collecting personal information and conducting assessments on how data collection may impact individual privacy
  • Increase Parliament's oversight role, including regularly calling on members of the intelligence community to appear before committee

It will be interesting to see if Parliament and the spy agencies are receptive to the recommendations and if any of the recommendations are implemented.

Link to the special report:


CBC Article: 

Monday, February 3, 2014

Hotels hit with credit card fraud scheme

White Lodging, the operator of several hotel franchises such as Marriott, Sheraton and Westin, has confirmed that some of its guests were victims in a recent credit card fraud scheme. The unique pattern that occurred in this scheme – cards affected were used at hotel restaurants and gift shops across different states – led experts to suspect that the intrusion likely occurred through emails to employees at a payment processing center. Further, it was suggested that the fraud was made possible in the U.S. because many customers there still use credit cards without the chips or PINs.


This also leads to the issue of remedy. In the article, it was mentioned that while the card issuers were usually the ones absorbing the losses, they were now under pressure to recover the funds. In light of this issue and our upcoming class on data protection, I wonder if the hotels would also be held liable in cases like this, given that their systems are likely the ones that were hacked and compromised.

Original article on the Globe and Mail:
http://www.theglobeandmail.com/technology/marriott-hotel-hit-with-massive-credit-card-fraud-scheme/article16661461/