Privacy - News

  • – 2015-05-18 –

    CIPPIC has joined over 65 civil society organizations from around the world in an open letter to Mark Zuckerberg regarding Facebook's Internet.org initiative. Internet.org is Facebook's portal for mobile Internet access in developing countries. The portal is essentially a mobile app through which individuals can access other Internet sites, after first passing through Facebook's servers. The portal is zero rated, meaning that Facebook has entered into deals with wireless providers around the world that exclude Internet.org usage from data charges. While Facebook presents this as an altruistic initiative designed to get the next 3 billion Internet users connected, many have questioned whether it is truly altruistic or simply an attempt to place Facebook at the centre of the future Internet, establishing it as gatekeeper to downstream content and innovation. Meanwhile, the initiative detracts from other charitable efforts designed to provide true connectivity capacity in developing countries and, as domestic telcos are forced to shoulder the costs of the initiative, it is not clear what benefit Facebook provides to developing countries at all.

    Regardless of its motivation, Facebook's Internet.org leaves much to be desired. Where it is active, individuals already think of Facebook as 'the Internet'. However, the Internet provided by Facebook is a highly curated environment, which only allows sites pre-approved by Facebook that operate on Facebook's terms. In this sense, it threatens the expressive and innovative force of the Internet, which has always relied on the capacity to innovate and express without permission. It is, indeed, this 'innovation without permission' model that allowed Facebook itself to supplant MySpace as the world's leading social networking site - Facebook's ability to reach its audience was not dependent on MySpace's (or anyone else's) permission. Additionally, all Internet.org traffic passes through Facebook's servers, raising concerns it will in time feed into Facebook's broader profiling activities while acting as a one-stop hub for state censorship initiatives. Internet.org simply comes with too many strings attached.

  • – 2015-03-24 –

    Bill S-4, the Digital Privacy bill, introduces amendments to PIPEDA, Canada's federal commercial sector privacy law. The Bill, a result of PIPEDA's first five-year review conducted in 2006, introduces some long overdue improvements to Canada's privacy protection toolset at a time when privacy has never faced greater challenges. These include the adoption of a breach notification regime which would obligate companies to notify customers (as well as the Privacy Commissioner) whenever a privacy breach can place affected individuals at risk of significant harm, and the adoption of more robust consent obligations. However, as CIPPIC pointed out in its testimony and response to follow-up questions, the framework adopted by Bill S-4 in addressing these issues is flawed. The data breach notification regime in particular will fail to instill incentives for better security safeguards as it only applies to breaches that pose a significant threat of harm to affected individuals. Yet the reality of security breaches is that it will often be highly uncertain whether data was even exposed, meaning many serious breaches will go unreported. Moreover, even trivial breaches that do not pose a specific risk to individuals are often indicative of a general laxity in technical safeguards. These too will remain unreported.

    Of greater concern, the Bill also includes a number of troubling exceptions that would expand the conditions under which organizations can hand over sensitive customer information to third parties. One exception would allow ISPs, online blogging discussion fora, social media sites and others to help companies trying to sue their customers by handing over sensitive customer information. It also allows for nigh unlimited information-sharing in the context of a cybersecurity breach. Such breaches often implicate immense amounts of sensitive data. The PIPEDA amendments fail to impose any obligations for companies dealing with a breach to minimize privacy impact when handing over these data troves. Additionally, our national security agencies are increasingly implicated in domestic security breaches, yet Bill S-4 does nothing to prevent them from repurposing the data troves they receive for security breaches into general security information and keeping it indefinitely. As such, there is serious concern that the emails, financial/banking information, health data, and other sensitive information that is commonly implicated in data breaches will simply be rolled into these security agencies' general profiling activities and ultimately used against the individuals whom the data breach notification regime is supposed to protect. Indeed, Bill C-51, currently being rushed through both houses of parliament at once, will make it even easier by removing barriers to 'all of government' information sharing for cybersecurity purposes.

  • – 2015-01-29 –

    Data Privacy Day (a.k.a. Data Protection Day) 2015 marked a range of developments - some good, some bad, all significant. Data Privacy Day is celebrated annually to commemorate the world's first data protection treaty: the Council of Europe's Convention 108. This year, the day began with a series of startling revelations from CBC, which released documents acquired through former NSA Analyst Edward Snowden detailing a comprehensive electronic surveillance program that monitored various file upload sites around the world. The program, implemented by Canada's foreign intelligence agency, CSEC, involved combing through its comprehensive meta-data-bases in order to identify individuals uploading or accessing 'questionable' documents on sites such as MegaUpload and Rapidshare. Visitors to such documents are then subjected to intense meta-data-scrutiny in order to find their identity through such things as Facebook and email login cookies. Aside from the millions of documents tracked by the program daily, the program demonstrates an immensely invasive capacity that can emerge from mere analysis of the metadata held by CSEC and its Five Eyes partners. Far from acknowledging these concerns, we expect more of the same, with State promises to introduce expanded lone wolf surveillance powers this Friday.

    Some tentatively promising developments from APEC also came this week. CIPPIC had endorsed a letter sent by a number of privacy groups in late December pointing to several issues with APEC's certification of TRUSTe as an accountability agent capable of overseeing compliance with APEC obligations for the purpose of receiving personal data transfers from other APEC member states such as Canada. This week, APEC and TRUSTe addressed a number of the concerns, but left a few (particularly those relating to conflicts of interest between TRUSTe board members and some of the commercial organizations it is tasked with overseeing) outstanding. In brighter news, the Mexican data protection authority announced it would be officially signing the International Principles on the Application of Human Rights to Communications Surveillance (IPAHRCS-es for short!), designed to provide comprehensive suggestions on how to conduct electronic surveillance in a targeted and privacy-respecting manner. The IPAHRCS have now been endorsed by over 480 international organizations, experts and government officials. An eventful Data Privacy Day, for better or worse!

  • – 2014-06-03 –

    CIPPIC testified today before the House of Commons Standing Committee on Access to Information, Privacy & Ethics on the growing problem of identity theft. As CIPPIC highlighted in its testimony, identity theft is, in many ways, the crime of the digital age. It exploits the immense amounts of information about individuals that is available on digital networks in order to exploit them through an increasingly profitable range of fraudulent activities. The cost, time and trauma inherent in the identity recovery process make identity theft a serious social problem. CIPPIC's testimony highlighted the need for stronger privacy laws as a means of minimizing identity theft. PIPEDA, Canada's data protection law, is the primary mechanism for empowering individuals to better control their personal information. It also obligates organizations to properly safeguard their customers' personal information. However, PIPEDA lacks the most basic features of any effective regulatory regime -- enforceability and compliance incentives. These shortcomings must be addressed as part of any meaningful attempt to address the problems of identity theft. In addition, entities such as the Canadian Identity Theft Support Centre, which play a crucial role in the victim recovery process, need to be fostered and developed further. Overall, CIPPIC called for the development and adoption of a national strategy on identity theft that would adopt these and other measures in a comprehensive response to this growing problem.

  • – 2014-05-30 –

    A large coalition of Canada's leading privacy experts and civil society groups wrote to Prime Minister Stephen Harper Friday regarding the federal government's increasing failure to protect the privacy of Canadians. The letter points to the government's efforts to increase the ability of law enforcement and other state agencies to exploit new technologies in order to invade Canadians' privacy (pointing specifically to Bill C-13, currently being rushed through parliamentary committee under the guise of 'cyber bullying' legislation), while steadfastly refusing to address long-standing privacy problems raised by the same technological developments. The letter specifically points to the unchecked surveillance activities of Canada's foreign intelligence agency, CSEC, and the steadfast refusal to update ageing but central privacy and transparency statutes as an indication of some of the long-standing privacy problems the government has refused to act on. It calls on the government to take its review of the privacy-invasive elements of Bill C-13 seriously, and to establish a commission to examine privacy and state surveillance in the digital age. Finally, the letter decries the controversial nomination of a government official as Privacy Commissioner of Canada, a nomination which was made in direct contradiction to the government's own selection committee. Specifically, the letter noted the problematic timing of this appointment, which arrives at a time when fundamental decisions that will affect the privacy of Canadians for decades are being made and leaves Canada without a privacy watchdog to weigh in on these formative debates.

  • – 2013-03-30 –

    CIPPIC participated in a consultation held by the Assemblée nationale du Québec on the Province's data protection and right to information framework. The consultation sought input on a set of recommendations issued by the Commission d'accès à l'information du Québec and designed to update Québec's freedom of information statute and privacy statute in light of technological changes.

    CIPPIC's submission addressed a number of the Commission's recommendations, including issues arising from risks of re-identification, the need for data minimization obligations, the need for a right to information that extends to data that must be processed before it can be released, and the need to impose an obligation on the government to proactively disclose data useful to the public in interoperable formats.

  • – 2013-02-27 –

    CIPPIC welcomed the announcement of private member's Bill C-475, which proposed amendments to Canada’s federal privacy legislation, PIPEDA. The proposals will bring long overdue privacy protections for Canadians, including a comprehensive data breach notification regime and, critically, much needed enforcement powers for Canada’s privacy laws. A long-enduring and central gap in Canada’s privacy protections is the ongoing inability of the Privacy Commissioner to force non-compliant organizations to meet their privacy obligations. Even as our Courts, our provincial legislatures, and most of our international counterparts have recognized the increasing need to protect privacy in a digital era, our federal privacy regime remains toothless and our federal Privacy Commissioner lacks the basic power to enforce her own compliance orders. 

    In addition, the lack of a comprehensive data breach notification regime puts Canadians' personal information at great risk. Experience from jurisdictions around the world has demonstrated that a legal obligation to notify individuals when their data has been put at risk is an essential component of any privacy protection regime. Not only does this notification requirement provide an opportunity for individuals to take protective measures against privacy harms ranging from identity theft to great embarrassment, but it also provides a poignant incentive for organizations to put in place the practical and technical mechanisms necessary to avoid such breaches in the first place.

  • – 2013-01-28 –

    Data Privacy Day and its European counterpart, Data Protection Day, commemorate the signing of the world's first international treaty on data protection -- the Council of Europe's Convention 108. Data protection is rapidly becoming an international norm, as recent developments have brought the number of countries with data protection legislation to 89, globally. Additionally, 2012 saw an unprecedented commitment by lawmakers in one of the largest data markets -- the United States, a long-time adherent of a sectoral approach to privacy protection -- to the enactment of data protection laws. Our courts have similarly advanced the cause of privacy with landmark decisions that recognized the right to anonymity in judicial proceedings, a constitutional right to individual notification when police intercept communications in an emergency, and the right to privacy in our work computers. In addition, our Federal Privacy Commissioner released a sweeping (but yet to be enforced) Finding on the privacy practices of a youth-based social networking site, Nexopia. Finally, advances in transparency have helped us better understand how our information is being accessed by the government, as more organizations began publishing statistics on government access, and Google, who pioneered the transparency reporting model, has increased the scope of their own reports so that the public can better assess the nature of government requests.

    At the same time, the challenges have never been greater with online surveillance legislation, long over-due updates to our federal privacy statutes (PIPEDA and the Privacy Act) still nowhere in sight, and legislative initiatives that will allow our online service providers to hand over our data to litigants and copyright trolls alike -- all on the horizon.

  • – 2012-12-17 –

    Last week, Voltage Pictures filed a motion to identify approximately 2,000 IP addresses allegedly belonging to individuals who have infringed its copyrights by means of peer-to-peer file sharing mechanisms. CIPPIC is seeking to intervene in this matter to ensure that procedural safeguards and the privacy rights of the anonymous Does are respected.

    On December 14, 2012, CIPPIC filed a letter with the Federal Court seeking to delay the hearing of Voltage's motion to compel Internet Service Provider Teksavvy Solutions to disclose the identities of its subscribers alleged to have downloaded movies the copyright to which Voltage owns. Although supporting evidence for the motion was only filed on Tuesday, December 11, it was scheduled to be heard today (only 6 days later). While CIPPIC is not yet a party to this proceeding, its letter was intended to ensure the Court was aware of the numerous legal and policy issues raised by Voltage's request. The letter asked the Court to provide more time for defendants to respond to the motion, as well as to provide time for CIPPIC's own intended intervention. Today, in court, Teksavvy similarly asked the Court to extend timelines for this process, which it did. The next hearing date will be January 14, 2013.

  • – 2012-09-27 –

    The Supreme Court of Canada recently issued A.B. v. Bragg Communications Inc., 2012 SCC 46, in which it reasserted the need to protect privacy, as well as the sensitivities of cyberbullying victims within the discovery process. Historically, the ever-important principle that justice must be public prevented victims of certain wrongs from protecting their identity when pursuing lawsuits. In its intervention, CIPPIC argued that in an age of heightened privacy concerns, the impact of forcing litigants to air their dirty laundry in a public, permanent online record will in many cases exceed what is typically a narrow public interest in knowing the identity of a litigant. Further, in scenarios involving cyberbullying, preventing litigants from proceeding pseudonymously will in many cases prevent access to the law, as a desire to avoid re-victimization may push the objects of cyberbullying to forgo enforcement of their rights altogether.

    While reaffirming the vital importance of the open court principle, the Court, in a unanimous judgement penned by Madam Justice Abella, held that the relationship between this principle and the right to privacy, as well as the realities of cyberbullying, requires elaboration. The Court particularly emphasized the importance of respecting the privacy of youths and the need to avoid discouraging litigation by exposing victims of cyberbullying to revictimization as a result of litigation. Allowing broader scope for anonymous litigants would advance privacy rights and allow victims of cyberbullying to access the justice system. Furthering these values outweighs the minimal harm that may result to the open justice principle if the identity of litigants is protected from the public eye.