Holistic strategy is better for privacy laws

Posted on May 6, 2013 by David Canton

For the London Free Press – May 6, 2013 – Read this at lfpress.com

There has been controversy in the United States in the last few weeks about their patchwork of privacy laws in contrast to the holistic approach favoured by Canada and the European Union. This matters as commerce and cloud services become more borderless.

The U.S. approach to privacy has been to enact laws that apply to narrow areas as problems are perceived, rather than to look at privacy as a broader subject to regulate.

For example, in 1988 the United States Congress passed the Video Privacy and Protection Act to prevent wrongful disclosure of videotape rental or sale records. Though such laws may be effective in the short term, they have a narrow focus, fail to address future technology and leave gaps. And the process to change existing laws is typically glacier slow.

Some privacy regulation is the U.S, isn’t based on privacy laws at all, but on regulatory action and class-action lawsuits based on notions such as the breach of a company’s privacy policy. In other words, the wrong was a breach of a privacy promise, not a breach of a legal privacy requirement.

In contrast, the Canadian and European model deals with privacy on a holistic basis. The holistic approach allows for existing privacy laws to adapt to new technologies rather than having to create new privacy laws in response to new technologies.

In any given Canadian province there are likely no more than two privacy statutes that apply to the private sector.

One applies to personal information generally, and there’s often a separate one that applies to medical records. This is a far more stable, all-encompassing and technology-neutral approach to privacy issues than the U.S. model.

Peter Fleischer, global privacy counsel at Google, recently commented on this issue and his desire to see the United States enact better privacy laws. He notes not a single country has followed the U.S. model.

Fleischer praises European privacy laws for their simplicity and warns if changes aren’t made to the U.S. approach “privacy will prove a serious roadblock to any such future trade back (with the European Union), as long as some people in Europe can argue that the U.S. has not-effective privacy laws.”

Fleischer provides the example of Uruguay that has looked to Spain. as opposed to the U.S., when drafting its recent privacy laws.

In the long run, the holistic approach is a far better and more effective model to protect privacy interests. The holistic approach makes it easier for businesses to understand their obligations and comply, easier for individuals to know where they stand, has less risk of leaving privacy gaps, and makes it easier to deal internationally when other countries require privacy protection as a condition of personal information crossing borders.

As the world continues to emerge from the global economic crisis and the trend toward global integration continues, Canada’s holistic privacy framework will help us take advantage of global opportunities while a less-effective framework could damage U.S. efforts.

http://harrisonpensa.com/lawyers/david-canton

Perspective is an important element of Privacy

Posted on April 17, 2013 by David Canton

Todays Slaw post:

One thing I find consistent about privacy issues is an inconsistency in approach and viewpoint. What is and is not deemed acceptable seems to change dramatically based on several factors, including geographic location (which I suppose is really more of a cultural issue than a geographic one), whether it is about one’s own information or you are doing something with someone else’s information, and whether the party with the information is government or business.

Many times it comes down to issues of trust, understanding, surprise, and how public one wants their life to be.

An example is in this article entitled Eric Schmidt is using the same argument against drones that others use against Google Glass.

One of the most common concerns raised about Google Glass (other than looking like a nerd) is the potential for privacy invasion. The more of these there are around, the more likely each one of us is going to be captured on the video they can take whether we like it or not. And where is all this video going to end up? That issue has also been raised about drones. Google’s Eric Schmidt has apparently stated that drones should be strictly regulated for privacy reasons, which seems inconsistent with their approach to Google Glass.

Perhaps one explanation for this could be that privacy in the United States is viewed differently than in Canada and other parts of the world. In the US, privacy is not approached as a holistic discrete topic to be regulated by general principles. Instead, it is regulated on a piecemeal basis, such as a privacy law that applies only to movie rentals.

http://harrisonpensa.com/lawyers/david-canton

Anti-spam Q&A

Posted on April 11, 2013 by David Canton

I recently presented a webinar on the anti-spam law that was hosted by Andrew Schiestel of TBK Creative.

That webinar can be viewed here. Also see the 5 part article series I recently wrote on the topic.

A number of questions came up on the webinar that we did not have time to answer. Some of those questions are answered below, and are also available on the TBK Creative site.

Attendee: Is this new law in effect? If not, when do you think it will be?

David: The law is not yet in effect. We are still waiting for some regulations to be finalized. It is not known when it will be in effect, but expectations are late 2013.

Attendee: Can you contact people as a result of info they provided on a raffle ballot or a survey?

David: That would not amount to consent unless there was an explicit, clear statement to that effect when the address was provided.

Attendee: Do opt-ins apply for “life”, unless they opt-out at a later date? Or does the two year term apply to opt-ins?

David: Opt-ins have no automatic expiry date. The two year concept applies only to certain implied consents.

Attendee: Are there any exceptions for educational institutions? eg. Universities.

David: The Act focuses on the commercial nature of the message, not the nature of the person or entity sending it.

Attendee: I work for a non-profit that sells training programs and learning products. When someone buys or attends training, is there an implied permission that we can contact them about future related trainings?

David: The Act refers to the nature of the activity rather than the nature of the organization. So if someone buys training, it is considered an “existing business relationship” for the purposes of implied consent, and the 2 year rule applies. If they attend but have not purchased it, it is not considered an “existing business relationship”. If the training is free, it may be that it is not of a “commercial character”, and thus not considered spam. But what is and is not included in “commercial activity” is not clear at this point, and may be broader than one might think.

Attendee: Will the 2 years be retroactive from the law taking effect? Or only moving forward?

David: The various 2 year implied consent rules relate to when the activity triggering the start of the 2 year rule happens. So for that purpose the date the Act comes into force is not relevant, and such activities occurring before the Act comes into force would apply.

Attendee: What about member associations and member lists. As a member association, is the association responsible for communication from one member to another, or is the sender accountable?

David: The person responsible is the person sending the message (or the person on whose behalf the message is sent). So if members email each other, the association is not responsible under the Act.

Attendee: Is “liking” or “following” someone on Facebook and Twitter a form of consent?

David: The Act’s application to social media is not totally clear. Any messages that are received by whomever is following you ought not to be caught by the Act. But a direct message sent from one user to another does seem to fall into the definitions. Since consent has to be for an explicit purpose, it is unlikely that “liking” or “following” someone would suffice as consent.

Attendee: Just got a monthly report email from my MP. Would this fall into the definition of a spam email?

David: It would probably not be considered to be commercial activity, and thus not considered spam.

Attendee: How are RSS feeds handled under this Act? Most require a sign-up to receive them.

David: RSS feeds are not caught. An RSS feed is just a way to follow what someone publishes. The “sender” has no control over who receives it, and it would not be a message “…sent to an electronic address…”

Attendee: You say to get compliant consents now. Given the uncertainty of how the law will be implemented, would it not be appropriate to wait until the regulations are published and then get the consents during the ‘grace period’ before the regulations are enforced?

David: Yes. In the meantime, you can sort out the nature of your messages, how you got the email addresses in the first place, and how you will record consents.

Gadgets encroach on privacy

Posted on April 8, 2013 by David Canton

For the London Free Press – April 8, 2013 – Read this at lfpress.com

Machines that become self-aware and rebel against their human creators is a popular science fiction theme. A threat more immediate than Terminator’s Skynet or BSG’s rebelling “toasters” is that of our belongings spying on us.

As technology becomes more sophisticated, it enables more intrusion into individual privacy. Our belongings increasingly generate information about us, and the Internet will make more of our belongings — such as our homes and appliances — connected and able to share that information.

The use of data tracking and collecting by cars and smartphones are good examples.

Our smartphones and the applications we use every day are collecting more and more information about us. The inclusion of “black boxes” in cars also allows this same intrusion.

Many of us have smartphones. This new terminology provides an accurate description of how powerful these devices have become. Most people are focused, and understandably excited, about the capabilities they have provided. But there is a less of a focus on the sheer amount of personal information they can provide to various third parties and what potential impact this could have in the future.

The average smartphone user would likely use their phone for e-mail, Facebook, Twitter, GPS and even personal banking. With simple access to a person’s phone, organizations would be able to obtain almost a complete profile of a person and have access to all of their personal data. Modern smartphones contain little in terms of disclosing who and where this information is held and what steps are being taken to protect it.

Personal data collection has also increased considerably in cars. Though the concept of a talking car in Knight Rider seemed to be a ridiculous idea when the show first aired, we are closer to that day than ever.

For example, some car insurance companies offer discounts to people who provide them with black-box information about their cars, such as where and when they drive and how fast they drive. Though this information can be useful assisting insurance adjusters and the police to determine liability in the event of a crash, this also can be viewed as extremely intrusive.

This is not meant to suggest technological developments should be stopped, but there does need to be a real effort to think things through. What information is collected? Is that information really needed? Is it stored on the device or somewhere else? For how long is it stored? Who has access to it? For what purpose can they use it? If others have access, is it made anonymous or tied to an individual? What choices do we as individuals have over this information?

Do we feel comfortable with cellphone providers, car manufacturers, insurance companies and police knowing our every move?

How the dissemination of this information will be controlled by the courts and balanced with individual rights will develop over time. The Ontario Court of Appeal recently held that police can access, without a warrant, a phone of a person being arrested that does not contain a passcode.

On the other hand, the Supreme Court of Canada recently ruled a wiretap warrant is needed for police to obtain access to text messages in the possession of a cell company.

Some argue this collection and sharing of information should be OK for those who have “nothing to hide”, but it is a much more complex matter than that.

www.harrisonpensa.com/lawyers/david-canton

Cloud storage, privacy, and Megaupload

Posted on March 20, 2013 by David Canton

Today’s Slaw post:

The ongoing Megaupload case is a controversial lightning rod case for issues on cloud storage, privacy and copyright. Megaupload basically ran a file storage and viewing service. The US Department of justice shut them down, seized assets, and launched criminal prosecutions alleging that it is an organization dedicated to copyright infringement.

Ben Schorr mentioned the case on Slaw recently, starting with the comment that “One thing has become clear in the last few months: Hollywood has declared war on the Internet.”

Wikipedia summarizes the situation well, and points out that:

Techdirt argued that while the founder of Megaupload had a significant history of “flouting the law”, evidence had potentially been taken out of context or misrepresented and could “come back to haunt other online services who are providing perfectly legitimate services”.^[81] Eric Goldman, a professor of law at Santa Clara University, described the Megaupload case as “a depressing display of abuse of government authority”. He pointed out that criminal copyright infringement requires that willful infringement has taken place, and that taking Megaupload offline had produced the “deeply unconstitutional effect” of denying legitimate users access to their data.^[5]

Concerns include the arbitrary way the site was shut down, leaving the files of legitimate users stranded. Also the possible over-reaching effect on legitimate cloud storage sites and file sharing.

The fight has come to Canada as well. US prosecutors asked the Canadian AG to obtain a court order to send mirror imaged copies of 32 servers in Canada to US prosecutors. The Ontario Superior Court of Justice refused to give the order based on the notion that the request was overly broad, and encouraged counsel to try to agree on the scope of material that would be relevant.

I find it interesting that the same Department of Justice that has been unrelenting and perhaps over reaching in the Megaupload case, is, according the the CIO blog:

giving a qualified endorsement of an update to a 1986 privacy law that leading cloud-service providers, public-interest groups and others argue is woefully out of step with the current methods of sending and storing communications.

In testimony before a House subcommittee on Tuesday, Elana Tyrangiel, acting assistant attorney general at the DoJ’s Office of Legal Policy, affirmed the Obama administration’s support for an overhaul of the Electronic Communications Privacy Act (ECPA) to provide stronger privacy protections for Webmail, documents stored online and other cloud services.

Cloud storage can be a useful tool – but be careful what you put there, use services with a good reputation, and keep duplicates elsewhere. If your data is sensitive, consider your own encryption so no one else can see the contents.

Google Glass – The Creepy Intrusive Privacy Perspective

Posted on March 13, 2013 by David Canton

Today’s Slaw post

Google Glass is a cool concept. The thought of having a real-time augmented reality display brings interesting possibilities. In addition to possible courtroom use, take a look at 10 Compelling Ways People Plan To Use Google Glass, and 11 Kickass Ways Normal People Will Use Google Glass. Possibilities include surgery, education, gaming, and navigation.

One of the hurdles to adoption is the practical aspect of whether people will want to wear them. Especially those who have gone to great length and expense to not to have to wear glasses in the first place. And when having a conversation when using them, is your interaction with the glasses going to be unsettling to the person you are talking to? How long will it take before people who walk around with them won’t be looked on as being weird?

One aspect to ponder is the creepy intrusive privacy perspective, which is discussed in this article entitled Google Glass: Our Lives Are Not Reality TV which refers to this article entitled The Google Glass feature no one is talking about. The issue is that the more of these there are around, the more likely each one of us is going to be captured on the video they take whether we like it or not. We will have no idea when we are being recorded. And unlike security video which is kept locally for only short periods of time (at least that’s what is supposed to happen), that video could end up anywhere. What happens to all that video, especially if much of it gets stored back in a mothership somewhere? Who can get access to it? It conjures thoughts of surveillance states and surveillance societies where privacy is eroded even further.

So what do readers think? Is this issue being overstated? Is there something we can do about it? Are we headed to a place where we have and are incrementally losing every last bit of privacy?

Police can search unprotected cellphone without warrant

Posted on February 21, 2013 by David Canton

News reports say that the Ontario court of Appeal ruled that if a cellphone is not password protected, police making an arrest can search it without a warrant. While I have not yet read the actual decision to understand the nuances, this approach strikes me as wrong from a privacy perspective.

As I said in a post some time ago, to call a smart-phone a phone is really a misnomer. We need to think of them as computers with internet connections that we carry around in our pockets. Looking at a person’s phone may be the equivalent of walking into their house and looking at their bank statements, credit card bills, reading material, photo albums, and mail, and while they are there, nosing around on their computer to see all the files, email and whatever else is there including the sites they visit.

So in my view, saying that police can look at a cellphone if it is not password protected, but cannot if it is password protected is like saying that police can enter your home to search without a warrant if the door isn’t locked, but need a warrant if it is locked.

UPDATE: Here is a link to the decision.

Sharing private information brings legal issues with it

Posted on February 4, 2013 by David Canton

For the London Free Press – February 4, 2013

Read this at lfpress.com

Social media has opened the floodgates for the public dissemination of information about our private lives. Websites such as Facebook, Twitter, Instagram and Pinterest provide an unprecedented ability to share our thoughts, photographs, activities, interests and relationship status with thousands of users around the world.

This sharing brings legal issues with it when unintended users are able to access one’s apparent “private” information.

Recent Ontario court decisions illustrate the uncertain state of the law as to whether social media content should be available as evidence in legal proceedings.

In the case of Stewart v. Kempster, the plaintiff was in a car crash that she claimed caused significant and permanent physical injuries. The plaintiff alleged her enjoyment of life had decreased greatly since the accident.

The plaintiff had regularly posted photographs on Facebook for her friends and family to see. The defendant wanted those photographs admitted as evidence in the trial to rebut the plaintiff’s claim that the crash reduced her activities. Although the plaintiff had an expectation that the Facebook photographs would not be seen by unintended viewers, the court had to consider whether the interests of justice outweighed such privacy interests.

The court refused to order production of the plaintiff’s Facebook photographs. It reasoned that the plaintiff did not have any photographs that were publicly accessible, did not intend to rely on any photographs to demonstrate her pre-collision health, and had only allowed 139 “friends” (out of approximately one billion Facebook users) to access the photographs. Before deciding that, the court reviewed the photographs to determine whether they were even relevant.

In making its decision, the court referred to an earlier decision in Murphy v. Perger where the court did order a plaintiff’s Facebook photos to be produced. The plaintiff in Murphy had also been involved in a car crash and claimed she suffered significant reductions to her enjoyment of life. The court considered the privacy interests involved and ultimately ordered production of the photographs for several reasons:

The plaintiff had posted photographs on the publicly accessible portion of her Facebook account that led the court to infer that similar photographs would be posted on the private portion of her account.

The plaintiff relied on photographs taken prior to the crash to demonstrate the impact of the crash on her prior lifestyle. It would therefore have been unfairly prejudicial to not show photographs depicting her post-collision condition.

The plaintiff didn’t have a reasonable expectation of privacy in her photographs because she permitted 366 people to access her private content and allowed public access to other photographs.

These decisions show that the law evolves to address new technologies. Social media sites allow users to set security settings, but this does not automatically ensure that “private” content will be forever sealed away.

Social media users should take a moment to think before they post because they may run the risk of exposing their private lives to the public spotlight — or at the very least to someone on the opposite side of a lawsuit.

www.harrisonpensa.com/lawyers/david-canton

Police want your texts

Posted on December 5, 2012 by David Canton

Today’s Slaw post

A CNET article entitled Cops to Congress: We need logs of Americans’ text messages says that “State and local law enforcement groups want wireless providers to store detailed information about your SMS messages for at least two years — in case they’re needed for future criminal investigations.”

This issue keeps coming up – the Canadian lawful access attempts are another example.

Attempts to force the preservation of this type of communication is tremendously invasive and wrong on many levels. To me, it is no different than asking phone companies to record and save phone conversations or the post office to copy mail – “in case they’re needed for future criminal investigations.”

http://harrisonpensa.com/lawyers/david-canton/

David Canton

Technology law blog by a Canadian information technology and intellectual property law lawyer and trade-mark agent dealing with issues including software, copyright, privacy, the Internet, electronic commerce, computers

Tag Archives: privacy