Tag: Personal Information

Categories
Writing

Intelligence Commissioner Raises Concerns About Canada’s Federal Cybersecurity Legislation

Earlier this week the Intelligence Commissioner (IC) appeared at the Standing Senate Committee on National Security, Defence and Veterans Affairs on Bill C-26, along with federal Privacy Commissioner. The bill is intended to enhance the cybersecurity requirements that critical infrastructure providers must adopt.

The IC’s remarks are now public. He made four very notable comments in his opening remarks:

  1. The IC warned that the proposed amendments to the Telecom Act would allow the minister to essentially compel the production of any information in support of orders. This information could include personal information – which under broad exceptions, could then be widely disclosed.
  2. Part 2 allows for the regulators to carry out the equivalent of unwarranted searches – where again, personal information could be collected.
  3. The CSE will play a vital role and will be the holder of this information, in a technological form or otherwise, which will contain elements for which we have a reasonable expectation of privacy.
  4. In light of the invasive nature of the Bill, he asserted that it is important that meaningful safeguards be part of the legislation so that Canadians have confidence in the cybersecurity system.

His responses to comments at committee — not yet available through Hansard — made even more clear that he believed that amendments are needed to integrate appropriate oversight and accountability measures into the legislation. The IC’s comments, combined with those of the federal Privacy Commissioner of Canada and civil society representatives, constitute a clear warning to senators about the potential implications of the legislation.

It will be interesting to see how they respond.

Categories
Aside Links

Highlights from TBS’ Guidance on Publicly Available Information

The Treasury Board Secretariat has released, “Privacy Implementation Notice 2023-03: Guidance pertaining to the collection, use, retention and disclosure of personal information that is publicly available online.”

This is an important document, insofar as it clarifies a legal grey space in Canadian federal government policies. Some of the Notice’s highlights include:

  1. Clarifies (some may assert expand) how government agencies can collect, use, retain, or disclose publicly available online information (PAOI). This includes from commercial data brokers or online social networking services
  2. PAOI can be collected for administrative or non-administrative purposes, including for communications and outreach, research purposes, or facilitating law enforcement or intelligence operations
  3. Overcollection is an acknowledged problem that organizations should address. Notably, “[a]s a general rule, [PAOI] disclosed online by inadvertence, leak, hack or theft should not be considered [PAOI] as the disclosure, by its very nature, would have occurred without the knowledge or consent of the individual to whom the personal information pertains; thereby intruding upon a reasonable expectation of privacy.”
  4. Notice of collection should be undertaken, though this may not occur due to some investigations or uses of PAOI
  5. Third-parties collecting PAOI on the behalf of organizations should be assessed. Organizations should ensure PAOI is being legitimately and legally obtained
  6. “[I]nstitutions can no longer, without the consent of the individual to whom the information relates, use the [PAOI] except for the purpose for which the information was originally obtained or for a use consistent with that purpose”
  7. Organizations are encouraged to assess their confidence in PAOI’s accuracy and potentially evaluate collected information against several data sources to confidence
  8. Combinations of PAOI can be used to create an expanded profile that may amplify the privacy equities associated with the PAOI or profile
  9. Retained PAOI should be denoted with “publicly available information” to assist individuals in determining whether it is useful for an initial, or continuing, use or disclosure
  10. Government legal officers should be consulted prior to organizations collecting PAOI from websites or services that explicitly bar either data scraping or governments obtaining information from them
  11. There are number pieces of advice concerning the privacy protections that should be applied to PAOI. These include: ensuring there is authorization to collect PAOI, assessing the privacy implications of the collection, adopting privacy preserving techniques (e.g., de-identification or data minimization), adopting internal policies, as well as advice around using attributable versus non-attributable accounts to obtain publicly available information
  12. Organizations should not use profile information from real persons. Doing otherwise runs the risk of an organization violating s. 366 (Forgery) or s.403 (Fraudulently impersonate another person) of the Criminal Code
Categories
Links Writing

Apple Logs Your iMessage Contacts — and May Share Them With Police

The Intercept:

Every time you type a number into your iPhone for a text conversation, the Messages app contacts Apple servers to determine whether to route a given message over the ubiquitous SMS system, represented in the app by those déclassé green text bubbles, or over Apple’s proprietary and more secure messaging network, represented by pleasant blue bubbles, according to the document. Apple records each query in which your phone calls home to see who’s in the iMessage system and who’s not.

This log also includes the date and time when you entered a number, along with your IP address — which could, contrary to a 2013 Apple claim that “we do not store data related to customers’ location,” identify a customer’s location. Apple is compelled to turn over such information via court orders for systems known as “pen registers” or “trap and trace devices,” orders that are not particularly onerous to obtain, requiring only that government lawyers represent they are “likely” to obtain information whose “use is relevant to an ongoing criminal investigation.” Apple confirmed to The Intercept that it only retains these logs for a period of 30 days, though court orders of this kind can typically be extended in additional 30-day periods, meaning a series of monthlong log snapshots from Apple could be strung together by police to create a longer list of whose numbers someone has been entering.

That Apple has to run a lookup to see whether to send a message securely using Messages or insecurely using SMS isn’t surprising. And the 30 day retention period is likely to help iron out bugs associated with operating a global messaging system: when things go wonky (and they do…) engineers need some kind of data to troubleshoot what’s going on.

Importantly, Apple is not logging communications. Nor is it recording if you communicate with someone who is assigned a particular phone number. All that is retained is the lookup itself. So if you ever type in a wrong number that lookup is recorded, regardless of whether you communicate with whomever holds the number.

More troubling is the fact that Apple does not disclose this information when an individual formally requests copies of all their personal information that Apple retains about them. These lookups arguably constitute personal information, and information like IP addresses etc certainly constitute this information under Canadian law.

Apple, along with other tech companies, ought to release their lawful access guides so that users know and understand what information is accessible to authorities and under what terms. It isn’t enough to just disclose how often such requests are received and complied with: customers should be able to evaluate the terms under which Apple asserts it will, or will not, disclose that information in the first place.

Categories
Links

Jawbone reportedly tried to sell itself

Jawbone reportedly tried to sell itself:

Jawbone’s hunger to sell itself is evidence of how dire the situation has become for one of leading wearable tech companies in the industry. Competitor Fitbit has managed to increase sales of its fitness trackers even with Apple participating. Jawbone, on the other hand, has seen its relevance in the market wither with time, as it’s transitioned from bluetooth audio products to wrist-worn fitness bands. Many other wearable makers, including Misfit and Basis, have sold themselves to large tech or apparel companies, and even giants like Nike have gotten out of the wearable hardware business. Jawbone’s fate may be similar, but it’s running out of time. According to The Information, Jawbone delayed payment to one of its business partners this month.

Jawbone is sitting on a lot of user information. While they sell physical things, I’m mostly interested in knowing the value of all the fitness information that will presumably be sold as part of the business.

Categories
Writing

Skype Discloses Subscriber Info to Private Investigators

In a not-particularly-surprising move, Skype handed over a 16 year old’s subscriber information to a firm hired by Paypal. No warrant was required, as the information was provided to a private party, and that party subsequently gave it to police. In essence, a very large telecommunications service provider (TSP) made available personally identifiable information that, ultimately, led to an arrest without authorities having to convince a judge that they had legitimate grounds to get that information from the TSP.

At a talk I recently attended, a retired Assistant RCMP Commissioner emphasized time and time again that Canadians need to be more worried about corporations like Skype, Google, and Facebook than they do the federal or provincial governments. He correctly, I believe, spoke to the social harms that these companies can and do cause to individuals who both subscribe and do not subscribe to the companies’ service offerings.

Non-controversially, we know that many large companies can take actions that are harmful to individuals, as can states themselves. What is less recognized, however, is that there are more and more cases where private intermediaries are acting as one or two degrees of separation between public institutions and large private data stores. Such ‘intermediary protection’ often lets states access and use personal data that they otherwise cannot access without considerable difficulty. Worse, where authorities refuse to bring intermediary-provided data to court it can be challenging for accused persons to argue that an investigation was predicated on inappropriate access to their personal data. More time has to be spent considering the role of these data intermediaries and thinking through how to prevent the disclosure of personal data to state authorities in the absence of judicial oversight. Failure to tackle this problem will simply lead to more and more inappropriate access to corporate data by authorities, and critically to access without adequate or necessary judicial oversight.

Categories
Links Writing

App Developers Face Fines for Lacking Privacy Policies

To be clear and up front: privacy policies suck. I’m currently analyzing the policies of major social networks and if the policies were merely horrific then they’d be massively better than they actually are today.

That said, a privacy policy at least indicates that an organization took the time to copy someone else’s policy. For the briefest of moments there was some (however marginal) contemplation about how the organization’s actions related to privacy. While most companies will just hire a lawyer to slap legalese on their websites, a few will actually think about their data collection and its implications for individuals’ privacy. That’s really all you can hope for privacy policies to generally accomplish unless the company out-and-out lies in their policy. If they do lie then you can get the FTC involved.

The potential for ‘enjoying’ a $2,500 fine per download if a company lacks a privacy policy is a massive stick and, hopefully, will get developers to at least consider how their collection of data implicates users’ privacy. The California approach is not the solution to the problem of people’s data being collected without their genuine consent but at least it’s a start.

Categories
Aside

How long American telcos hold onto customer data