Privacy

Enforcing Canadian Privacy Laws Against American Social Networking Companies

/ Christopher Parsons

Photo by Jimmy Emerson

As mentioned previously, I’ve been conducting research with academics at the University of Victoria to understand the relationship(s) between social networking companies’ data access, retention, and disclosure policies for the past several months. One aspect of our work addresses the concept of jurisdiction: what systems of rules mediate or direct how social media companies collect, retain, use, and disclose subscribers’ personal information? To address this question we have taken up how major social networking companies comply, or not, with some of the most basic facets of Canadian privacy law: the right to request one’s own data from these companies. Our research has been supported by funding provided through the Office of the Privacy Commissioner of Canada’s contributions program. All our research has been conducted independently of the Office and none of our findings necessarily reflect the Commissioner’s positions. As part of our methodology, while we may report on our access requests being stymied, we are not filing complaints with the federal Commissioner’s office.

Colin Bennett first presented a version of this paper, titled “Real and Substantial Connections: Enforcing Canadian Privacy Laws Against American Social Networking Companies” at an Asian Privacy Scholars event and, based on comments and feedback, we have revised that work for a forthcoming conference presentation in Malta. Below is the abstract of the paper, as well as a link to the Social Science Research Network site that is hosting the paper.

Abstract:

Any organization that captures personal data in Canada for processing is deemed to have a “real and substantial connection” to Canada and fall within the jurisdiction of the Personal Information Protection and Electronic Documents Act (PIPEDA) and of the Office of the Privacy Commissioner of Canada. What has been the experience of enforcing Canadian privacy protection law on US-based social networking services? We analyze some of the high-profile enforcement actions by the Privacy Commissioner. We also test compliance through an analysis of the privacy policies of the top 23 SNSs operating in Canada with the use of access to personal information requests. Most of these companies have failed to implement some of the most elementary requirements of data protection law. We conclude that an institutionalization of non-compliance is widespread, explained by the countervailing conceptions of jurisdiction inherent in corporate policy and technical system design.

Download the paper at SSRN

Lawful Access is Dead; Long Live Lawful Intercept!

/ Christopher Parsons

Honest PhoneLawful access was a contentious issue on the Canadian agenda when it was initially introduced by the Martin government, and has become even more disputed as subsequent governments have introduced their own iterations of the Liberal legislation. Last year the current majority government introduced Bill C-30, the Protecting Children from Internet Predators Act. In the face of public outcry the government sent the bill to committee prior to a vote on second reading, and most recently declared the bill dead.

Last year I began research concerning alternate means of instituting lawful access powers in Canada. Specifically, I explored whether a ‘backdoor’ had been found to advance various lawful access powers: was Industry Canada, through the 700MHz spectrum consultation, and Public Safety, through its changes to how communications are intercepted, effectively establishing the necessary conditions for lawful access by compliance fiat?

In this post I try to work through aspects of this question. I begin by briefly unpacking some key elements of Bill C-30 and then proceed to give an overview of the spectrum consultation. This overview will touch on proposed changes to lawful intercept standards. I then suggest how changes to the intercept standards could affect Canadians, as well as (re)iterate the importance of publicly discussing expansions to lawful access and intercept powers instead of expanding these powers through regulatory and compliance backdoors.

Continue reading

Graph Search and ‘Risky’ Communicative Domains

/ Christopher Parsons

Photo by Lynn Friedman

There have been lots of good critiques and comments concerning Facebook’s recently announced “Graph Search” product. Graph Search lets individuals semantically query large datasets that are associated with data shared by their friends, friends-of-friends, and the public more generally. Greg Satell tries to put the product in context – Graph Search is really a a way for corporations to peer into our lives –  and a series of articles have tried to unpack the privacy implications of Facebook’s newest product.

I want to talk less directly about privacy, and more about how Graph Search threatens to further limit discourse on the network. While privacy is clearly implicated throughout the post, we can think of privacy beyond just a loss for the individual and more about the broader social impacts of its loss. Specifically, I want to briefly reflect on how Graph Search (further?) transforms Facebook into a hostile discursive domain, and what this might mean for Facebook users.

Continue reading

Smart Chip, Simple Illusions: NFC and the BC Services Card

/ Christopher Parsons / 2 Comments
This is a guest post from my colleague, Adam Molnar, who has been conducting research on the BC Services Card. Adam is a PhD Candidate in the Department of Political Science at the University of Victoria and a member of the New Transparency Project. His dissertation research focuses on security and policing legacies associated with mega-events. You can find him on Twitter at @admmo

Image by Pierre Metivier

In just two weeks, the province of British Columbia will be launching the new BC Services Card. If you haven’t already heard about the new province-wide identity management initiative, it’s not your fault; the government only began its public relations campaign for the Services Card initiative six weeks before the card was set to hit wallets and hospitals across the province. In fact, the government’s been so unforthcoming about the new Cards that, just six weeks before it’s release, the British Columbia Office of the Information and Privacy Commissioner is racing to adequately review the program. To be clear: this isn’t a new initiative, but one going back several years. The unwillingness to disclose the documents necessary for the Commissioner’s review is particularly troubling since the Services Card is just one component in a much larger transformation of the province’s movement to its integrated identity management program. Will similar tardiness to assist the province’s privacy czar pervade this entire transition? Will the public be as excluded from future debates as they have from the Services Card development and deployment regime?

The Services Cards feature a host of security enhancements, including layered polycarbonate plastics, embedded holography, laser etchings for images and text appearing on the card, and the integration of a Near Field Communications (NFC) chip. For this post, I focus exclusively on the NFC chip, that is meant to ‘secure’ your identity when presenting the card to government agencies, either in person or online.

The BC government has been touting NFC as an enhanced security feature in the Services Card initiative. While this technical feature might enhance the perception of privacy (especially when buttressed by official provincial political rhetoric), they actually entail serious flaws. These flaws could leave the personal information of BC residents and government databases vulnerable to attack; the security ‘features’ could be the beachhead that leads to serious privacy breaches.

Continue reading

Biometrics and the BC Services Card

/ Christopher Parsons / 3 Comments

Image by kentkb

Anti-fraud capabilities are touted as a major component of the proposed BC Services Card. While the government is almost certainly overstating the issue of fraud, the political rhetoric around fraud doesn’t inherently mean that proposed anti-fraud mechanisms will be similarly overstated. Indeed, many of the Services Card’s suggested changes could be helpful in limiting the issuance of fraudulent identity documents; adding a card holder’s photo, an expiry date, and anti-counterfeiting technologies to new medical CareCards could be quite helpful in ascertaining, and addressing, fraud levels. Unfortunately, the biometric systems that will also be linked to the Services Cards are unlikely to significantly defray fraud.

In this post I continue my analysis of the BC Services Card, this time with a focus on the cards’ integration with biometric analysis technologies. I begin by giving a primer on the origins of biometric analysis for identity documents in BC, and then move to outline how the government asserts that the biometric analyses should work. I then explain why adopting biometric identifiers matters: why don’t they tend to work? what is at stake in their inclusion? I conclude by (re)suggesting some entirely reasonable security processes that might defray fraud without needing the cards’ proposed biometric properties.

Continue reading

Another Step Closer to Reining in ALPR in BC

/ Christopher Parsons / 1 Comment

Photo by Vince Alongi

For the past several years I’ve had the privilege of working with excellent colleagues, Rob Wipond and Kevin McArthur, in opposing how Automatic License Plate Recognition (ALPR) systems are deployed in BC. It’s been a long slog, and taken a long time, and led to an awful lot of writing, but after a favourable decision by the BC Privacy Commissioner about the technology (short: it’s permissible, in limited circumstances, so long as local police don’t upload innocent license plates snapped by the cameras, and confirm the validity of algorithmically identified guilty plates) it looked like the tides had turned.

And then we learned that the Commissioner’s decision wouldn’t necessarily apply to the RCMP. In response, Vincent Gogolek of the BC Freedom of Information and Privacy Association wrote piece about the limits of the BC Commissioner’s mandate, titled “It Takes Two To Kill Illegal Police Licence Surveillance.” His argument was that stopping the worst surveillance practices linked with ALPR would require ruling by the provincial and federal privacy commissioners. We also learned that some provincial police forces – which fell under the purview of the BC Commissioner – were refusing to comply with the Commissioner’s decision. This latter issue led Wipond to publishing an article titled “So it’s illegal surveillance, so what?

Continue reading