Leaky Websites, Encryption Keys & Mobile Trackers: Demystifying Privacy Laws & Obligations
DESCRIPTION
In this presentation, Michael Beairsto and Timothy Banks discuss Leaky Websites, Encryption Keys & More: Demystifying Privacy Laws & Obligations. Topics include:
• Quick Primer on Privacy Basics
• Ad Networks and Analytics
• Geolocation
• Moving Data Hither and Yonder
• Encryption – What it Solves; What it Doesn’t
TRANSCRIPT
Leaky Websites, Encryption Keys & Mobile Trackers: Demystifying Privacy Laws & Obligations
Waterloo Region Law Association June 12, 2013
Dentons Canada LLP
Agenda
1. Quick Primer on Privacy Basics
2. Ad Networks and Analytics
3. Geolocation
4. Moving Data Hither and Yonder
5. Encryption – What it Solves; What it Doesn’t
Canadian Environment
• Personal Information Protection and Electronic Documents Act (PIPEDA)
  • Applies to an organization’s commercial activities
  • Does not apply to employee data
• Alberta Personal Information Protection Act
  • Applies to Alberta-based employees, contractors, consumers, etc.
• British Columbia Personal Information Protection Act
  • Applies to B.C.-based employees, contractors, consumers, etc.
• Quebec Act respecting the protection of personal information in the private sector
  • Applies to Quebec-based employees, contractors, consumers, etc.
• Common law
• Public Sector Acts
  • Interaction with Private Sector – Nova Scotia & British Columbia
The Basics of Canadian Privacy Law
• Protects the personal information through lifecycle
• Overarching Principles
  • Consent: Must have the express or implied consent to the collection, use and disclosure of personal information; AND
  • Reasonableness: may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances
• Additional Important Principles
  • Limit Collection to what is necessary for Stated Purposes
  • Limit Use, Retention and Disclosure to fulfill Stated Purposes for Collection
  • Accountability throughout lifecycle
  • Safeguards
  • Openness and Individual Access
Personal Information
• Information about an identifiable individual
• But does not include business contact information
• Provided that the business contact information is being used for the purpose related to that business
• Aggregated information
Obvious Personal Information
• Name
• Home Address
• Birth date
• SIN
• Credit card #
• Salary
• Purchase history
• Image
• Gender
Debatable
• IP (Internet Protocol) Address
• MAC (Media Access Control) Address – mobile devices
• Location
• Activities offline
• License plate
Online Advertising Terminology
• Broadcast: Not targeted to user or interest
• Contextual: Tailored to the content of the webpage
• First Party: User only tracked on the website or families of websites
• Ad Network: Networked websites serving up ads from the same organization
• Online Behavioural Advertising: User tracked across unrelated websites and activities
How Ad Networks Operate
• Website rents space on its webpage
• Ad Network sends cookie to user’s device
• Cookie provides Ad Network with information so that visitor doesn’t see same content each time, remembers pages you have already visited
• Ad Network can track user through cookie across networked websites
• Can engage in online behavioural advertising (OBA)
• Can use other information – MAC address or other Unique Device Identifier or IP address instead of cookie
Analytics
• Important trend is predictive analytics
• Predicting personal information about you before you disclose it
• Famous case was the Target “pregnancy ad” (wasn’t online)
• Like the Ad Network, information collected about behaviour online and then mined to make predictions
It is Personal Information
• MAC address / IP address, website history, search terms, App activities and transactions, coarse location
• PIPEDA, s. 2
  • “personal information” means information about an identifiable individual, but does not include …
• Ontario Privacy Commissioner (OPC) says given the context and the purpose of OBA, the information collected will be treated as personal information and it is up to organizations to prove otherwise
Reasonable Purpose Test
• Consent is a necessary but not sufficient condition in Canada
• PIPEDA, s. 5(3)
  • An organization may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances.
• OBA can be a reasonable purpose but not a condition of service for accessing and using the Internet generally (OPC’s OBA Guidance)
Consent – Opt-In / Opt-Out
• Opt-Out if:
  • User has clear notice
  • User is able to opt-out without difficulty
  • Notice is given before collection
• Consent should be contextual (“just in time”) – at the point of collection
• Information should not be “sensitive” information
• Information should be destroyed “as soon as possible” or effectively de-identified
• No tracking children (in U.S., get parental consent)
• Warning: Advertising to children in Québec
Leaky Websites
• Office of the Privacy Commissioner of Canada tested websites
• Noticed that during the process of making an “ad call” personal information was being sent to advertiser
• Also sent to analytics companies
• In some cases, information included names and email addresses
• Lack of knowledge and consent
• Need to be able to opt-out
• Unclear how this is going to play out in the long run
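An added example (not from the presentation or the OPC's testing): one way a site operator could audit requests captured during a page load for the kind of leak described on this slide, checking both the ad-call URL and its Referer header. The site name, third-party hosts, test account and request list are constructed assumptions.

```javascript
// Audit captured outbound requests for personal information sent to third parties.
const FIRST_PARTY = "shop.example"; // assumed site under test
const KNOWN_USER = { name: "Jane Doe", email: "jane.doe@example.org" }; // constructed test account
const EMAIL_RE = /[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,}/gi;

function isThirdParty(host) {
  return host !== FIRST_PARTY && !host.endsWith("." + FIRST_PARTY);
}

// Values embedded in ad calls are often URL-encoded more than once; decode up to 3 times.
function deepDecode(s) {
  for (let i = 0; i < 3; i++) {
    try {
      const d = decodeURIComponent(s);
      if (d === s) break;
      s = d;
    } catch { break; } // malformed escape: keep what we have
  }
  return s;
}

function findLeaks(requests) {
  const findings = [];
  for (const req of requests) {
    const host = new URL(req.url).hostname;
    if (!isThirdParty(host)) continue; // first-party traffic is out of scope here
    // Page data rides along with an ad call in the URL itself and in the Referer.
    const fields = { url: req.url, referer: req.referer || "" };
    for (const [where, raw] of Object.entries(fields)) {
      const text = deepDecode(raw);
      const hits = new Set(text.match(EMAIL_RE) || []);
      // "+" stands for a space in query strings, so normalise before the name check.
      const spaced = text.replace(/\+/g, " ").toLowerCase();
      if (spaced.includes(KNOWN_USER.name.toLowerCase())) hits.add(KNOWN_USER.name);
      for (const value of hits) findings.push({ host, where, value });
    }
  }
  return findings;
}

// Constructed sample capture: one first-party request, two ad calls, one analytics beacon.
const SAMPLE_REQUESTS = [
  { url: "https://shop.example/account?email=jane.doe%40example.org" },
  { url: "https://ads.adnetwork.example/call?slot=top&u=jane.doe%40example.org",
    referer: "https://shop.example/welcome?name=Jane+Doe" },
  { url: "https://stats.analytics.example/collect?page=%2Fhome", referer: "https://shop.example/home" },
  { url: "https://ads.adnetwork.example/sync?ref=https%3A%2F%2Fshop.example%2Fprofile%3Femail%3Djane.doe%2540example.org" },
];
console.log(findLeaks(SAMPLE_REQUESTS));
```

Each finding names the receiving host and whether the value travelled in the request URL or the Referer, which is what a site needs to know to fix the page or form that produced it.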
Location, Location, Location
• Location awareness
• IP address, GPS, cell phone towers, Wifi, sensors on device to determine inside or outside
• Where you are and where you aren’t is information about you
• Mobile devices are personal devices
• Location information is, therefore, likely to be information about an identifiable individual because the location of the device generally correlates with the individual’s location
Emerging Canadian Approach to Geolocation?
• Previously the OPC has taken the position that the existence of a legitimate security objective does not automatically justify the use of a surveillance technology (work environment)
• Four-part test
  • Is the use of the technology demonstrably necessary to meet a specific need?
  • Is the use of the technology likely to be effective in meeting that need?
  • Is the loss of privacy proportional to the benefit gained?
  • Is there a less privacy-invasive way of achieving the same end?
Moving Data Hither & Yonder
• Typical Cross Border Scenarios
  • Storage of data on servers in USA – e.g. SAP installation
  • Email service provider has no Canadian data centre
  • SPAM service provider located in USA or UK
  • Email run through USA
  • Data processed in USA
Distinguish Between Disclosure and Sharing
• Disclose to third party for their use
• Sharing — disclosure to third party to fulfill the purpose and provide services on your behalf
• Outsourcers and service providers – confidentiality obligations
Key Privacy Issues
• Accountability
  • Organization remains responsible and must have contractual means to ensure comparable level of protection
• Safeguards
  • Technical, Administrative and Physical security
  • Controlled IDs and strong passwords for access to the system
  • Testing of the system for intrusion
  • Transfer of data over a private network or encryption of sensitive data in transit over a public network
  • Sensitive data encrypted at rest
  • Access to data by any employee limited to what is necessary to fulfill a specific delineated function and access is authenticated and logged
  • Secure data centre employing industry-standard IT security protections
• Openness
  • Advise customers
USA Patriot Act and Other U.S. Privacy Issues
• Section 215 allows FBI to access records held in USA by applying for an order of the Foreign Intelligence Surveillance Act Court
• Company subject to a Section 215 order cannot reveal that the FBI has sought or obtained information from it
• US has Safe Harbor accord with EU (2000)
  • Companies can opt in
• US has sector specific laws and some US States have enacted laws
• Previously various Privacy Commissioners in Canada have concluded that storage or processing of data in the U.S. is not an impediment
• Could this change?
CIBC VISA
• CIBC VISA card case
  • VISA credit card information to be processed in US
  • Canadian customer data stored on U.S. based system
  • VISA cardholder agreement amended
  • No opt-out
  • US authorities may access the data
• Ruling
  • Bank had contract with U.S. data processor to maintain comparable level of security and protection
  • Bank appropriately notified customers
Ontario Hunting & Fishing Licences
• Outsourced to US Based Organization
• Ontario Privacy Commissioner – No problem
• Different in British Columbia & Nova Scotia
Encryption Basics
• Message + Algorithm + Key = Encrypted Message
• Algorithm + Key + Encrypted Message = Message
• The complexity of the Algorithm prevents guessing of the Key
• Need to keep the Key separate
• If you lose the Key and the Algorithm is strong – Your Data is Junk
What Encryption Solves
• Encryption facilitates safe transfer of information
• Encryption protects mobile data
• Keeping key in Canada can prevent foreign access to data while residing abroad or routing through other countries
What Encryption Doesn’t Solve
• Increasing movement to “lawful access” legislation
• Inspection of header information – required to route message - metadata
• Operating systems tend to leave behind lots of information
• Malware
• Hacking and snatching the key
Thank you – Questions?
Michael Beairsto, Dentons Canada LLP, 416-862-3412
Timothy M Banks, Dentons Canada LLP, 416-863-4424
www.datagovernancelaw.com @TM_Banks
The preceding presentation contains examples of the kinds of issues companies dealing with Privacy could face. If you are faced with one of these issues, please retain professional assistance as each situation is unique.