[ISN] Inadequate laws hobble privacy chief

[InfoSec News]

http://www.thestar.com/NASApp/cs/ContentServer?pagename=thestar/Layout/Article_Type1&c=Article&cid=1133133016362&call_pageid=968350072197&col=969048863851

By MICHAEL GEIST
Nov. 28, 2005

In a year dominated by almost daily privacy and security violations
that have placed the personal information of millions at risk, a
privacy breach that affected just one person ranks as 2005's most
shocking incident.

With the recent disclosure that a national magazine obtained Canadian
privacy commissioner Jennifer Stoddart's phone records with relative
ease, the inadequacies of Canada's current privacy law framework and
the desperate need for reform to provide Canadians the privacy
protection they deserve has been exposed.

Two weeks after the story hit the newsstands, the Maclean's
investigation continues to resonate throughout the privacy community.

Requiring only easily obtainable, publicly available information and a
couple of hundred dollars, a U.S-based Internet data broker supplied a
reporter with the Commissioner's detailed records of her home phone
and BlackBerry cellphone usage, including precise information on who
she called and when.

Although major telecommunications providers such as Bell sought to
characterize themselves as "victims" of fraudulent activity and claim
that a rapid response to the incident is proof that Canada's privacy
laws are working as intended, the reality is that the current
legislative framework is simply ill-equipped to deal effectively with
such incidents.

The potential for a phone-records privacy breach, which the
telecommunications providers claim occurred due to "subterfuge and
misrepresentation," should have been well known to the Canadian
carriers.

Reports suggest that the Ontario privacy commissioner raised concerns
about the potential disclosure of phone records to U.S.-based data
brokers in a complaint to the Canadian Radio-television and
Telecommunications Commissioner (CRTC), Canada's telecommunications
regulator, seven years ago. Nothing was done in response.

In fact, this summer the Electronic Privacy Information Center, a U.S.  
privacy advocacy group, identified 40 online data brokers who brazenly
advertise the availability of personal phone records. The privacy
information centre has filed complaints with U.S. regulators, yet
telecommunications companies have opposed their proposals to beef up
the security surrounding customers' phone records.

In light of the privacy breach, the public might naturally expect that
the privacy commissioner of Canada has the powers to address the
issue. She does not.

The investigation will naturally focus on both the telecommunications
providers that disclosed the phone records as well as the U.S.-based
data broker that obtained and later sold the information.

The privacy commissioner has little recourse against the
telecommunications providers. Although she can investigate the
incident, without possessing order-making power, the commissioner is
reduced to issuing a non-binding "finding" that must be pursued in
federal court in order to levy any financial penalties.

Indeed last week it was the CRTC that was better able to immediately
address the issue. Within days of the report, it sent a letter to the
telecommunications providers demanding an internal investigation and
imposing a strict 10-day deadline to furnish a host of information,
including descriptions of the safeguards that were in place when the
breaches occurred, explanations of how the companies verify customer
identity, and new measures being taken to improve security.

The situation with respect to the U.S.-based data broker is even
bleaker.

Last week the privacy commissioner declined to investigate a complaint
against another U.S. data broker, arguing that Canada's privacy laws
do not provide sufficient powers to investigate out-of-country
operators.

The implications of that decision are stunning, suggesting that
Canadians enjoy no privacy protection for personal information that is
disclosed to non-Canadian entities.

Although the commissioner's interpretation of the limits of the law
are subject to challenge — there is a good argument that the
jurisdictional limitations on investigation should not act as a
barrier to issuing a finding against a foreign entity — it is
increasingly clear that Canadian law is not up to the challenge of
providing effective privacy protection in a world of global data flows
that do not respect national borders.

Tackling this challenge will not be easy, particularly as the
commissioner is asked to address a growing number of concerns
including spam, spyware, and the threat of secret disclosures
compelled by U.S. law enforcement.

A starting point, however, is to provide the commissioner with order
making power, the unquestioned ability to name the names of privacy
violators, and the resources necessary to meet her mandate.

While a statutory review of Canada's national privacy legislation is
slated for 2006, there is no need to wait for the review. With an
imminent national election call, Canada's political leaders should be
required to answer a simple question: How are they prepared to reform
Canadian law to provide meaningful privacy protection in the Internet
era?

-=-

Michael Geist holds the Canada Research Chair in Internet and
E-commerce Law at the University of Ottawa, Faculty of Law. He can
reached at mgeist at uottawa.ca or online at http://www.michaelgeist.ca.