See a Drug Deal on Google Street View – Well, Maybe

By: Omar Ha-Redeye · October 25, 2009 · Filed Under Privacy · Add Comment 

Simon Fodden predicted that the privacy complaints would begin once Google Maps Street View was launched.  The maps have proven popular in Canada, with over 150 million views of other countries by Canadians in 2009 alone.

Google recognizes privacy concerns, but claims to address them through their collection and processing approach:

  • public access images, no different than what would normally be seen walking down the street
  • not in real time, so images can be months old before going live
  • blurring of license plates and faces
  • allowing removal requests, through the “Report a Problem” option in the bottom-left of all images

Assistant Privacy Commissioner Elizabeth Denham raised these concerns Thursday to MPs in the House of Commons privacy and ethics committee, pointing out that at times Colonel Sanders‘ face was blurred in ads, while people were not.

She said that Google’s collection may fall under an exception of the Personal Information Protection and Electronic Documents Act, 2000, c. 5 (PIPEDA,),

Collection without knowledge or consent
7. (1) …an organization may collect personal information without the knowledge or consent of the individual only if

(c) the collection is solely for journalistic, artistic or literary purposes;

However, she notes that if other providers use the same argument to start collecting street-level information under the same exception, they might try to disseminate it without blurring technology, thereby posing a risk to children by predators.

Jonathan Lister of Google Canada claimed that they offer more privacy controls than mainstream-media,

If I’m inadvertently captured on the front page of a newspaper, the same way I might be inadvertently captured on Street View, I don’t have the recourse that Google offers if I’m captured in a pan shot on broadcast news. I don’t have my image blurred and I don’t have the ability to have that image taken down. So I think Google is really trying to lead by example and set the industry standard on privacy-protection practice.

Minutes from the meeting are not yet available, nor are documents from the Jan. 26, 2009 study on the implications of camera surveillance such as Google.   Maybe they’re considered too private.

Meanwhile, some Canadians are wondering how many bloopers are in the new Street View maps.  It’s become a popular past-time in America, where the maps were launched May 2007.

The only thing I’ve been able to find so far is Robert Jago of A Dime A Dozen Blog claiming this shot of East Hastings Street in Vancouver is a drug deal caught on camera.  I have to squint really hard to see it, and use a bit of my imagination, but if that’s the extent of privacy concerns with Google Street View, frankly, I’m not that concerned.

Cross-Posted from Slaw


View Larger Map

Post tags: , , , , , , , , , , , , ,

Using a Norwich Order to Reveal Gmail Accounts

By: Omar Ha-Redeye · September 13, 2009 · Filed Under Civil Procedure, Privacy Law, Technology · Add Comment 

The Ontario Superior Court of Justice released its decision on an application in York University v. Bell Canada Enterprises this Friday.  The case is based on an allegedly defamatory e-mail about the President of York University, Mamdouh Shoukri, saying he had “perpetrated an outrageous fraud.”

A group calling itself “York Faculty Concerned About the Future of York University” protested the appointment of Martin Singer of the new Faculty of Liberal Arts and Professional Studies, questioning his credentials and attaching a letter from other academics who did disclose their names.

But the University is more interested in the identity of the unsigned e-mail, presumably by York faculty, sent from a Gmail account, yfcfyu@gmail.com.

G.R. Strathy J. approved a Norwich order against Bell Canada Enterprises and Rogers Communications Inc. to disclose the identity of the account owners.  A previous order had been approved against Google back in May, which identified the two ISPs as the holders of the information.

A Norwich order is a pre-action discovery mechanism that is described by Spence J. in Isofoton S.A. v. The Toronto-Dominion Bank,

Requests for Norwich relief are largely unfamiliar to Canadian courts.  A Norwich order essentially compels a third party to provide the applicant with information where the applicant believes it has been wronged and needs the third party’s assistance to determine the circumstances of the wrongdoing and allow the applicant to pursue its legal remedies.

The 5 elements identified in this case for granting such an order include:

(i) Whether the applicant has provided evidence sufficient to raise a valid, bona fide or reasonable claim;
(ii) Whether the applicant has established a relationship with the third party from whom the information is sought such that it establishes that the third party is somehow involved in the acts complained of;
(iii) Whether the third party is the only practicable source of the information available;
(iv) Whether the third party can be indemnified for costs to which the third party may be exposed because of the disclosure, some [authorities] refer to the associated expenses of complying with the orders, while others speak of damages; and
(v) Whether the interests of justice favour the obtaining of disclosure.
[emphasis added]

The privacy interests of the alleged wrongdoer were overcome by the last element, the interests of justice, because of the applicant’s equitable right to information.  Spence J. pointed to Alberta v. Leahy and Bankers Trust Orders (from Bankers Trust Co. v. Shapira) indicating that court orders can override confidential information, even for financial records, and Glaxo-Wellcome PLC v. M.N.R. that the privacy interests of alleged wrongdoers is somewhat diminished.

What is troubling about the latter citation is that the rationale used by the Federal Court of Appeal was that the information could not be considered especially sensitive since it had passed through several hands.  Although the York case does demonstrate that multiple parties may be involved in identifying a defendant, many privacy watchdogs would be concerned that IP information loses its privacy value simply because it is shared.

However, Spence J. did point to other reasons why the privacy expectation may be overridden, because the information is limited by terms of the order for specific purposes and the use of this information is not absolute.  Additionally, a strong case of fraud removes the possibility of a frivolous or vexatious application of the order.

G.R. Strathy J. also discussed the necessity of granting the order for York by citing GEA Group AG v. Ventra Group Co,

…there is no suggestion in the established jurisprudence that [necessity] is a stand-alone requirement for the granting of a Norwich order…

In my opinion, the precise placement of the necessity requirement in the inventory of factors to be considered on a Norwich application is of little moment. The important point is that a Norwich order is an equitable, discretionary and flexible remedy. It is also an intrusive and extraordinary remedy that must be exercised with caution. It is therefore incumbent on the applicant for a Norwich order to demonstrate that the discovery sought is required to permit a prospective action to proceed, although the firm commitment to commence proceedings is not itself a condition precedent to this form of equitable relief.

…The crucial point is that the necessity for a Norwich order must be established on the facts of the given case to justify the invocation of what is intended to be an exceptional, though flexible, equitable remedy.

G.R. Strathy J. then pointed to a number of other ways that this information could be obtained without the Norwich order, including the pre-action disclosure in the now-infamous Cohen v. Google Inc. Although both ISPs had privacy policies for the customers, these could be overridden by s. 7(3)(c) of PIPEDA to comply with a court of law.

Given the recently ruling, and assuming it’s not overturned in the future, it’s likely were going to see more Norwich orders used for the purposes of identifying Internet activity.

Post tags: , , , , , , , , , , , , , , , , , , , , ,

Court: No Expectation of Privacy in our Online Identity

By: Lawrence Gridin · February 14, 2009 · Filed Under Civil Rights, Criminal Law, Evidence, Privacy Law, Technology · 2 Comments 

Internet PrivacyThe Ontario Superior Court of Justice has ruled that Canadians have no expectation of privacy in their online identity.

In a St. Thomas-area child porn case, the police asked Bell Canada for a customer’s name and home address based on that customer’s IP address. Bell Canada complied and handed over the information.

The customer’s husband was allegedly using the family computer to search for child porn. He was arrested.

The accused argued that the police search of Bell’s records should have required a warrant. Obtaining his details without a warrant, he claimed, was a violation of his s. 8 Charter right to be free from unreasonable search and seizure.

Justice Lynne Leitch disagreed, writing that:

“One’s name and address or the name and address of your spouse are not biographical information one expects would be kept private from the state.”

Her decision, though it represents an erosion of internet privacy, appears to be well founded. In a moot competition concerning s.8 of the Charter, Omar Ha-Redeye and I argued the exact same point on behalf of the Crown. (Ironically, Justice Leitch was one of the judges of our competition.)

In the appropriately named R. v. Plant, [1993] 3 S.C.R. 281, a marijuana grower sought s. 8 protection for his electricity consumption records. Justice Sopinka held:

… in order for constitutional protection to be extended, the information seized must be of a “personal and confidential” nature. In fostering the underlying values of dignity, integrity and autonomy, it is fitting that s. 8 of the Charter should seek to protect a biographical core of personal information which individuals in a free and democratic society would wish to maintain and control from dissemination to the state. This would include information which tends to reveal intimate details of the lifestyle and personal choices of the individual. The computer records investigated in the case at bar while revealing the pattern of electricity consumption in the residence cannot reasonably be said to reveal intimate details of the appellant’s life since electricity consumption reveals very little about the personal lifestyle or private decisions of the occupant of the residence. [emphasis added]

If you’re interested, see also R. v. Tessling, 2004 SCC 67 at paras. 59-62.

In R. v. A.M., 2008 SCC 19 however, the Supreme Court tempered the “biographical core of personal information” requirement. Binnie J. explained that even where the information sought by police is not aimed at revealing intimate details of the lifestyle of the accused, the analysis does not end there. Simply, the privacy of the contents of a communication is protected if it was reasonably intended by its maker to be private [para 68].

In the present child porn case, Justice Leitch held that the information sought by the police was nothing more than a name and an address.  She likened it to information in a telephone book. There were no contents of communications which were worthy of protection.

Ultimately, she found that a customer could not have expected such information to be kept private from the state.

Tech blog Ars Technica criticized the decision:

“Though it’s clear that the ruling in the case (which is still ongoing) was made with good intentions, privacy advocates know what the road to hell is paved with. Critics fear that such a precedent could open the doors to police asking for information on all manner of Internet activities, ranging from the embarrassing to the questionable-but-legal, without judicial oversight.”

Prof. James Stribopoulos, who teaches criminal law and evidence courses at Osgoode, joined the chorus of criticism:

“There is no confidentiality left on the Internet if this ruling stands…”

The reasoning of the judge misses the context of what police are seeking, suggested Mr. Stribopoulos.

“It is not just your name. It is your whole Internet surfing history. Up until now, there was privacy. An IP address is not your name; it is a 10-digit number. A lot more people would be apprehensive if they knew their name was being left everywhere they went.”

This information should require a search warrant by police if there is suspected criminal activity, said Mr. Stribopoulos. Judges are accepting the argument that this is “just your name” because “everyone wants to get at the child abusers,” he said.

The case itself is still ongoing after this Charter ruling.

Post tags: , , , , , , , , , , , , , ,

LSAT Thumbprinting a Privacy Violation

By: Omar Ha-Redeye · July 11, 2008 · Filed Under Law School, Privacy Law · 1 Comment 

I always felt like I was a criminal when LSAC, the organization that offers the LSAT exam, required mandatory thumbprints on entry.

Weren’t we the ones defending the criminals (or prosecuting them)? Why are we being treated like them?

This commenter says,

When I was a psychology student I used to administer the LSAT. One thing I always found amusing is that you have to leave your thumbprint to take the test. What does that mean? Other professional or graduate tests do not require this.

Then there is the fact that it’s an American company, meaning the American government would have access to my prints if they so chose.

Should Canadian law students be forced to provide prints to a foreign country as a requirement to entry into a Canadian law school?

And I’m not the only one with these concerns.

Canadians Aren’t so Patriotic about the U.S.

In 2006, Daniel Gervais, acting dean of the common-law section at the University of Ottawa expressed to the CBC his apprehension over the U.S. Patriot Act,

The act gives the power to agencies such as the FBI to get access to information that is sent to the U.S.

Michael Geist, also of UofO, elaborates further,

Test takers in B.C. and Alberta have raised objections to the mandatory thumb-printing, expressing concern sensitive personal information could find its way into the hands of U.S. law enforcement. Empowered by provisions in the U.S. Patriot Act, authorities could compel the LSAC to surrender the data.

Patriot Act fears stem from the secretive nature of the law since authorities can compel disclosures with minimal oversight and without opportunity for the affected person to challenge the disclosure.

Critics also point to the statute’s potential misuse. Those fears were exacerbated last week with reports U.S. counter-terrorism databases contain an astonishing 325,000 names.

There has been swift reaction to the thumb-printing story, with the federal, B.C., and Alberta privacy commissioners joining forces in a combined privacy investigation. The Canadian Council of Law Deans, which represents law schools across the country, has expressed concern over the practice, acknowledging that the data could be subject to a Patriot Act request. The Council raised questions about whether the practice might violate federal and provincial privacy statutes.

Phillipa Lawson, Executive Director – Canadian Internet Policy & Public Interest Clinic at UofO added,

In the LSAT case, the stated purpose of collecting thumbprints (to deter fraud) is clearly reasonable. But is the collection of thumbprints necessary to achieve this purpose? Do other, less intrusive but equally effective methods of deterring fraud exist? And is the fraud-deterrent value of thumbprinting proportional to its privacy invasiveness? The privacy commissioners now investigating this matter will have to answer these questions.

And Mark Lewis weighed in, quipped,

Personally, I think it is time for a cage match pitting the Patriot Act vs. PIPEDA.

Recent developments indicate that round 1 may have just begun.

Non-Profit Status of LSUC Will not Provide Immunity

David Canton of eLegal wrote in the London Free Press recently that the Privacy Commissioner of Canada has found the thumbprinting to be a violation of privacy.

The recommendation came following a complaint by University of Victoria philosophy Professor Eike-Henner Kluge.

The Commissioner used a 4-part test:

  1. Is the measure demonstrably necessary to meet a specific need?
  2. Is it likely to be effective in meeting that need?
  3. Is the loss of privacy proportional to the benefit gained?
  4. Is there a less privacy-invasive way of achieving the same end?

Their conclusion is that thumbprinting were never intended for their expressed purpose, let alone meeting their purpose.

Canton said,

LSAC took the position that since it was a Delaware corporation headquartered in the United States, the privacy commissioner had no jurisdiction over its activities.

The privacy commissioner found, however, that there were sufficient Canadian connections to make LSAC subject to the provisions of PIPEDA, at least to the extent it operates in Canada.

The Commissioner also stated,

LSAC’s status as a non-profit, non-stock, membership-based organization is not determinative. The Act applies to organizations, defined in section 2 as including “an association, a partnership, a person and a trade union.” There is no exemption for non-profit or member-oriented organizations. To the contrary, the definition of “commercial activity,” namely, “any particular transaction, act or conduct or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists,” makes clear Parliament’s intention that the Act apply to commercial transactions that non-profit, membership-based organizations might engage in.

Ding, Ding, Ding

So it seems law students, who are in training to defend the rights of others, might finally realize these privacy rights that many have been complaining about for years.

Let the fight begin.

Post tags: , , , , , , , , , ,

Law is Cool – Podcast #9

By: Law is Cool · June 13, 2008 · Filed Under Podcasts · Add Comment 

Show Notes

Total running time 21:15

0:16 Jacob Kaufman and Omar Ha-Redeye introduce themselves.

0:44 Jacob and Omar discuss final exams.

2:10 Omar introduces Lisa Feinberg of UofO Law and the Canadian Interest and Public Policy Clinic (CIPPC), who is one of the law students that filed a complaint with the Privacy Commissioner over Facebook.

3:19 Lisa describes the 22 violations of PIPEDA that the students identified.

4:12 Lisa explains the effort that went into developing the project

5:01 Lisa tells us how the Privacy Commissioner creates and issues recommendations

5:50 Lisa relates the implications for Facebook users, even outside of Canada

7:39 Even though Lisa uses Facebook, she tells us how much more she learned about the site through the project.

9:11 Lisa expresses her interests in social networking, and how she got involved in the project.

11:23 Jacob shares some Facebook policies that demonstrate their attitude to privacy.

11:45 Jacob quotes James Grimmelman, who likens Facebook to a virus. Omar says it sounds like something out of The Matrix.

12:24 Omar introduces an interview with Khurrum Awan, complainant in a case against Maclean’s.

13:30 Khurrum describes the turnout at the Tribunal by members of the media, and the importance of independent coverage.

15:10 Khurrum explains the procedural elements of the Tribunal, when we can expect a decision, and where the case can potentially go from here.

16:32 Jacob talks about the different ways that law students apply their legal education towards advocacy work in real life.

17:08 Jacob shares some of the things he learned from the Facebook complaint, such as how applications can obtain your information without your explicit consent.

17:45 Jacob mentions Robert J. Sawyer’s theory in Maclean’s that notions of privacy are themselves outdated, and that we should have chips implanted in us at all times to track our movements.

18:40 Jacob mentions David Lat, a former American prosecutor who left the law to blog on Above the Law, and how he documented his weight-loss program online. Omar relates how this could be used in the potential trend of obesity lawsuits we could see in the future.

19:54 Jacob describes a New Brunswick case on the disclosure of Facebook materials, Knight v. Barrett, [2008] N.B.J. No. 102.

20:34 Omar and Jacob sign off.

(Look for an upcoming post on a recent Ontario decision regarding Facebook)

 
icon for podpress  Standard Podcast: Play Now | Play in Popup | Download
Post tags: , , , , , , , , , , , , ,

Development of Privacy Law in Canada

By: Omar Ha-Redeye · December 26, 2007 · Filed Under Civil Rights, Legal Research, Torts · 1 Comment 

Privacy Common Law in Canada

A tort action exists in the U.S. for the invasion of privacy exists in only four situations:

  1. Unreasonable intrusion
  2. Appropriation of personality (an intentional economic tort)
  3. Unreasonable publicity of private info
  4. Unreasonable placing another in a false light

In addition to the U.S., Germany has recognized a tort for the invasion of privacy. The United Kingdom and Australia however, have not.

There is no such thing as a widespread, generally-recognized action called “Invasion of Privacy” in Canada, but it is covered by a number of different civil actions and legislation, and increasingly recognizes actions for appropriation of personality and inappropriate or unwanted media attention.

Contemplating a Separate Tort for Privacy

In the landmark case in Canada, Motherwell et al. v. Motherwell (1976), a mentally ill defendant harassed her family members through telephone and mail.

This harassment escalated to up to 60 calls a day, until they sued for invasion of privacy and nuisance seeking nominal damages and,

… an interim and a permanent injunction against the Defendant or anyone acting on her behalf enjoining her or anyone else acting on her behalf from contacting, telephoning, writing, visiting or in any other way communicating with the Plaintiffs or their children.

The court reviewed a form of nuisance,

unduly interfering with his neighbour in the comfortable and convenient enjoyment of his land.

But they then commented on its inadequacy in addressing privacy issues due to the emergence of newer communications technology. Specifically, they cited a difference where the receiver has no control over the incoming communications,

The rule of stare decisis operates, as it seems to me, to regulate the application of precedents to cases which can be said to fall within a category. When the circumstances of a case do not appear to bring it fairly within an established category, they may lie sufficiently within the concept of a principle that consideration of a new category is warranted…
I think that the interests of our developing jurisprudence would be better served by approaching invasion of privacy by abuse of the telephone system as a new category…

The court also pointed out that the frequency or volume of the communication can itself constitute harassment,

I have pointed out above that in my opinion there may be harassment even although the subject‑matter of the telephone calls would otherwise be agreeable in nature.

Motherwell did not clearly develop the creation of a new tort, despite these contemplations.

Although a claim for invasion of privacy was then dismissed in Capan v. Capan (1980), Hunter v. Southam Inc. (1984) acknowledged in the Supreme Court of Canada a “right to be let alone by other people” independant of “the notion of trespass.”

By 1995, MacKay v. Beulow awarded damages specifically for invasion of privacy in Ontario. Yet Somwar v. McDonald’s in 2006 stated,

In light of the trial decisions listed in this brief survey of Ontario jurisprudence, and the absence of any clear statement on the point by an Ontario appellate court, I conclude that it is not settled law in Ontario that there is no tort of invasion of privacy.

Still, the court cited advancements in technology that allowed the collection and dissmemination of personal information and said,

…the foregoing analysis leads me to conclude that the time has come to recognize invasion of privacy as a tort in its own right. It therefore follows that it is neither plain nor obvious that the plaintiff’s action cannot succeed on the basis that he has not pleaded a reasonable cause of action.

Most of the case law concerning privacy seems to focus on establishing what a ‘‘reasonable expectation of privacy’’ is. The courts appear to be increasingly recognizing its application, but this still varies across jurisdictions.

Melanie C. Samuels and Sara Gregory explain in Privacy issues in the workplace: Employer monitoring of employee technology use,

…no Canadian appellate level court has endorsed a common law tort of invasion of privacy, the existence of such a tort has not been denied.

Rapidly Developing Areas

Because the application of privacy law is so rapidly developing, it is useful to list some sources that monitor and report developments.

There is considerable discussion of the privacy applications in text books for s. 7 of the Charter, “protection of life and liberty,” and s. 8 for “unreasonable search,” including business documents, border searches, and emergency powers.

But publications as recent as 2004 still have not addressed Internet search engines, and issue that will definitely come up in the future.

The Office of the Privacy Commissioner of Canada provides these legislative resources:

And more legislative resources can be found here.

The Canadian Privacy Law Blog provides an excellent resource for ongoing developments, as does Michael Geist, who circulates a monthly publication, the Canadian Privacy Law Review.

International Concerns

Patricia J. Wilson and Michael Fekete dedicate a chapter to privacy law in Osler, Hoskin & Harcourt LLP’s Doing Business in Canada, which includes concerns over the USA PATRIOT Act.

In response to these concerns, British Columbia ammended its Freedom of Information and Protection of Privacy Act (FOIPPA). Both the federal and provincial privacy commissioners want to enhance protections against sharing of personal information with the U.S.

And this challenge, of protecting Canadian personal data from foreign nations, might prove the most difficult privacy issue of them all.

Post tags: , , , , , , , , , , , , , , , ,