Domain: priv.gc.ca
Stories and comments across the archive that link to priv.gc.ca.
Comments · 31
-
Re:Legal vs ethical
Since this is being used for demographics information, and in turn sold/given to a 3rd party to determine who's buying/visiting/etc., it's automatically illegal in Canada under the Privacy Act, which requires informed consent from the individual.
You can file a complaint here.
I’m taking notes on your approximate gender and age based on your post history, without your consent, so there’s another complaint for you to file.
Ryan Fenton
-
Re:Legal vs ethical
Since this is being used for demographics information, and in turn sold/given to a 3rd party to determine who's buying/visiting/etc., it's automatically illegal in Canada under the Privacy Act, which requires informed consent from the individual.
You can file a complaint here.
-
Re:Patients controlling their OWN information?
Yes, I'm telling you, Canada and the US are the same here. It's still not your data. You control the access, but that's about it. It's "your" data, not your data.
The law is telling you it's not. The Privacy Act makes that fundamentally clear. So do things like PHIPA and so do things like PIPEDA. "Your" data is yours; PHIPA even goes further, allowing patients to "lock box" personal information from ALL parties except those directly disclosed.
-
Really?
The Bill of Rights has nothing about privacy: http://laws-lois.justice.gc.ca/eng/acts/C-12.3/FullText.html
The privacy commissioner herself had her cellphone records sold to a reporter because there were no such protections in law.
https://www.priv.gc.ca/cf-dc/2007/372_20070709_e.asp
It's my understanding that postal services and landlines have protections in law, but there is no such thing for "new" mediums. I.e., you need a warrant to open mail or wiretap a landline, but before the privacy act, you could sell somebody's cellphone records to whomever you wanted without telling them.
You're probably also talking about the Charter of Rights and Freedoms, not the Bill of Rights. But neither contains anything about privacy other than protections against search and seizure.
Details on the current state of privacy law in Canada can be found on the Privacy Commissioner's website... https://www.priv.gc.ca/resource/fs-fi/02_05_d_15_e.asp
Please, please correct me if I'm wrong. I would love to see this Supreme Court decision.
-
Re:why does the CRTC need this list?
There are a bunch of cases out there in Canada/UK/US (like the Microsoft/Ireland case posted by taustin).
Here's a nice summary by a law firm from a privacy standpoint: http://www.nixonpeabody.com/fi... which is based on rulings like: https://www.priv.gc.ca/cf-dc/2...
-
Re:As a Canadian
You would be incorrect.
The Canadian firm is responsible for ensuring that a breach doesn't happen when the data is in possession of the foreign firm, but it's not illegal to send it there at all.
Considering the Canadian firm's responsibilities, it can certainly be argued that it's rarely, if ever, a good idea, but it's certainly not illegal.
-
Any Canadians here?
-
Big companies are also the source of issues.
I think a lot of this is consumer attitudes.
Look at how the SSN is used in the US. It's a great identifier as there is a direct 1:1 mapping between a person and their SSN.
In the US almost everyone asks for it and they are normally given the number.
In Canada (and I lived in both countries for a while) I think the privacy laws are tougher to protect the privacy of the citizens. Look at all the fighting the Canada privacy commission did with Facebook, or other examples of US based services encountering problems with them.
Privacy commission vs Facebook: http://www.priv.gc.ca/media/nr-c/2009/nr-c_090827_e.asp
In Canada I don't have to give my SIN to anyone other than banks, employers and the government, and they normally can't deny servicing me because of my refusal to provide my SIN.
When I call any US credit card agency one of the first things they ask for is my SSN.
From WIKI:
Through functionality creep, the SIN has become a national identification number, in much the same way that the Social Security Number has in the United States. However, unlike in the US, in Canada there are specific legislated purposes for which a SIN can be requested. Unless an organization can demonstrate that the reason they are requesting a person's SIN is specifically permitted by law, or that no alternative identifiers would suffice to complete the transaction, they cannot deny or refuse a product or service on the grounds of a refusal to provide a SIN. Examples of organizations that legitimately require a SIN include employers, banks and investment companies, and federal government agencies. Giving a SIN when applying for consumer credit, such as buying a car or electronics, or allowing it to be used as a general purpose identification number, such as by your cable company, is strongly discouraged.
I am not going to say Canada doesn't spy (we have CSIS, something like the NSA), but we also have a privacy commission with some bite.
-
Canadians: Complain to the Privacy Commissioner
I am drafting my complaint to the Privacy Commissioner, and you should too. The commissioner has real teeth and Bell will definitely have to defend what they're doing. As a regulated utility they do not have the right to unilaterally foist this upon people. It's repugnant and evil.
http://www.priv.gc.ca/index_e.asp
The terms are really horrible. Also, the fine print says they're going to collect and use it anyway - you can opt out of the ads. I don't have Bell TV or Phone - just internet - so how, exactly, do they intend to serve me ads?
Get angry about this. The commissioner can't do anything without complaints. Give them some.
-
Re:typical
3 years ago Facebook was perfectly willing to "add significant safeguards" to comply with Canadian privacy laws.
I guess becoming a publicly traded company means they think they're big enough to push countries around, instead of the other way around.
-
Re:can you say hell no
This is Canada's response on DPI from the privacy commissioner. For what it's worth, this won't fly here.
-
Re:Suggested solution - flight mode scheduling
Starting with Android for a privacy device is planning to design a prison by choosing cheesecake as building material..
Google made it very clear that they no longer needed Streetview WiFi slurping because the Android handsets would now do it - see item 47, which kinda suggests the Wifi thing was no accident after all, just a beta test that leaked..
So thanks, but no thanks. I am rather more interested in the attempts by some ex Nokia people to revive Meego..
-
Re:comparison
When I send a text-message to a bunch of friends using my mobile phone via my telco, the telco is certainly not allowed to inspect the contents of the message, let alone to share it directly or indirectly with 3rd parties, such as advertisers.
Well, that's why clever people invented Whatsapp. It conveniently supports a global data tap on user SMS - and they all are happy to do it because it does so much more (read: the user also provides all those nice images). And because Apple didn't want to be left out, it created iMessage. Oh, and Siri, which conveniently supplies voiceprints of every user on the planet - especially with HD voice now making its way into mobiles it's really good intelligence, so I reckon they must be glad with all that effort to get a Siri-alike going on Android. Ah, yes, Android - have a look at point 47..
This is done by companies subject to the practically uncontrolled Patriot Act..
Paranoid, me? No - realistic. Privacy really needs some shoring up..
-
Re:Talk about Dillusions.
Yup, that is the delusion du jour. However, I have found Android to be unusable without setting up a Google account. The problem is that even without using Google, you're still spying for Google - on others. Google admitted as much, also in Canada, right after the Streetview scanning scandal (read point 47, it's nicely tucked away).
I had to choose between Android and Apple, and I picked the latter exactly because they are so "rear end retentive" with their app admission policy. They will not catch everything that way, but it needs less checking than the Wild West of the Android market. However, I respect that others *want* that complete freedom, which is probably why *both* markets do well.
Oh, I almost forgot. I also make calls with that phone. I know, I'm old fashioned :)
-
Talk to the Canadian Privacy Commission
If the clients affected by this include Canadians, the privacy office can legitimately look into your concern about the company. The privacy commissioner has teeth in Canada and can reach out of country. Remember Facebook??? http://www.priv.gc.ca/media/nr-c/2010/nr-c_100922_e.cfm She can and does similar things with companies that process payments.
-
Re:What if you don't have a facebook account?
Well, we have the same laws here in Kanuckistan (PIPEDA), so that may have something to do with it. After all, Facebook's privacy headaches started when Jennifer Stoddart (the Kanuckistani Federal Privacy Commissioner) became the first to drag Facebook to the table and force Facebook into making privacy concessions (the Europeans followed soon after).
She was the first data protection authority in the world to conduct a comprehensive investigation of the privacy policies and practices of the popular social networking site, Facebook.
The provinces that have enacted similar enabling information also allow for you to request the data. In Quebec, for example, they have to *print it out*. That could get VERY expensive to print and send by mail. When the Journal de Montreal ran a full-page "coupon" that people could clip out, fill in and email to the federal govt requesting a copy of the Fed's "all-in-one-consolidate-all-govt-data-on-U" HRDC database, 29,000 people made the request, and HRDC ended up having to delete the database instead.
-
Re:So, who's the "customer"?
I'm not telling you anything, but the law tells companies: (http://www.priv.gc.ca/information/guide_e.cfm) which requires commercial entities to follow certain best practices in collecting information that may contain Personally Identifiable Information (including consent for the specific uses to which it is going to be put, retention, encryption, etc).
If you're doing business in Canada it is your responsibility to know this law and Google violated it. It's not about how easy it is to collect the information, it is about ensuring you have the legal authorization to do so. Just because you CAN do something does not make it legal to do so.
Min
-
Re:So, who's the "customer"?
I believe what the OP was referring to was:
http://www.priv.gc.ca/media/nr-c/2010/nr-c_101019_e.cfm
In this case it was Google street view cars driving by. Obviously in this case the people whose privacy was impacted had no opportunity to agree to a EULA.
Now I will agree that the cases may be completely different, but I think that's what the OP was getting at.
-
Android "free"?
Umm - you do know that Android is actually the new WiFi snooping tool for Google (you'll want to read point 47, and I am willing to bet that nobody has bothered yet with point 48).
It's free as in "I'll let you use my car for free, but you then agree to let me look at everything and everyone in your house, including your young daughter"
But hey, they said they would do no evil, so that's alright then. I bet Microsoft executives are kicking themselves for not having discovered that joke themselves years ago.
Google has done some fantastic things with search technology. Unfortunately, the MBAs in that company have taken over, and I am not sure the company will survive what they are doing to it right now, it is morphing into another Microsoft..
-
Re:He's wrong
Do you *really* think the Canadian government stands firm on the high moral ground of solidarity in the matter of privacy?
Facebook breaches Canadian privacy law: commissioner
Can you not see that the end result of this conflict would not be Facebook cleaning up their act, but rather Facebook banning Canadian users?
They already did clean up their act, actually. There was even a Slashdot story about that too, even.
-
Re:US bullying and demanding other countries..
Human readable version of the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA)
A Guide for individuals.
http://www.priv.gc.ca/information/02_05_d_08_e.cfm
A Guide for businesses
http://www.priv.gc.ca/information/guide_e.cfm
-
Re:Paperwork infraction
All that is expensive and has no return for your government. The government will of course choose the punishment that nets them the greatest possible amount of money, so they can go on spending it on weapons and wiretapping initiatives.
I'm in Canada. We don't spend that much on weapons, and the courts have already ruled that plastering CCTV cameras all over public places in the hopes of catching Random J Offender is an unconstitutional invasion of privacy (we have a concept of "the anonymity of the crowd" - that people going about their own business in public should be able to do so without being spied upon).
We're also the country whose privacy commissioner forced Facebook to change its operations wrt user data. The recent "memorializing of the dead" policy (item #3 in the link) is part of that process, just as making it clear to users that they can both deactivate AND delete their accounts (item #2). They have a year to get into full compliance, and they probably realized that if they didn't, other countries would start making the same demands, since they're reasonable.
Going after Facebook wasn't about getting money from them, but of making sure they respected people's rights.
-
Re:Don't worry.
Yes, because that's worked out so well before:
"Privacy commissioner probes PM's list":
http://www.thestar.com/News/article/265982
Or did you fail to read this story the first time it was posted, particularly the parts where Facebook has been working with the Privacy Commissioner for months to resolve the issues through technical and other changes?
http://www.priv.gc.ca/cf-dc/2009/2009_008_0716_e.cfm
-
Re:PIPEDA
I actually didn't know we were the toughest. I'm not sure if I should or should not be proud of that. But either way, it's respectable.
The Privacy Act (federal legislation) is a pretty interesting bit of work. Applies to everyone, no matter what. Applies to all levels of government, law enforcement and the rest. If businesses want something they have to grovel for it, if you want it removed they have to do it. If the police want something, they have to show just cause (which can make it really hard to get some types of warrants). Then there's provincial legislation as well, which builds on top.
Personally I'm quite happy with it. Now if we could just get some of our regulatory bodies working as well as the privacy commissioner we'd be doing better in other areas.
-
Best practices
One place to start is to look at best practices of other governments.
I'm un-characteristically proud of what the government of Canada did in the Privacy Act, and the creation of the Office of the Privacy Commissioner.
Of course, it's not perfect, but it's pretty good. Especially compared to what I see in the rest of the world.
-
Objecting to Phorm
I'm still reading all the essays on Canada's deep packet inspection education site, but this one seems very topical:
Bonus - Phorm's 'essay' submission (but more like marketing drivel):
-
Re:Deep Inspection is not the Problem
D.I. is neither good nor bad, it is the illegal or immoral application of the technology that is the problem.
It's a technology that almost no one wants except for those who are in a position to abuse it. That makes it difficult or impossible to view it as a "neutral" thing.
What about this? http://dpi.priv.gc.ca/index.php/what-is-deep-packet-inspection/
DPI has been used for several years to maintain the integrity and security of networks, searching for signs of protocol non-compliance, viruses, malicious code, SPAM and other threats.
Are you suggesting people don't want a less SPAMy, more secure internet? There's more to it than "oh noes, the isp's are spying my internets!" I'm not saying I want them to, there's just more to it than some people realize.
You and another person suggested using it to thwart spam or worm attacks. I am replying to you since the other person was more reasonable. That is, he did not say "are you suggesting people don't want a less spamy [sic], more secure internet" as though that's the same thing as criticising another wrong solution that cannot solve our problems. The way you did that reminds me of people who say "you mean you don't want to be safe from terrorists?" when you point out that it's wrong to infringe on civil liberties. It's an intimidation tactic that's designed to shut down healthy debate. It won't work on me or anyone else who can see that for what it is.
I am not a fan of "solutions" that don't address the actual causes of problems. They inevitably open up more problems, many of which can be unanticipated. It may be obvious, but we should get one thing out of the way: the presence of many insecure Windows machines is what enables the modern spam problem and the modern malware problem. If I ever see successful worms thriving "in the wild" for Unix-like operating systems, I'll gladly revise that statement, but for now, that's the reality.
The solution to that is to secure those Windows machines. Any other proposed solution is aimed at symptoms of the problem and not the actual problem which is why it will fail. Whether the users should secure those machines by obtaining a clue or whether Microsoft should do that as part of taking care of its customers is the debatable part. This is the part I want to emphasize: nothing other than securing those insecure machines, and perhaps their users, is going to solve this problem. Our efforts and our ability to create novel solutions should be directed towards that goal. Deep packet inspection is a network operation and does not constitute host security. What you are referring to there is damage control, which is about detection and containment. It is emphatically not security, which is about prevention.
If you start using DPI to target spam and worms, you'll run into all of the problems we currently have with filters and virus/malware scanners. The reason why there is not a final ultimate solution for those problems is that this approach does not address the real cause. It only treats the immediate symptoms of that cause. That's why there isn't going to be a final ultimate solution to those problems. What you will end up with is an arms race where it will be a contest between those who maintain the DPI systems and those who produce spam and malware. The contest will consist of how quickly spammers and malware authors can modify their traffic to be "missed" by the DPI filters and at some point will also consist of how well they can disguise their traffic to make it look legitimate. To be successful, the DPI filters would need to catch every possible spam/malware pattern; to be successful, the attackers would only need to find one that was missed. Thus, this scenario favors the attacker.
The arms race that this will trigger is predictable be
-
Re:Deep Inspection is not the Problem
D.I. is neither good nor bad, it is the illegal or immoral application of the technology that is the problem.
It's a technology that almost no one wants except for those who are in a position to abuse it. That makes it difficult or impossible to view it as a "neutral" thing.
What about this? http://dpi.priv.gc.ca/index.php/what-is-deep-packet-inspection/
DPI has been used for several years to maintain the integrity and security of networks, searching for signs of protocol non-compliance, viruses, malicious code, SPAM and other threats.
Are you suggesting people don't want a less SPAMy, more secure internet? There's more to it than "oh noes, the isp's are spying my internets!"
I'm not saying I want them to, there's just more to it than some people realize.