Slashdot Mirror

In Canada although it is not illegal for merchands to ask for your Social Insurance Number you are not legally required to give it. If they refuse the sale, you can make a complaint to the Privacy Commissioner of Canada.

is that Canadian legislation?

Yes.

Also most provinces have similar legislation.

p.s. Google is not that hard to use.

I often wonder why the SSN in the US is so dreadfully pervasive as 'proof of identity' (which it's not), and why people insist on using it. Sure, it's globally unique, but that doesn't mean anything.

In Canada, our equivalent, the Social Insurance Number (SIN), has somewhat evolved into a de facto ID, the same way the SSN has, but there are restrictions. Unless a company is asking for your SIN for a reason specifically permitted by law (or no other ID would suffice), it may not refuse products or services as a result of refusal to provide your SIN.

The Office of the Privacy Commissioner of Canada has a fact sheet on the SIN and its use in Canada, which is worth reading for any Canadians with a SIN, or any Americans who wish their governments had a clue.

I often wonder why the SSN in the US is so dreadfully pervasive as 'proof of identity' (which it's not), and why people insist on using it. Sure, it's globally unique, but that doesn't mean anything.

In Canada, our equivalent, the Social Insurance Number (SIN), has somewhat evolved into a de facto ID, the same way the SSN has, but there are restrictions. Unless a company is asking for your SIN for a reason specifically permitted by law (or no other ID would suffice), it may not refuse products or services as a result of refusal to provide your SIN.

The Office of the Privacy Commissioner of Canada has a fact sheet on the SIN and its use in Canada, which is worth reading for any Canadians with a SIN, or any Americans who wish their governments had a clue.

The issue is that in order for a company to do business in Canada it must respect this nation's privacy laws. In this case, it's about notifying people how their information will be used. Check it out: "[PIPEDA is] an Act to support and promote electronic commerce by protecting personal information that is collected..." http://www.privcom.gc.ca/legislation/02_06_01_01_e.asp Facebook is being accused of not following the law of the land. The interesting legal test will be to see whether or not a US-hosted site is required to conform to this law, and how this will impact application developers inside and outside of Canada.

The Patriot Act is only half the issue. Contrary to the implications in the cited article it isn't really a nationalistic issue (i.e. trying to keep business in Canada). That's more of a side effect. The biggest issue is the Privacy Act in Canada, which provides a variety of privacy guarantees for Canadian citizens when they are doing business with companies and other organizations, including the government. These include such things as the requirement for a clear declaration of the purpose for collecting the information, who it will (or won't) be disclosed to, how it will be disposed of when the use is finished, etc.

For example, a company can not collect personal information from a Canadian citizen for one reason, and then turn around and sell it or give it to some other company to be used for a different reason. Many types of information collection require consent for its collection (health information especially). Not all information is considered "personal" (e.g., what's on a business card usually isn't), but a great deal is.

More details are available in various forms from this Canadian government site. The most relevant part for the implications of the Privacy Act on businesses is this summary. The closest thing to an FAQ for businesses is this guide.

To do business in conformance with the Act isn't especially difficult. When you read the list of things to do, they are the kind of obvious things you would expect or hope a business would do anyway, if they actually care about their customers and their personal information. The only difference is that here in Canada it has been put into law because of many past abuses.

You would therefore need to understand the implications before you decided to move your whole data centre full of personal information on Canadian citizens into the US or some other country. You would still have to abide by the Privacy Act, and if some law existed in the host country that prevented that (e.g., the Patriot Act), well, then you'd be set for a special kind of legal conundrum. Break the law at home or break it in another country? Hmmm...

It might be easy say "who cares about conforming with Canadian law?" if you aren't in Canada, but, obviously, the Canadian government doesn't have the luxury of such an attitude. Well, not overtly, anyway :-) Thus, they probably have it as a matter of policy not to allow database hosting outside Canadian borders. It's nothing nefarious. With storage inside Canada the database will be unambigously subject to Canadian law and the Privacy Act.

The Patriot Act is only half the issue. Contrary to the implications in the cited article it isn't really a nationalistic issue (i.e. trying to keep business in Canada). That's more of a side effect. The biggest issue is the Privacy Act in Canada, which provides a variety of privacy guarantees for Canadian citizens when they are doing business with companies and other organizations, including the government. These include such things as the requirement for a clear declaration of the purpose for collecting the information, who it will (or won't) be disclosed to, how it will be disposed of when the use is finished, etc.

For example, a company can not collect personal information from a Canadian citizen for one reason, and then turn around and sell it or give it to some other company to be used for a different reason. Many types of information collection require consent for its collection (health information especially). Not all information is considered "personal" (e.g., what's on a business card usually isn't), but a great deal is.

More details are available in various forms from this Canadian government site. The most relevant part for the implications of the Privacy Act on businesses is this summary. The closest thing to an FAQ for businesses is this guide.

To do business in conformance with the Act isn't especially difficult. When you read the list of things to do, they are the kind of obvious things you would expect or hope a business would do anyway, if they actually care about their customers and their personal information. The only difference is that here in Canada it has been put into law because of many past abuses.

You would therefore need to understand the implications before you decided to move your whole data centre full of personal information on Canadian citizens into the US or some other country. You would still have to abide by the Privacy Act, and if some law existed in the host country that prevented that (e.g., the Patriot Act), well, then you'd be set for a special kind of legal conundrum. Break the law at home or break it in another country? Hmmm...

It might be easy say "who cares about conforming with Canadian law?" if you aren't in Canada, but, obviously, the Canadian government doesn't have the luxury of such an attitude. Well, not overtly, anyway :-) Thus, they probably have it as a matter of policy not to allow database hosting outside Canadian borders. It's nothing nefarious. With storage inside Canada the database will be unambigously subject to Canadian law and the Privacy Act.

The Patriot Act is only half the issue. Contrary to the implications in the cited article it isn't really a nationalistic issue (i.e. trying to keep business in Canada). That's more of a side effect. The biggest issue is the Privacy Act in Canada, which provides a variety of privacy guarantees for Canadian citizens when they are doing business with companies and other organizations, including the government. These include such things as the requirement for a clear declaration of the purpose for collecting the information, who it will (or won't) be disclosed to, how it will be disposed of when the use is finished, etc.

For example, a company can not collect personal information from a Canadian citizen for one reason, and then turn around and sell it or give it to some other company to be used for a different reason. Many types of information collection require consent for its collection (health information especially). Not all information is considered "personal" (e.g., what's on a business card usually isn't), but a great deal is.

More details are available in various forms from this Canadian government site. The most relevant part for the implications of the Privacy Act on businesses is this summary. The closest thing to an FAQ for businesses is this guide.

To do business in conformance with the Act isn't especially difficult. When you read the list of things to do, they are the kind of obvious things you would expect or hope a business would do anyway, if they actually care about their customers and their personal information. The only difference is that here in Canada it has been put into law because of many past abuses.

You would therefore need to understand the implications before you decided to move your whole data centre full of personal information on Canadian citizens into the US or some other country. You would still have to abide by the Privacy Act, and if some law existed in the host country that prevented that (e.g., the Patriot Act), well, then you'd be set for a special kind of legal conundrum. Break the law at home or break it in another country? Hmmm...

It might be easy say "who cares about conforming with Canadian law?" if you aren't in Canada, but, obviously, the Canadian government doesn't have the luxury of such an attitude. Well, not overtly, anyway :-) Thus, they probably have it as a matter of policy not to allow database hosting outside Canadian borders. It's nothing nefarious. With storage inside Canada the database will be unambigously subject to Canadian law and the Privacy Act.

Here in Canada this has been a big deal now for the last couple of years. I've been at many IT meetings where tracking down what was hosted on US-based servers and removing it back to Canada has been on the agenda. We're not perfect here but we do have PIPEDA, the protection of privacy act, binding our ISPs. You need access to data, convince a judge and get a warrant. That's the rule of law.

That this US government data free-for-all has not been a big deal to American sysadmins has been a source of more than a little concern and confusion to us here north of the border. As long as there remains an Emperor in the White House rather than a President I guess there will be no movement on this.

Erased White House email, backups, and hard drives without penalty despite a legal court order? That's some government you guys have running there. You might want to do something about it.

Over my dead body? Ha! Not even then!

Fortunately, this sort of activity is illegal in Canada (PIPEDA), so I for one won't ever have to welcome your google overlords.

... the consumers would be correct.

This was not just an academic study, this was funded by the federal privacy commissioner , and CIPPIC is a group of lawyers who submitted their findings to the commissioner. The PIPEDA violations will now be investigated by the privacy commissioner.
I'm not sure why, but the original submitted left out the link to the actual report .

"The truth is that we all do have something to hide, not because it's criminal or even shameful, but simply because it's private. We carefully calibrate what we reveal about ourselves to others. Most of us are only willing to have a few things known about us by a stranger, more by an acquaintance, and the most by a very close friend or a romantic partner. The right not to be known against our will - indeed, the right to be anonymous except when we choose to identify ourselves - is at the very core of human dignity, autonomy and freedom.

..If we allow the state to sweep away the normal walls of privacy that protect the details of our lives, we will consign ourselves psychologically to living in a fishbowl. Even if we suffered no other specific harm as a result, that alone would profoundly change how we feel. Anyone who has lived in a totalitarian society can attest that what often felt most oppressive was precisely the lack of privacy.

But there also will be tangible, specific harm. [..Examples given...]

If information that is actually about someone else is wrongly applied to us, if wrong facts make it appear that we've done things we haven't, if perfectly innocent behavior is misinterpreted... we will be at risk of finding ourselves in trouble in a society where everyone is regarded as a suspect. By the time we clear our names and establish our innocence, we may have suffered irreparable financial or social harm...If we have to live our lives weighing every action, every communication, every human contact, wondering what agents of the state might find out about it, analyze it, judge it, possibly misconstrue it, and somehow use it to our detriment, we are not truly free..."

" One of the clearest lessons of history is that the greatest threats to liberty come not when times are tranquil and all is well, but in times of turmoil, when fidelity to values and principle seems an extravagance we can ill afford. History also teaches us that whenever we have given in to that kind of thinking, we have lived to regret it. At the time, the loss of freedom might seem small, trivial even, when place

You need to read the 2002 report of the Canadian Privacy Commissioner. It's not nearly as dull as it sounds.

And it explains very clearly what "privacy in public" really means, and what its loss implies.

In Canada, we have PIPEDA http://www.privcom.gc.ca/legislation/02_06_01_01_e .asp, as well as provincial and industry related privacy legislation that is useful. If you have a violation, you can submit it to the privacy commissioner, as well as http://www.cippic.ca./

I could be wrong, I'm not that familiar with American laws, but I didn't think Americans were entitled to privacy, really.

I'm thrilled to see a senator seeming to hint at maybe moving in the direction of perhaps legislating something vague that might be seen as protecting personal privacy without offending all the entrenched institutions devoted to the opposite (FBI/CIA/NSA/DIA, probably most corporations, financial institutions, the neo-cons, the latter-day Republicans, etc.)...

For instance, Canada has a privacy commissioner, federal laws (PIPEDA, Privacy Act) and a range of provincial legislation which strictly regulates the use of personal information in the hands of both government and private enterprise. PIPEDA is especially of interest to slashdotters since it regulates personal information in electronic form.

Hard to imagine that sort of thing in the US, though I hope someone will correct me.

I could be wrong, I'm not that familiar with American laws, but I didn't think Americans were entitled to privacy, really.

I'm thrilled to see a senator seeming to hint at maybe moving in the direction of perhaps legislating something vague that might be seen as protecting personal privacy without offending all the entrenched institutions devoted to the opposite (FBI/CIA/NSA/DIA, probably most corporations, financial institutions, the neo-cons, the latter-day Republicans, etc.)...

For instance, Canada has a privacy commissioner, federal laws (PIPEDA, Privacy Act) and a range of provincial legislation which strictly regulates the use of personal information in the hands of both government and private enterprise. PIPEDA is especially of interest to slashdotters since it regulates personal information in electronic form.

Hard to imagine that sort of thing in the US, though I hope someone will correct me.

Well, in Canada, they may have some problems. PIPEDA says that "the law requires an organization to ... supply you with a product or a service even if you refuse consent for the collection, use or disclosure of your personal information unless that information is essential to the transaction"

I'm not sure if this would apply to collecting personal information off your computer (and browsing history and such could definitely be considered personal information) after the transaction, but hopefully someone will bring this up before the privacy commissioner. With any luck, she could cause some serious headaches for EA.

The bottom line is this: If we have to live our lives weighing every action, every communication, every human contact, wondering what agents of the state might find out about it, analyze it, judge it, possibly misconstrue it, and somehow use it to our detriment, we are not truly free.

My own blog has a chilling example of serious damage from a grocery store loyalty card.

Back in January, related to the story on how the DoJ demands and gets ISP data, AOL had said that "We did not comply with the request made in the subpoena," spokesman Andrew Weinstein said. "Instead, we gave the Department of Justice a list of aggregate anonymous search terms that did not include results or any personally identifiable information."

AOL- you need to rethink that phrase personally identifiable, because it doesn't seem to mean what you think it means. You're hiding behind one technical definition of PII, without concern about whether or not the results actually have PII. If you're releasing results with personally identifying information, then you cannot say you're not releasing PII. I'd written in January I'd writen "I question this assumption by Yahoo, AOL, etc. that search terms, by themselves, have no privacy considerations because they've been separated from personal info. What if the search itself contains personal information? Are the search companies deleting the timestamps and randomizing the order of the search terms themselves? Because otherwise I could see personal info showing up." Obviously, half a year later, they still think that replacing a name with a number takes away the PII. They need to have a talk with, say, the Census Department, about why the department will withhold data about *groups* of businesses in a region. Grouped data can easily become PII data if you can tease out characteristics. AOL didn't even group the data!

As always, relevant quotes from the best.essay.evar on why privacy is a fundamental human right: "If information that is actually about someone else is wrongly applied to us, if wrong facts make it appear that we've done things we haven't, if perfectly innocent behavior is misinterpreted as suspicious because authorities don't know our reasons or our circumstances, we will be at risk of finding ourselves in trouble in a society where everyone is regarded as a suspect. By the time we clear our names and establish our innocence, we may have suffered irreparable financial or social harm..."

"...agents of the state in Canada cannot order Canada Post to photocopy the address on every envelope we send, nor can they order bookstores to keep a record of every book we buy, let alone of every page of every magazine we leaf through. There is no reason why they should be able to exercise such powers with regard to every e-mail someone sends or every Web site he or she visits."

"I do not see any reason why e-mails should be subject to a lower standard of privacy protection than letters or telephone calls. And I do not see why Internet browsing should be subject to a lower standard of protection than book purchasing or researching in a reference library. Canadians should not be subject to greater state monitoring or scrutiny just because they choose to use new communication technologies."

Ironic that Bell Security Solutions (a division of the very same Bell Canada) has been funding Tor development. No, put your tin foil hats away: there is no way for Bell to get any sort of "backdoor access" nor is there any indication that they want to. Probably Bell's legal department just wanted to be up-front with their customers for when (if?) the Modernization of Investigative Techniques Act gets revived in the autumn. PIPEDA privacy legislation probably makes such open disclosure obligatory, even when the third party requesting the information is the government.

That was exactly my thought. I checked the website but there is nothing up yet about it. I would assume at this point she is aware of and looking into the issue. Simply put, in Canada, you cannot just collect, browse, or distribute private information without permission of the person, or without a warrant to do so. I belive if you look closely at the act, you'll see that you have to give express consent for them to do so, they can't just assume you have because you've been notified of the condition, or because you are using the service.

I understand that some things are logged and that given a warrant, they can and will tap my line, but this is the ISP proactively watching what your doing and reporting wrong doing, without cause!

All ISPs cache data to a certain extent. And all governments can strong-arm or bribe companies... It's just that this particular ISP is being honest and saying, "Yea, we'll hand your stats over."

Okay, but the article makes it sound like Bell is going to be watching your traffic and snooping through it, if they see something that looks bad, they'll hand it over to the Government. So, you are not being investigated by any agency. You are not considered suspicious or dangerous in any way. A request from your DSL line (or whatever) comes in for a site that contains or contained [copyrighted marterial|child porn|explosive making instructions|pro-terrorist progaganda|etc] and they are going to send you personal information and details of your visit to the government. No warrants, no due process. If this isn't an invasion of privacy I don't know what is. I certainly hope our privacy commissioner is aware of and looking into this.

"record" includes any correspondence, memorandum, book, plan, map, drawing, diagram, pictorial or graphic work, photograph, film, microform, sound recording, videotape, machine-readable record and any other documentary material, regardless of physical form or characteristics, and any copy of any of those things.

They're simply NOT allowed to do this without a warrant if you refuse to consent to it. Simply send them an email stating that you do not consent to their unlawful search, and cc the privacy commissioner.

If they say "these are our TOS, don't like it, leave" - that's not good enough. Their contract is a contract of adhesion, and as such, unconscionable and onerous clauses can be struck from it. Certainly claiming a right to violate PIPEDA is one such clause.

One of the main issues on this matter is that the United States has repeatedly failed to put together effective legislation to manage privacy rights. Over the past 5 years the US has fallen substantially behind the EU and most notably Australia and Canada with respect to privacy legislation. While these Commonwealth nations still have work to do, they have built a framework that the US could and should build upon.

http://www.privcom.gc.ca/legislation/index_e.asp

In many cases the organization doesn't need the information, so don't give it.
Make it illegal for them to ask.
FYI it isn't clearly illegal to ask for a SIN in Canada. But organizations can't collect information unless they have a legitimate reason to use it.

http://www.privcom.gc.ca/cf-dc/2001/cf-dc_011105_0 2_e.asp
http://laws.justice.gc.ca/en/p-8.6/258076.html see 4.4.1

That same law has a series on data protection, and your right to see the information they hold. A little vague, but I think the intent is clear. It would be interesting to see how many cases have proceeded.

I would like to see them add a notification requirement.

Institutions from which you earn interest or income, such as banks, credit unions and trust companies, must also ask for your SIN.

The Best...Essay...Ever...on privacy rights comes from the former privacy commissioner of Canada's 2003 overview of privacy in Canada. He shows why privacy is a fundamental human right, and he warns Canada not to give away rights now eroded or gone in the U.S., especially if its at the U.S. government's request. The sad part about the proverbial frog in the stovetop bath is that everyone thinks that if you know about the frog in the pot, you can't possibly be the frog in the pot.
So, pretend he's writing about some other country- Acirema. Boy, I feel sorry for the Aciremans. Quoting (but read the whole overview- sharp, short, relevant):

" The truth is that we all do have something to hide, not because it's criminal or even shameful, but simply because it's private. We carefully calibrate what we reveal about ourselves to others. Most of us are only willing to have a few things known about us by a stranger, more by an acquaintance, and the most by a very close friend or a romantic partner. The right not to be known against our will - indeed, the right to be anonymous except when we choose to identify ourselves - is at the very core of human dignity, autonomy and freedom.

" One of the clearest lessons of history is that the greatest threats to liberty come not when times are tranquil and all is well, but in times of turmoil, when fidelity to values and principle seems an extravagance we can ill afford. History also teaches us that whenever we have given in to that kind of thinking, we have lived to regret it.

At the time, the loss of freedom might seem small, trivial even, when placed in the balance of the security we seek. And yet these incremental threats are the ones we must be most vigilant in resisting. The 18th Century political philosopher Edmund Burke understood this danger when he wrote, "The true danger is when liberty is nibbled away, for expedience, and by parts."

U.S. Supreme Court Justice Thurgood Marshall eloquently made the same point much more recently when he said: "History teaches that grave threats to liberty often come in times of urgency, when constitutional rights seem too extravagant to endure."

...And we must guard against the eagerness of law enforcement bodies and other agencies of the state to use the response to September 11 as a Trojan horse for acquiring new invasive powers or abolishing established safeguards simply because it suits them to do so.

Perhaps it will be necessary to accept some new intrusive measures to enhance security. But these choices must be made calmly, carefully and case by case. The burden of proof must always be on those who suggest that some new intrusion or limitation on privacy is needed in the name of security.

[Balance of privacy and security defined]... Now we face having that successful balance changed, by having Canada transformed into a society where the state is much more intrusive and where individual rights and freedoms are correspondingly reduced. And we face having this transformation occur without the analysis, debate or even understanding that it deserves.

...If we allow the state to sweep away the normal walls of privacy that protect the details of our lives, we will consign ourselves psychologically to living in a fishbowl. Even if we suffered no other specific harm as a result, that alone would profoundly change how we feel. Anyone who has lived in a totalitarian society can attest that what often felt most oppressive was precisely the lack of privacy.

But there also will be tangible, specific harm. [..Examples given...]

If information that is actually about someone else is wrongly applied to us, if wrong facts make it appear that we've done things we haven't, if perfectly innocent

We've been limiting that for years in Canada. Social Insurance Numbers cannot be used to track people in a database legally in Canada.

http://www.privcom.gc.ca/legislation/02_06_01_01_e .asp

The law in Canada makes it illegal to store people's credit card numbers. The store doesn't need your number per se and they can't ask for it (or swipe your card twice to get it). Your card is swiped and the number goes directly to the card company. That's all that's necessary to complete the transaction and that's all the store is entitled to.

Wow, the equivalent Social Insurance Number (in Canada) should not be used for account numbers. In fact, there's a section of the privcy legislation regarding your SIN http://www.privcom.gc.ca/fs-fi/02_05_d_02_e.asp. You'll see that insurance companies are not among those authorized to use your SIN. Bascially, its only used for income tax purposes. So, if they're not providing you income, they don't get it. And paying for healthcare is not considered income.

"If we have to live our lives weighing every action, every communication, every human contact, wondering what agents of the state might find out about it, analyze it, judge it, possibly misconstrue it, and somehow use it to our detriment, we are not truly free..."

"...If someone intrudes on our privacy - by peering into our home, going through the personal things in our office desk, reading over our shoulder on a bus or airplane, or eavesdropping on our conversation - we feel uncomfortable, even violated.

Imagine, then, how we will feel if it becomes routine for bureaucrats, police officers and other agents of the state to paw through all the details of our lives: where and when we travel, and with whom; who are the friends and acquaintances with whom we have telephone conversations or e-mail correspondence; what we are interested in reading or researching; where we like to go and what we like to do.

A popular response is: "If you have nothing to hide, you have nothing to fear."

By that reasoning, of course, we shouldn't mind if the police were free to come into our homes at any time just to look around, if all our telephone conversations were monitored, if all our mail were read, if all the protections developed over centuries were swept away. It's only a difference of degree from the intrusions already being implemented or considered.

The truth is that we all do have something to hide, not because it's criminal or even shameful, but simply because it's private. We carefully calibrate what we reveal about ourselves to others. Most of us are only willing to have a few things known about us by a stranger, more by an acquaintance, and the most by a very close friend or a romantic partner. The right not to be known against our will - indeed, the right to be anonymous except when we choose to identify ourselves - is at the very core of human dignity, autonomy and freedom.

If we allow the state to sweep away the normal walls of privacy that protect the details of our lives, we will consign ourselves psychologically to living in a fishbowl. Even if we suffered no other specific harm as a result, that alone would profoundly change how we feel. Anyone who has lived in a totalitarian society can attest that what often felt most oppressive was precisely the lack of privacy.

But there also will be tangible, specific harm.

The more information government compiles about us, the more of it will be wrong. That's simply a fact of life. ...But if our privacy becomes ever more systematically invaded by the state for purposes of assessing our behavior and making judgments about us, wrong information and misinterpretations will have potential consequences.

If information that is actually about someone else is wrongly applied to us, if wrong facts make it appear that we've done things we haven't, if perfectly innocent behavior is misinterpreted as suspicious because authorities don't know our reasons or our circumstances, we will be at risk of finding ourselves in trouble in a society where everyone is regarded as a suspect. By the time we clear our names and establish our innocence, we may have suffered irreparable financial or social harm... [go ahead, read the rest, its well-worth it.]

"If we have to live our lives weighing every action, every communication, every human contact, wondering what agents of the state might find out about it, analyze it, judge it, possibly misconstrue it, and somehow use it to our detriment, we are not truly free..."

"...If someone intrudes on our privacy - by peering into our home, going through the personal things in our office desk, reading over our shoulder on a bus or airplane, or eavesdropping on our conversation - we feel uncomfortable, even violated.

Imagine, then, how we will feel if it becomes routine for bureaucrats, police officers and other agents of the state to paw through all the details of our lives: where and when we travel, and with whom; who are the friends and acquaintances with whom we have telephone conversations or e-mail correspondence; what we are interested in reading or researching; where we like to go and what we like to do.

A popular response is: "If you have nothing to hide, you have nothing to fear."

By that reasoning, of course, we shouldn't mind if the police were free to come into our homes at any time just to look around, if all our telephone conversations were monitored, if all our mail were read, if all the protections developed over centuries were swept away. It's only a difference of degree from the intrusions already being implemented or considered.

The truth is that we all do have something to hide, not because it's criminal or even shameful, but simply because it's private. We carefully calibrate what we reveal about ourselves to others. Most of us are only willing to have a few things known about us by a stranger, more by an acquaintance, and the most by a very close friend or a romantic partner. The right not to be known against our will - indeed, the right to be anonymous except when we choose to identify ourselves - is at the very core of human dignity, autonomy and freedom.

If we allow the state to sweep away the normal walls of privacy that protect the details of our lives, we will consign ourselves psychologically to living in a fishbowl. Even if we suffered no other specific harm as a result, that alone would profoundly change how we feel. Anyone who has lived in a totalitarian society can attest that what often felt most oppressive was precisely the lack of privacy.

But there also will be tangible, specific harm.

The more information government compiles about us, the more of it will be wrong. That's simply a fact of life. ...But if our privacy becomes ever more systematically invaded by the state for purposes of assessing our behavior and making judgments about us, wrong information and misinterpretations will have potential consequences.

If information that is actually about someone else is wrongly applied to us, if wrong facts make it appear that we've done things we haven't, if perfectly innocent behavior is misinterpreted as suspicious because authorities don't know our reasons or our circumstances, we will be at risk of finding ourselves in trouble in a society where everyone is regarded as a suspect. By the time we clear our names and establish our innocence, we may have suffered irreparable financial or social harm... [go ahead, read the rest, its well-worth it.]

Absolutely. There is a general unwillingness to deal with privacy as a major issue here. I would claim that privacy is a basic right that citizens should demand, and it should be legislated into government. There is a privacy commissioner in Canada and associated legislation that can be enforced; similar governmental structures exist in Europe. For all of the free-market talk and general wish for lack of interference in personal life, wouldn't it make sense for American government to serve the people in a manner that everyone can agree with, by creating safeguards and services that protect our privacy?

• Alice.Geekotourist and cryptography (searching for a relative's paper)
• Geekotourist 212 (then their phone number and address)
• Model.rocket.supplies near 742.Evergreen.Terrace, Springfield (buying hobby supplies)
• postal.regulations rockets (learning why I can't buy model rocket engines )

So now a block of searches associates the name Geekotourist with rockets and with one or two addresses. Does this affect my privacy if these searches are clumped together?

Did Yahoo/AOL include any white pages or yellow pages searches while doing the government's homework? Does the government expect Google to keep all Google Local searches out of the "1 week of searches"? The white page and local style searches leak personal info like mad.

Or what if a search was designed to check on one's personal privacy, for example:

• Geekotourist and Bob.Aliceson (checking to see if anyone has linked "Geekotourist" with the nickname "Bob.Aliceson)
• Geekotourist and 212.313.4114 (seeing if my old phone number is linked to me)
• Geekotourist and bobalice@yahoo.com (seeing if I'm connected with an old email address or to a blog, say)

And while Y/AHOOL didn't provide "the results of the searches" to the gov't, I assume the gov't will be re-running them. The searches 'Cameras near 742 Evergreen Terrace' combined with 'photographing children' may have just been me helping with photos at a birthday party or finding a portrait studio. But its going to be analyzed by people who think 15-degrees-of-separation is a reasonable search.

From the prescient (and unfortunately being used as an anti-guidebook) best essay this century on Why Privacy is a Fundamental Human Right [just substitute 'Porn' for 'September 11' as the excuse the gov't gives, it comes out the same]:

"But though we tend to take it for granted, privacy - the right to control access to ourselves and to personal information about us - is at the very core of our lives. It is a fundamental human right precisely because it is an innate human need, an essential condition of our freedom, our dignity and our sense of well-being.

"If someone intrudes on our privacy - by peering into our home, going through the personal things in our office desk, reading over our shoulder on a bus or airplane, or eavesdropping on our conversation - we feel uncomfortable, even violated.

"Imagine, then, how we will feel if it becomes routine for bureaucrats, police officers and other agents of the state to paw through all the details of our lives: where and when we travel, and with whom; who are the friends and acquaintances with whom we have telephone conversations or e-mail correspondence; what we are interested in reading or researching; where we like to go and what we like to do.

"If we allow the state to sweep away the normal walls of privacy that protect the details of our lives, we will consign ourselves psychologically to living in a fishbowl. Even if we suffered no other specific harm as a result, that alone would profoundly change how we feel. Anyone who has lived in a totalitarian society can attest that what often felt most oppressive was precisely the lack of privacy.

But there also will be tangible, specific harm.

"The more information government compiles about us, the more of it will be wrong. That's simply a fact of life.

"...But if our privacy becomes ever more systematically invaded by the state for purposes of assessing our behavior and making judgments about us, wrong information and

Two months ago, Macleans (Canadian magazine) ran a story on this, but they took it one step further: they bought the cell phone records of Canada's Privacy Commisssioner, Jennifer Stoddart. It was remarkably embarassing. Reading the Maclean's article was entertaining, so if any Canadian's missed it, check it out.

The Department of Homeland Security has a Privacy Assessment of this program. Guess what? It has no privacy implications.

• The information can only be shared with "...other agencies at the federal, state, local, foreign, or tribal level, who are lawfully engaged in collecting law enforcement information (whether civil or criminal) and national security intelligence information and/or who are investigating, prosecuting, enforcing, or implementing civil and/or criminal laws, related rules, regulations, or orders." "The Privacy Act SORNs for the systems on which US-VISIT draws provide notice as to the conditions of disclosure and routine uses for the information collected by US-VISIT. Any disclosure by DHS must be compatible with the purpose for which the information was collected."
• The tag only contains an unencrypted number, and only the very limited number of groups above would have access to the information.
• The tag can't be used to ID someone as a visitor because the DHS has contemplated this problem. Thus problem solved... "it is contemplated that the unencrypted RFID tag number will not be structured in such a way that it can be used to identify the individual as a non-immigrant."(pg 15)How exactly? Will everyone soon be carrying an RFID, so the visitor won't stand out?
• And of course it can't be used for surveillance, as "There is also a low risk that the RFID tag could be used to conduct surreptitious locational surveillance of an individual; i.e., to use the presence of the tag to follow an individual as he or she moves about in the U.S. However, ensuring that RFID tag numbers do not exhibit properties that can be readily attributed to US-VISIT and using a limited radio frequency range effectively mitigates this risk. The design process is also taking into account methods of reducing eavesdropping and skimming possibilities." (pg 15). Reducing the "possibilities" by sticking their fingers into their ears and singing "La la la" each time a new tech groups shows them ever longer read ranges.
• And most importantly it doesn't affect US Citizens, because the document doesn't mention them. Never mind that every traveler in the car must be identified in order to separate the residents and citizens from visitors (by definition). They'll now know who you're associating with as you travel.

I'm now going to "contemplate" that being asked for "your papers, please" and being tracked every time I enter and leave my country, that there is no more "If" in "If we have to live our lives weighing every action, every communication, every human contact, wondering what agents of the state might find out about it, analyze it, judge it, possibly misconstrue it, and somehow use it to our detriment, we are not truly free." doesn't change our rights (4th Amendment anyone? it says "Persons") in the US. Whooohoo, I'm ever so much safer! [btw, that's one of the best essays on why privacy is a necessary and fundamental right in a free society. He warns Canadians not to give up what the U.S. has already lost. Worth reading.]

• It applies to every visiting person in the car- it is the new I-94 documentation for aliens.

• It is extremely private, in that "The information may also be shared with other agencies at the federal, state, local, foreign, or tribal level, who are lawfully engaged in collecting law enforcement information (whether civil or criminal) and national security intelligence information and/or who are investigating, prosecuting, enforcing, or implementing civil and/or criminal laws, related rules, regulations, or orders." "The Privacy Act SORNs for the systems on which US-VISIT draws provide notice as to the conditions of disclosure and routine uses for the information collected by US-VISIT. Any disclosure by DHS must be compatible with the purpose for which the information was collected." Yup, limited purposes.

• But really, the tag is safe, as "The RFID tag number will not contain or be derived from any personal information." (pg 14) Its just an unencrypted number. And only those very few groups listed above have the right to connect the number back to your personal info.

• ...therefore removing the possibility that a person can be found out as a visitor just because they carry an RFID: "it is contemplated that the unencrypted RFID tag number will not be structured in such a way that it can be used to identify the individual as a non-immigrant."(pg 15) Uh-huh. Because we all carry RFIDs, so one person carrying one can't stand out. I am comtemplating that my social security number will never be used as an identifier: it says so right on the card.

• And the RFID can't be used for surveillance, as "There is also a low risk that the RFID tag could be used to conduct surreptitious locational surveillance of an individual; i.e., to use the presence of the tag to follow an individual as he or she moves about in the U.S. However, ensuring that RFID tag numbers do not exhibit properties that can be readily attributed to US-VISIT and using a limited radio frequency range effectively mitigates this risk. The design process is also taking into account methods of reducing eavesdropping and skimming possibilities." (pg 15) Yup, if you take it into account you're solving it.

• There are no risks to U.S. citizens, because this document doesn't mention them at all. Sure they'll have checked and scanned everyone's documents in the car- citizens or not- so now know exactly which so called "U.S. citizens" have the audacity to travel with others, but nothing to worry about.

I'm now going to "contemplate" that being asked for "your papers, please" and being tracked every time I enter and leave my country, that "If we have to live our lives weighing every action, every communication, every human contact, wondering what agents of the state might find out about it, analyze it, judge it, possibly misconstrue it, and somehow use it to our detriment, we are not truly free." doesn't change the privacy rights (4th Ammendment anyone? it says "Persons") in the US. Whooohoo, I'm ever so much safer! [btw, that's one of the best essays on why privacy is a necessary and fundamental right in a free society. He warns Canadians not to give up what the U.S. has already lost. Worth reading.]

Q. What is the role of the Privacy Commissioner of Canada?

A. According to the Privacy Act and the Personal Information Protection and Electronic Documents Act, the Privacy Commissioner of Canada is responsible for ensuring that the federal government and companies in the private sector collect, use or disclose personal information in a manner that is responsible and transparent. These Acts governing personal information provide the Privacy Commissioner of Canada with the authority to ensure organizations and federal departments are held accountable for their information handling practices.

Within the federal public sector, the Privacy Commissioner of Canada can initiate audits of information practices randomly. In conducting an audit, the Commissioner has the power to summon any person before her. She also has the authority to administer oaths, receive evidence and, enter the premises of an organization, after fulfilling security requirements. The Commissioner can also examine or obtain copies of any records found.

The Commissioner is impartial and nonpartisan, which means she can act independently to investigate complaints from individuals. This mandate extends to both the federal public sector and the private sector. As such, the Privacy Commissioner of Canada can make recommendations to improve how personal information is handled. She can also publicize recommendations and reports. In some cases, the Commissioner can refer cases to the Federal Court. At this level, the Court can award damages to a complainant, including damages for humiliation.

As ombudsman, the Commissioner doesn't issue orders or impose penalties, but rather arrives at her decisions through a process of inquiry and persuasion, a process which underlines her impartiality and dedication to problem resolution.

However, it is a criminal offence to obstruct the Commissioner during an investigation or audit or to knowingly dispose of personal information that could be subject to a request. The legislation also makes it a criminal offence for employers to take retaliatory actions against employees.

The Privacy Commissioner of Canada's mandate also includes research, education and promotion of privacy issues in Canada. As an Officer of Parliament, the Privacy Commissioner of Canada reports directly to the House of Commons and to the Senate.

There ought to be a law that if you are going to retain someone's personal information then you are responsible for keeping it safe. Same as I'm responsible for keeping my PIN number safe.

I Canada we have this thing called PIPEDA (http://www.privcom.gc.ca/legislation/02_06_01_01_ e.asp) which is designed to prevent these sorts of things, and carries fines up to $100,000 (which I don't think is enough to convince some companies to care)

Information can't be collected without your consent, and can only be used for the purpose for which it was collected. The fine us up to $100,000.00 per INCIDENT, so keeping excessive data on just 10 people could in theory cost a company a million bucks.

If you felt relieved or happy about this ruling, you were probably concerned about the legality of your actions already.

True, but being concerned about the legality of an action is not the same thing as being concerned about the ethics of an action. You can be worried... that doesn't mean you feel guilty.

I mean, imagine if someone stole your stuff, but the police told you that they would get it back, but they aren't allowed to find out where they live.

As a matter of fact, lots of evidence is thrown out of court cases because it was acquired in a way that did not respect the rights of an accused. The police are not allowed to just randomly search whoever they want. There are rules. If these rules are broken, the information is not admissable, even if it proves someone is guilty of a crime. This is done so that the authorities do not feel compelled to abuse the rights of citizens. These protections are good for citizens. This is a privacy issue: if ISPs give away IP logs without there being a good reason, then the privacy of the users is not being respected. There are laws in Canada regarding privacy protection.

If you obtain a copy of a song without providing compensation to the copyright holder, your are breaking law and stealing from the copyright holder.

In some countries, not all. There are many countries where the copyright won't apply. In Canada, the courts ruled that because we are paying a tax on media (like blank CDs), it is legal to make copies onto these media. So in fact downloading and making a copy of a copyrighted work is legal in Canada. No law is being broken. (Although distribution would be illegal in Canada.)

if you aren't stealing the song, you are stealing the "right" to make copies

Nice try. You can perform semantic acrobatics all you like, but ultimately it is a copyright violation and not theft. Rights can be ignored or violated, but they can't be stolen. I don't know how to "steal a right" anymore than I know how to "steal a belief."

If you have a chance, read through some of the site especially some of the findings. Actually, in getting you that second link, I saw a new finding posted regarding SPAM - guess what, the complaint was well founded. So, any Canadians out there spamming better pay attention to this. The precedent has been set. If I haven't expressed an intrest in your product, you have no right to email me about it.

If you have a chance, read through some of the site especially some of the findings. Actually, in getting you that second link, I saw a new finding posted regarding SPAM - guess what, the complaint was well founded. So, any Canadians out there spamming better pay attention to this. The precedent has been set. If I haven't expressed an intrest in your product, you have no right to email me about it.

If you have a chance, read through some of the site especially some of the findings. Actually, in getting you that second link, I saw a new finding posted regarding SPAM - guess what, the complaint was well founded. So, any Canadians out there spamming better pay attention to this. The precedent has been set. If I haven't expressed an intrest in your product, you have no right to email me about it.

Just move north. Our Privacy Commissioner isn't too likely to let something like identity cards happen up here, at least not without a hell of a fight.

Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) expressely forbids the external transmission of client data, which would no doubt include the documents on our firm's computers, without their consent.

I can't see too many of our clients agreeing to let the confidential contents of their documents be sent to Microsft to figure out why our PCs crashed.