Leaky Websites, Encryption Keys & Mobile Trackers: Demystifying Privacy Laws & Obligations

Leaky Websites, Encryption Keys & Mobile Trackers: Demystifying Privacy Laws & Obligations

Waterloo Region Law Association June 12, 2013

Dentons Canada LLP

Agenda

June 12, 2013 Dentons Canada LLP 2

1. Quick Primer on Privacy Basics

2. Ad Networks and Analytics

3. Geolocation

4. Moving Data Hither and Yonder

5. Encryption – What is Solves; What it Doesn’t

Canadian Environment


• Personal Information Protection and Electronic Documents Act (PIPEDA) • Applies to an organization’s commercial activities • Does not apply to employee data

• Alberta Personal Information Protection Act • Applies to Alberta-based employees, contractors, consumers, etc.

• British Columbia Personal Information Protection Act • Applies to B.C.-based employees, contractors, consumers, etc.

• Quebec Act respecting the protection of personal information in the private sector • Applies to Quebec-based employees, contractors, consumers, etc.

• Common law

• Public Sector Acts • Interaction with Private Sector – Nova Scotia & British Columbia

The Basics of Canadian Privacy Law


• Protects the personal information through lifecycle

• Overarching Principles • Consent: Must have the express or implied consent to the collection, use and

disclosure of personal information; AND • Reasonableness: may collect, use or disclose personal information only for

purposes that a reasonable person would consider are appropriate in the circumstances

• Additional Important Principles • Limit Collection to what is necessary for Stated Purposes • Limit Use, Retention and Disclosure to fulfill Stated Purposes for Collection • Accountability throughout lifecycle • Safeguards • Openness and Individual Access

Personal Information


• Information about an identifiable individual

• But does not include business contact information

• Provided that the business contact information is being used for the purpose related to that business

• Aggregated information

Obvious Personal Information

• Name

• Home Address

• Birth date

• SIN

• Credit card #

• Salary

• Purchase history

• Image

• Gender


Debatable

• IP (Internet Protocol) Address

• MAC (Media Access Control) Address – mobile devices

• Location

• Activities offline

• License plate


Online Advertising Terminology


• Broadcast: Not targeted to user or interest

• Contextual: Tailored to the content of the webpage

• First Party: User only tracked on the website or families of websites

• Ad Network: Networked websites serving up ads from the same organization

• Online Behavioural Advertising: User tracked across unrelated websites and activities

How Ad Networks Operate


• Website rents space on its webpage

• Ad Network sends cookie to user’s device

• Cookie provides Ad Network with information so that visitor doesn’t see same content each time, remembers pages you have already visited

• Ad Network can track user through cookie across networked websites

• Can engage in online behavioural advertising (OBA)

• Can use other information – MAC address or other Unique Device Identifier or IP address instead of cookie

Analytics


• Important trend is predictive analytics

• Predicting personal information about you before you disclose it

• Famous case was the Target “pregnancy ad” (wasn’t online)

• Like the Ad Network, information collected about behaviour online and then mined to make predictions

It is Personal Information

June 12, 2013 Dentons Canada LLP

• MAC address / IP address, website history, search terms, App activities and transactions, coarse location

• PIPEDA, s. 2 • “personal information” means information about an identifiable individual, but

does not include …

• Ontario Privacy Commissioner (OPC) says given the context and the purpose of OBA, the information collected will be treated as personal information and it is up to organizations to prove otherwise

11

Reasonable Purpose Test


• Consent is a necessary but not sufficient condition in Canada

• PIPEDA, s. 5(3) • An organization may collect, use or disclose personal information only for

purposes that a reasonable person would consider are appropriate in the circumstances.

• OBA can be a reasonable purpose but not a condition of service for accessing and using the Internet generally (OPC’s OBA Guidance)

12

Consent – Opt-In / Opt-Out


• Opt-Out if: • User has clear notice • User is able to opt-out without difficulty • Notice is given before collection

• Consent should be contextual (“just in time”) – at the point of collection

• Information should not be “sensitive” information

• Information should be destroyed “as soon as possible” or effectively de-identified

• No tracking children (in U.S., get parental consent)

• Warning: Advertising to children in Québec

13

Leaky Websites


• Office of the Privacy Commissioner of Canada tested websites

• Noticed that during the process of making an “ad call” personal information was being sent to advertiser

• Also sent to analytics companies

• In some cases, information included names and email addresses

• Lack of knowledge and consent

• Need to be able to opt-out

• Unclear how this is going to play out in the long run

Location, Location, Location


• Location awareness

• IP address, GPS, cell phone towers, Wifi, sensors on device to determine inside or outside

• Where you are and where you aren’t is information about you

• Mobile devices are personal devices

• Location information is, therefore, likely to be information about an identifiable individual because the location of the device generally correlates with the individual’s location

15

Emerging Canadian Approach to Geolocation?


• Previously the OPC has taken the position that the existence of a legitimate security objective does not automatically justify the use of a surveillance technology (work environment)

• Four-part test • Is the use of the technology demonstrably necessary to meet a specific need? • Is the use of the technology likely to be effective in meeting that need? • Is the loss of privacy proportional to the benefit gained? • Is there a less privacy-invasive way of achieving the same end?

16

Moving Data Hither & Yonder


• Typical Cross Border Scenarios • Storage of data on servers in USA – e.g. SAP installation • Email service provider has no Canadian data centre • SPAM service provider located in USA or UK • Email run through USA • Data processed in USA

Distinguish Between Disclosure and Sharing


• Disclose to third party for their use

• Sharing — disclosure to third party to fulfill the purpose and provide services on your behalf

• Outsourcers and service providers – confidentiality obligations

Key Privacy Issues


• Accountability • Organization remains responsible and must have contractual means to ensure

comparable level of protection

• Safeguards • Technical, Administrative and Physical security • Controlled IDs and strong passwords for access to the system • Testing of the system for intrusion. • Transfer of data over a private network or encryption of sensitive data in transit over a

public network • Sensitive data encrypted at rest. • Access to data by any employee limited to what is necessary to fulfill a specific

delineated function and access is authenticated and logged • Secure data centre employing industry-standard IT security protections

• Openness • Advise customers

USA Patriot Act and Other U.S. Privacy Issues


• Section 215 allows FBI to access records held in USA by applying for an order of the Foreign Intelligence Surveillance Act Court

• Company subject to a Section 215 order cannot reveal that the FBI has sought or obtained information from it

• US has Safe Harbor accord with EU (2000) • Companies can opt in

• US has sector specific laws and some US States have enacted laws

• Previously various Privacy Commissioners in Canada have concluded that storage or processing of data in the U.S. is not an impediment

• Could this change?

CIBC VISA


• CIBC VISA card case • VISA credit card information to be processed in US • Canadian customer data stored on U.S. based system • VISA cardholder agreement amended • No opt-out • US authorities may access the data

• Ruling • Bank had contract with U.S. data processor to maintain comparable level of

security and protection • Bank appropriately notified customers

Ontario Hunting & Fishing Licences


• Outsourced to US Based Organization

• Ontario Privacy Commissioner – No problem

• Different in British Columbia & Nova Scotia

Encryption Basics


• Message + Algorithm + Key = Encrypted Message

• Algorithm + Key + Encrypted Message = Message

• The complexity of the Algorithm prevents guessing of the Key

• Need to keep the Key separate

• If you lose the Key and the Algorithm is strong – Your Data is Junk

What Encryption Solves


• Encryption facilitates safe transfer of information

• Encryption protects mobile data

• Keeping key in Canada can prevent foreign access to data while residing abroad or routing through other countries

What Encryption Doesn’t Solve


• Increasing movement to “lawful access” legislation

• Inspection of header information – required to route message - metadata

• Operating systems tend to leave behind lots of information

• Malware

• Hacking and snatching the key

Thank you – Questions?

Michael Beairsto Dentons Canada LLP [email protected] 416-862-3412

Timothy M Banks Dentons Canada LLP [email protected] 416-863-4424

www.datagovernancelaw.com @TM_Banks

Dentons Canada LLP June 12, 2013 26

http://www.dentons.com/michael-beairsto

mailto:[email protected]

http://www.dentons.com/en/timothy-banks

mailto:[email protected]

http://www.datagovernancelaw.com/

The preceding presentation contains examples of the kinds of issues companies dealing with Privacy could face. If you are faced with one of these issues, please retain professional assistance as each situation is unique.

27

Leaky Websites, Encryption Keys & Mobile Trackers: Demystifying Privacy Laws & Obligations

Business

Transcript of Leaky Websites, Encryption Keys & Mobile Trackers: Demystifying Privacy Laws & Obligations