Leaky Websites, Encryption Keys & Mobile Trackers: Demystifying Privacy Laws & Obligations


Published on

In this presentation, Michael Beairsto and Timothy Banks discuss Leaky Websites, Encryption Keys & More: Demystifying Privacy Laws & Obligations. Topics include:

Quick Primer on Privacy Basics
Ad Networks and Analytics
Moving Data Hither and Yonder
Encryption – What is Solves; What it Doesn’t

Published in: Business, Technology
  • Be the first to comment

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Leaky Websites, Encryption Keys & Mobile Trackers: Demystifying Privacy Laws & Obligations

  1. 1. Leaky Websites, EncryptionKeys & Mobile Trackers:Demystifying Privacy Laws &ObligationsWaterloo Region Law AssociationJune 12, 2013Dentons Canada LLP
  2. 2. AgendaJune 12, 2013 Dentons Canada LLP 21. Quick Primer on Privacy Basics2. Ad Networks and Analytics3. Geolocation4. Moving Data Hither and Yonder5. Encryption – What is Solves; What it Doesn’t
  3. 3. Canadian EnvironmentJune 12, 2013 Dentons Canada LLP 3• Personal Information Protection and Electronic Documents Act (PIPEDA)• Applies to an organization’s commercial activities• Does not apply to employee data• Alberta Personal Information Protection Act• Applies to Alberta-based employees, contractors, consumers, etc.• British Columbia Personal Information Protection Act• Applies to B.C.-based employees, contractors, consumers, etc.• Quebec Act respecting the protection of personal information in theprivate sector• Applies to Quebec-based employees, contractors, consumers, etc.• Common law• Public Sector Acts• Interaction with Private Sector – Nova Scotia & British Columbia
  4. 4. The Basics of Canadian Privacy LawJune 12, 2013 Dentons Canada LLP 4• Protects the personal information through lifecycle• Overarching Principles• Consent: Must have the express or implied consent to the collection, use anddisclosure of personal information; AND• Reasonableness: may collect, use or disclose personal information only forpurposes that a reasonable person would consider are appropriate in thecircumstances• Additional Important Principles• Limit Collection to what is necessary for Stated Purposes• Limit Use, Retention and Disclosure to fulfill Stated Purposes for Collection• Accountability throughout lifecycle• Safeguards• Openness and Individual Access
  5. 5. Personal InformationJune 12, 2013 Dentons Canada LLP 5• Information about an identifiable individual• But does not include business contact information• Provided that the business contact information is being used for thepurpose related to that business• Aggregated information
  6. 6. Obvious Personal Information• Name• Home Address• Birth date• SIN• Credit card #• Salary• Purchase history• Image• GenderJune 12, 2013 Dentons Canada LLP 6
  7. 7. Debatable• IP (Internet Protocol) Address• MAC (Media Access Control) Address – mobile devices• Location• Activities offline• License plateJune 12, 2013 Dentons Canada LLP 7
  8. 8. Online Advertising TerminologyJune 12, 2013 Dentons Canada LLP 8• Broadcast: Not targeted to user or interest• Contextual: Tailored to the content of the webpage• First Party: User only tracked on the website or families of websites• Ad Network: Networked websites serving up ads from the sameorganization• Online Behavioural Advertising: User tracked across unrelated websitesand activities
  9. 9. How Ad Networks OperateJune 12, 2013 Dentons Canada LLP 9• Website rents space on its webpage• Ad Network sends cookie to user’s device• Cookie provides Ad Network with information so that visitor doesn’t seesame content each time, remembers pages you have already visited• Ad Network can track user through cookie across networked websites• Can engage in online behavioural advertising (OBA)• Can use other information – MAC address or other Unique DeviceIdentifier or IP address instead of cookie
  10. 10. AnalyticsJune 12, 2013 Dentons Canada LLP 10• Important trend is predictive analytics• Predicting personal information about you before you disclose it• Famous case was the Target “pregnancy ad” (wasn’t online)• Like the Ad Network, information collected about behaviour online andthen mined to make predictions
  11. 11. It is Personal InformationJune 12, 2013 Dentons Canada LLP• MAC address / IP address, website history, search terms, App activitiesand transactions, coarse location• PIPEDA, s. 2• “personal information” means information about an identifiable individual, butdoes not include …• Ontario Privacy Commissioner (OPC) says given the context and thepurpose of OBA, the information collected will be treated as personalinformation and it is up to organizations to prove otherwise11
  12. 12. Reasonable Purpose TestJune 12, 2013 Dentons Canada LLP• Consent is a necessary but not sufficient condition in Canada• PIPEDA, s. 5(3)• An organization may collect, use or disclose personal information only forpurposes that a reasonable person would consider are appropriate in thecircumstances.• OBA can be a reasonable purpose but not a condition of service foraccessing and using the Internet generally (OPC’s OBA Guidance)12
  13. 13. Consent – Opt-In / Opt-OutJune 12, 2013 Dentons Canada LLP• Opt-Out if:• User has clear notice• User is able to opt-out without difficulty• Notice is given before collection• Consent should be contextual (“just in time”) – at the point of collection• Information should not be “sensitive” information• Information should be destroyed “as soon as possible” or effectively de-identified• No tracking children (in U.S., get parental consent)• Warning: Advertising to children in Québec13
  14. 14. Leaky WebsitesJune 12, 2013 Dentons Canada LLP 14• Office of the Privacy Commissioner of Canada tested websites• Noticed that during the process of making an “ad call” personalinformation was being sent to advertiser• Also sent to analytics companies• In some cases, information included names and email addresses• Lack of knowledge and consent• Need to be able to opt-out• Unclear how this is going to play out in the long run
  15. 15. Location, Location, LocationJune 12, 2013 Dentons Canada LLP• Location awareness• IP address, GPS, cell phone towers, Wifi, sensors on device todetermine inside or outside• Where you are and where you aren’t is information about you• Mobile devices are personal devices• Location information is, therefore, likely to be information about anidentifiable individual because the location of the device generallycorrelates with the individual’s location15
  16. 16. Emerging Canadian Approach to Geolocation?June 12, 2013 Dentons Canada LLP• Previously the OPC has taken the position that the existence of alegitimate security objective does not automatically justify the use of asurveillance technology (work environment)• Four-part test• Is the use of the technology demonstrably necessary to meet a specific need?• Is the use of the technology likely to be effective in meeting that need?• Is the loss of privacy proportional to the benefit gained?• Is there a less privacy-invasive way of achieving the same end?16
  17. 17. Moving Data Hither & YonderJune 12, 2013 Dentons Canada LLP 17• Typical Cross Border Scenarios• Storage of data on servers in USA – e.g. SAP installation• Email service provider has no Canadian data centre• SPAM service provider located in USA or UK• Email run through USA• Data processed in USA
  18. 18. Distinguish Between Disclosure and SharingJune 12, 2013 Dentons Canada LLP 18• Disclose to third party for their use• Sharing — disclosure to third party to fulfill the purpose and provideservices on your behalf• Outsourcers and service providers – confidentiality obligations
  19. 19. Key Privacy IssuesJune 12, 2013 Dentons Canada LLP 19• Accountability• Organization remains responsible and must have contractual means to ensurecomparable level of protection• Safeguards• Technical, Administrative and Physical security• Controlled IDs and strong passwords for access to the system• Testing of the system for intrusion.• Transfer of data over a private network or encryption of sensitive data in transit over apublic network• Sensitive data encrypted at rest.• Access to data by any employee limited to what is necessary to fulfill a specificdelineated function and access is authenticated and logged• Secure data centre employing industry-standard IT security protections• Openness• Advise customers
  20. 20. USA Patriot Act and Other U.S. Privacy IssuesJune 12, 2013 Dentons Canada LLP 20• Section 215 allows FBI to access records held in USA by applying for anorder of the Foreign Intelligence Surveillance Act Court• Company subject to a Section 215 order cannot reveal that the FBI hassought or obtained information from it• US has Safe Harbor accord with EU (2000)• Companies can opt in• US has sector specific laws and some US States have enacted laws• Previously various Privacy Commissioners in Canada have concludedthat storage or processing of data in the U.S. is not an impediment• Could this change?
  21. 21. CIBC VISAJune 12, 2013 Dentons Canada LLP 21• CIBC VISA card case• VISA credit card information to be processed in US• Canadian customer data stored on U.S. based system• VISA cardholder agreement amended• No opt-out• US authorities may access the data• Ruling• Bank had contract with U.S. data processor to maintain comparable level ofsecurity and protection• Bank appropriately notified customers
  22. 22. Ontario Hunting & Fishing LicencesJune 12, 2013 Dentons Canada LLP 22• Outsourced to US Based Organization• Ontario Privacy Commissioner – No problem• Different in British Columbia & Nova Scotia
  23. 23. Encryption BasicsJune 12, 2013 Dentons Canada LLP 23• Message + Algorithm + Key = Encrypted Message• Algorithm + Key + Encrypted Message = Message• The complexity of the Algorithm prevents guessing of the Key• Need to keep the Key separate• If you lose the Key and the Algorithm is strong – Your Data is Junk
  24. 24. What Encryption SolvesJune 12, 2013 Dentons Canada LLP 24• Encryption facilitates safe transfer of information• Encryption protects mobile data• Keeping key in Canada can prevent foreign access to data while residingabroad or routing through other countries
  25. 25. What Encryption Doesn’t SolveJune 12, 2013 Dentons Canada LLP 25• Increasing movement to “lawful access” legislation• Inspection of header information – required to route message - metadata• Operating systems tend to leave behind lots of information• Malware• Hacking and snatching the key
  26. 26. Thank you – Questions?Michael BeairstoDentons Canada LLPmichael.beairsto@dentons.com416-862-3412Timothy M BanksDentons Canada LLPtimothy.banks@dentons.com416-863-4424www.datagovernancelaw.com@TM_BanksDentons Canada LLPJune 12, 2013 26
  27. 27. The precedingpresentation containsexamples of the kinds ofissues companies dealingwith Privacy could face. Ifyou are faced with one ofthese issues, please retainprofessional assistance aseach situation is unique.27