understanding the importance and impact of anonymity and authentication in a networked society
navigation menu top border

.:home:.     .:project:.    .:people:.     .:research:.     .:blog:.     .:resources:.     .:media:.

navigation menu bottom border
main display area top border

« August 2005 | Main | October 2005 »

For The Sake Of Productivity...

posted by:Sara Azargive // 08:24 PM // September 27, 2005 // ID TRAIL MIX

Good value in terms of productivity, service and the protection of an employer’s interests seem to be the pervasive rationale behind workplace surveillance. A poll conducted by Accountemps, a temporary staffing service, reported that 70 percent of large Canadian companies monitor employee computer activity (Globe and Mail, August 19, 2005). It is estimated that most employees spend an average of 40 minutes a day on non-work related email, instant messaging and Internet use. A majority of the companies polled indicated that they monitor Internet use, with 27 per cent saying that they observe activity very closely, 43 per cent saying somewhat closely and 19 percent saying not very closely. Only 9 percent said that computer use was not monitored and the remaining 2 percent said they did not know.

In a decision released this summer by Commissioner Frank Work, the issue of workplace privacy was revisited. Commissioner Work ruled that a library in Alberta that electronically monitored an employee’s computer use collected the personal information in contravention of the Freedom of Information and Protection of Privacy Act. The library had installed keystroke logging software on the employee’s computer, concluding that this was the only way the productivity of their employee, a computer technician, could be measured. They relied on a provision of the Freedom of Information and Protection of Privacy Act (section 33(c)) which permits collection of information that relates directly to and is necessary for an operating program or activity of a public body. The Commissioner’s office concluded that a less intrusive means to get the required information was available to manage the employee.

The information that was collected through the use of the keystroke logging software was found to have a personal aspect, since it was used to determine how much work the employee did, the style or manner of doing it and/or the choices that were made when prioritizing the work. The public body had argued that they used the software to ensure that its resources were being used for the purposes of the public body and that the personal use of the computers were limited. The public body felt that by doing this they were protecting the public interest.

In Eastmond v Canadian Pacific Railway, 2004 FC 852, the Federal Court of Canada considered an application brought by a Canadian Pacific Railway (CP) employee for an order requiring CP to comply with the Federal Privacy Commissioner's report which recommended the removal of video cameras from the mechanical facility area of CP’s Toronto Yard. The Federal Court dismissed the application. CP had installed six digital video recording surveillance cameras for security purposes. An employee filed a complaint with the Federal Privacy Commissioner’s office alleging that the cameras were violating employees' rights to privacy. The Federal Privacy Commissioner issued a report holding the complaint was well founded and recommended the removal of the cameras.

The court used the same four factors used by the Federal Privacy Commissioner to determine whether CP's purposes for collecting personal information are those a reasonable person would consider appropriate:

• Is camera surveillance and recording necessary to meet a specific CP need;
• Is camera surveillance and recording likely to be effective in meeting that need;
• Is the loss of privacy proportional to the benefit gained;
• Is there a less privacy-invasive way of achieving the same end?

The Federal Court of Canada held that CP had identified a number of past incidents which justified the need to have surveillance cameras. In addition it also held that video surveillance was useful to deter theft, vandalism and trespassers, and to enhance the security of its employees. The collection of personal information was not surreptitious or continuous nor was it intended to measure an employee's work performance. The court concluded that there was no less privacy-invasive way of achieving the same end in a cost effective manner that did not unduly disrupt CP’s operation.

The court further ruled that the collection of the information without knowledge and consent of those under surveillance was permissible pursuant to section 7(1)(b) of the Personal Information Protection and Electronic Documents Act which permits an organization to collect personal information without knowledge or consent of the individual if it is reasonable to expect that the collection with the knowledge or consent of the individual would comprise the availability or accuracy of the information and the collection is reasonable for purposes related to investigating a breach of an agreement or a contravention of the laws of Canada or a province.

For the purposes of deterring theft and vandalism and enhancing the security of employees, video surveillance was found to be reasonable and also useful as a tool for investigation. The Eastmond decision offers support to employers in determining how video surveillance can be used in compliance with privacy legislation.

CP’s purposes for collection: deterrence of theft; vandalism; and security of employees and investigation of reported incidents were found to be appropriate. How would the Federal Court’s decision have been different if the collection of personal information was used to measure productivity and an employee’s work performance? The court did state that CP could not have used the video images to measure an employee's productivity since such a use of the information would be a use for a purpose other than that which prompted its collection as a security measure. Unfortunately, no further direction was given from the court on workplace surveillance in the context of productivity and work performance. However, the distinction made by the court between surreptitious and open surveillance methods illustrates a need for the implementation of best practices in relation to the least privacy invasive tool to be used by employers when managing employees.

| Comments (0) |


Handbook for Bloggers and Cyber-Dissidents

posted by:Alison Gardner Biggs // 02:21 PM // September 22, 2005 // Digital Activism and Advocacy

Reporters Without Borders has released a free Handbook for Bloggers and Cyber-Dissidents, downloadable as a PDF. Aimed at citizens in countries where media and expression are censored, the handbook gives tips and advice on how to remain anonymous and avoid censorship, and also gives practical tips for setting up and promoting a blog.

For commentary and a review of the handbook, check out the article at Global Voices.

| Comments (0) |


ANONYMISATION: A STRANGE CASE OF IDENTITY THEFT

posted by:Carole Lucock // 08:24 PM // September 20, 2005 // ID TRAIL MIX

Often the ID Trail Mix presents an opinion or editorial on a specific topic. In this piece I’ve taken a slightly different approach by raising two questions that have received very little attention in the literature. I hope to highlight the fact that there are questions to be asked as well as to generate discussion. My own thoughts will be forthcoming in an upcoming paper that analyses the issues in some depth.

The use of information in anonymised form is increasingly represented and understood as a win-win privacy/access solution. On this account, those seeking access get what they need – namely, the information. At the same time, the ‘data subject’s’ privacy is not diminished. In fact, his or her privacy right or interest, is not engaged, much less infringed.

There are many questions raised by this touted solution: How shall we interpret the meaning of the term ‘anonymous’, or ‘anonymised’? What operational definitions shall we assume? To what standard shall we assess whether information has been rendered anonymous? Anonymous with respect to whom – to everyone and anyone – or only to some?

However before getting to these questions, first the assumption that if information is anonymous, then the person has no privacy right or confidentiality interest with respect to this information must be carefully examined. Implicit in this assumption is the idea that, once information has been anonymised – its link to the subject of the information (supposedly) severed – the subject no longer has a privacy or other right in the information. It is premised on the notion that anonymised information is no longer private, confidential or under a duty of confidentiality.

The “no longer” is important. It indicates that the subject did at some point have a privacy right or confidentiality interest with respect to the information, which becomes erased with the erasure of identity. To say that one no longer holds a privacy right or interest may be to say too much. However, something peculiar is going on here, and the assumption that nothing is here lost for privacy is no less dubious, and perhaps even more so.

To examine these assumptions it is important to focus on the anonymisation of information. This process or act, for the most part, is hidden in the shadow land and barely noticed at all. It occurs between two points in time and in virtue of this act or process, between one time and another – a before and after – information goes from being identifiable to being not so. Another thing also seems to happen between these two points in time: at one point the subject has rights in the information and at the following point s/he does not.

Thus, the act of anonymisation not only transforms the information. It also transforms the nature of the subject’s relationship to it! Along with the removal of identity, the information loses or is stripped of the character of being under the jurisdiction of the person to whom the information originally attached. Given this significant consequence, does or should the scope of the rights that a person has in information prior to anonymisation include the right to control whether the act of anonymisation is undertaken at all? A second, related, question is whether a person does or should have continuing rights with respect to his or her anonymised information?

| Comments (1) |


MIT REAL ID FORUM

posted by:Ian Kerr // 07:21 PM // September 19, 2005 // Digital Activism and Advocacy

According to the organizers of an upcoming event at MIT, US citizens' digital and physical identities may be about to merge under a new US federal law that requires a standard federally controlled identity card.


Consequently, the MIT Media Lab and MIT E-Commerce Architecture Program are hosting a two part Real ID Forum that aims to explore. the Real ID Act of 2005 [which sets up a new federally controlled driver license that can be read by computers according to common national standards, raising many public policy, technical and business problems and prospects].

The first forum is on online discussion, facilitated by experts in the relevant fields, and taking place from Monday, September 19th at 3pm Eastern Time through Friday, September 23rd. It addresses Qs such as:

>Is the Real ID going to be a National Identity for the USA?
>Does it represent the ultimate convergence of physical identity cards and your digital log in?
>Are the privacy, civil liberties and administrative issues addressed adequately?
>How should the various competing interests surrounding implementation of the Real ID Act be balanced?

There will also be a face to face meeting, held at the MIT Media Lab in November, 2005.

To find out more information and to register for this free program, CLICK HERE

| Comments (0) |


Industry Canada makes RFID deployment easier

posted by:Philippa Lawson // 12:26 PM // // Digital Democracy: law, policy and politics

According to Decima Reports ICT Update Industry Canada has adopted new rules regarding RFID (RSS-210), making it easier for the deployment of RFID equipment in both Canada and the United States. The rule changes involve modifications to RSS-210 that will align with the technical standards currently in force in the U.S., and that will permit the development of RFID devices which can operate in other countries.

The Decima Reports ICT UPDATE is published by:

Decima Reports Inc.
160 Elgin Street, Suite 1800
Ottawa, Ontario CANADA
K2P 2P7
Tel. (613) 230-1984
Fax (613) 230-3793
Email: newsdesk@decima.com
Web site: www.decima.com/reports

| Comments (0) |


Isn't this my property?

posted by:Shannon Ramdin // 10:34 AM // September 16, 2005 // Commentary &/or random thoughts

Recently Yahoo! came under fire for providing information that helped jail a journalist; supporting companies that spawn pop-up ads; and changing preferences on PCs users when they download Yahoo software.

Despite these issues, COO Daniel Rosenweig states that "users can put their trust in us because that is what we're built on."

Read the full article here.

Is it possible that Google could become even more popular?

| Comments (0) |


Negotiating Privacy Decisions: Roadblocks and Detours on the Information Highway

posted by:Jacquelyn Burkell // 08:35 PM // September 13, 2005 // ID TRAIL MIX

I was getting a tour of MSN Messenger the other day – thanks to my research assistant. Of course, I know that MSN Messenger collects and uses personal information, and before signing on as a member I carefully read the Terms of Use to see what I was agreeing to. Things were pretty much as I anticipated until I reached this language:

• HOW WE MAY MODIFY THIS CONTRACT.

We may change this contract at any time. You must review this contract on a regular basis. You can find the most recent version of the contract at http://messenger.msn.com/Help/Terms.aspx. The changed contract is in effect right away. If you do not agree to changes in the contract, then you must stop using the Service. If you do not stop using the Service, then your use of the Service will continue under the changed contract.

Although I was not completely surprised to learn the degree of my personal responsibility in ensuring that my privacy needs continue to be met, to read it in such clear language was a bit disconcerting. It seems that MSN reserves the right to change our agreement whenever they want – and the responsibility is mine to figure out when or if that has happened. It makes me feel a little better to read this language in the MSN Privacy Policy (as opposed to Terms of Use, above):

Changes to this Statement

We will occasionally update this Privacy Statement to reflect changes in our services and customer feedback. When we posts changes to this Statement, you will see the word "updated" next to the MSN Privacy Statement link on the front page of MSN. If there are material changes to this Statement or in how Microsoft will use your personal information, we will prominently post such changes prior to implementing the change. We encourage you to periodically review this Statement to be informed of how Microsoft is protecting your information.

But I must admit to a pretty high degree of confusion. If the Privacy Policy changes, will they tell me, or won’t they? If they do ‘tell me’, what form will it take? How much notice will I have? How do I go about revoking my consent if I decide to do so?

This last issue is particularly difficult to navigate, and represents a real tension between marketers and consumers. Obviously, for marketers the point is to have ongoing access to your information, and to retain the right to market to you. Web sites want your information now, and they want to continue to have access to that information in the future. From their perspective, if you say ‘no’ to information release, it hurts them:

"Whenever a customer unsubscribes from future marketing messages, it has a measurable impact on the bottom line. Losing permission limits your ability to market your products or services to the customer. It also limits your ability to manage the relationship with this customer. We call this dynamic "permission churn.""

Lyons, D., & Fletcher, W. (2002, June). Ask for permission and keep your customers. Customer Inter@ction Solutions. 20(12), 40-44.

They respond by making privacy policies complex and difficult to understand, by assuming consent and requiring consumers to ‘opt out’ in order to protect information, and by making it difficult to revoke consent once offered.

We are currently examining the privacy policies on the web sites that kids use, and we’re finding that most web sites don’t make it easy – in fact, quite the opposite. On many sites, privacy policies are difficult to find, difficult to understand, and difficult to navigate (requiring the user to follow a large number of links to get the full policy). There are, of course, exceptions, where the link to the privacy policy is evident, the language is clear and understandable, and the document itself is self-contained and complete. But these exceptions are relatively few and far between.

In some cases, initial consent is assumed, and consumers are required to ‘opt out’ if they want their private information protected. In the U.S., for example, the Financial Services Privacy Act requires that consumers have the option of ‘opting out’ of the sale of their personal information to other parties. Financial institutions, however, want to maintain this right, and there are explicit strategies for doing so:

“DO include unsubscribe information in every communication you send. HOWEVER, this information does not have to be a direct hyperlink, nor should you feel you need to make it too easy to opt-out. It's a fine line you walk here - you don't want folks opting-out on a whim, just because they got up on the wrong side of the bed that morning. By the same token, you must make it possible for them to say "Thanks, but no thanks." One or two extra steps to the opt-out procedure are acceptable”

It is no surprise that organizations such as the Privacy Rights Clearinghouse have taken the step of creating information sheets such as ‘Financial Privacy: How to Read Your Opt-Out Notices’ – opt-out notices are not written to be clear, understandable, and easily executable. They are written to minimize opt-out. It gets worse, of course. Not only do companies make it difficult to exercise an ‘opt out’ option, they may in fact share the information they collect from you for the purpose of opting out.

Even in the case of exemplary privacy policies, requirements for opting out or revoking consent are unclear and difficult to follow (read the ‘your choices’ section in this otherwise exemplary privacy policy and see if you understand how you would cancel your registration). The Direct Marketing Association offers “Consumer Assistance – how and where to find help”. One link on this page ostensibly tells you “How to get your name off e-mail lists” – but when you follow the link it is ‘not found’.

In the vast majority of cases, privacy policies, opt-out procedures, and procedures for revoking consent are designed to be difficult to understand and, in the latter two cases, difficult to implement. It isn’t that the problems couldn’t be resolved – in fact, just the opposite. Marketers are using their knowledge of consumer motivation and psychology to design policies that maximize information release – consumers need to get into the act and demand policies that make it easier both to understand what their consent means, and to withdraw that consent if they wish.

Thanks to Melissa Cheater and Jackie Strandberg for their research assistance.
| Comments (0) |


The regulation of young offenders’ private information in the Canadian youth criminal justice system: the semantics of repression

posted by:Veronica Pinero // 08:32 PM // September 06, 2005 // ID TRAIL MIX

In 1918, George Mead drew a significant distinction between the adult criminal court and the juvenile criminal court. He noted that:

[i]t is in the juvenile court that we meet the undertaking to reach and understand the causes of social and individual breakdown, to mend if possible the defective situation and reinstate the individual at fault. This is not attended with any weakening of the sense of the values that are at stake, but a great part of the paraphernalia of hostile procedure is absent. (George Mead, “The Psychology of Punitive Justice” (1918) 23 Am. J. Soc. 577 at 594)

Part of the above mentioned “paraphernalia of hostile procedure” was the resort to open criminal trials and the possibility of making available to the public the name of the convicted offenders. In order to prevent the young offender from the undesirable outcomes attached to those practices, for instance social exclusion, marginalization, and stigmatization, in the year 1892 Canadian parliamentarians passed legislation to regulate such an issue.

Section 550 of the 1892 Canadian Criminal Code stated that “[t]he trials of all persons apparently under the age of sixteen years shall, so far as it appears expedient and practicable, take place without publicity, and separately and apart from that of other accused persons and at suitable times to be designated and appointed for that purpose” (Criminal Code, 1892, Statutes of Canada, 1892, c. 29 at s. 550). The reason for that regulation was to avoid the undesirable outcomes attached to criminal procedures in an attempt to facilitate the reintegration of the young offender in society.

Such a section was amended in the year 1894 in order to strengthen the restriction on the publicity of the private information of young persons: “[the trials of young persons apparently under the age of sixteen years, shall take place without publicity and separately and apart from the trials of other accused persons, and at suitable times to be designated and appointed for that purpose.” (An Act respecting Arrest, Trial and Imprisonment of Youthful Offenders, 1894, c. 58, s. 1).

The above mentioned philosophy continued with the enactment of the Juvenile Delinquents Act (An Act Respecting Juvenile Delinquents, S.C. 1908, c. 40, s. 10). Moreover, the legislation enacted in the year 1929 introduced more restrictions to the possibility of making available to public the private information of young offenders involved in criminal procedures (An Act respecting Juvenile Delinquents, S.C. 1929, c. 46, s.12).

On July 7, 1982 the Young Offenders Act received Royal Assent. With regard to the privacy of young offenders, this act introduced important changes to the regulation of the Juvenile Delinquents Act that would completely modify the system. First of all, concerning the privacy of youth court proceeding, this new piece of legislation opened up youth court hearings to “ensure public scrutiny and monitoring of the youth court system.” It seems that in this case the notions of “due process” and “accountability” had priority to the protection of private information of young people involved in criminal procedures. In addition, the Young Offenders Act allowed the publication of information concerning a young person who had been transferred to an ordinary court and found guilty of the alleged offence. On the other hand, except the situation mentioned above, the Young Offenders Act criminalized the reporting by the press that did not respect the anonymity of the young person involved, whether as an accused, as a victim, or as a witness (Young Offenders Act, S.C. 1980-81-82-82, c. 110 at s. 38(2)).

On June 27, 1986, Parliament passed An Act to amend the Young Offenders Act, the Criminal Code, the Penitentiary Act and the Prisons and Reformatories Act (, S.C. 1986, c. 32.). This Act introduced several amendments to the Young Offenders Act, among them, an amendment to the regulation of privacy of young persons. This amendment increased the circumstances under which identifiable information of a young offender could be made public:

38 (1.2) A youth court judge shall, on the ex parte application of a peace officer, make an order permitting any person to publish a report described in subsection (1) that contains the name of a young person, or information serving to identify a young person, who has committed or is alleged to have committed an indictable offence, if the judge is satisfied that (a) there is reason to believe that the young person is dangerous to others; and (b) publication of the report is necessary to assist in apprehending the young person.

As mentioned above, the Young Offenders Act introduced a marked shift to the regulation of private information of young persons involved in criminal procedures. Such a shift in the area of youth privacy would be more evident after each subsequent amendment to the Young Offenders Act. On April 9, 1992 Parliament enacted another piece of legislation that would set up new changes to the regulation of the privacy of young offenders: An Act to amend the Young Offenders Act and the Criminal Code (, S.C. 1992, c. 11). This piece of legislation introduced amendments to the regulation of privacy of young offenders by increasing the number of situations under which youth court information could be disclosed to third parties, such as schools and other authorities.

On February 19, 2002, the Youth Criminal Justice Act received Royal Assent. Even though the rhetoric of this act recognizes the importance of protecting the privacy of young offenders, it allows open youth court proceedings (s. 132). In addition, although this piece of legislation prohibits the publication of identifying information about youths involved in the justice system, it permits the publication of information that identifies young offenders that have received an adult sentence, who have been convicted of very serious offences, or who pose a serious risk to the public:

110.(1) Subject to this section, no person shall publish the name of a young person, or any other information related to a young person, if it would identify the young person as a young person dealt with under this Act. (2) Subsection (1) does not apply (a) in a case where the information relates to a young person who has received an adult sentence; (b) subject to sections 65 (young person not liable to adult sentence) and 75 (youth sentence imposed despite presumptive offence), in a case where the information relates to a young person who has received a youth sentence for an offence set out in paragraph (a) of the definition “presumptive offence” in subsection 2(1), or an offence set out in paragraph (b) of that definition for which the Attorney General has given notice under subsection 64(2) (intention to seek adult sentence); and (c) in a case where the publication of information is made in the course of the administration of justice, if it is not the purpose of the publication to make the information known in the community. [...]

Although the rhetoric of the Youth Criminal Justice Act in the area of privacy of young offenders is slightly different to the rhetoric of the Young Offenders Act, the underlying normative regulation has not changed. To present (September 2005), the Youth Criminal Justice Act has been amended three times; however, none of these amendments has modified the regulation of privacy of young offenders as stated on the 2002 version.

In the origins of the Canadian youth criminal law intervention, the protection of private information of young persons involved in criminal procedure was seen as a compelling matter for preventing issues such as marginalization, social exclusion, and stigmatization. There was a generalized perception that making available to public young offenders’ information would jeopardize their reintegration into society. In addition, the “protection” of such information was seen as one of the most important instruments for assuring the “social inclusion” of former young offenders.

Even though the above mentioned “perceptions” about the undesirable effects of making public young offenders’ information have not changed, legislators have been able to “tolerate” this effect, in an attempt to protect society from the “dangerous young offenders.” My question is the following: is it possible to affirm that current regulation of young offenders’ private information does protect society? Up to present, the efficiency of such an intervention policy has not been assessed. Nevertheless, the infringement of young offenders’ privacy rights is notorious, and even more notorious is how this infringement to privacy rights allows society to “exclude” such offenders. Besides, current regulation of young offenders’ private information is actually reinforcing the “paraphernalia of hostile procedure.” Nice paradox to Mead.

| Comments (0) |


Bluetooth Blues

posted by:Chris Young // 10:33 PM // September 01, 2005 // TechLife

Bluetooth is an exciting and promising technology for simplifying interaction between electronic devices of all kinds. Applications as diverse as connecting to wireless headsets, synchronizing data (which we need to do whether we like it or not), and even romance are all enabled by Bluetooth. However, it brings with it both inherent security concerns (as any networking technology does), and ones that come about from poor craftsmanship, as it were. This article, by an independent IT security analyst, gives a great overview of contemporary security concerns in Bluetooth devices. Among other things, it seems that a hacker equipped with any Linux-powered, Bluetooth-equipped laptop can force nearby mobile phones to send SMS messages without the phone owners knowing about it. As the article author remarks, what situation is a phone owner in if his or her phone sends a bomb threat to a local government office?

This page, by trifinite.org, displays a list of known Bluetooth vulnerabilities, and may be the most complete online. Among others, it details how a hacker can listen in on phone conversations being conducted over Bluetooth car-phone systems. This project from trifinite.org was also reported in this piece in the International Herald Tribune.

| Comments (0) |


main display area bottom border

.:privacy:. | .:contact:.


This is a SSHRC funded project:
Social Sciences and Humanities Research Council of Canada