IT.CAN Newsletter – September 5, 2012

Releasing Video Image of Jail Guard’s Face Would be Invasion of Privacy

In [Re] Ministry of Justice (Order F12-12), adjudicator Catherine Boies Parker of the Office of the Information and Privacy Commissioner for British Columbia (OIPC) dealt with a phase of a request by an inmate of the Vancouver City Jail for video footage taken during her incarceration there. A previous decision had ordered disclosure of the footage with some redactions, but upon judicial review of that decision the court found that the facial image of the correctional officer depicted in the footage constituted the private information of a third party. The court had remitted to the OIPC the question of whether the release of the image would be an unreasonable invasion of the depicted officer’s privacy.

Neither the applicant nor the Ministry of Justice took a position on the remitted question. However, in the earlier proceeding the applicant had argued that any harm that might come to the officer from disclosure of her image was purely speculative, and that since she had already named the officer as a party in a civil action there was little privacy left to be protected; additionally, her allegation was that she had been assaulted in the jail and this was a matter of great public interest. The Ministry of Justice, in the earlier proceeding, had argued that the video merely reported on the activities of the correctional officers and that, in the context of this inquiry, releasing the footage would not be an unreasonable invasion of the officer’s privacy. The officer herself argued on the remitted question that she was suffering from workplace stress (to the point of being on medical leave for PTSD) due to several threats she had received arising from the execution of her duties, and the release of the footage would both aggravate her PTSD and possibly endanger her. She also argued that the applicant had not discharged her burden of proof, which was to prove that the release of the image would not be an unreasonable invasion of privacy.

The Adjudicator dealt with the need to characterize the evidence. This was pressing, given that s. 22(4)(e) of the B.C. Freedom of Information and Protection of Privacy Act provides that release of information about an individual’s employment “function” as an employee of the provincial government cannot constitute an unreasonable invasion of the employee’s privacy (due to the need for public scrutiny of government activities), while s. 22(3)(d) provides that releasing information about a third party’s employment history is presumed to be an unreasonable invasion of privacy. She noted that previous cases have resolved the tension between these two sections by releasing information regarding the employee’s “function” or “tangible activities in the workplace,” while retaining identifying information as private under s. 22(3)(d). Here, while the video recording of the officer’s activities was part of the ordinary course of employment, the facial image of the officer was not information “about” her employment by the Ministry and thus did not fall under s. 22(4)(e). Moreover, the officer’s facial image was in the possession of the Ministry because of the circumstances of her employment with the Ministry, and thus in this case related to her employment history. Thus, s. 22(3)(d) applied.

The Adjudicator then applied the criteria in s. 22(2) of the Act, setting out relevant circumstances which might rebut the presumption raised by s. 22(3). She noted that the section encouraged the public and transparent scrutiny of the activities of public bodies, and there might be circumstances in which disclosure of an employee’s identity was highly desirable. However, she felt it was not clear that disclosure of the employee’s picture would necessarily promote this purpose. Moreover, the applicant had other avenues through which to gain any information she needed regarding the officer’s identity, which in any event was well-known to the applicant. Finally, given the officer’s state of health, the Adjudicator found that disclosure of the image could cause her harm, which also militated against disclosure and against rebutting the presumption in s. 22(3). Accordingly, the applicant had failed to meet her burden of proving that releasing the image would not be an unreasonable invasion of the officer’s privacy, and no order issued.

U.S. Court Refuses to Link IP Address with Identity

In the case of In Re: BitTorrent Adult Film Copyright Infringement Cases, Judge Gary R. Brown of the U.S. District Court for the Eastern District of New York was faced with cross-motions in several underlying copyright infringement actions, which he characterized as being part of “a nationwide blizzard of actions brought by purveyors of pornographic films alleging copyright infringement by individuals utilizing a computer protocol known as BitTorrent.” These particular four actions had been brought against 80 John Doe defendants identified only by their IP addresses. In three of them the plaintiffs were seeking to subpoena various ISPs in order to obtain identifying information about subscribers linked to the named IP addresses—specifically the “true name, address, telephone number, e-mail address and Media Access Control (“MAC”) address of the Defendant to whom the ISP issued an IP address.” In the fourth, some of the defendants were seeking to quash similar subpoenas.

Judge Brown noted that various of the John Doe defendants had pleaded individualized and fact-specific defences to the allegations, e.g. that the defendant was at work at the time of the alleged download, or denying the download and noting that the defendant had an unsecured wireless router and lived near a public parking lot. He also expressed grave doubts about the plaintiffs’ allegation that “IP addresses are assigned to ‘devices’ and thus by discovering the individual associated with that IP address will reveal ‘defendants’ true identity’.” In a fairly substantial discussion of the point, the court noted that the assumption that the subscriber to the ISP is the same person who utilized the IP address to download material has grown increasingly tenuous, given that wireless routers can be connected to any number of devices in a particular location. He quoted an earlier decision:

The Court is concerned about the possibility that many of the names and addresses produced in response to Plaintiff's discovery request will not in fact be those of the individuals who downloaded “My Little Panties # 2.” The risk is not purely speculative; Plaintiff's counsel estimated that 30% of the names turned over by ISPs are not those of individuals who actually downloaded or shared copyrighted material. Counsel stated that the true offender is often the “teenaged son ... or the boyfriend if it's a lady.” Alternatively, the perpetrator might turn out to be a neighbor in an apartment building that uses shared IP addresses or a dormitory that uses shared wireless networks. This risk of false positives gives rise to the potential for coercing unjust settlements from innocent defendants such as individuals who want to avoid the embarrassment of having their names publicly associated with allegations of illegally downloading “My Little Panties # 2.”

In this case, the judge noted that while such concerns might not be an entirely sufficient basis on which to deny the plaintiffs access to the requested discovery, it certainly did “not establish a reasonable likelihood it will lead to the identity of defendants who could be sued,” and thus the court could not conclude that the plaintiffs had overcome the defendants’ reasonable expectation of privacy. Moreover, there was evidence of abusive tactics by the plaintiffs which seemed designed to “shake down” the defendants rather than simply to vindicate the plaintiffs’ copyright claims. Also, the identifying information sought was more than was needed to advance the claims.

In the result, the court recommended that all of the actions be dismissed except as against the party identified as “John Doe #1” in each.

Ontario Privacy Commissioner faults Elections Ontario for inadequate protection of personal information

Over the course of the summer, the Chief Electoral Officer of Ontario notified the Information and Privacy Commissioner of that province that Elections Ontario had apparently lost two USB mobile data storage devices which appeared to contain the personal information of 1.4 to 2.4 million registered voters. The USB devices had been used to move portions of the electors list to laptop computers which were being used as part of a project to keep the electors list updated in the event of an election. This particular project was to be carried out at a leased warehouse space, outside of the usual offices of Elections Ontario.

The Commissioner concluded in her report, Elections Ontario’s Unprecedented Privacy Breach: A Special Investigation Report [PDF], that Elections Ontario fell short of its obligations to protect individual privacy in a number of respects. To begin with, the Commissioner found that Elections Ontario completely failed to take into account the impact on security and privacy of moving the project off-site; inadequate thought was given to identifying any privacy risks and what measures may be implemented to mitigate those risks.

Additionally, the Commissioner found that though there were policies in place to address privacy within the organization, they were not adequately implemented. For example, although the organization had policies that required the use of encryption when personal information is stored on portable electronic devices, and this was communicated to project participants, those participants had no idea how to implement this. Though the IT department was involved in registering the USB devices, they did not provide any guidance. The project participants tried to find out on their own how to protect the data:

It was her understanding that zipping a file and adding a password was the equivalent of encryption. She conducted a Google search to find out how to do that, and once satisfied that she knew how, she instructed the team leaders how to zip and password protect files loaded on the USB keys. The coordinator stated that it was not part of her routine to check to see whether the team leaders were following the protocol of zipping and password protecting the files, although she subsequently discovered on April 24, 2012 that this was not being done. This begs the question – who was responsible for ensuring the encryption took place?

It is important to note that the act of zipping a file does not result in the data being encrypted. To zip a data file is to compress the data so that more data can be stored on a device. Therefore, once zipped, the data is easier to transmit, and takes up less computer memory and bandwidth. Once the file is zipped, it can be password protected. However, password protection and zipping do not offer the strong security features of encryption. The difference between these two processes was not well known at Elections Ontario, if understood at all, particularly among front-line staff who were expected to ensure the security of the data. [p. 17]

Even with this information, the Commissioner found that the information was not consistently zipped and password protected, nor were the USB devices consistently locked away in a drawer as they were supposed to be.

This shortcoming was seen to be even more egregious since the Commissioner found that senior IT personnel were aware of the risk of using USB devices:

Finally, the Director, Technology Services responded by noting the danger inherent in the use of USB keys:

My point is what is a ‘protected area’ – is that a safe? An office? Someone’s car? My concern is not with outside people getting in, but with the contract staff helping themselves to a key. That is why the data needs to be encrypted and stored in a place that they do not have access to.

In the end, these concerns were overridden by management, who authorized the use of the devices.

The Commissioner drew a number of conclusions related to the inadequacy of privacy protection in connection with this particular project:

The failure to ensure that encryption was properly deployed on the USB keys simply highlights the failure of Elections Ontario to put in place reasonable measures to protect the personal information of Ontario voters. Much-needed, essential planning did not take place to mitigate the privacy risks inherent in the Strike-off Project. Some specifics:

  • I am not satisfied that the Strike-off Project required the use of USB keys at all…
  • The purpose to which the USB keys were to be put was not well defined…
  • It appears that little or no thought was given as to how the completed electoral districts would be transferred from the Birchmount warehouse to the Rolark headquarters…
  • There was a general failure of senior staff to take responsibility to ensure that the USB keys, once deployed, were encrypted. Technology Services noted the need for encryption, but failed to follow up with EES to ensure that this requirement was understood, and that the devices deployed were, in fact, encrypted.
  • EES accepted the risk of using USB keys, but did not take any steps to ensure that frontline staff engaged in the Strike-off Project understood what encryption actually meant, and that the information on the keys was encrypted.
  • The thought that one particular department could “accept” the responsibility for taking a privacy risk is unacceptable. Privacy is a corporate responsibility, especially for Elections Ontario. In this case, the failure to appreciate that a privacy breach affected not just one division, but the entire organization, was an inherent organizational weakness.

In summary, I have found that Elections Ontario did not have reasonable measures in place to protect the privacy and security of the personal information of Ontario voters. Elections Ontario must develop and implement a comprehensive corporate privacy policy. At a minimum, the privacy policy must provide that personally identifiable information will not be stored on USB keys, laptops or other mobile electronic devices unless absolutely necessary. If it is absolutely necessary to transfer personal information to a mobile device, personal information stored on that device must be encrypted. The need to then explain what that means and how it can be achieved is critical. [pp. 19-20]

The Commissioner made a number of recommendations to Elections Ontario and to the Government of Ontario more generally. She recommended that Elections Ontario retain a third party to conduct a thorough audit of their personal information management policies and practices and to provide it to the Commissioner within six months. In conjunction with this audit, the organization should develop more robust policies and training that address, in particular, mobile data storage devices. Elections Ontario should also appoint a Chief Privacy Officer. The Government, the Commissioner recommended, should ask the Auditor General of Ontario to audit the privacy practices of selected public sector agencies and should look at amending the Election Act to ensure that it adequately protects privacy.

To emphasize her points more broadly and to take the lessons of the Elections Ontario breach to a wider range of organizations, the Commissioner released on September 5, 2012 a publication entitled “A Policy is Not Enough: It Must be Reflected in Concrete Practices” [PDF]. The Commissioner is quoted in the media release that accompanied the publication as saying:

Privacy policies alone, without a proper strategy for implementation and ongoing compliance procedures, will not protect an organization from privacy risks. The seven recommendations presented in this paper will provide organizations with concrete guidance on how to effectively execute an appropriate privacy policy, and have it reflected in actual practice. This information will be helpful to organizations of any size, and in any sector.

This newsletter is intended to keep members of IT.CAN informed about Canadian legal developments as well as about international developments that may have an impact on Canada. It will also be a vehicle for the Executive and Board of Directors of the Association to keep you informed of Association news such as upcoming conferences.

If you have comments or suggestions about this newsletter, please contact Professor Robert Currie, Director of the Law & Technology Institute, at robert.currie@dal.ca.

Disclaimer: The IT.CAN Newsletter is intended to provide readers with notice of certain new developments and issues of legal significance. It is not intended to be a complete statement of the law, nor is it intended to provide legal advice. No person should act or rely upon the information in the IT.CAN Newsletter without seeking specific legal advice.

© 2012 by Robert Currie, Stephen Coughlan and David Fraser. Members of IT.CAN may circulate this newsletter within their organizations. All other copying, reposting or republishing of this newsletter, in whole or in part, electronically or in print, is prohibited without express written permission.
