
The Maclean’s Story

Given that the government will be introducing its lawful access bill today, there is something eerily appropriate about the timing of this week’s Maclean’s cover story on the shocking privacy invasion of Privacy Commissioner Jennifer Stoddart’s phone and cellphone records. For those who have not seen the story (it is not yet freely available online; update: the article is now online), Maclean’s was able to obtain detailed phone records from U.S. data providers on the Commissioner’s use of her home phone and BlackBerry cellphone (the details include precise information on who she called and when). According to the story, all it took was a bit of publicly available information regarding her name and home address.

As the privacy community faces a new challenge with the lawful access bill, this incident provides a stunning reminder of the privacy and security risks inherent in telecommunications with or without lawful access. It is appalling that such information can apparently be so easily obtained, regardless of the means by which the U.S. company was able to do so.

Bell has responded with a release noting that the information was obtained by "subterfuge and misrepresentation".  It adds that "Bell, other telecommunications companies and the customers involved were victims of fraudulent and unethical activity."  While no one is suggesting that Bell was actively disclosing such information, it hardly stands as victimized as the Privacy Commissioner.

With the Telecommunications Policy Review and PIPEDA Review either underway or upcoming, the Canadian government has a unique opportunity to reconfirm its commitment to privacy by strengthening Canadian privacy legislation.  

The Telecommunications Policy Review Panel should reject Bell’s recommendation that the privacy provisions in the Telecommunications Act be dropped. As the Maclean’s article notes, those provisions actually carry tougher penalties than PIPEDA.

Meanwhile, PIPEDA needs some teeth. A revamped statute would address the jurisdictional limitations in the law, grant the Privacy Commissioner order-making power much like her provincial counterparts, and free the Commissioner to start naming names so that Canadians can better judge who is doing what with their personal information.

No one should experience a privacy invasion such as the one on the cover of Maclean’s.  It is time for Canada to get serious about privacy protection.   

3 Comments

  1. This shocking breach of privacy points to the need for companies to take greater steps to authenticate any individual seeking access to any records held by the company. US data brokers often use “free-lance” agents skilled in the art of pretexting – claiming to be relatives, attorneys, law enforcement officers or whatever, who con unsuspecting and naive company employees into handing over personal data. They can also glean enough personal information from other public sources to fool companies into believing it is, in fact, their own data to which they are entitled to access. A standard such as a requirement for bona fide photo ID or a credit card in the person’s name before any data is handed over on the basis of a phone call would help thwart such activity. Phone companies need to do much more to tighten their efforts and, perhaps, you are right that the enforcement regime of the CRTC, provided there are real penalties, is better suited to dealing with this kind of breach than the PIPEDA regime. If this happened under FTC rules, these phone companies would be subject to significant financial penalties and a long-term “privacy watch” like Eli Lilly is subject to.
