Introduction to Telecommunications

(COMN 3510)

Fall 2015

Tamir IsraelStaff Lawyer, CIPPICTel: (613) 562-5800 ext. 2914Email: tisrael@uottawa.ca

Privacy & Telecommunications: The View from Ottawa

November 18, 2015

What is Privacy????

“Privacy is a protean concept” – Justice Binnie, Supreme Court of Canada

Privacy is… ! Public

determined by social norms relating to respect for others’ space or information

‘right to be left alone’

the revelation of public information in ways that impact on autonomy dignity, individual autonomy or self-determination

there is no privacy (it has no independent or modern existence)

contextual integrity

controlling information about you

Protection of information as necessary for participating in democratic life

R. v. Tessling, [2004] 3 S.C.R. 432 (S.C.C.) <http://csc.lexum.umontreal.ca/en/2004/2004scc67/2004scc67.html>

Further reading: Judith DeCew, “Privacy”, The Stanford Encyclopedia of Philosophy (Spring 2015 Edition), Edward N. Zalta, ed, <http://plato.stanford.edu/entries/privacy/>

"By placing an order via this Web site on the first day of the fourth month of the year 2010 Anno Domini, you agree to grant Us a non transferable option to claim, for now and for ever more, your immortal soul. Should We wish to exercise this option, you agree to surrender your immortal soul, and any claim you may have on it, within 5 (five) working days of receiving written notification from gamesation.co.uk or one of its duly authorised minions.“ …

"we reserve the right to serve such notice in 6 (six) foot high letters of fire, however we can accept no liability for any loss or damage caused by such an act. If you a) do not believe you have an immortal soul, b) have already given it to another party, or c) do not wish to grant Us such a license, please click the link below to nullify this sub-clause and proceed with your transaction."

In 2010, 7,500 customers agreed to the following online terms by purchasing software from GameStation:

88% did not opt-out (likely did not read TOU)

The company noted it would not be enforcing the TOU

FOXNews, “7,500 Online Shopers Unknowingly Sold Their Souls”, FoxNews.com, April 15, 2010, <http://www.foxnews.com/scitech/2010/04/15/online-shoppers-unknowingly-sold-souls/>

Earlier this week, in signing up for a free wifi hotspot, a number of individuals in the UK unwittingly agreed to a hand over their first born child in exchange for Internet access.S. Griffiths, “Would YOU Give Up Your Children for WI-Fi?”, September 30, 2014, Daily Mail, <

http://www.dailymail.co.uk/sciencetech/article-2775062/Would-YOU-children-Wi-Fi-British-parents-accidentally-agree-swap-child-internet-access-ignoring-T-Cs.html

>

‘Notice’ & ‘Choice’Key concepts, issues & challenges:

Carnegie Mellon study: if the average person read every single online privacy policy that affects them once over the course of a year, it would take them about 244 hours. The opportunity cost for this in the United States would be about $781 billion / year

A.M. McDonald and L.F. Cranor, “The Cost of Reading Privacy Policies”, (2008) I/S: A Journal for Law and Policy for the Information Society, 2008

Privacy Year in Review Issue,, <https://www.cylab.cmu.edu/files/pdfs/news/CostofReading.PDF>

Last Week Tonight with John Oliver, September 30, 3015, YouTube, <https://www.youtube.com/watch?v=Fmy6M1oHrAo>

Contract of Adhesion

Key concepts, issues & challenges:

90% of Canadians ‘concerned’ about privacy, 73% felt they have less capacity to protect their personal information than they did ten years ago, 60% indicated the privacy threats they face in the world today have left them with minimal expectation of privacy.

2014 Survey of Canadians on Privacy, Office of the Privacy Commissioner of Canada,<https://www.priv.gc.ca/information/por-rop/2015/por_2014_12_e.asp>.

Graphic: The Opte Project, CC-BY-NC-SA 1.0, 2003online: http://www.opte.org/maps/

Telecommunications Carriers as Intermediaries

Types of Legal Protections

REGULATORY:Personal Information Protection and Electronic Documents Act

(PIPEDA)Provides fair information practices for commercial entitiesApplies to most Internet and Wireless service providers

Telecommunications Act: CRTC overseesCRTC regulations should “contribute to the protection of the

privacy of persons”TORT LAW:Lawsuits, class actionsCRIMINAL LAW:Penalty will be jail or fine

ConsentKey concepts, issues & challenges:

1. Accountability2. Identifying purposes3. Consent4. Limiting Collection5. Limiting use, disclosure and retention

PIPEDA

Consent must be meaningful Whether you can presume an individual has consented or not will depend on

the context and the sensitivity of the data in question You cannot force someone to consent to something unnecessary as a

condition of service Purpose of collection, use or disclosure plays an integral role in assessing

reasonableness and adequacy of consent

6. Accuracy7. Safeguards8. Openness9. Individual access10. Challenging compliance

Privacy issues

PIPEDA only applies to ‘information about an identifiable individual’ Bell uses DPI to throttle peer-to-peer file-sharing applications To do so, its equipment needs to track and act on personal information that it

would not otherwise have, but its equipment does not connect ‘IP address’ to ‘name’ automatically

Is Bell collecting or using ‘personal information’? Bell must notify customers before tracking them

<http://www.priv.gc.ca/cf-dc/2009/2009_010_rep_0813_e.cfm> <https://www.priv.gc.ca/cf-dc/2015/2015_001_0407_e.asp>

DPI Part II: Bell suddenly announces it will repurpose its DPI repurposed to track and profile mobile and home customers in order to sell targeted advertisements

Justifications: people want this; ‘gmail for your internet’

OPC: Needs to be opt-in

ISPs increasingly motivated to collect, organize & monetize more

Information collected by mobile ISPs ‘in the name of product improvement’

Key Loggers Carrier IQ, inserted by ISPs into end mobile devices, capable of logging everything Smartphone OS – Legitimate purpose to keylog?

Privacy issues

https://www.schneier.com/blog/archives/2015/02/samsung_televis.html

Information collected by mobile ISPs ‘in the name of product improvement’

Set top boxes Samsung smart TV, includes right and tech capability to record everything and

anything in its vicinity at any time, to improve functionality of voice control IP TV / set top boxes will soon have voice control

Privacy issues

Collateral impact on privacy, encryption?

STARTTLS, Enhanced email transmission encryption; Initiated by STARTLS flag

“In recent months, researchers have reported ISPs in the US and Thailand intercepting their customers' data to strip a security flag—called STARTTLS—from email traffic.” https://www.eff.org/deeplinks/2014/11/starttls-downgrade-attacks

VPNs: traffic is wrapped in an encrypted ‘tunnel’ and is then routed through another location, so that origin and content cannot be determined. Your ISP also cannot tell what it is.

Canadian ISPs throttle P2P and capture lots of VPN traffic. Response ‘use proper ports’

Videotron zero rating unlimited music

Cannot identify if encrypted. TBD

Privacy issues

Voltage v. Doe, 2014 FC 161: Plaintiff sought identity of over 2,000 Canadian ISP customers alleged to have used P2P networks to download films in violation of copyright. Because online identification information is private, court can impose conditions on its releaseCourt imposes 14 conditions, including court monitoring of demand letters to ensure: a.) that demand letters do not mislead recipients into believing their guilt has been established; and b.) that demand letters don’t over-state potential for damagesDid NOT require demonstration of basic factual and legal grounds

Leveraging ISP-held information to facilitate lawsuits

Lawsuits Copyright trolls? Fibe TV ?????

Privacy issues

Leveraging ISP held data to facilitate state investigations

Government Any limits? Foreign governments?

Canada: customer data voluntarily disclosed by ISP attracted lower expectation of privacy because of third party control:

In 2011: Internet intermediaries responded to close to 1.2 million requests for data on close to 800,000 customers, most w/out court orders

Per capita, many more requests than in the US In 2013, 1 agency (CBSA) made 19,000 telco data requests, 99% voluntary

R v Spencer: Supreme Court of Canada reverses this, finding that online anonymity needs protection and ISPs cannot voluntarily disclose without a court order

Privacy issues

FIN

Questions? Tamir Israel, Staff Lawyer, CIPPIC

tisrael@cippic.ca