Tuesday, December 14, 2010

American Appeals Court says cops need warrants (with probable cause) to get e-mails

This is great news, both for e-mail users and for greater adoption of cloud computing. Contrary to Department of Justice lawyers (and too many precedents on their side), the US Court of Appeals for the Sixth Circuit has found that stored e-mails can't be accessed by law enforcement without a valid warrant.

The court struck down portions of the Stored Communications Act, which had permitted law enforcement to get their hands on e-mails over 180 days old with only a subpoena.


This may have big implications for cloud computing. One of the problems with US law on this is that the Fourth Amendment has been interpreted to say it doesn't protect the privacy of information held by a third party. So if you hand info over to someone like a bank, a cloud provider, an e-mail provider, etc., the protection is very different than if you have it in your personal possession. Finally the courts may be seeing that handing over data to service providers is the modern reality and privacy protections should keep up.

This is a victory for The Digital Due Process Coalition and its supporters in the United States who are advocating for bringing due process into line with modern technology.

Check out some interesting commentary:

And the decision is here: http://www.ca6.uscourts.gov/opinions.pdf/10a0377p-06.pdf.

Sunday, November 28, 2010

Privacy in the cloud for Canadian universities

This past week, I was invited to speak at the annual get-together of The Canadian University Council of CIOs (CUCCIO) in Toronto on the topic of cloud computing. Many universities in Canada are struggling with the legal and privacy issues of adopting cloud computing, particularly when Google and Microsoft are both offering very attractive (and free!) offerings that would relieve universities of the costs and burdens of administering student and alumni e-mail.

Universities in Alberta, British Columbia and Nova Scotia are particularly hampered by legislation that was designed to thwart the boogeyman represented by the USA Patriot Act.

BC and Nova Scotia have each adopted legislation that either categorically prohibits the "export" of personal information by public bodies, or puts in place administrative hurdles. Alberta joins this pack by making it an offense under their public sector privacy law to disclose personal information in response to a "foreign demand for disclosure".

Part of the problem is that the legal framework is not particularly nuanced, as each decision about whether to outsource a service should be guided by a detailed risk assessment and privacy impact assessment instead of ham-fisted categorical rules that don't take particular circumstances into account.

Here is my presentation, which was well received.


If the embedded slideshow isn't showing you the love, click here: https://docs.google.com/present/view?id=ddpx56cg_320fx7rkbhh&interval=30

Monday, October 25, 2010

Privacy Commissioner releases draft report on 2010 consumer privacy consultations

The Privacy Commissioner of Canada has released her draft report on her 2010 Consumer Privacy Consultations that focused on "Online Tracking, Profiling and Targeting and Cloud Computing." You can get to the report here: http://www.priv.gc.ca/resource/consultations/index_e.cfm.

Wednesday, October 6, 2010

Ontario Commissioner releases paper on cloud computing

Ontario Commissioner, Ann Cavoukian, has released a new paper on privacy and cloud computing. Here's a summary:

Modelling Cloud Computing Architecture Without Compromising Privacy: A Privacy by Design Approach

As the Internet has evolved, we have seen the emergence of “Cloud computing.” Organizations have begun to leverage the connectivity created by the Internet to optimize the utility of computing. Ever-cheaper and more powerful processing and storage capabilities are allowing data centres to act as viable, large scale central computing hubs. Simultaneously, increasing network bandwidth and reliable yet flexible network connections make it possible for clients – both individual and enterprise – to utilize high quality services which reside solely on these remote central hubs. These services will often include data storage (and real time access) or processing (by remote software and computing resources). This possibility, however, forces clients to re-think the data protection schemes developed for the point-A-to-point-B data flow.

Friday, September 24, 2010

US Senate considers update to Electronic Communications Privacy Act

This past week, the United States Senate Judiciary Committee held hearings on the possible update of the American Electronic Communications Privacy Act. The statute, passed in the 1980s, is in urgent need of an overhaul in an age of cloud computing. The law has its origin in (in my view, perverse) caselaw that says you have no expectation of privacy from the government once you've handed your information over to a third party. The law provides different standards (subpoena vs search warrant) based on the age of the message and whether it has been previously read by the intended recipient. In an age of cloud computing and the widespread use of text messaging, one high standard is required.

From the industry side, the effort for reform is led by the Digital Due Process Coalition, made up of industry leaders such as Google and Microsoft. For a great overview of the issue and the hearings, see here: Senate considers update to Electronic Communications Privacy Act | Gov 2.0. The Google Public Policy blog has information on Google's position, including the written statement by Richard Salgado, their senior lawyer responsible for this area: Digital Due Process: The Time is Now.

The Judiciary Committee page has a webcast link if you want to see the hearing.

Monday, June 21, 2010

Privacy in the Clouds presentation

Below is my slide deck that I presented at the Privacy Commissioner's public consultation on cloud computing in Calgary on June 21, 2010.



Let me know in the comments or by e-mail if you have any problems with the slides.

Saturday, June 19, 2010

Privacy Commissioner's consumer consultation (cloud computing) continues on Monday in Calgary

I've been honoured to be invited as one of the keynote speakers at the Privacy Commissioner's consumer consultations taking place in Calgary on Monday. I'm speaking on the topic of Cloud Computing. The full agenda is here.

The proceedings will be webcast: http://welcome2theshow.com.previewyoursite.com/priv2010/index_calgary.html, starting at 9:00 Mountain time. I think you'll be able to watch it later from the same address if you miss it the first time. Or you can watch it over and over again.

The roster of speakers is very impressive, including:

  • Mr. Joseph H. Alhadeff, Vice President for Global Public Policy and Chief Privacy Officer, Oracle Corporation
  • Mr. Shane Schick, Editor-in-Chief, ITWorldCanada (moderator)
  • Mr. Declan McCullagh, Senior Correspondent, CBS News web site
  • Mr. Brad Templeton, Director, Electronic Frontier Foundation
  • Mr. Doug Jones, Cloud Computing Unit Executive, IBM Canada
  • Mr. Daniel Koffler, Chief Technology Officer, Syntenic
  • Dr. Andrew Patrick, IT Research Analyst, Office of the Privacy Commissioner of Canada (moderator)
  • Mr. Scott Morrison, CTO, Layer 7 Technologies
  • Dr. Tomas Sander, Research Scientist, HP Labs
  • Mr. Brian O'Higgins, Consultant and Entrepreneur (Founder of Third Brigade), Assistant to the CTO, Trend Micro
  • Dr. Thomas Keenan, Professor, University of Calgary
  • Mr. Carman Baggaley, Senior Policy and Research Analyst, Office of the Privacy Commissioner of Canada (moderator)
  • Ms. Kathryn Ratté, Senior Attorney, Division of Privacy and Identity Protection, Federal Trade Commission
  • Mr. Mike Hintze, Associate General Counsel, Microsoft
  • Mr. Adam Kardash, Partner, Heenan Blaikie
  • Ms. Janet Lo, Legal Counsel, Public Interest Advocacy Centre