Monday, March 31, 2014

Charmaine Borg MP introduces private members bill to add breach notification to the federal Privacy Act

Charmaine Borg, the NDP's digital issues critic and the most activist MP in the area of privacy has tabled Bill C-580 to update the federal Privacy Act to require breach notification and a mandatory 5-year review of the Act. More info here: LEGISinfo - Private Member’s Bill C-580 (41-2).

In the wake of so many privacy breaches by federal government departments, I can get onboard with this.

Friday, March 28, 2014

Cloud Computing FAQ for Canadian In-house Counsel

The Canadian Corporate Counsel Association Magazine (CCCA Magazine) Spring 2014 edition had a strong focus on privacy, "Managing your Privacy Risk: An In-house Guide." The edition included a version of my Cloud Computing and Privacy FAQ, focused at in-house counsel. Click the image (or here) to get the full article:

Wednesday, January 22, 2014

Microsoft to agree to local storage of foreign users' data

According to the Financial Times, Microsoft is going to break from the pack of other cloud service providers by agreeing to store data locally. FT.com content is behind an annoying paywall, but here's the gist of it along with some commentary.

Microsoft to shield foreign users’ data - FT.com

By James Fontanella-Khan in Brussels and Richard Waters in San Francisco

Microsoft will allow foreign customers to have their personal data stored on servers outside the US, breaking ranks with other big technology groups that until now have shown a united front in response to the American surveillance scandal.

Brad Smith, general counsel of Microsoft, said that although many tech companies were opposed to the idea, it had become necessary following leaks that showed the US National Security Agency had been monitoring the data of foreign citizens from Brazil to across the EU.

“People should have the ability to know whether their data are being subjected to the laws and access of governments in some other country and should have the ability to make an informed choice of where their data resides,” he told the FT. ...


This decision seems to be based on (or appealing to) the fiction that the location of data is somehow determinative of whether law enforcement or national security folks can get access to data. As I said, it's mostly a fiction. Governments can assert control over things, or people, or entities on a number of bases. One of them is the presence of the thing (a server) in the physical jurisdiction, but most importantly is the presence of the person who can obtain and hand over the data.

... Some critics of the idea have questioned whether such a move would be effective in putting the personal data of non-Americans outside the reach of the NSA, since US tech companies have to hand over information about specific users when ordered to by a secret US court, regardless of where it is held.

However, keeping the information off US soil and under local data protection rules should make it harder for the NSA to tap into illicitly, Mr Chester said. “If the data are not being transported, then it does stop that kind of access.” ...


While this isn't really a solution to the principal problem that many people associate with the USA Patriot Act and the FISA Amendments Act, it may be an economically rational decision since many customers will only ask where the data is, rather than what it really means.

Mr Smith acknowledged that it would be expensive but added “does it mean that you ignore what customers want? That’s not a smart business strategy.” ...

I do agree, however, that the big question which is the driver behind all of this needs to be addressed at a government-to-government level.

Mr Smith also said that the US and EU should consider signing an international agreement that ensures they will not try to seek data in each other’s territory via technology companies.

“If you want to ensure that one government doesn’t seek . . . to reach data in another country, the best way to do it is . . . an international agreement between those two countries. Secure a promise by each government that it will act only pursuant to due process and along the way improve the due process.”

He argued that the existing “Mutual Legal Assistance Treaty” mechanism used by the US and EU to protect individuals’ rights from the two blocs is outdated: “It needs to be modernised or replaced.”

Tuesday, January 14, 2014

Privacy Commissioner of Canada offers outsourcing guidance

Today, the Office of the Privacy Commissioner of Canada posted a "Fact Sheet: Privacy and Outsourcing", which leads to two resources depending on whether you're looking at the public sector (Privacy Act) or the private sector (PIPEDA).

The fact sheets are mostly a collection of useful links and resources, though there are some general statements. The one the I find most interesting is the following:

Organizations need to make it plain to individuals that their information may be processed in a foreign country and that it may be accessible to law enforcement and national security authorities of that jurisdiction. They must do this in clear and understandable language. Ideally they should do it at the time the information is collected. Once an informed individual has chosen to do business with a particular company, they do not have an additional right to refuse to have their information transferred.

When personal information is in the hands of a third-party service provider operating on foreign soil, it is subject to the laws of that country and no contract can override that. This could mean, for instance, that the organization may be obliged to respond to a subpoena or other mechanism that would give law enforcement officials access to personal information.


This has consistently been the position of the OPC, starting with a PIPEDA finding from 2005 when the Commissioner said that a bank should (not must) advise customers that the processing of data will be outsourced to a US service provider. I have to note, though, that PIPEDA doesn't contain any actual obligation to provide such notice. So I'm not sure where the obligatory language from the OPC's new fact sheet comes from.

In any event, the fact sheets do provide useful information about the OPC's take on cross-border outsourcing.

Monday, December 16, 2013

US congressional group calling out Canada on trade protectionism under the banner of national security

The National Post is reporting that a group of powerful US lawmakers are calling out Canada on the frivolous use of "National Security" as a thinly-veiled effort at protectionism. In an number of very large scale procurement contracts, regardless of the security classification of the information, the government has disqualified any vendor where the data may cross the Canadian frontiers.

I have seen this first-hand where government paranoia about the cloud simply leads bureaucrats to the risk-averse decision of keeping data exclusively in Canada under the banner of "data sovereignty." This is one of the reasons why Canada lags behind in the adoption of cloud computing and why Canadian governments spend hundreds of millions of dollars on operating and maintaining thousands of little data centres instead of taking advantage of the massive savings offered by cloud computing.

The Treasury Board of Canada has long-standing guidelines that require a risk assessment in every case that takes into account the sensitivity of the data and the risk of exposure, but Public Works appears to have adopted a one size fits all "no-can-do" attitude.

It will be interesting to see if this turns into a proceeding before the international trade tribunals.

See: John Ivison: Powerful U.S. Congress group accuses Canada of trade protectionism under guise of national security | National Post.

Thursday, May 9, 2013

UK Government announces "Cloud First" policy

The Government of the UK has just announced its "Cloud First" policy.

Government announces 'Cloud First' procurement policy - Government Computing Network:

Government announces 'Cloud First' procurement policy

Charlotte Jee

Published 05 May 2013

Mandates central government to consider cloud solutions before all others when buying IT



The government has confirmed that it has adopted a 'Cloud First' policy, making it mandatory for buyers of IT products and services in central government to consider purchases through the cloud as their first option.

Cabinet Office minister Francis Maude said that the policy will drive wider adoption of cloud computing in the public sector, boosting business through the G-Cloud programme's CloudStore, and ensuring the public sector buys IT in a 'quicker, cheaper, more competitive way'.

According to the Cabinet Office, as of now, when they buy new or existing services, public sector organisations should consider and fully assess potential Cloud solutions first, before looking at any other option.

A statement explained, "This approach is mandated to central government and strongly recommended to the wider public sector. Departments will remain free to choose an alternative to the Cloud if they can demonstrate that it offers better value for money."

Alongside today's announcement, the third iteration of G-Cloud (G-Cloud III) is going live today, with 708 firms offering over 5,000 services listed on the new framework- up from the 458 suppliers and 3,000 services on G-Cloud II when it went live last October .

Maude said, "Many government departments already use G-Cloud, but IT costs are still too high. One way we can reduce them is to accelerate the adoption of Cloud across the public sector to maximise its benefits.

"The Cloud First policy will embed the skills a modern civil service needs to meet the demands of 21st-century digital government and help us get ahead in the global race."

The policy has been under consideration for some time, with G-Cloud programme director Denise McDonagh suggesting at a roundtable in March that Maude was likely to give it the go-ahead.

McDonagh, who has long advocated a 'Cloud First' policy, said, "Sales from G-Cloud are rising steadily, with cumulative spend now over £18 million - two-thirds of it with SMEs. This is still small relative to overall government IT spend, and the transition to widespread purchasing of IT services as a commodity won't happen overnight.

"The adoption of a Cloud First policy will give added impetus for Whitehall and the wider public sector to move in this direction - complementing our ongoing work to encourage Cloud adoption and to help buyers adapt to this way of purchasing IT, which is already showing results."

US federal agencies have been operating with a cloud first policy since December 2010, and a number of other countries are believed to be considering instituting similar directives.

Friday, March 15, 2013

US federal district court judge rules National Security Letters are unconstitutional

The Electronic Frontier Foundation is reporting that a US Federal District Court judge in San Francisco has ruled that National Security Letters are unconstitutional as a violation of the First Amendment of the US Constitution and the separation of powers. The Judge's order has been stayed for 90 days to permit the federal government time to appeal.

National Security Letters (NSLs) are a form of administrative subpoena that can be issued by a senior official of the FBI, which requires the recipient to provide non-content or transactional information and is usually accompanied by a gag order.

According to EFF's media release, Judge Susan Illston ordered that the FBI stop issuing NSLs and cease enforcing the gag provision in this or any other case.

From the EFF: National Security Letters Are Unconstitutional, Federal Judge Rules | Electronic Frontier Foundation

A copy of the Judge's decision is available here, also on the EFF website.

Monday, February 11, 2013

New Zealand Privacy Commissioner offers cloud guidance

The Privacy Commissioner of New Zealand has released a checklist for businesses and a guidance document [PDF] to about cloud computing. Here is the Commissioner's summary of the two documents: Cloud computing guidelines.

From the Checklist:

  1. Figure out which cloud services will work for you and what your current risk level is
  2. Know what information you'll be sending to the cloud
  3. Recognise that the responsibility is ultimately yours
  4. Security - lock it down
  5. Check out your provider
  6. Know exactly what you're signing up for
  7. Be as up front with your clients as you can
  8. Location - where will the information be?
  9. Use and disclosure - who sees the information and what will it be used for?
  10. Ability to exit, and deleting information

Monday, January 14, 2013

Note to HRSDC: Cloud computing and remote access dramatically reduces the risk of portable device data breaches

The Canadian news has been full of reports related to two significant privacy breaches emanating from the federal ministry of Human Resources and Skills Development Canada. The first to be reported was the loss of a USB thumb drive containing the personal information (including personal health information) of more than 5,000 disabled Canadians who were receiving benefits under programs administered by HRSDC. In the course of investigating that first breach, a second came to light. Apparently someone at HRSDC thought it would be wise to backup the data of over half a million student loan recipients onto a portable USB hard-drive, which could be easily lost or misplaced. Guess what happened ... it was lost or misplaced.

Problems with storing sensitive personal information on USB storage devices are not unknown. The Information and Privacy Commissioner of Ontario, Ann Cavoukian, has recently been on a tear over a USB-related breach by Elections Ontario resulting from poorly understood policies, bad training and a lack of accountability. In fact, she's published reams of reports on the breach, its root causes and what should be done to prevent it from happening again. (The TL;DR version: Employees were engaged in a project where they had to clean up electoral lists at an off-site location. They decided to transfer the data using USB thumb drives and didn't even do that well.)

The HRSDC Minister's media release says that, as a response to the second breach, employees will be given training on a new information security policy. That suggests to me that the reckless practice of placing unencrypted personal information on portable storage devices was A-OK. Well, it's not. Never has been and never will be.

The full facts of the HRSDC breaches are still very sparse, but we know that the second breach was caused by an employee or employees who wanted to make a backup of data (probably a good idea) and put the backup on a small portable device (a very bad idea). It may be that the first breach was caused by an employee who either needed to work offsite with the data or needed to move it from one computer to another. Both are reasonable things to want to do. And in some computing environments, can only be accomplished by making a copy of the data and USB devices are a handy way of accomplishing that.

A large part of my practice is advising clients on cloud computing. And I also often get invited to speak to groups of IT professionals and fellow lawyers on legal issues related to cloud computing. For the past few years, the majority of questions about the risk of cloud computing have focused on the fact that the data may be outside of Canada and that the customer is trusting someone else to secure the data. Those are both important questions to ponder, but few turn their minds to the fact that, in most cases, cloud computing is much safer for the data and significantly lowers the risk to data.

If Elections Ontario or HRSDC were using a cloud computing model, none of these breaches would have happened in any of the scenarios outlined above. Cloud computing keeps the data on a server or series of servers in highly secured data centres. There's no need to copy or move the data to get access to it remotely. This is accomplished through secured connections between an authorized computer or browser and the data centre. If you want it backed up, that's usually done on tapes in the data center and the data seldom has to leave the secured premises. In any data centre worth its salt, disk inventory is carefully controlled and audit tools are used to keep track of who has accessed what data. If tapes are moved offsite for redundancy's sake, there is usually a much higher level of diligence exercised as it follows documented processes.

When questions are being asked about how this happened and what can be done to prevent such breaches from happening again, the government should carefully consider how cloud computing or other remote access models dramatically reduce the risk of such breaches.

Wednesday, December 19, 2012

Keeping data in Canada provides illusory protection against foreign government access

I was invited by CATA to give a presentation on cloud computing, privacy and cross border data flows for a number of its members and stakeholders who are involved with the fledgling Shared Services initiative coming out of the Government of Canada.

Here is the presentation, in case it is of interest:

IT World Canada was in attendance and has posted the following article:

Keeping data here no protection against US: Lawyer:

Ottawa may not allow cloud providers to store citizens' data across the border. But a lawyer says a better protection against US law is risk mitigation

By: Howard Solomon

ComputerWorld Canada (19 Dec 2012)

The refusal of some federal government departments to allow outsourcers to store personal data of citizens outside Canada won’t keep foreign governments from getting legal access to it, says a lawyer who specializes in cloud computing.

“Data sovereignty is a bit of an illusion because we’re so interconnected (with law enforcement agencies) and there’s so much data sharing taking place,” David Fraser told an audio conference call Tuesday sponsored by the Canadian Advanced Technology Alliance (CATA).

In particular, fears that the USA Patriot Act acts as a “huge vacuum cleaner” for American law enforcement agencies to get at personal data is baseless, he said.

The Patriot Act is a “boogey man,” he said.

The fact is most developed countries have legal tools that allow their law enforcement agencies to make legal claims on data held in their countries or outside their borders, Fraser said.

Fraser, a partners with the Halifax firm McInnes Cooper, argued the real issue for Ottawa when considering outsourcing that includes storing data in the U.S. should be assessing the risk that data can be lost or unlawfully accessed and taking steps to lower the risk.

The teleconference is part of a campaign by CATA, which represents IT manufacturers, solution providers, system integrators and consultants trying to sell products and services to governments, to get Ottawa to clarify its position on outsourcing data.

In an interview John Reid, CATA chief executive officer, said that since the creation last year of Shared Services Canada, an agency trying to consolidate federal IT services, the government has suggested it may mandate that personal data of citizens must be held in data centres here.

There isn’t a formal federal policy on cross-border data storage, Fraser told the conference call. Nor is there federal law that prohibits it. Instead, it is up to individual departments to do a risk assessment if they decide cross-border data storage is justified and take appropriate privacy measures. Only two provinces, British Columbia and Nova Scotia, have policies forbidding cloud providers from storing provincial data outside Canada.

Shared Services Canada has been trying to create new buying and outsourcing policies, setting up several committees on which CATA and other private sector groups sit. It is those committees, Reid said, that CATA is getting signals of SSC’s only-in-Canada intent.

Earlier this month CATA sent a letter to SSC asking for the department’s intentions, but Reid said he hasn’t had a reply yet.

The department didn’t respond to a request Tuesday from IT World Canada for clarification

One person on the conference call said some government departments already demand in requests for proposals (RPFs) her organization that any outsourced solution has to keep data in Canada.

Reid wants to persuade Ottawa to be more open to cloud solutions where data is stored outside the country in part so his members get opportunities to bid on business, and in part, he said, because the government shouldn’t turn aside possible solutions that will make it more efficient.

Fraser noted that according to international law, U.S. law enforcement authorities have the right to subpoena data even if the data is held outside its borders, as long as there are connecting factors. (The same is true for police here, he added.)

For example, he said, if the data is held in Canada the U.S. could subpoena it through a person working for a company there.

For that reason, he said, a Canadian data centre owner might be able to safeguard data here if none of its executives ever crossed the border.

More practically, he said the Canadian government could take a number of steps to reduce the odds of the personal data of its citizens being misused by U.S. authorities.

The first is to encrypt the data – which should be a standard procedure anyway, he said ---- and make sure control of the encryption keys is held here.

Second, the government could decide that only “low risk” data can be sent out of the country.

Third, the government could demand certain contractual provisions with a service provider, such as clauses that says the data belongs to the customer, not the data centre, that the service provider won’t turn data over unless legally required to so, and that it will notify the customer of any subpoenas.

There could also be a requirement the provider to go a U.S. court to resist a subpoena, although Fraser admitted there’s no guarantee will be successful.

“There isn’t a shortage of ideas of how to mitigate risk,” he said.

Fraser didn’t say, but these risk mitigation options also apply to private sector companies who have been shy about adopting American cloud-based solutions.