Cloud Computing FAQ for Canadian In-house Counsel

The Canadian Corporate Counsel Association Magazine (CCCA Magazine) Spring 2014 edition had a strong focus on privacy, "Managing your Privacy Risk: An In-house Guide." The edition included a version of my Cloud Computing and Privacy FAQ, focused at in-house counsel. Click the image (or here) to get the full article:

US federal district court judge rules National Security Letters are unconstitutional

The Electronic Frontier Foundation is reporting that a US Federal District Court judge in San Francisco has ruled that National Security Letters are unconstitutional as a violation of the First Amendment of the US Constitution and the separation of powers. The Judge's order has been stayed for 90 days to permit the federal government time to appeal.

National Security Letters (NSLs) are a form of administrative subpoena that can be issued by a senior official of the FBI, which requires the recipient to provide non-content or transactional information and is usually accompanied by a gag order.

According to EFF's media release, Judge Susan Illston ordered that the FBI stop issuing NSLs and cease enforcing the gag provision in this or any other case.

From the EFF: National Security Letters Are Unconstitutional, Federal Judge Rules | Electronic Frontier Foundation

A copy of the Judge's decision is available here, also on the EFF website.

Privacy and Security in the Cloud

Today I participated in a webinar with Sheepdog Inc. and Google on Privacy and Security in the cloud. Below is my presentation, in case it's of interest:

Legal issues in cloud computing contracts

Yesterday, IT World Canada published a very lengthy article on the manifold legal issues that need to be considered when a company moves its data to the cloud, including a lengthy interview with me given a little while ago.

Here's the first part ...

Canadian cloud contracts: Liabilities and limitations - Page 1 - Leadership

More companies in Canada are turning to the cloud — or, at least, thinking about it — for flexibility, agility and cost savings. But there is often the perception that using cloud-computing services could compromise corporate and customer data, or may even be against the law.

But there’s no law that prevents most Canadian businesses from exporting personal information, said David Fraser, partner with McInnis Cooper, president of the Canadian IT Law Association and chair of the National Privacy and Access Law Section of the Canadian Bar Association.

“Once you move into a real cloud computing model, all of a sudden you don’t know where your data is — where in Canada or where in the world — and we’ve seen a big privacy-related backlash against cloud computing,” he said. So a large part of his job is telling people they’re wrong, since there’s a huge amount of misinformation out there.

Private-sector privacy laws require that you ensure a comparable level of security for personal information, regardless of whether you permit it to be managed by a Canadian company or a non-Canadian company. And some highly regulated industries, such as banking, have special rules that may include additional regulation for outsourced services.

“The Patriot Act is the big thing that people freak out about,” he said, “but we have a Canadian version of the Patriot Act, which is just as offensive.”

Here’s the deal: In 2001, the U.S. Congress passed the USA Patriot Act, which expanded the powers of law enforcement and national security agencies to carry out investigations and obtain intelligence in connection with anti-terrorism investigations.

But the provisions that have attracted the most criticism, said Fraser, have equivalents under Canadian law. Regardless of where information resides, it will always be subject to lawful disclosure to law enforcement or national security bodies. In Canada, he said, this includes search warrants under the Criminal Code of Canada and the Canadian Security Intelligence Service Act. Many European countries also permit broader law enforcement and national security access to information than in both the U.S. and Canada.

Of course, where the data sits can have an impact on that data. If it’s in North Korea or China, it’s at high risk, said Fraser. In the U.S., it may in some cases be significant, but in most cases it won’t be. “How interested would the FBI be in getting their hands on that data and would they be able to justify getting a subpoena? In most cases no,” he said. “And if it’s a person of interest they can get it in Canada.”

Many people are surprised to learn there’s a secret court in the U.S. where judges hear applications made by Department of Justice lawyers for search warrants (and other such things) and there’s nobody on the other side to oppose those applications.

“We have a secret court in Canada,” said Fraser. “We have a bunker in Ottawa where judges hear lawyers from the Department of Justice and CSIS for warrants to do things as potentially offensive as break into your house and install wiretapping equipment. These orders can specifically provide for authorities to go back in and change the batteries. So people don’t often think that Canada is engaged in these types of cloak and dagger things, and we are. Our definition of anti-terrorism is as broad and offensive as the U.S.”

Canadian authorities have virtually identical powers under the Canadian Security Intelligence Service Act, he said, which permits secret court orders that authorize CSIS to intercept communications or to obtain anything named in the warrant.

On top of that, Canada has a mutual legal assistance treaty with the U.S. (as well as informal agreements), so if the FBI wants data and it’s in the hands of a Canadian company, the FBI calls the RCMP or CSIS. “So when you dig into it, that cross-border issue, at least in most cases, really is not the large issue that many people are led to believe it is,” he said, adding that the Patriot Act has become shorthand for just saying no.

Only British Columbia and Nova Scotia have laws strictly regulating the export of personal information from Canada by public bodies, said Fraser. For all other jurisdictions, including the federal jurisdiction, export is permitted, but the public body must ensure a comparable level of security for personal information, regardless of whether it’s managed by a Canadian or non-Canadian company.

What businesses need to do is benchmark their existing privacy infrastructure and compare it to the privacy infrastructure of the proposed cloud provider. What are the real risks to the data, and to privacy and security? A lot of businesses have significant existing vulnerabilities — from insecure desktops, to playing catch-up with security patches, to mobile employees running around with laptops. Or thumb drives. “Nothing is more stupid or dangerous,” said Fraser. “In a cloud model if the computer is lost you lose nothing.”

Very often, this benchmark leans heavily in favour of the cloud provider that has squadrons of security people. Small businesses, in particular, are vulnerable to power outages and basic continuity issues. A reputable large-scale cloud provider will have multiple data centres, so things will stay up and running.

Read more ...

Cloud computing presentation to University of Windsor

On May 26, 2011, I had the pleasure of speaking at the University of Windsor's annual Campus Technology Day. Windsor has just recently made the decision to "Go Google" for student e-mail services.

My topic was cloud computing and privacy (with a little bit on copyright thrown in for good measure). Here is the presentation:

There were many active tweeters using #uwctd, in case you're looking for play-by-play commentary.

Cloud Computing and Privacy FAQ

[Printer Friendly Version]

Cloud Computing and Privacy FAQ^[1]

David TS Fraser

In Canada, there is often a perception that using cloud computing services may be against the law or may undermine privacy. This is often not the case, but the perception remains. The purpose of this frequently asked questions is to dispel some of the mythology and to provide the reader with a framework so that cloud computing and privacy can be properly assessed.

One important consideration for anyone contemplating a cloud computing solution is that the “baseline” from which you should measure any potential decision is your existing information system, warts and all. As objectively as possible, you will need to consider the security and privacy risks that are inherent in your corporate infrastructure. This may include insecure desktop systems, users with unencrypted mobile devices and constantly playing catch-up with patches and security updates. When making comparisons about the different options, keep your eyes as open as you can. Also, factor in the cost of bringing your existing system up to your desired standards as a matter of comparison.

Is it illegal for a Canadian business to outsource services, such as cloud computing, to a non-Canadian company?

No. There is no law that prevents most Canadian businesses from “exporting” personal information. Private sector privacy laws require that you ensure a comparable level of security for personal information, regardless of whether you permit it to be managed by a Canadian company or a non-Canadian company. (Some highly regulated industries, such as banking, have special rules which may include additional regulation for outsourced services.)

Is it illegal for a Canadian public sector or government body to outsource services, such as cloud computing, to a non-Canadian company?

It depends on the jurisdiction of the public sector or government body. Only British Columbia and Nova Scotia have laws strictly regulating the export of personal information from Canada by public bodies. For all other jurisdictions, including the federal jurisdiction, export is permitted but the public body must ensure a comparable level of security for personal information, regardless of whether you permit it to be managed by a Canadian company or a non-Canadian company.

Alberta has enacted legislation that makes it an offense for a public body or a service provider to disclose personal information in response to an order that does not have jurisdiction in Alberta.

What is all the fuss about privacy and cloud computing?

In 2001, the United States Congress passed the USA Patriot Act, which expanded the powers of law enforcement and national security agencies to carry out investigations and to obtain intelligence in connection with anti-terrorism investigations. Investigative powers that had been restricted to counter-intelligence (spy vs. spy stuff) were extended to anti-terrorism investigations. In Canada, attention was focused on the USA Patriot Act when the British Columbia government proposed to outsource processing of medicare claims to the Canadian subsidiary of a US company. Public sector unions who opposed the outsourcing focused on the fact that the company was American and suggested that sensitive health information would be readily available to US authorities. The British Columbia Information and Privacy Commissioner carried out an inquiry into the impact of this outsourcing on the privacy of British Columbians and recommended wide prohibitions on the “export” of personal information by BC’s public bodies.

British Columbia amended its Freedom of Information and Protection of Privacy Act to prohibit the export of personal information. (It is notable that the government did outsource the processing to the Canadian subsidiary of the US company and the legislature has had to amend the Act to scale back some of the unworkable provisions.) For more information, see below.

Nova Scotia followed suit with the passage of the Personal Information International Disclosure Protection Act. For more information, see below.

What does British Columbia’s anti-export law say?

Amendments to the Freedom of Information and Protection of Privacy Act require that information under the custody and control of a public body be stored only in Canada and accessed only in Canada unless the individual has consented to its storage or disclosure outside of Canada or one of a number of narrow exceptions apply. The public body and any of its service providers are under a legal obligation to  report any foreign demands for disclosure. Violating any of these provisions is an offense.

What does Nova Scotia’s anti-export law say?

The Personal Information International Disclosure Protection Act requires that information under the custody and control of a public body be stored only in Canada and accessed only in Canada unless the individual has consented to its storage or disclosure outside of Canada or one of a number of narrow exceptions apply. Importantly, the head of a public body may authorize the storage of personal information or access to personal information from outside of Canada if the head of the public body determines it is for the necessary operations of the public body. The head is obliged to report these exceptions to the Minister of Justice after the year end in which these decisions are made.

The public body and any of its service providers are under a legal obligation to  report any foreign demands for disclosure. Violating any of these provisions is an offense.

Is information better protected from law enforcement and national security access in Canada than in the United States?

Not necessarily. The provisions of the USA Patriot Act that have attracted the most criticism have equivalents under Canadian law. Regardless of where information resides, it will always be subject to lawful disclosure to law enforcement or national security bodies. In Canada, this includes search warrants under the Criminal Code of Canada and the Canadian Security Intelligence Service Act, and administrative subpoenas such as those issued under the Income Tax Act.

It should also be noted that many European countries permit broader law enforcement and national security access to information than in both the United States and Canada.

Secret Court Orders - The Foreign Intelligence Surveillance Act (amended by the USA Patriot Act) permits a specialized court - the Foreign Intelligence Surveillance Court - to issue secret court orders for the production of “any tangible thing” in connection with terrorism investigations. These orders are accompanied by a “gag order”, which prevents the recipient of the order from telling anyone other than legal counsel about the order. Canadian authorities have virtually identical powers under the Canadian Security Intelligence Service Act, which permits secret court orders that authorize CSIS to intercept communications or to obtain any thing named in the warrant.

Warrantless Wiretapping - The Foreign Intelligence Surveillance Act law permits the American government to intercept foreign communications and international communications without a warrant. Canada’s National Defence Act has essentially the same powers.

National Security Letters - National Security Letters are a form of administrative subpoena that permits a senior official of the Department of Justice to compel a third party (such as a bank, a telecom provider or an Internet service provider) to hand over information about a person’s use of the third party’s services. For example, they can require a telephone company to provide information about a customer’s use of the telephone, such as phone numbers called and the phone numbers of callers to the target of surveillance. It does not authorize the provision of the contents of any communications. Canada does not have an equivalent, but authorities in Canada can obtain this information by use of production orders.

Does keeping data in Canada keep it away from American law enforcement and national security agencies?

In short, no. Canada, the United States and most western democracies engage in a very high level of cooperation that includes mutual legal assistance treaties^[2] and ad hoc information sharing. If US agencies are interested in an individual who has ties to Canada, the Federal Bureau of Investigation can make a formal request of the Royal Canadian Mounted Police or CSIS to obtain the relevant information on their behalf. Most Canadian privacy laws actually permit this sort of information sharing under treaties or informal arrangements. And if you are concerned about covert access to this sort of data, American laws do not prohibit federal agencies from seeking the information covertly if it is not in the United States. Some have suggested that information is safer from US authorities in the US because of this.

If we go with a cloud solution, should we give notice of this to our customers/users?

Under most Canadian laws, you technically do not need to seek consumer consent or provide notice. However, the Privacy Commissioner of Canada has taken the position that businesses that propose to have personal information processed outside of Canada should give notice of this to customers. This is not required under the statute, but probably represents a best practice. If you are required to give notice or elect to as a best practice, you should be mindful of how it is presented to your customers so that it does not appear to be a request for consent that they can “opt out” of or that raises concerns. Under the Alberta and Quebec private sector laws, you are required to give notice of this to your customers.  

What are the legal security requirements for Canadian companies considering cloud computing?

Canadian legislation is silent about what particular security practices should be adopted when using cloud computing. The Personal Information Protection and Electronic Documents Act, for example, only says that safeguards must be adopted that are commensurate with the sensitivity of the information. The more sensitive the information, the greater the precautions that should be taken. The general prevailing view is that you should insist on at least the industry best practices for the sort of data at issue.

The original organization remains legally responsible for the safeguarding personal information even if it is outsourced. It is up to the organization to make sure that any service provider implements adequate protections.

One must be mindful of any additional risks introduced by cloud computing, which is principally related to having data in transit over the open Internet. These risks can generally be mitigated by the use of SSL, VPN or other encryption technologies to make the information safe in transit.

When evaluating the security and privacy implications of outsourcing services, you should benchmark the provider against the status quo at your organization. If the provider you are considering is compliant to a national or international standard such as ISO27001 or FISMA/FIPS or SAS 70, consider whether your current systems would be compliant.

Provided a reputable provider is used, information is generally safer when in the custody of a cloud service provider.  This is generally because cloud providers have greater resources to devote to security and because mobile users will no loner have to carry data with them in vulnerable devices, such as laptops and USB/thumb drives.

What role should jurisdiction play in a decision about whether to adopt cloud computing?

Jurisdiction is not irrelevant, but is less relevant that many people believe. For example, you should be very wary of any situation that casts doubt over whether your contract with your service provider will be enforceable. Afterall, their obligations to secure your data are set out in the contract. This means, at a minimum, you should be sure that your service provider is based in a jurisdiction with a mature and fair legal system. You should be aware that data may fall under the jurisdiction of any country that is reasonably connected to, so this would include at a minimum where you are located, where the service provider is based and where the data resides (which may be difficult for the customer or any third party to determine). For each of these jurisdictions, you should consider whether any them introduce any significantly meaningful increase in risk to your data. Expert legal advice should be sought as it is very difficult to determine and measure this risk.

What should I be looking for in the contract with my service provider?

Below is a list of what you should be asking for. Not every service provider will negotiate these terms and some are simply difficult or impossible to deliver depending on the model of cloud computing the provider uses, but you should ask for them and consider any response.

1.        Limit service provider to only using your data for your purposes and for no other purpose

Depending on the service, it is reasonable that your provider will want to gather analytics about how users use the service so  they can improve it, but the provider should be limited in what possible secondary uses they can make of your own data. In most cases, they should not make any use of this data for their own purposes unless you explicitly consent.

2.        Include provision that data is held “in trust” for customer

The purpose of this stipulation is to make it clear that the data remains yours and their role is to process/store/manage it on your behalf. In addition, if the data is held for you in trust, their obligations with respect to the data are increased as they are a legal fiduciary.

3.        No disclosures of information without your consent

The provider should not permit -- and should be legally responsible for -- any disclosures of your data other than as expressly set out in the service agreement.  The service agreement should contemplate what the provider should do to respond to a legal order for access.

4.        Liquidated damages for any disclosure without consent

It is often difficult to quantify the harm resulting from disclosure of information, so it is a good idea to try to set out in the agreement a reasonable sum of damages that the service provider should pay in the event of a disclosure without your consent. It should not be a fixed sum, but rather a multiplier connected to the extent of the disclosure. And make sure that it is “general damages”, so that you are not precluded from claiming additional damages for the out-of-pocket costs associated with any claims made by your customers against you, any fines that may be levied and your costs associated with notifying your customers.

5.        Obligation to resist – to the extent lawful – orders to disclose information without consent

If the service provider receives legal process that would require them to hand over the data and they are  not able to tell anyone about it, this would make it mandatory for them to resist the disclosure to the extent that they can. For example, if they receive a subpoena or a production order, they should not just hand it over but apply to the issuing court to have the subpoena quashed. (There is never any assurance that it will be successful, however.) It should be noted that some orders, such as search warrants, cannot be resisted at the time but an application can be made to have the warrant set aside and the data returned.

6.        Obligation to cooperate with you in any regulators’ investigations

In the event of any investigation by the Privacy Commissioner or some other regulator, your service provider should be obliged to assist you with such an investigation.

7.        Will not deal with any regulators related to your information without your participation

In the event of any investigation by the Privacy Commissioner or some other regulator, your service provider should not be dealing directly with the investigators. It is your data and you are ultimately responsible for it, so the job of addressing any complaints should be yours alone.

8.        Implement safeguards to protect information – Set minimums but shift as much responsibility to the service provider

Cloud computing agreements are complicated, technologies are subject to constant change and security standards shift over time, so it is better to have the service provider agree to abide by well-known information security standards instead of dictating particular technologies to use. Make sure your provider is regularly audited against these standards and make sure that you will have the right to obtain copies of the audit reports. It is unlikely that you will be able to audit them yourselves (which is a good thing, because you don’t want other customer’s auditors going through the systems on which your data resides).

Make sure they warrant that they will abide by these standards and that they will cover all of your costs in the event of any breach that results from their lapse.

If possible, you should make sure that you are able to audit your users’ access of the data, which may be necessary if there is a breach of security that originates within your systems.

9.        Do not accept any limitations of liability related to privacy and security – full indemnity

One of the reasons for choosing a cloud provider is because of their expertise in securing your data. The agreement should not limit their liability to a nominal amount if they fail to safeguard the data. Their warranty and indemnity should cover all of your costs and any remedies you have to offer your customers due to a security breach. The service provider should have adequate insurance for incidents such as these and the provider should be obliged to keep their insurance in force and to provide you with certificates of insurance evidencing this.

10.        No retention of your information after the contract is finished (and make sure you get all your data back!)

You should make sure that any contract with your service provider permits you to get all our data out if you choose to terminate the agreement or if it expires and that the provider cannot retain or use any of your data (other than general analytics information that is used to improve the service) after that point. It just makes sense.

What are the best practices for decision-making around cloud computing?

As with any new program that involves the handling of personal information, the organization should undertake a privacy impact assessment (also known as a “PIA”). PIAs are a systematic way of canvassing all of the privacy issues inherent in a project so they can be identified and hopefully mitigated. PIAs are widely done in the public sector and should be undertaken by private sector organizations who are considering moving customer or employee data to a service provider. The author has considerable experience with PIAs and can provide training and additional information.

About the author

DAVID FRASER is a partner with McInnes Cooper, working with a range of private and public sector clients to implement compliance programs for Canadian privacy legislation. He regularly provides opinions related to Canadian privacy law for both Canadian and international clients and is a frequently invited speaker on this topic. He is the author of the popular Canadian Privacy Law Blog (http://blog.privacylawyer.ca) and the Canadian Cloud Law Blog (http://www.cloudlawyer.ca).

David is widely recognized as one of Canada’s foremost experts on privacy law and other legal issues associated with cloud computing. He regularly advises vendors and customers in connection with implementing cloud computing projects, in both the public and private sectors. David is particularly known for his ability to cut through the rhetoric often associated with cross-border outsourcing to implement clear risk-based assessment of such projects.

In addition, David is the Past President of the Canadian IT Law Association and the former Chair of National Privacy and Access Law Section of the Canadian Bar Association. David was honoured to be included in the inaugural (2006) and each subsequent edition of The Best Lawyers in Canada in the category of Information Technology law. He is listed among the world’s leading lawyers in Internet and eCommerce Law in the International Who’s Who of Business Lawyers. In the spring of 2006, David was a recipient of an Outstanding Young Canadian Award by the Junior Chamber of Commerce International - Halifax Chapter.  In 2009, David was named as one of Canada’s “Top 40 Lawyers Under 40” by Lexpert.

He is a member of the faculty of Dalhousie Law School, where he teaches Internet and Media Law, Law and Technology, and Law and Policy for Electronic Commerce. He is on the editorial board of the Canadian Journal of Law and Technology. Active in the Halifax technology community, David is secretary and director of advocacy for Digital Nova Scotia, the IT industry association of Nova Scotia.

---

[1] This document is intended to be a summary of common questions along with brief answers. It is meant to provide a brief guide so that the reader is able to seek relevant legal advice and is not intended to be a substitute for competent legal advice.

[2]See the Mutual Legal Assistance in Criminal Matters Act (R.S.C., 1985, c. 30 (4th Supp.)) athttp://laws-lois.justice.gc.ca/eng/acts/M-13.6/. For a list of the countries with which Canada has mutual legal assistance treaties, see http://www.treaty-accord.gc.ca/index.asp?lang=eng.

Ontario access to information decision may affect cloud computing decisions

Dan Michaluk has a great summary of a recent and important access to information case from Ottawa, City of Ottawa v. Ontario (Information and Privacy Commissioner) (13 December 2010, Ont Div. Ct.): Case Report – Personal e-mails not subject to FOI legislation « All About Information.

I think this is probably one of the most important access decisions of the past year. It's similar to Johnson v Bell Canada, but seems to go even further. It will have a big impact in universities, where professors have generally been wrangling for exclusion of their e-mail from access legislation.

Most importantly, I think: This case may also have an impact on cloud computing for universities and USA Patriot Act-blocking statutes, because these statutes only apply to information under the "custody or control" of the public body. This case can be interpreted to support the proposition that student e-mail, at least, is not under the custody or control of the public body for the purposes of such statutes.

Update (30 December 2010): Canadian Privacy Law Blog: Ontario Commissioner to appeal personal email decision.

American Appeals Court says cops need warrants (with probable cause) to get e-mails

This is great news, both for e-mail users and for greater adoption of cloud computing. Contrary to Department of Justice lawyers (and too many precedents on their side), the US Court of Appeals for the Sixth Circuit has found that stored e-mails can't be accessed by law enforcement without a valid warrant.

The court struck down portions of the Stored Communications Act, which had permitted law enforcement to get their hands on e-mails over 180 days old with only a subpoena.

This may have big implications for cloud computing. One of the problems with US law on this is that the Fourth Amendment has been interpreted to say it doesn't protect the privacy of information held by a third party. So if you hand info over to someone like a bank, a cloud provider, an e-mail provider, etc. the protection is very different than if you have it in your personal possession. Finally the courts may be seeing that handing over data to service providers is the modern reality and privacy protections should keep up.

This is a victory for The Digital Due Process Coalition and its supporters in the United States who are advocating for bringing due process into line with modern technology.

Check out some interesting commentary:

• Declan McCullagh's summary here: Appeals court: Feds need warrants for e-mail | Privacy Inc. - CNET News.
• Warrant Needed to Get Your E-Mail, Appeals Court Says | Threat Level | Wired.com
• Breaking News on EFF Victory: Appeals Court Holds that Email Privacy Protected by Fourth Amendment

And the decision is here: http://www.ca6.uscourts.gov/opinions.pdf/10a0377p-06.pdf.

Privacy in the cloud for Canadian universities

This past week, I was invited to speak at the annual get-together of The Canadian University Council of CIOs (CUCCIO) in Toronto on the topic of cloud computing. Many universities in Canada are struggling with the legal and privacy issues of adopting cloud computing, particularly when Google and Microsoft are both offering very attractive (and free!) offerings that would relieve universities of the costs and burdens of administering student and alumni e-mail.

Universities in Alberta, British Columbia and Nova Scotia are particularly hampered by legislation that was designed to thwart the boogeyman represented by the USA Patriot Act.

BC and Nova Scotia have each adopted legislation that either categorically prohibits the "export" of personal information by public bodies, or put in place administrative hurdles. Alberta joins this pack by making it an offense under their public sector privacy law to disclose personal information in response to a "foreign demand for disclosure".

Part of the problem is that the legal framework is not particularly nuanced, as each decision about whether to outsource a service should be guided by a detailed risk assessment and privacy impact assessment instead of ham-fisted categorical rules that don't take particular circumstances into account.

Here is my presentation, which was well received.

If the embedded slideshow isn't showing you the love, click here: https://docs.google.com/present/view?id=ddpx56cg_320fx7rkbhh&interval=30

Privacy Commissioner releases draft report on 2010 consumer privacy consultations

The Privacy Commissioner of Canada has released her draft report on her 2010 Consumer Privacy Consultations that focused on "Online Tracking, Profiling and Targeting and Cloud Computing." You can get to the report here: http://www.priv.gc.ca/resource/consultations/index_e.cfm.

Privacy Commissioner releases draft report on 2010 consumer privacy consultations

The Privacy Commissioner of Canada has released her draft report on her 2010 Consumer Privacy Consultations that focused on "Online Tracking, Profiling and Targeting and Cloud Computing." You can get to the report here: http://www.priv.gc.ca/resource/consultations/index_e.cfm.

Ontario Commissioner releases paper on cloud computing

Ontario Commissioner, Anne Cavoukian, has released a new paper on privacy and cloud computing. Here's a summary:

Modelling Cloud Computing Architecture Without Compromising Privacy: A Privacy by Design Approach

As the Internet has evolved, we have seen the emergence of “Cloud computing.” Organizations have begun to leverage the connectivity created by the Internet to optimize the utility of computing. Ever-cheaper and more powerful processing and storage capabilities are allowing data centres to act as viable, large scale central computing hubs. Simultaneously, increasing network bandwidth and reliable yet flexible network connections make it possible for clients – both individual and enterprise – to utilize high quality services which reside solely on these remote central hubs. These services will often include data storage (and real time access) or processing (by remote software and computing resources). This possibility, however, forces clients to re-think the data protection schemes developed for the point-A-to-point-B data flow.

US Senate considers update to Electronic Communications Privacy Act

This past week, the United States Senate Judiciary Committee held hearings on the possible update of the American Electronic Communications Privacy Act. The statute, passed in the 1980s, is in urgent need of an overhaul in an age of cloud computing. The law has its origin in (in my view, perverse) caselaw that says you have no expectation of privacy from the government once you've handed your information over to a third party. The law provides different standards (subpoena vs search warrant) based on the age of the message and whether it has been previously read by the intended recipient. In an age of cloud computing and the widespread use of text messaging, one high standard is required.

From the industry side, the effort for reform is led by the Digital Due Process Coalition, made up of industry leaders such as Google and Microsoft. For a great overview of the issue and the hearings, see here: Senate considers update to Electronic Communications Privacy Act | Gov 2.0. The Google Public Policy blog has information on Google's position, including the written statement by Richard Salgado, their senior lawyer responsible for this area: Digital Due Process: The Time is Now.

The Judiciary Committee page has a webcast link if you want to see the hearing.

Privacy in the Clouds presentation

Below is my slide deck that I presented at the Privacy Commissioner's public consultation on cloud computing in Calgary on June 21, 2010.

Let me know in the comments or by e-mail if you have any problems with the slides.

Privacy Commissioner's consumer consultation (cloud computing) continues on Monday in Calgary

I've been honoured to be invited as one of the keynote speakers at the Privacy Commissioner's consumer consultations taking place in Calgary on Monday. I'm speaking on the topic of Cloud Computing. The full agenda is here.

The proceedings will be webcast: http://welcome2theshow.com.previewyoursite.com/priv2010/index_calgary.html, starting at 9:00 Mountain time. I think you'll be able to watch it later from the same address if you miss it the first time. Or you can watch it over and over again.

The roster of speakers is very impressive, including:

• Mr. Joseph H. Alhadeff, Vice President for Global Public Policy and Chief Privacy Officer, Oracle Corporation
  
• Mr. Shane Schick, Editor-in-Chief, ITWorldCanada (moderator)
  
• Mr. Declan McCullagh, Senior Correspondent, CBS News web site
  
• Mr. Brad Templeton, Director, Electronic Frontier Foundation
  
• Mr. Doug Jones, Cloud Computing Unit Executive, IBM Canada
  
• Mr. Daniel Koffler, Chief Technology Officer, Syntenic
  
• Dr. Andrew Patrick, IT Research Analyst, Office of the Privacy Commissioner of Canada (moderator)
  
• Mr. Scott Morrison, CTO, Layer 7 Technologies
  
• Dr. Tomas Sander, Research Scientist, HP Labs
  
• Mr. Brian O'Higgins, Consultant and Entrepreneur (Founder of Third Brigade), Assistant to the CTO, Trend Micro
  
• Dr. Thomas Keenan, Professor, University of Calgary
  
• Mr. Carman Baggaley, Senior Policy and Research Analyst, Office of the Privacy Commissioner of Canada (moderator)
  
• Ms. Kathryn Ratté, Senior Attorney, Division of Privacy and Identity Protection, Federal Trade Commission
  
• Mr. Mike Hintze, Associate General Counsel, Microsoft
  
• Mr. Adam Kardash, Partner, Heenan Blaikie
  
• Ms. Janet Lo, Legal Counsel, Public Interest Advocacy Centre