All About Information

Here is list of good links recent information and privacy developments:

• “@zephoria: “When Your Twitter Friend Turns Out To Be The Boston Bomber” analysis of Dzhokhar’s network by @gilgul: http://bit.ly/14TPb7S ”
• “@DanPinnington: #Apple keeps your #Siri voice file data for up to two years @wired #privacy http://ow.ly/khiEZ ”
• “@IPCinfoprivacy: Canadian brokers demand answers on missing… data http://bit.ly/178qMsG ” Can’t notify when you’ve got nothing to say!
• “@MortonsMusings: Porter launches $4M libel lawsuit against union http://www.ctvnews.ca/business/porter-launches-4m-libel-lawsuit-against-union-1.1242440 … via @CTVNews”
• Cyber Security and Cyber Espionage: A CCCA Panel http://bit.ly/13idAPB
• “@MackenzieDRS: This Week at the SCC (12/04/2013) http://buff.ly/Zr8YDH  leave granted in case about mediation confidentiality”
• IPC considers and rejects journalist’s 2(b) claim. His e-mails to govt ordered to be disclosed http://canlii.ca/t/fwzpq
• Are law firms asleep at the cyber security switch?: http://wp.me/p1OhjK-HQ  via @timbwilbur
• BSSC: Er had cause to dismiss IT ee who accessed confidential file in another ee’s confidential folder w/o permission http://canlii.ca/t/fwsgt
• Craig Ball advocating for meaningful dialogue between counsel on discovery. Good one. http://bit.ly/ZaCOfD
• Concise article ON SCJ case about whether legal advice conveyed to physician is producible http://www.lawtimesnews.com/201304019709/Commentary/Personal-Injury-Law-Dupont-provides-little-comfort-on-protecting-legal-advice-from-disclosure?utm_source=responsys&utm_medium=email&utm_campaign=20130401_CLNewswire …
• Arbitrator Considers the Possibility of Liver Enzyme Test For Alcoholic Employee If Employer Can Demonstrate Need http://www.canlii.org/en/on/onla/doc/2013/2013canlii14493/2013canlii14493.html …
• Security Lessons from the Big DDoS Attacks http://bit.ly/10j99Cg
• “@kdmacneill: Motion for injunction to remove allegedly defamatory videos and comments from YouTube dismissed. http://canlii.ca/t/fwn9x “
• “@Canuckflack: Solid advice from @privacyprivee on preventing identity theft – and it’s an infographic! http://www.priv.gc.ca/resource/tool-outil/infographic/idt_info_201303_e.asp …”
• Fleeting reference to starlet in song not a misappropriation of personality http://bit.ly/ZnXsYs
• Alberta court finds that grievance response is privileged http://wp.me/p6aAc-22X
• Another Credit Card Breach Lawsuit Fails – Willingham v. Global Payments http://blog.ericgoldman.org/archives/2013/03/plaintiffs_whos_1.htm …
• “@RichNet: Storing Passwords, or The Risk of a No-Salt Diet via Tech @ FTC http://buff.ly/Y2DlmR  #infosec”
• Survey Reports High Percentage of Employee Misuse and Theft of Company Data http://bit.ly/Y2Ej4J
• No maintenance or champerty despite university’s agreement to pay costs of prof’s defamation suit http://canlii.ca/t/fwjn7
• “@BobMunroeLawyer: Cyberbullies and insurance coverage. #technology #data http://www.lawyersweekly-digital.com/lawyersweekly/3243/m3/Page.action?folio=11 …”
• “@BusinsJGreenwal: Harvard’s secret e-mail search is an intersection of internal investigations and digital privacy. http://onforb.es/WA4OMW ”
• “@BCInfoPrivacy: New guidance document: Use of personal email accounts for public business http://ow.ly/jbAUa  #bcpoli“

I’ve been posting less than I’d like to lately have a BIG pile of cases to catch up on. My apologies. I’ve been training very hard and getting ready for an event that I’ve always dreamed of doing and have finally committed to.The “M2O” is a 32 mile paddle race from Molokai to Oahu across the Ka’iwi Channel – the “channel of bones.” I’ll do it solo on a prone paddle board (paddling with my hands). The distance is not so bad, but the channel conditions are going to make the race very hard. My only goals is to finish with my dignity.

I’ve spent the last four months building some base and learning from paddlers in the community. At this point I’m extremely excited and feeling fit and positive, but the hard work is just starting. Forgive me for posting a bit about my progress here. I love the writing about the developing law, but the developing law is going to be competing for my attention for the next while!

Aloha,

Dan

Lots of good information and privacy content flowing through my Twitter network lately. Here are the highlights:

• Ottawa takes a leaf from Ontario on freedom of information http://www.thestar.com/news/city_hall/2013/02/28/ottawa_takes_a_leaf_from_ontario_on_freedom_of_information.html …
• Think of BlackBerry PIN-to-PIN messages as scrambled, not encrypted, says CSEC http://bit.ly/XHae4z  #privacy via @ilone
• “@feisty_jenn: Private Member’s Bill – C-475, putting order-making power in PIPEDA http://tmblr.co/Zg0QCyf5xt9L ”
• Not surprisingly, faxing intercepted communications for another is not an intrusion upon seclusion http://canlii.ca/t/fw5c3
• Chris Dale on Why We Can’t Just Use Google for eDiscovery http://bit.ly/XaTIvD
• Thrown Off a United Airlines Flight for Taking Pictures! http://upgrd.com/matthew/thrown-off-a-united-airlines-flight-for-taking-pictures.html … Terrible story. Good policy issue. Via @PatrickSumm
• Review: The Problem with Our Data Obsession http://techre.vu/15u1pBC  HT @MackenzieDRS
• Magistrate Recommends Dismissal with Prejudice of Claims Against Global Payments http://bit.ly/YnIT6A
• Information security on campus – lessons from the US http://gu.com/p/3dj6z/tw  via @bdlesser @jtestart
• Termination for receipt of unsolicited porn seems the subject of “puritanical” motivation – no cause (NBCA) http://canlii.ca/t/fw3w3
• Perell J augments his discovery thoughts in judgement on discovery and admissions http://canlii.ca/t/fw1gn
• Busted! How Happy Accidents Help Forensic Examiners Prove Data Theft (quite awesome) http://bit.ly/Ygh6VB
• “@LancasterCanada: HRTO: Union blog, like union meetings/newsletters, shouldn’t usually be considered ‘in workplace’ http://canlii.ca/t/fw0m5#par53 “
• IP address admissible as business record on strength of affidavit of Facebook employee (ONCJ) http://canlii.ca/t/fvzsm
• “There are few things more cowardly and insidious than an anonymous blogger…” Goldstein J. of ONSC. http://canlii.ca/t/fw0xk
• “@bsookman: BYOD could open businesses to copyright litigation http://bit.ly/UTzWoJ “

It’s getting very near the end of winter paddling season. The highlight was the Paddle With Purpose event from a couple weekends back. A group of us paddled 27 miles from St. Petersbug to Lido Key for Wounded Warriors Family Support. We paddled with the spirit of aloha, which you can FEEL in watching the beautiful video below. I’ve swung an invite to do another crazy paddle next weekend in California with some of same characters. I’m very excited. Story to be told later.

I’ve managed a few blog posts lately but haven’t been so active on Twitter. Here, however, is what is worth a re-post:

• V-C Hayes (as arbitrator) decides to receive surveillance evidence and then consider consequence of any impropriety http://canlii.ca/t/fvj32
• “@labourlawguy: Divisional Court confirms HRTO can rely on hearsay http://canlii.ca/t/fvsfr ” Nice win Michael!
• “@FaskenMartineau: Cloud Computing Survey http://dlvr.it/2rHnSv ” Good job here.
• “How far should privacy commissioners roam?” in Can. Priv. Law Rev. by the man who speaks the unspeakable, Chris Berzins. Worth reading.
• “@wiselaw: Sotomayor: Lawyering is a gift, and unhappy lawyers should ‘go back to square one’ #law #legal http://bit.ly/UmuF8S “
• Fine victory for Jennifer Penman in excluding electronic evidence (via @DerstinePenman)  http://www.durhamregion.com/iphone/news/article/1569712–durham-man-s-child-porn-charge-tossed-over-charter-breach …
• Take caution with pension committee email – http://tinyurl.com/bdvkn45
• “@HayeseLaw: No privacy if bags checked, court told | The Chronicle Herald http://lnkd.in/T7juvk ” Didn’t realize that went up!
• “@DanPinnington: Lawyers should (almost) never use BCC (SLAW Tips) http://ow.ly/h2zSf  #malpractice“
• “@kdmacneill: Driver’s seconds-long coughing incident causes pedestrian death; due diligence shown, acquittal entered http://canlii.ca/t/fvp39 “
• “@bsookman: Is Canada’s Anti-Spam Law a joke? http://bit.ly/13Oxkep ” This is quite awesome.

Thanks to all those who shared these good links.

In two weeks I’ll be flying down to Tampa to paddle 27 miles with a good group of other prone paddlers from the area and across North America. The energy is building around the event, but it’s going to be hard. If you’re a regular reader of this blog please consider donating to the charity for whom we will paddle – the Wounded Warriors Family Support organization, an organization that provides support to the families of American soldiers wounded, injured or killed in battle. Or, if you’d rather, please consider making a donation to an alternative Canadian charity here.

The “Information Roundup” is back!

This is something I’ve run in the past that features a compilation of tweets plus a personal note of some kind. I’m going to bring it back because I’ve started tweeting links to information and privacy decisions that don’t quite deserve a full post and want a good record of them somewhere. It will also be nice to add a little bit of colour back into the blog.

So here’s the first list for 2013, with a more to come as we go:

• Reviewing doc subject to lit privilege for discovery doesn’t cause waiver in Ont. Contradictory authority questioned. http://canlii.ca/t/fs3bd
• #SCC refuses leave to appeal BC v Harrison http://canlii.ca/t/frt0c  duty of public body to ensure accuracy of info affecting #employment (via @LancasterCanada)
• Request for 3P production order for records of residential treatment facility dismissed by arbitrator as fishing http://canlii.ca/t/fvf78
• Facebook Photos Found to be “Of Limited Usefulness” In Injury Claim http://bit.ly/ZDIfZ5 (via @erikmagraken)
• Predicting violence is a work in progress http://www.washingtonpost.com/national/health-science/predicting-violence-is-a-work-in-progress/2013/01/03/2e8955b8-5371-11e2-a613-ec8d394535c6_story.html … HT @ptheriault
• Discharge for e-mail related misconduct upheld. Policy prohibiting sending work to home account would have helped. http://db.tt/8JXzRCEm
• Failure to indicate docs did not exist not ideal, but consequences not to be borne on grievor (Ont. arbitrator) http://db.tt/xl2jJQF2

As for me, I’m quite obsessed by paddling (a prone paddleboard) right now and recorded this video just after Toronto had its big snowstorm this Christmas. It’s quite a beautiful thing to be on the Lake O at this time of year. Dark and moody but beautiful. I hope the video gives you an appreciation of the variety of experiences the Lake can offer and maybe an urge to get wet.

This year I nominate The Trial Warrior Blog by Antonin Pribetic and Morton’s Musings by James Morton. Blogs driven by genuine interest in the law are becoming more and more distinct as those with a more promotional bent are pouring in. I like both these blogs because they are pure in spirit. Bonus points to Pribetic for his honesty and feisty spirit and bonus points to Morton for contributing good, concise educational content.

I also nominate FMC’s Data Governance Blog, driven mostly by the efforts of Tim Banks. It competes most closely with the content from this blog, but is good.

On June 13th, Arbitrator Herlich issued an award in which he affirmed discipline meted to an employee who made various negative comments in the workplace but reduced the penalty because the discipline rested in part on an internal e-mail communication that was not culpable.

The employee worked at a convention centre. He was disciplined for expressing negative views on three occasions. Two occasions led to customer complaints. The third was in the workplace where clients were in attendance. The discipline also rested on an e-mail the employee sent to a senior executive that was critical of the employer (though not of any specific individuals). The employer felt the employee did not follow the proper procedure for raising a complaint.

Arbitrator Herlich said the following about the three occasions of negative expression in the workplace:

The grievor obviously has an extensive workplace and labour relations agenda. He is entitled to his views and he is entitled to engage in legitimate trade union activities, including, should he so choose, seeking trade union office and engaging in the politicking that may attend those efforts. That freedom, however, is not absolute and does not provide him with a license to freely express his views at work to, or within the earshot of, the employer’s customers or guests. The grievor clearly did not and, I fear, still does not understand this.

He felt that sending e-mail was different and, in the circumstances, not culpable. Based on this and a consideration of other factors, Arbitrator Herlich reduced the employer’s five day suspension to a three day suspension.

United Steelworkers and The Crown in Right of Ontario (Ottawa Convention Centre) (13 June 2012, Herlich).

On September 19th, the Human Rights Tribunal of Ontario dismissed an application that alleged a school board breached the Ontario Human Rights Code by using an Ontario Student Record in defence of a prior application.

Section 266 of the Ontario Education Act deems an OSR to be “privileged for the information and use of supervisory officers and the principal, teachers and designated early childhood educators of the school for the improvement of instruction and other education of the pupil.” It also explicitly states that an OSR is not admissible in evidence without parental consent.

In the prior application (which involved the same parties), the board had used the OSR in its response. This led the applicant to seek an order prohibiting the respondent from further relying on the OSR. The Tribunal denied the applicant’s request and, instead, held that it would dismiss the application as an abuse of process unless the applicant provided a consent. The applicant withdrew its application and filed a subsequent application that directly attacked the board’s use of the OSR, which the applicant alleged was discriminatory and a reprisal.

The Tribunal held that the board’s actions were absolutely privileged. It said:

The entire Application in this case is based on statements made in the respondent’s pleadings and the pre-hearing disclosure of documents to the applicant by the respondent in the course of a proceeding before the Tribunal. The respondent’s impugned statements and actions were thus clearly made and/or performed on occasions of absolute privilege. The applicant therefore cannot rely on them to found a claim under the Code. The Application must be dismissed on this basis alone.

The Tribunal also held that there was no reasonable prospect that the applicant would succeed on the merits.

GA v York Region District School Board, 2012 HRTO 1787 (CanLII).

On October 2nd, Arbitrator Albertyn partly upheld a suspension issued for taking photos in the workplace without authorization and refusing to delete them as directed. Here is what he said:

I have found that the Grievor refused to delete the photographs of the restaurant from his cellphone when asked to do so by the Employer. The images were likely of the restaurant, of an employee and of its proprietor. These images did not belong to the Grievor. All or some of them belonged to the Employer. The Employer was entitled to require that the Grievor delete them. That was a legitimate instruction from the Employer to the Grievor. His refusal amounted to insubordination.

The employer did not have a policy, and posted a memo that addressed photo taking in the workplace after the incident. Arbitrator Albertyn suggests that the employer did not need a policy to order the photos to be deleted.

Swiss Chalet Restaurant #1178 v United Food & Commercial Workers Canada, Local 206, 2012 CanLII 57387 (ON LA).

The Court of Appeal for Ontario issued a significant judgment yesterday in which it held that the police did not breach section 8 of the Charter by obtaining the identity of an anonymous internet user without judicial authorization. The decision touches deep questions about anonymity and the rights of citizens (corporate or otherwise) to help law enforcement.

The case is about a child pornography investigation that started with a concern about the trading of contraband on a German website. The trading was done openly, but under the cover of pseudonyms. The RCMP obtained information that child pornography had been downloaded to computers at various IP addresses in Canada. It requested and obtained information from a Canadian internet service provider (ISP) that linked three downloads to the accused.

The key issue for the Court was whether the accused had a reasonable expectation of privacy in the circumstances. The same issue was before the Court of Appeal for Saskatchewan in two cases last year, and it reached a different reasonable expectation of privacy finding in each case, arguably because the commercial terms imposed by the ISP in each case differed.

One key to the Court of Appeal for Ontario’s rejection of a privacy claim is its characterization of the information at issue. The Crown argued that the ISP merely disclosed a name and address. The defence argued that the ISP disclosed information that would reveal “browsing history” and “the details of an individual’s Internet activities.” The Court accepts neither position. It characterizes the information as follows:

The police did not want the subscriber information so as to be able to identify the appellant as a customer of Bell Sympatico. That fact alone was of no value to the police. Nor does the appellant contend that he has a reasonable expectation of privacy with respect to the fact that he is a client of Bell Sympatico. The police wanted the information because they believed it could potentially identify the appellant as the person who had anonymously accessed child pornography on three separate occasions over the Internet. Translated into the content neutral language required for the purposes of s. 8, the police wanted the information because of what it could potentially tell them about the appellant’s Internet activity on three occasions. They sought to connect an identity to certain activity: see Slane & Austin, at pp. 500-503.

The Court’s reference to “content neutral” pays heed to case law that establishes that the protection afforded by section 8 of the Charter should not be debased by framing the activity that the proponent seeks to protect as criminal and therefore unworthy of protection. R v Wong, for example, was a case about the surveillance of unlawful gaming in a hotel room. The Supreme Court of Canada said that the privacy interest at stake was about the right to use a hotel room in private, not the right to use a hotel room for unlawful activity in private.

But does yesterday’s decision really treat the privacy interest at stake as neutral?

In the above quote the Court links the interest at stake to the anonymous downloading of pornography. It explains that broader, more neutral framing is not possible based on the record:

I cannot, however, go so far as Mr. Dawe, and counsel for the intervener, who relying on the comments of Cameron J.A. in Trapp, at paras. 32-37, argue that the information sought by the police would provide “an electronic roadmap of the appellant’s travels on the Internet”. That description, while consistent with the language used in Trapp, at para. 36, goes beyond the evidentiary record in this case. Adapting the intervener’s metaphor to the evidence adduced here, I would say that the police sought information capable of putting the appellant at a specific place, at a specific time in the course of his travels on the Internet.

The only activity occurring at the specific place and specific time at issue is criminal activity. The Court’s framing is proper based on evidence that established the dynamic nature of IP addresses, but it points to criminal activity and is therefore not neutral.

Then, in another very significant part of its analysis, the Court assigns significant weight to the ISP’s interest in “preventing the criminal misuse of its services.” It says that it is legitimate for an ISP to choose, for reasons relating to civic engagement or out of pure self-interest, to make a limited, voluntary disclosure to police – especially so given the repugnance of child pornography.

This analysis rests on far more fundamental concerns than an analysis that focuses on the commercial terms between an ISP and its subscribers. As the Saskatchewan cases might illustrate, an analysis that rests on commercial terms is flimsy and leaves to much to depend on a private arrangement that may vary by circumstance. An analysis that rests on a system owner’s interest in preventing the use of its property as an instrument of crime is strong. It is the kind of analysis that employers (also system owners) have said is missing from the Court of Appeal for Ontario’s last third-party disclosure decision, R v Cole.

Recognizing that system owners have a legitimate interest in preventing misuse of their systems may be strong and proper, but it is not neutral. The Court addresses this by saying that the nature of the offence under investigation is relevant to the reasonableness of an ISP’s response to a police request, but not the reasonable expectation of privacy analysis itself. Is this really a meaningful distinction?

All of this is to stress the complexity of this decision, with which I agree. People who trade child pornography engage in criminal activity in public and in a manner that creates an obvious digital trail. They hold the thinnest veil of anonymity, the maintenance of which rests on the outlook of an ISP. Whether an ISP should be able to take a value-laden, non-neutral stance against crime seems like it will be the fighting ground on any appeal.

R v Ward, 2012 ONCA 660.

Here are my slides from a presentation today at the Canadian Institute’s internal investigations seminar. The over-arching message: investigation tactics that used to get an unqualified green light are now becoming subject to risk, so investigators need to think and act with an understanding that the reasonableness of every step may be subject to judgment.