Week of 2024-11-02

Google granted 5-year exemption from Canada’s Online News Act

Nojoud Al Mallees | Global News

The Canadian Radio-television and Telecommunications Commission (CRTC) has granted Google a five-year exemption from Canada's Online News Act, mandating that the company disburse $100 million annually to Canadian news outlets within 60 days. This decision follows Google's agreement to financially support Canadian journalism in exchange for exemption from the Act, which requires tech giants to compensate news publishers for content shared on their platforms. The Canadian Journalism Collective, a non-profit organization, will oversee the equitable distribution of these funds to eligible news organizations. The CRTC's ruling also stipulates that Google must allow more news businesses to join the collective, ensuring a broader inclusion of media outlets in the funding process.

75% of Europeans support police and military use of AI

Masha Borak | Biometric Update

A recent survey by IE University’s Center for the Governance of Change reveals that 75% of Europeans support the use of AI by police and military forces, particularly in applications like facial recognition and biometric surveillance. Support for AI in law enforcement and defense varies by country, with higher approval rates in Romania, Poland, and Italy, and more skepticism in Spain, France, and the UK. The survey also shows that public awareness about government use of AI in public services is low, with 61% of respondents unaware of its existing applications. Additionally, 86.5% of Europeans expressed a desire for governments to seek citizen approval before implementing AI in public services, underscoring the importance of transparency and public trust.

Delaware Supreme Court allows limited use of AI for judges and court staff under new policy

Angelica Dino | Canadian Lawyer Magazine

The Delaware Supreme Court has introduced an interim policy permitting judges and court staff to utilize artificial intelligence (AI) tools, subject to specific limitations to ensure responsible use. Under this policy, judicial officers and court personnel must exercise caution when employing generative AI tools and are accountable for the accuracy of their work. Any AI tools intended for official duties require prior approval from the court's administrative arm, and users must receive appropriate training before implementation. Importantly, the policy prohibits delegating decision-making responsibilities to AI systems.

AI-generated child sexual abuse images are spreading. Law enforcement is racing to stop them

Alanna Durkin Richer | CTV News

The rise of AI-generated child sexual abuse material (CSAM) is challenging law enforcement, as traditional detection methods struggle to identify newly created, realistic images. This content is often produced with advanced AI tools, complicating tracking efforts that usually rely on known CSAM databases. Authorities are now racing to develop new strategies and technologies to combat this emerging threat. Cases like that of Hugh Nelson in the UK and Justin Ryan Culmo in the U.S. underscore the dangers, as both used AI to create and distribute explicit images involving real children. These incidents highlight the urgent need for updated legal frameworks and collaboration between tech companies and policymakers to curb the misuse of AI for exploitation.

Ontario government moves to fast-track bills on traffic safety and digital security

Barbara Patrocinio | QP Briefing

The Ontario government is expediting two legislative bills: Bill 197, which amends the Highway Traffic Act to enhance road safety regulations, and Bill 194, the Enhancing Digital Security and Trust Act, aimed at strengthening digital security and privacy protections. Government House Leader Steve Clark introduced a motion to fast-track these bills through Second Reading and committee review under strict timelines, reducing the period for public and expert input. Bill 194, focused on digital security, establishes guidelines for safeguarding personal data and implementing stronger cybersecurity standards across public and private sectors in Ontario.

Yukon privacy commissioner's concerns about facial recognition lead to proposed Traffic Safety Act changes

Talar Stockton | Yukon News

The Yukon government has proposed amendments to the Traffic Safety Act in response to concerns raised by the Information and Privacy Commissioner regarding the use of facial recognition technology. Initially, Section 215 of the bill permitted the registrar to employ facial recognition software for identity verification. However, the commissioner's office was not consulted on this provision, leading to apprehensions about privacy implications. Subsequent discussions between the Department of Highways and Public Works and the commissioner's office resulted in draft amendments that limit the use of facial recognition software strictly to the registrar's duties under the Act. These changes also clarify that the software is intended solely to prevent identity theft and fraud, ensuring that its application is confined to comparing photos already within the registry's possession.

Amanda Todd’s family joins American parents in lawsuit against social media giants

Kelly Geraldine Malone | Toronto Star

The family of Amanda Todd, a Canadian teenager who tragically took her own life in 2012 after enduring severe online harassment, has joined a U.S. lawsuit against major social media companies. This legal action, initiated by American parents, alleges that platforms like Facebook, Instagram, and Snapchat have failed to implement adequate safeguards to protect young users from cyberbullying and exploitation. The lawsuit contends that these companies prioritize user engagement and profit over the safety and well-being of minors, leading to harmful consequences. By participating in this lawsuit, Amanda Todd's family aims to hold social media giants accountable and advocate for stronger protective measures to prevent similar tragedies.

Ontario Court of Appeal upholds privacy protection in murder case involving teenagers

Angelica Dino | Canadian Lawyer Magazine

The Ontario Court of Appeal has ruled that media organizations cannot access unredacted court records in a murder case involving eight teenagers, emphasizing that the Youth Criminal Justice Act (YCJA) prioritizes the privacy and rehabilitation of young individuals over the principle of open court proceedings. The court determined that the YCJA's privacy protections are essential to prevent stigmatization and support the rehabilitation of youth offenders, aligning with international conventions and the Act's foundational principles. This decision underscores the necessity of balancing public interest with the rights of young persons in the justice system.

What Teenagers Really Think About AI

Harry Booth | Time

A recent poll by the Center for Youth and AI, in collaboration with YouGov, reveals that 80% of American teenagers aged 13 to 18 believe addressing the risks posed by artificial intelligence (AI) should be a top priority for lawmakers. This concern ranks just below healthcare access and affordability, surpassing issues like social inequality and climate change. The survey indicates that nearly half of the respondents use AI tools such as ChatGPT several times per week, reflecting a rapid adoption rate among teens. Despite their frequent use, teenagers express significant apprehension about AI-generated misinformation and deepfakes, with 59% and 58% respectively citing these as major concerns. These findings highlight the importance of including youth perspectives in policy discussions surrounding AI's societal impact.

Commerce Department IoT panel says car dealers should display privacy labels on vehicles

Suzanne Smalley | The Record

The U.S. Commerce Department's Internet of Things (IoT) Advisory Board has recommended that car dealerships display privacy disclosures on vehicle windshields, akin to existing Monroney labels that provide fuel efficiency and safety information. These proposed labels would inform consumers about the collection and potential sale of personal data by vehicles, and whether a universal opt-out option is available. The initiative aims to enhance consumer protection amid growing concerns over data privacy in connected cars, as highlighted by a 2023 Mozilla Foundation report that documented widespread failures by automakers to protect consumer privacy and clearly notify them about data collection and sharing practices. The advisory board also suggests that the labels include a QR code linking to an online privacy policy, providing consumers with easy access to detailed information. While the Alliance for Automotive Innovation, a leading auto industry lobbying group, has expressed concerns about the feasibility of adding such information to already crowded labels, the advisory board maintains that clear and concise privacy disclosures are essential for informed consumer decision-making.

New UK data bill proposes dedicated digital ID office, biometrics retention changes

Chris Burt | Biometric Update

The UK government has introduced the Data (Use and Access) Bill (DUA), aiming to enhance digital verification services and open banking. A key component is the establishment of the Office for Digital Identities and Attributes (OfDIA) within the Department for Science, Innovation and Technology (DSIT), which will oversee approvals under the Digital Identity & Attributes Trust Framework and issue trust marks to certified entities. The bill also proposes digitizing civil registration by replacing paper-based systems with electronic registers for births and deaths, and allowing registrations via phone. Additionally, it includes provisions for the retention of biometric data, such as extending retention to individuals found not guilty by reason of insanity and permitting police to store biometric data indefinitely in pseudonymized form under certain conditions. These measures are designed to bolster data privacy protections, reduce fraud, and streamline access to services for individuals and businesses.

Liberals, Tories, and NDP remain united in court battle for ‘exclusive jurisdiction’ over voter data

Ian Campbell | The Hill Times


Manager at Sask. clinic snooped on resident's eHealth record over 30 times

David Prisciak | CTV News

A Regina clinic manager accessed a resident's eHealth records 37 times without authorization, prompting an investigation by Saskatchewan's Information and Privacy Commissioner. The individual had no legitimate reason to view the records, as the resident had never been treated at the clinic. The manager's access was suspended for six months, and upon reinstatement, they were subject to random audits, which revealed no further issues. This incident underscores the necessity for stringent access controls and regular audits to protect personal health information from unauthorized access.

Researchers say an AI-powered transcription tool used in hospitals invents things no one ever said

Garance Burke | Hilke Schellmann | AP News

OpenAI's transcription tool, Whisper, has been found to fabricate content, including racial comments, violent rhetoric, and imaginary medical treatments, raising significant privacy concerns. Despite OpenAI's advisories against using Whisper in high-risk domains, some hospitals have employed it to transcribe patient consultations, potentially compromising patient confidentiality. Researchers have identified numerous instances where Whisper's transcriptions contained hallucinations, leading to questions about its reliability in sensitive settings. The sharing of patient conversations with tech companies for transcription purposes also poses risks to patient privacy. OpenAI acknowledges the issue and is working to reduce hallucinations, but the problem persists, highlighting the need for stringent privacy safeguards when integrating AI tools into healthcare environments.

Oracle announces new AI-powered electronic health record

Ashley Capoot | CNBC

Oracle has introduced an AI-powered electronic health record (EHR) system designed to streamline healthcare workflows and enhance patient care. This system integrates generative AI to assist healthcare professionals in summarizing patient interactions and generating clinical notes, aiming to reduce administrative burdens. However, the deployment of AI in EHRs raises significant privacy concerns, particularly regarding the handling of sensitive patient data. Ensuring robust data protection measures and compliance with healthcare privacy regulations is crucial to prevent unauthorized access and misuse of personal health information. The success of such AI-driven systems depends on balancing technological advancements with stringent privacy safeguards to maintain patient trust and confidentiality.

Ottawa police introduce 'risk navigators' to combat intimate partner violence

Nathan Fung | CBC News

The Ottawa Police Service (OPS) has introduced "risk navigators," social workers who engage with individuals involved in intimate partner violence (IPV) cases where no criminal charges have been filed. This initiative aims to provide support, legal information, and resources to those at risk, addressing situations that might otherwise lack formal intervention. The program was developed following the 2021 murder of Hanadi Mohammed by her husband, highlighting deficiencies in previous police responses to IPV incidents. By proactively reaching out, risk navigators seek to enhance victim safety and prevent future violence, ensuring that privacy and confidentiality are maintained throughout the process.

Is your smartphone being tracked? Here’s how to tell

Ariel Bogle | The Guardian

The Guardian's article "Is your smartphone being tracked? Here’s how to tell" highlights the prevalence of smartphone surveillance, particularly in contexts of domestic abuse. It emphasizes that while sophisticated spyware exists, perpetrators often exploit standard device features like location sharing and shared accounts to monitor victims. The piece advises users to conduct digital safety audits, including reviewing app permissions, checking for unfamiliar applications, and ensuring accounts are secure. It also underscores the importance of understanding and managing cloud services, as these can inadvertently expose personal information. The article serves as a crucial reminder of the need for vigilance in protecting one's digital privacy, especially for those in vulnerable situations.


Windsor police to expand use of dash cameras, body microphones after pilot project

CBC News

The Windsor Police Service is expanding its use of dash cameras and body-worn microphones following a successful pilot program conducted from June to September 2024. Starting in 2025, all patrol officers will be equipped with these devices, which automatically activate during emergency responses and traffic stops, with officers also able to initiate recording manually. The collected footage will be managed in compliance with privacy and freedom of information laws, ensuring appropriate use, disclosure, and retention. Officers are required to inform individuals at the earliest opportunity that they are being recorded, promoting transparency and accountability. This initiative aims to enhance evidence collection and foster public trust while adhering to established privacy standards. 

Five Eyes intelligence partners launch shared security advice initiative for tech companies, researchers, and investors

Government of Canada

On October 28, 2024, the Five Eyes intelligence alliance—comprising Australia, Canada, New Zealand, the United Kingdom, and the United States—launched the "Secure Innovation" initiative. This program offers unified security guidance to emerging technology companies, researchers, and investors, aiming to protect them from threats, particularly those posed by state actors. The initiative provides cost-effective measures to safeguard intellectual property and sensitive data, addressing concerns over economic espionage and unauthorized data access. By delivering consistent advice across member nations, Secure Innovation seeks to enhance the resilience of the tech sector against privacy breaches and national security threats.

China 'compromised' Canadian government networks and stole valuable info: spy agency

Catharine Tunney | CBC News

The Communications Security Establishment (CSE) has identified China as the most significant cyber security threat to Canada, citing the scale, sophistication, and ambition of Chinese state-sponsored cyber activities. Over the past five years, Chinese actors have compromised multiple federal, provincial, territorial, municipal, and Indigenous government networks, collecting sensitive communications and information. At least 20 federal government networks have been breached, with attackers dedicating substantial resources to understanding and infiltrating these systems. These cyber espionage efforts aim to gain advantages in bilateral relations and commercial matters, posing serious risks to Canada's national security and the privacy of its citizens.

Global privacy authorities issue follow-up joint statement on data scraping after industry engagement

Office of the Privacy Commissioner of Canada

On October 28, 2024, the Office of the Privacy Commissioner of Canada, alongside 16 global data protection authorities, issued a follow-up statement addressing the privacy risks associated with data scraping from social media platforms. This initiative emphasizes that personal information, even when publicly accessible, remains subject to privacy laws and requires adequate protection. The statement outlines expectations for organizations to:

  • Comply with privacy and data protection laws when utilizing personal information, including from their own platforms, for developing artificial intelligence large language models.

  • Implement a combination of safeguarding measures and regularly update them to keep pace with advancements in scraping techniques and technologies.

  • Ensure that permissible data scraping for commercial or socially beneficial purposes is conducted lawfully and under strict contractual terms.

This collaborative effort follows a 2023 joint statement and subsequent engagements with major social media companies, highlighting the importance of protecting individuals' fundamental right to privacy in the digital age.

Privacy and access authorities gather in Toronto to address emerging issues

Angelica Dino | Canadian Lawyer Magazine

In October 2024, Toronto hosted a two-day annual meeting of federal, provincial, and territorial information and privacy commissioners and ombuds, organized by the Ontario Information and Privacy Commissioner (IPC). The gathering addressed key privacy and access issues pertinent to Canadians, fostering collaboration among various privacy authorities. Discussions encompassed the integration of artificial intelligence in government services, with Ontario's Ministry of the Environment, Conservation and Parks presenting AI initiatives to streamline Freedom of Information processes. The meeting also explored First Nations' perspectives on data sovereignty, emphasizing the OCAP (Ownership, Control, Access, and Possession) principles. Additionally, the IPC's Youth Advisory Council shared insights on online privacy, highlighting the necessity for public education policies to empower youth in digital spaces.

Tens of thousands of taxpayer accounts hacked as CRA repeatedly paid out millions in bogus refunds

Harvey Cashore | Daniel Leblanc | CBC News

A recent investigation by CBC's The Fifth Estate and Radio-Canada has uncovered significant cybersecurity vulnerabilities within the Canada Revenue Agency (CRA). Hackers exploited these weaknesses to access tens of thousands of taxpayer accounts, altering direct deposit information and submitting fraudulent tax returns, resulting in the CRA disbursing millions in bogus refunds. Notably, in early 2024, hackers obtained confidential data from H&R Block Canada, using it to infiltrate numerous CRA accounts and misappropriate over $6 million in fraudulent refunds. Despite the severity of these breaches, the CRA has been criticized for underreporting the incidents to Parliament and the public, raising concerns about transparency and the agency's capacity to safeguard sensitive personal information.


A work in progress and emergent threats: Canada’s critical infrastructure cyber law evolves to address foreign interference

Jasmine Samra | Brent J. Arnold | Gowling WLG

Canada's Bill C-26, An Act Respecting Cyber Security, has progressed through the legislative process since its introduction in June 2022, incorporating measures to address foreign interference in Canadian affairs. The bill proposes amendments to the Telecommunications Act to enhance the security of Canada's telecommunications infrastructure and introduces the Critical Cyber Systems Protection Act (CCSPA), which mandates that operators of critical infrastructure sectors implement robust cybersecurity measures. In response to emerging security concerns, the federal government enacted Bill C-70, the Countering Foreign Interference Act, in May 2024. This legislation introduced the Secure Administrative Review Proceedings (SARP) regime under the Canada Evidence Act, replacing the previous judicial review process under the Telecommunications Act. The SARP regime appoints special counsel to handle sensitive information during judicial reviews or appeals, addressing due process concerns and enhancing transparency for organizations affected by orders under the CCSPA. Despite these developments, the core objectives of the CCSPA remain focused on strengthening the resilience of Canada's critical infrastructure by ensuring effective identification and management of cybersecurity risks, including those associated with supply chains and third-party services. 

Top Canadian cyber security body releases flagship guidance for critical infrastructure

Government of Canada

On October 29, 2024, the Canadian Centre for Cyber Security (Cyber Centre), a division of the Communications Security Establishment (CSE), introduced the Cyber Security Readiness Goals (CRGs) to bolster the protection of Canada's critical infrastructure against cyber threats. The CRGs comprise 36 cross-sector cybersecurity practices organized into six pillars: Govern, Identify, Protect, Detect, Respond, and Recover. This comprehensive framework offers organizations actionable steps to enhance their cybersecurity posture amid evolving threats. Designed as a dynamic resource, the CRGs will be updated based on feedback and changes in the threat landscape. This initiative aligns with international efforts, such as the UK's Cyber Assessment Framework and the U.S.'s Cross-Sector Cybersecurity Performance Goals, reflecting a coordinated approach to safeguarding essential services.

Fired Disney worker allegedly hacked into restaurant menus to change peanut allergy information

Ariel Zilber | New York Post

A former Disney employee, Michael Scheuer, has been charged with unauthorized access to Disney World's proprietary menu system, where he allegedly altered allergy information, including false indications that certain dishes were safe for individuals with peanut allergies. This breach, which also involved adding profanity and changing fonts to render menus unusable, was detected before the compromised menus reached the public. The incident underscores significant privacy and security concerns, highlighting the potential risks when sensitive information systems are accessed by unauthorized individuals. It emphasizes the necessity for robust access controls and vigilant monitoring to protect consumer health information and maintain trust in organizational data management practices.

Six senators tell Biden administration UN cybercrime treaty must be changed

Suzanne Smalley | The Record

On October 29, 2024, six Democratic U.S. senators—Tim Kaine, Jeff Merkley, Ed Markey, Chris Van Hollen, Ron Wyden, and Cory Booker—expressed significant concerns regarding the United Nations Convention Against Cybercrime, urging the Biden administration to address provisions they believe could undermine privacy rights and cybersecurity. The senators highlighted that the treaty, originally proposed by Russia in 2017, might legitimize surveillance and censorship by authoritarian regimes, potentially leading to human rights abuses. They emphasized that the convention's current language could compel countries to enact laws allowing law enforcement to access computer systems and electronic data without adequate safeguards, thereby threatening individual privacy. Additionally, the treaty's provisions could criminalize activities of cybersecurity researchers and journalists who identify and report on system vulnerabilities, potentially hindering efforts to enhance digital security. The senators called for a more rights-respecting approach, advocating for explicit requirements to uphold democratic principles and protect against mass surveillance, particularly in nations with histories of human rights violations.

Removed from U.S. blacklist: Waterloo, Ont. tech company promises major changes, watchdogs remain hesitant

Spencer Turcotte | CTV News

Sandvine, a Waterloo-based technology firm, was recently removed from the U.S. Department of Commerce's Entity List after being added in February for allegedly supplying deep packet inspection technology to the Egyptian government, which reportedly used it to target human rights activists and dissidents. In response, Sandvine implemented significant changes, including replacing its ownership group and consulting various organizations to reform its approach to technology deployment. The company has withdrawn its technology from numerous countries with questionable democratic processes and plans to cease services in Egypt. Despite these measures, watchdog groups like The Citizen Lab remain cautious, noting that Sandvine's products are still operational in several problematic regions. This situation underscores the ongoing challenges in ensuring that technology companies uphold human rights and privacy standards in their operations.

RCMP Public Safety Communicators call on RCMP to reverse privacy violations amid critical staffing shortages

Karine Fortin | Financial Post

The Union of Safety and Justice Employees (USJE), representing RCMP public safety communicators, has raised concerns over privacy violations stemming from the RCMP's practice of monitoring employees' personal phone calls during work hours. This surveillance, conducted without prior notice or consent, has been criticized for infringing on employees' privacy rights and contributing to a decline in workplace morale. The USJE argues that such practices exacerbate existing staffing shortages by creating a hostile work environment, potentially leading to increased turnover and further strain on public safety operations. The union is calling for the RCMP to cease these monitoring activities and to implement policies that respect employees' privacy while addressing operational needs.

Talent Quarterly: Employee burnout is on the rise in Canada

Jesse Snyder | The Logic

A recent survey by Pollara Strategic Insights reveals that 24% of Canadian employees are experiencing burnout, an increase from 21% the previous year. Common symptoms include fatigue (40%), low motivation (38%), and declining efficiency (29%). The Robert Half consultancy corroborates these findings, indicating a similar rise in burnout rates. This trend poses significant challenges for employers, potentially leading to decreased productivity, higher turnover rates, and increased healthcare costs. Addressing this issue requires organizations to implement effective mental health support systems and promote work-life balance to mitigate the adverse effects of employee burnout.

CFPB warns industry against ‘deeply invasive’ workplace digital surveillance

Suzanne Smalley | The Record

The Consumer Financial Protection Bureau (CFPB) has issued a warning to businesses regarding the use of digital surveillance and artificial intelligence tools to monitor employees. The agency emphasizes that such practices may violate the Fair Credit Reporting Act (FCRA) if they involve third-party assessments without proper employee consent and transparency. Employers are required to inform workers about data collection methods, the purposes of data usage, and must allow employees to dispute inaccuracies. CFPB Director Rohit Chopra expressed concerns about the use of AI-generated background dossiers and reputation scores in employment decisions, highlighting the potential for misuse and privacy infringements. This guidance underscores the necessity for employers to implement ethical data practices and uphold employee privacy rights in the workplace.

Howard Levitt: Why spying on your co-workers is no longer just a workplace matter

Howard Levitt | Financial Post

In his article, Howard Levitt discusses the evolving legal landscape concerning workplace privacy, particularly regarding employees monitoring their colleagues. He references the 2012 Ontario Court of Appeal decision in Jones v. Tsige, which established the tort of intrusion upon seclusion, allowing individuals to sue for privacy invasions even without financial loss. Levitt highlights a recent case where an employee was terminated for secretly recording conversations with coworkers, emphasizing that such actions can lead to legal consequences beyond employment termination. He advises employers to implement clear policies on privacy expectations and to educate employees about the legal implications of unauthorized surveillance in the workplace.
