Commissioner Cavoukian Says the Patriot Act Is “Nothing”
Last Thursday, Ryerson University hosted a symposium entitled “Exploring the Future of E-mail, Privacy and Cloud Computing at Ryerson.” It was co-hosted by a Ryerson administrative committee and Ryerson’s Privacy and Cyber Crime Institute for the purpose of seeking input on Ryerson’s own plans to upgrade its e-mail and collaboration systems, including its open consideration of cloud-based services. Ryerson was kind enough to open the event to individuals outside of its own community, and attracted a number of interested observers from other Ontario post-secondary educational institutions, many of which are also intrigued by the clear benefits of outsourcing to the cloud.
Although e-mail is generally associated with information of a less sensitive kind than that held in many other post-secondary educational institution records, the benefits of outsourcing to the cloud are nonetheless being assessed by institutions in light of the potential for loss of confidentiality. In 2009, Lakehead University defeated a grievance brought by its faculty association that claimed it had violated faculty members’ privacy and right to academic freedom by outsourcing its e-mail system to Google and thereby exposing faculty members’ communications to interception by American law enforcement authorities. The Lakehead grievance was brought on some association-favorable collective agreement provisions – including one promising members “a computer connection” and another expressly promising privacy in personal and professional communications. Regardless, Arbitrator Joseph Carrier dismissed the grievance on a finding that the university did not promise faculty members absolute data security (an impossibility).
The Lakehead decision was rendered in May 2009. In June 2009, the federal Commissioner consolidated her (pragmatic) views in a guideline on processing personal information across borders. The Information and Privacy Commissioner of Ontario made her views on cross-border outsourcing risks clear for the first time at the Ryerson symposium. The Commissioner herself said:
You just heard before myself Brian [Lesser, Assistant Director, Application Development and Integration Computing and Communications Services at Ryerson] make a compelling case about outsourcing e-mail onto the cloud. That, of course, is your decision. But, don’t let things like the Patriot Act… I mean, it’s just such a red herring. It’s nothing. There are stronger, before the Patriot Act existed, there are other things that would do what the Patriot Act would suggest that you might be concerned about. Whether you have the Patriot Act or not it doesn’t matter. There will always be law enforcement methods and techniques that will access certain types of information here, there and everywhere. What you should concern yourself with is the kind of accountability that you will be able to maintain if your e-mail systems go into the cloud. That’s what would concern me.
Though the Ontario IPC’s jurisdiction over employee privacy matters is limited, the Commissioner’s statement is nonetheless significant. It should be read as representative of a pragmatic outlook, but not as a license to ignore country-specific risks related to an outsourcing. Both the Commissioner and David Fraser, who spoke next, stressed the importance of conducting a comprehensive risk assessment as a prelude to any outsourcing.
Fraser (who’s known to many of us here at Slaw) also did a very good job of comparing and contrasting the Canadian and American domestic intelligence laws. He made the argument that there is no significant incremental risk associated with exposing e-mail to American domestic intelligence laws given our own laws. David has posted his slides here.
James Turk, the Executive Director of the Canadian Association of University Teachers, spoke last. He addressed the Association’s concern, less about personal privacy than about academic freedom, which he argued rests on “control and confidentiality of [our] professional information.” Turk said, “And unlike the Privacy Commissioner I don’t think [making communications subject to American law] is a red herring and unlike David I don’t think the fact that there are problems with laws in Canada means that we don’t have to be worried about the American legislation and its implications.”
Ryerson has posted the morning session (including Ann Cavoukian and David Fraser) and afternoon session (including James Turk) for viewing. The afternoon session also has a particularly good panel discussion featuring Fraser, Turk and Fred Carter of the IPC.
I agree that among the risks to privacy associated with putting your data in the cloud, invasion by Homeland Security is minor. (And, of course, as suggested in the post above, Canadian agents likely have less than perfect compunction about sharing information obtained here.) But that doesn’t mean it is non-existent — any lawyer representing a person of interest to the U.S. government can expect that gentlemen from below will be reading their mail. One hindrance to this — and likely a solution to most other security breaches — would be encryption of data.
I say “hindrance” because current reports have US agents obtaining a warrant to install keystroke loggers on a suspect’s machine, when they thought he was using PGP. And if your data’s in a US-based cloud, and you use the cloud company’s encryption, they can be compelled to assist in cracking it.
Software firms are developing sophisticated encryption tools that can be applied locally to your data, which can then be stored in the cloud. See, for instance, CipherCloud, which boasts Canada’s NDP as a client — as well it might be, given recent reports on the thousand-plus pages collected by the RCMP on good old Tommy Douglas, enemy of the people.