m3chen
join:2009-12-03
Toronto, ON

1 recommendation

m3chen

Member

Re: Teksavvy and PIPEDA

To all TSI customers,

Because of recent alarming events, I feel that a general discussion about our privacy is warranted. While I was reviewing some documentation from the Office of the Privacy Commissioner of Canada, I noticed some interesting points regarding PIPEDA (Personal Information Protection and Electronic Documentation Act):

PIPEDA requires private-sector organizations to collect, use or disclose your personal information by fair and lawful means, with your consent, and only for purposes that are stated and reasonable.

They’re also obliged to protect your personal information through appropriate security measures, and to destroy it when it’s no longer needed for the original purposes.


If the intent of the data logs was originally intended for customer support then handing it over to Voltage Pictures would constitute a violation of Tek Savvy's customer privacy as it now is being used for purpose beyond its original intent. A key sticking point to handing this data over is the lawfulness of re-purposing the data without the consent of the customer that is not reasonable (i.e. threat of a lawsuit for alleged copyright infringement based on flawed evidence for a company that is known for its extortionist behaviour).

If you happen to be one of the affected users of the 2000 IPs, you should tell TSI that you do not consent to your data being given to Voltage Pictures unless they can present direct evidence linking you to the alleged copyright infringement (i.e. they have concrete proof to show that you actually downloaded their movie and intended to sell it off to others as they have alleged thus far). Handing over your data would violate your privacy rights and their obligation to PIPEDA.

Here is some more interesting stuff from the PIPEDA (*Important sections have been highlighted):

The Privacy Commissioner is an independent ombudsman who tries to resolve disputes through negotiation, mediation and conciliation.

You are entitled to file a complaint if you believe a business is violating any provision of PIPEDA.

For example, you might complain if you run into trouble obtaining your personal information, if an organization refuses to correct information you consider inaccurate or incomplete, or if you suspect your personal information has been improperly collected, used or disclosed.

It’s important to try to settle the dispute yourself first. Under PIPEDA, organizations must have on staff a person who is responsible for privacy issues, and this is where you could begin.

You may also want to contact the organization's industry association, ombudsman or complaints office, if there is one. For example, the Canadian Marketing Association and the Ombudsman for Banking Services and Investments handle customer complaints about their member companies.

If you aren’t satisfied with the outcome, you have the option of filing a complaint with the Office of the Privacy Commissioner of Canada.


Here is the source for this information:
»www.priv.gc.ca/informati ··· 08_e.asp

I feel that we should all contact TSI and inform them of their obligations to us (their customers) under PIPEDA and that we do not consent to our data being handed over to any outside organization unless under reasonable terms; what these terms are is up for discussion and I’m hoping that we can have one here on these forums to address this issue.

P.S.

Here is the contact info for TSI Privacy Ombudsman:

Privacy Ombudsman
TekSavvy Solutions Inc.
800 Richmond Street
Chatham, Ontario N7M 5J5
Fax: 519-360-1716
Email: privacy@teksavvy.com

Cheers,

M
voxframe
join:2010-08-02

voxframe

Member

Very interesting point m3chen.

Very slippery slope TSI.
pegcitynet
join:2009-09-02

pegcitynet to m3chen

Member

to m3chen
Poor Marc. Stuck between a rock and a hard place.
JMJimmy
join:2008-07-23

JMJimmy to m3chen

Member

to m3chen
Case law is against you on this m3chen. R v Ward set the precedent that you do not have a reasonable expectation of privacy online when the ToS of the ISP allows for such disclosure. TSI's ToS/privacy policy specifically allows for this type of disclosure. In addition Voltage is not asking TSI to disclose your private logs, merely the customer's basic information (name/address/etc) associated with their logs. Such information is not protected by PIPEDA.

Edit: also, good luck getting a response from privacy@teksavvy.com - 8 days and nothing. Had TSI not been able to delay the decision until the 14th any response from them would have come too late to be of any use.

Tx
bronx cheers from cheap seats
Premium Member
join:2008-11-19
Mississauga, ON

1 recommendation

Tx to pegcitynet

Premium Member

to pegcitynet
said by pegcitynet:

Poor Marc. Stuck between a rock and a hard place.

Not really... Teksavvy once stood on a pedestal as the saviour of all consumers in Canada because they fought so hard for rights.

Under different management now... things change i guess.

I honestly feel bad saying it.

hear hear
@videotron.ca

hear hear to m3chen

Anon

to m3chen
Yup. I stated this around page 2 of the blog topic when I was stating that all this adds up in costs. So..

a) it will drive costs way up there
b) you have rights (more than 1 heh)
c) you have rights to file with privcom
d) teksavvy then again has to respond to all this which drives costs up again via privcom (they need to respond twice if a complaint is filed)
e) TSI has a right to reply within 30 days max

...and lots more

Cost of doing business in Canada. And it costs even more in Quebec.

+1 TSI

I think I may just send TSI some Quebec 11% micro-brew just because now.

Not sure which I should send them... there is:
-Maudite ("Damn"),
-La Fin du Monde ("The End of the World"), or
-Don de Dieu ("The Gift of God") though I've only seen this one once.

hm
@videotron.ca

hm to pegcitynet

Anon

to pegcitynet
said by pegcitynet:

Poor Marc. Stuck between a rock and a hard place.

Not really. It's up to TSI to cost this properly and to claim costs.

It is people's right to do so. It would have been the first thing I would have done if I got such a letter (as I stated from the beginning).

There are basic rights under PIPEDA and basic rights to file w/ privcom under PIPEDA.

How this all comes together when faced with a motion such as this isn't my concern. Up to them (TSI & PrivCom) to spell it out for people.
Samgee
join:2010-08-02
canada

Samgee to m3chen

Member

to m3chen
said by m3chen:

unless under reasonable terms

I am quite certain that a court order would fit this definition.

TSI Marc
Premium Member
join:2006-06-23
Chatham, ON

1 recommendation

TSI Marc to Tx

Premium Member

to Tx
said by Tx:

said by pegcitynet:

Poor Marc. Stuck between a rock and a hard place.

Not really... Teksavvy once stood on a pedestal as the saviour of all consumers in Canada because they fought so hard for rights.

Under different management now... things change i guess.

I honestly feel bad saying it.

You should feel bad. I was there for every minute and agreed with every action *and helped* in each one of those actions that TekSavvy has ever taken.
tired
join:2010-12-12

1 recommendation

tired to m3chen

Member

to m3chen
Um. If a court orders TSI to hand over your information then they don't have a choice. They have to. Their obligations under PIPEDA were fulfilled when they told Voltage that no court order meant no information.

So there are lots of ways you can approach and fight what's going on, but this one is a dead end.

You would be much better off trying to corner your MP, pointing out what's going on, and asking if this is what they expected would happen when they passed bill C-11, and if not then WTF are they going to do to help us.
mattvmotas
Premium Member
join:2010-09-04
Amherstburg, ON

mattvmotas to m3chen

Premium Member

to m3chen
said by m3chen:

To all TSI customers,

If the intent of the data logs was originally intended for customer support then handing it over to Voltage Pictures would constitute a violation of Tek Savvy's customer privacy as it now is being used for purpose beyond its original intent.

The Privacy Act does not override a court order. You are taking an excerpt out of context. If a court orders TSI to produce the information then that is an overriding legal requirement that supersedes the Privacy Act.

nitzguy
Premium Member
join:2002-07-11
Sudbury, ON

nitzguy

Premium Member

said by mattvmotas:

said by m3chen:

To all TSI customers,

If the intent of the data logs was originally intended for customer support then handing it over to Voltage Pictures would constitute a violation of Tek Savvy's customer privacy as it now is being used for purpose beyond its original intent.

The Privacy Act does not override a court order. You are taking an excerpt out of context. If a court orders TSI to produce the information then that is an overriding legal requirement that supersedes the Privacy Act.

...Not to play devil's advocate, but is there a specific way the information has to be handed over? .....If so I'd be happy to pay to get some trees cut down and for some toner ink to have it all done by paper....

I mean if TSI has to give the information over, it shouldn't have to give it over on a silver platter all nicely and neatly formed and whatnot......just give it to them as raw data....I know they could pay someone to electronically transfer it all, but its the principle I guess....
resa1983
Premium Member
join:2008-03-10
North York, ON

resa1983

Premium Member

said by nitzguy:

said by mattvmotas:

said by m3chen:

To all TSI customers,

If the intent of the data logs was originally intended for customer support then handing it over to Voltage Pictures would constitute a violation of Tek Savvy's customer privacy as it now is being used for purpose beyond its original intent.

The Privacy Act does not override a court order. You are taking an excerpt out of context. If a court orders TSI to produce the information then that is an overriding legal requirement that supersedes the Privacy Act.

...Not to play devil's advocate, but is there a specific way the information has to be handed over? .....If so I'd be happy to pay to get some trees cut down and for some toner ink to have it all done by paper....

I mean if TSI has to give the information over, it shouldn't have to give it over on a silver platter all nicely and neatly formed and whatnot......just give it to them as raw data....I know they could pay someone to electronically transfer it all, but its the principle I guess....

They specifically asked for it to be handed over in Excel format.

TwiztedZero
Nine Zero Burp Nine Six
Premium Member
join:2011-03-31
Toronto, ON

TwiztedZero to tired

Premium Member

to tired
said by tired:

You would be much better off trying to corner your MP, pointing out what's going on, and asking if this is what they expected would happen when they passed bill C-11, and if not then WTF are they going to do to help us.

+1 That too! Start writing your MP's, start influencing the lawmakers! Strive for Change in Canada!
JMJimmy
join:2008-07-23

JMJimmy to resa1983

Member

to resa1983
They can ask for it in any format they want, they CANNOT get it in Excel format. PIPEDA is very very clear on this issue: TSI must ensure that any 3rd party that gets data collected by them adheres to the same level of security TSI uses to protect its customer data. Passing it along in unencrypted Excel format is not secure at all and I'm sure TSI has much stricter systems in place.
m3chen
join:2009-12-03
Toronto, ON

1 edit

m3chen to JMJimmy

Member

to JMJimmy
@ JMJimmy:

With regards to TS Policy on Privacy; Name, Address and IP information fall under PIPEDA as defined on the Office of the Privacy Commissioner's website:

"Your personal information includes your...

• name, race, ethnic origin, religion, marital status, educational level
• e-mail address and messages, IP (Internet protocol) address
• age, height, weight, medical records, blood type, DNA code, fingerprints, voiceprint
• income, purchases, spending habits, banking information, credit/debit card data, loan or credit reports, tax returns
• Social Insurance Number (SIN) or other identification numbers.
"

If you have contacted Tek Savvy's Privacy Ombudsman and have not received a response in a timely manner (i.e. 1-5 business days), I urge you to file a complaint with the Office of the Privacy Commissioner and attach your original e-mail to the complaint.

As for case law (R vs Ward, see here for details: »www.ontariocourts.ca/dec ··· 0660.htm), you should note that was a case involving child pornography. In R vs Ward "police make this request following a protocol developed by the police and the ISPs, but without seeking or obtaining any prior judicial authorization." Saying that a copyright infringement case and a child pornography case are the same is stretching the word "reasonable" beyond what is actually reasonable. Here is the problem with your example of case law and where it applies in this particular unfolding case:

- Voltage Pictures (an American company) is not a law enforcement agency. While it has the right to protect its intellectual property, it does not have the right to do so if it violates a Canadian citizen's privacy to do so. I would have to be busted selling pirated DVDs at a store with a computer with TSI internet service for them to have enough evidence to allege what they are alleging in their lawsuit and have a "law enforcement agency" (i.e. Crown Attorney / RCMP / OPP / TPD) request the information. Requesting the information so that they can "fish" for evidence against me and use it to extort money from me with no intent to sue me (see NGN vs Does here: »New Canadian Bittorrent lawsuit: Who shared "Recoil"?) means I have a right to expect that my privacy will be kept by Tek Savvy as Voltage Pictures' demands are unreasonable (they have NO concrete evidence against anyone at this point).

Here is what i'm proposing is a reasonable:

If a law enforcement agency contacts TS for the purpose of an ongoing investigation / lawsuit, then I would expect them to contact me and tell me that they must hand over my information due to a criminal investigation and I should saddle up with a lawyer.

If a third party requests my information and my consent is not given, I would expect that unless I was already identified as a part of a lawsuit and the information was requested by the court to "develop reasonable and probable grounds to obtain a search warrant for the customer’s residence and computer", such requests would be denied on the grounds that they conflict with the ISP's obligation to PIPEDA and the customer's section 8 rights in the Charter of Rights and Freedoms. If law enforcement agencies must face stringent requirements to get my private personal data, third parties must face even more stringent requirements to get at it.

TwiztedZero
Nine Zero Burp Nine Six
Premium Member
join:2011-03-31
Toronto, ON

TwiztedZero

Premium Member

Well said, m3chen!
JMJimmy
join:2008-07-23

JMJimmy to m3chen

Member

to m3chen
Again, you're ignoring the R v Ward precedent. The major difference between R v Ward and previous rulings was that the judge took into account contract law. The justice determined that because of Bhell's ToS their customers have no reasonable expectation of privacy from law enforcement or otherwise. Read Teksavvy's ToS and privacy policy. They've got the right to disclose the information (name, address, phone number, and possibly email address) without needing a court order or consent. The fact that they are insisting on a court order is admirable.

Re: filing a complaint over no response... I'll let it slide seeing as Marc has personally addressed my concerns about the lack of response and I expect a call shortly to get the issue sorted. Way way above and beyond. I could not be more impressed with Teksavvy and how they've handled the issue. I'd hate to be a Bhell/Robbers/Cogeco customer right now (or ever).
bt
join:2009-02-26
canada

1 recommendation

bt to m3chen

Member

to m3chen
said by m3chen:

Here is what i'm proposing is a reasonable

That is reasonable... but it's not current reality.

An issued court order based on a request from a private party in a civil matter carries the same weight as an issued court order based on a request from a law enforcement agency in a criminal matter.

Voltage doesn't have the legal authority to force TSI to hand over that information - but the Courts do.

Nor does it matter what nationality the company in question is. Canadian companies don't have more rights under our new Copyright laws than companies from other countries.

hm
@videotron.ca

hm to Samgee

Anon

to Samgee
said by Samgee:

said by m3chen:

unless under reasonable terms

I am quite certain that a court order would fit this definition.

Yes. But these are things Ontario users should have done on the first breaking news of this.
hm

hm to mattvmotas

Anon

to mattvmotas
said by mattvmotas:

The Privacy Act does not override a court order. You are taking an excerpt out of context. If a court orders TSI to produce the information then that is an overriding legal requirement that supersedes the Privacy Act.

No. You're right.

However, people have a right to know what TSI has on file, what info will be given, what the logs actually show, to actually see these logs and info, to find out from Voltage who they are sharing your info with, how Voltage will safeguard and protect it, if your info is leaving the country or staying with some Toronto law firm, on and on and on.

Marc has 30-days to reply, and even with a reply you can file with privcom. Then TSI has to reply again (so reply twice).

Not 100% sure, but the same can be done with voltage.

2300 X 2, as a minimum for TSI

2300 x 2, as a minimum for voltage (or their Canadian law firm)

And there is no cost or a very minimal cost (5 to 20$) to do this.

Nothing stops this. This is the basics rights under PIPEDA, is it not? I believe it is.
bt
join:2009-02-26
canada

bt

Member

Sounds about right for TSI's responsibilities.

I have no idea when it comes to Voltage (& Co.), though. It's definitely an interesting question. At the very least, it'd be entertaining to see them get flooded with PIPEDA requests if the list of contact info does get released to them.
shepd
join:2004-01-17
Kitchener, ON

shepd to m3chen

Member

to m3chen
I am quite certain if TSi refuses to follow a court order to hand out information for any reason, even because a user follows this advice and TSi believes them, TSi will not only get slapped with a contempt of court charge, but they will end up being served with an Anton Piller order and thus out of business before the end of the day.

hm
@videotron.ca

hm

Anon

said by shepd:

I am quite certain if TSi refuses to follow a court order

No one is stating this.

Guspaz
Guspaz
MVM
join:2001-11-05
Montreal, QC

Guspaz to m3chen

MVM

to m3chen
Any concerns about information disclosure under PIPEDA would happen before the court order is issued. They may be grounds to deny Voltage's motion of discovery... But once the motion is granted and the court orders disclosure, it's too late for TekSavvy to talk about PIPEDA.
m3chen
join:2009-12-03
Toronto, ON

m3chen to shepd

Member

to shepd
@ JMJimmy:

With regards to the R v Ward precedent; it only applies to law enforcement pursuing a lawsuit against an individual in a criminal case. The precedent in R v Ward only applies to law enforcement seeking to gain information in a criminal case involving an on-going investigation. Having said that I believe that the courts / a judge will decide whether or not this information will be given out; so far this has not yet happened. This case has no precedent as they are attempting to find information about unknown individuals in a civil case (hint: fishing for evidence). Neither of us is a lawyer but we're both voicing our opinions on how TSI should be protecting our privacy; I'm pushing for people to be proactive in protecting their privacy from known extortionists.

Here is an excerpt from TS Privacy Policy:

In certain circumstances personal information can be collected, used or disclosed without the knowledge and consent of the individual. For example, the TekSavvy Companies may collect or use personal information without knowledge or consent if it is clearly in the interests of the individual and consent cannot be obtained in a timely way, such as when the individual is a minor, seriously ill or mentally incapacitated.
The TekSavvy Companies may also collect, use or disclose personal information without knowledge or consent if seeking the consent of the individual might defeat the purpose of collecting the information such as in the investigation of a breach of an agreement or a contravention of a federal or provincial law.
The TekSavvy Companies may also use or disclose personal information without knowledge or consent in the case of an emergency where the life, health or security of an individual is threatened.
The TekSavvy Companies may disclose personal information without knowledge or consent to a lawyer representing the TekSavvy Companies, to collect a debt, to comply with a subpoena, warrant or other court order, or as may be otherwise required by law.


These are the only lines that would cause TSI to disclose any of their customer's private information. See below for more:

@Shepd:
At this current time this is a civil case and there is no court order to disclose the data. What I'm getting at is that there are grounds for Tek Savvy to not disclose the data due to privacy concerns and the Judge should be made aware that the "Does" in the case do not consent to their information being given away on hearsay evidence. Voltage Pictures' evidence of "forensic investigation revealing the "Internet Protocol Address" of the allege copyright infringees" is nothing more than hearsay in its current state and has not been tested in court. No expert has reviewed this "forensic investigation" to be legally valid and it is an assertion that needs to be addressed before any data is to be handed away. Imagine what will happen if someone was incorrectly sued because TS gave Voltage Pictures the private information of a customer based on flawed / incorrect evidence. Do you not think they'll sue the pants off of TS?

@HM:

That's a very good idea and one I recommend people affected by this lawsuit follow up on. Since their data has not yet been given away, I highly recommend contacting TS to let them know of their obligations to PIPEDA and that they do not give consent (even if their data is given away anyways without consent, at least the record will show that the users protested their rights being violated). It would also be wise for anyone with legal counsel to have this information provided to their lawyer if they have gotten that far.
JMJimmy
join:2008-07-23

JMJimmy

Member

Except for:

The Privacy Policy does not impose any limits on the collection, use or disclosure of the following information by the TekSavvy Companies:

(i) information that is publicly available, such as a customer's name, address, telephone number and electronic address, when listed in a directory or made available through directory assistance; or

(ii) the name, title or business address or telephone number of an employee of an organization.

Electronic address is iffy because what constitutes a directory for email addresses? If it comes up in a google search that may be enough.
Baraka
join:2012-12-11
Toronto, ON

1 edit

1 recommendation

Baraka to JMJimmy

Member

to JMJimmy
»canlii.ca/en/on/oncj/doc ··· 355.html

Oh yeah, R. v. Ward. Yet another kiddie porn case where privacy rights were gutted for the rest of us. It's funny (maybe the wrong word) how copyright trolls continually try to conflate file sharing with child pornography. If you look at Voltage's legal filings so far, they cite two specific cases, R. v. Ward being one of them, where courts in Ontario and Saskatchewan ruled that internet subscribers have no reasonable expectation of privacy when it comes to their IP addresses. Both kiddie porn cases, of course. Almost all of Voltage's legal argument for obtaining TekSavvy's customer information rests on these two cases, in fact.

I guess if you want to follow the law these days and gain a reasonable expectation to privacy, you must become an outlaw (in most parts of the world) and pay for it. That means subscribing to a VPN service. I wonder how long it'll be before those are outlawed too, based on some future kiddie porn cases? Or maybe terrorism? Always beware when you hear a politician say, "it's for The Children", or "it's to keep us safe from The Terrorists".
m3chen
join:2009-12-03
Toronto, ON

m3chen

Member

BTW some disclosure: I'm not one of the people named in the suit.

hm
@videotron.ca

hm to JMJimmy

Anon

to JMJimmy
said by JMJimmy:

Except for:

You are misinterpreting PIPEDA here.
a) this is not the phone book instance
b) this is not a business address.
c) it gives rise to liability

The PrivCom website mentions exemptions, and in this case this is not an exemption.

In addition to the above, where info is given that can give rise to liability (either party, as is the case here) then they have the obligation (which TSI has mostly already performed, BTW. Except for those they stated they haven't had the time to contact).

So no, barring a court order.

It's heavy reading and going through it all may take a few days, but you can read it all on privcom.

In addition, there is a very big black hole that has opened up due to the fact the harper gov updated laws incompletely (their words). Still to come out is notice-on-notice some time next year. PrivCom is the perfect place to bring this up.

We pay privcom's salary for this and to ask questions to them. So if people are just going to ignore privcom yet pay for them, then there is this BMW i've been looking at that you can pay for as well. Doesn't matter to me which model, just buy me a frigging BMW. thanks. It will be cheaper than what we pay PrivCom annually, plus you don't use privcom it seems. So stop paying taxes too while you're at it