An Edmonton city councillor says he and his team are helping a woman facing intimate partner violence relocate with her children after her address was leaked in an alleged privacy breach by a separatist group.
The way the government has framed this sort of thing before, for private citizens, is that it’s not a “breach” but a “disclosure”, so it’s fine.
Kennedy Stewart used to be the mayor of Vancouver. Before that, he was a federal MP for the NDP. When he ran for mayor, he was the first/only candidate to spam my phone with campaign crap – because he had gotten lists of voter contact details from the federal NDP. Priv comms didn’t care, because it was a political party that had disclosed the information, and political parties are exempt from privacy legislation. The federal NDP was ‘fine’ to hand out my contact data to anyone they wanted, for any purpose they wanted, because there’re no constraints on political parties.
Even when it comes to companies, ‘disclosures’ that get mis-used by the recipient are generally not the fault of the disclosing organisation. Consider the semi-recent Equifax breach. Equifax got in a little trouble because they were found to have insufficient controls at play in that incident – but all the organisations that had willingly disclosed Canadian private data to Equifax were absolved of any guilt / fines. Like banks didn’t get any flak for having sent tons of sensitive information off to a third party that lacked controls / security.
Another odd thought is that historically, things like the yellow/white pages published people’s names, addresses and phone numbers. I just re-verified that it has a bunch of information posted, by looking up my parents – it’s less common, I think, for them to list people without official landlines connected to street addresses, and the information may be a bit dated, but it’s there. Given that these sorts of companies have been posting up people’s contact information for literally decades, I would imagine that the ‘base risk’ of having that information be public is considered ‘very low’: you sorta need to demonstrate how information being ‘out there’ is a huge risk to the individuals when there’s a ‘breach’, and I reckon given the historic existence of these sorts of services / this sort of information being online, it’d be considered a non-risk in general. I have, quite literally, been in the room when lawyers have said things like customers having their bank statements leaked isn’t an issue they think requires a public disclosure – this was in relation to the DOXIM data breach that happened fairly recently. Lots of Canadian credit unions were impacted by that breach, which was effectively a breach of customer banking statements – not so many disclosed the incident to impacted members, because of legal advice. Statements generally have name, address, phone number, account numbers, account balances and purchase histories: but lawyers/legal sorts were advising the industry that even this information wasn’t sufficient to constitute a ‘threat’ to individuals, and as such didn’t explicitly require a disclosure under Canada’s privacy frameworks. Those that made disclosures typically did so because they felt it the ‘right’ thing to do, against legal recommendations from industry counsel.
Like the reason SINs getting leaked is a bigger issue/concern, is that in the past, you could use that information + basic contact type information, to legitimately get the government to issue you ID as that person – “I lost my wallet, I need a new SIN card – I have a SIN card, I need a copy of my Birth Certificate – I have a SIN and a Birth Certificate, but I lost my photo ID, can I get a new one?” sorta deal. You could then take that official government ID to get things like Bank Loans. Which could then result in massive legal headaches for the person who’s had their identity stolen. A fairly clear “leak resulting in damage/risk” type flow. Harder to establish when it’s info that’s already, basically, publicly available on the whitepages.
Oh yes, the public phone book, that you could pay a fee to not be listed in