Marking 20 years
of bold journalism,
reader supported.
Mediacheck

Apple and Sony Privacy Woes Point to Legal Holes

Millions of Canadians awaken to risks from undisclosed tracking and security breaches.

Michael Geist 4 May 2011TheTyee.ca

Michael Geist, whose column runs on The Tyee weekly, holds the Canada Research Chair in Internet and E-commerce Law at the University of Ottawa, Faculty of Law. He can reached at [email protected] or online at www.michaelgeist.ca.

image atom
Why are we so soft on firms that expose us?

Privacy officials have long warned about unseen consumer privacy risks, yet the issue has rarely generated significant political attention in Canada with potential reforms languishing for years without action. Recent high-profile privacy incidents involving two of the world’s most popular consumer electronic companies -- Apple and Sony -- could help change that as millions of Canadians awaken to the privacy risks associated with undisclosed tracking and security breaches.

Apple was first in the spotlight last month after researchers disclosed that the company quietly installed a database on iPhone users' computers that collected their geo-location activities. With Apple waiting nearly week to respond, millions wondered why the company gathered the data without offering users the opportunity to opt-out, whether their information was disclosed to any third parties, and how the data could be collected on their computers without any security safeguards.

Apple ultimately acknowledged that it was collecting the location information even when consumers opted-out of the iPhone's location services functionality. The company promised a software update that would respect user opt-outs and would cease backing up the location information on their computers.

The Sony incident involved one of the largest consumer security breaches in history. Six days after shutting down its PlayStation Network due an "external intrusion", the company began advising more than 75 million account holders that their personal information, including user profiles, birthdates, passwords, purchasing history, and credit card information, had been stolen.

The sheer scope of the security breach may be unprecedented since Sony appears to have stored all this information together (thereby allowing for easy linkages), much of it without encryption. Given the need to reissue credit cards and safeguard against identity theft and other misuse, the ultimate cost of the breach could run into the hundreds of millions of dollars.

Canada's legal framework: fuzzy and soft

While both companies were at pains to declare their concern for user privacy -- Apple characterized itself as "one of the leaders in strengthening personal information security and privacy" and Sony noted that it "takes information protection very seriously" -- lax security safeguards and delayed public notifications provide little reason for consumer confidence.

Indeed, it has become increasingly apparent that consumers must be the frontline guardians of their own privacy by rotating passwords, only providing personal information that is strictly necessary for the services they use, and opting-out of unnecessary disclosures to third parties.

Even with such measures, risks from security breaches and poor privacy practices remain a reality. Countering these risks requires tough regulation and enforcement so that companies prioritize consumer privacy and face serious consequences when failures occur.

Yet on the legislative and enforcement front, much more can be done. Canada still does not have a mandatory security breach disclosure requirement, so the Privacy Commissioner of Canada learned about the Sony breach through news reports. Moreover, Sony's decision to sit on the information for days without informing the public carries no legal consequences under Canadian law.

In stark contrast to the U.S., privacy lawsuits are also relatively rare in Canada. Within days of the Sony security breach disclosure, a California lawsuit seeking class action status was filed arguing the company did not take "reasonable care to protect, encrypt, and secure the private and sensitive data of its users."

Apple's failure to respect user opt-out requests from collecting geo-location information similarly raises few ramifications under Canadian law. Although the Privacy Commissioner could launch an investigation, there is no real prospect of penalties or fines under the current law. Canadians may expect better of Apple and Sony, but the law has thus far failed match those privacy expectations.  [Tyee]

  • Share:

Facts matter. Get The Tyee's in-depth journalism delivered to your inbox for free

Tyee Commenting Guidelines

Comments that violate guidelines risk being deleted, and violations may result in a temporary or permanent user ban. Maintain the spirit of good conversation to stay in the discussion.
*Please note The Tyee is not a forum for spreading misinformation about COVID-19, denying its existence or minimizing its risk to public health.

Do:

  • Be thoughtful about how your words may affect the communities you are addressing. Language matters
  • Challenge arguments, not commenters
  • Flag trolls and guideline violations
  • Treat all with respect and curiosity, learn from differences of opinion
  • Verify facts, debunk rumours, point out logical fallacies
  • Add context and background
  • Note typos and reporting blind spots
  • Stay on topic

Do not:

  • Use sexist, classist, racist, homophobic or transphobic language
  • Ridicule, misgender, bully, threaten, name call, troll or wish harm on others
  • Personally attack authors or contributors
  • Spread misinformation or perpetuate conspiracies
  • Libel, defame or publish falsehoods
  • Attempt to guess other commenters’ real-life identities
  • Post links without providing context

LATEST STORIES

The Barometer

Do You Think Naheed Nenshi Will Win the Alberta NDP Leadership Race?

Take this week's poll