On January 22, 2016, Justice Knazan acquitted Gregory Alan Elliott of criminal harassment using Twitter. A tweet is 140 characters – the decision is 84 pages long. It is not succinct, because it is new territory. Applying the criminal law to the social media frontier required a thorough investigation of the medium, the players and the law of harassment.
The decision, appropriately, turns on the facts. However, in reviewing the nature and extent of the interactions on Twitter, and the very nature of Twitter, Justice Knazan does give us some blunt guidance on social media privacy:
“Twitter is not private, by definition and in its essence….To subscribe to Twitter and keep your account open is to waive your right to privacy in your tweets. Arranging a meeting or social event using tweets other than direct messages is like inviting strangers into your home or onto your phone line while you talk to your friends.”
Your parents were right – the internet won’t protect your privacy – it is all up to you.
In the world of business, reputation matters. Being the victim of a cyber-security breach quickly erodes confidence, particularly if you or your organization is in the business of keeping information secure. Hackers know this, and are increasingly targeting high profile players in the security world. In the past few months, both the US Director of Intelligence and the CIA Director have had their personal email accounts hacked. While both have downplayed the information that was compromised, the media have made a big deal out of the events.
There are two lessons to be taken from these breaches. First, hackers can get you if they want. Even with good hardware and software protecting your information, you remain vulnerable. The vulnerability is caused, in part, by weak passwords (the two most common passwords are “123456” and “password”) and gullible humans who click on phishing emails, or give out passwords to strangers posing as service providers or customers. Education and training are helping to address this, but it remains a serious problem.
The second lesson is that the harm to reputation can be disproportionate to the harm caused by the leak. Why? Because if some of your information has been compromised, the insinuation is that all of your organization’s information is at risk. So, if you are breached, how will you respond? Can you confidently say “we know what we have, where it is, and what has happened to it?” Probably not.
If you are like most organizations, information governance is on the “to-do” list. All organizations prioritize information governance AFTER a breach. If you are serious about protecting your reputation, being proactive about information governance is a good investment. A strong information governance program can help to reduce harm, and restore confidence in the event of a breach.
The protection of privacy has prevailed in a landmark decision about whether the Peel Regional Police violated the Charter rights of Rogers and Telus customers in requesting cell tower records as part of an investigation into a jewelry robbery. This type of order is known as a “tower dump”. The records would have disclosed personal information of over 40,000 cell phone users in the area where the crime took place.
Justice Sproat of the Ontario Superior Court found that the demand for disclosure of personal information was “far beyond what was reasonably necessary to gather evidence concerning the commission of the crimes under investigation” and was a breach of the customers’ Charter rights.
He recognized the need for this type of electronic evidence in investigations, but was clear that the intrusion on personal privacy in the production orders should be minimized. “Production orders must be tailored to respect the privacy interests of subscribers and conform with constitutional requirements”. He goes on to provide guidelines for requesting and issuing orders for cellphone records.
From an information perspective, Justice Sproat was candid about the risks associated with the police collecting masses of personal information in investigations: “It is not tenable to reason that since only the police will be in possession of this information any sensitive information will never see the light of day. One needs only read a daily newspaper to be aware of the fact that governments and large corporations, are frequently “hacked” resulting in confidential information being stolen and sometimes posted on-line.”
This statement by the Court should be taken as a warning. All information is at risk of a breach. Your information gathering and storage practices should take this into account. If you are storing unnecessary personal information, expect to be treated harshly if it is compromised.