Shostack + Friends Blog Archive


It’s "privacy," Jim, but not as we know it.

license.jpgThe Canadian Privacy Commissioner has issued a number of new rulings, essentially ruling that anyone in Canada can request an ID card whenever they want. The first, summarized by Michael Geist in “Privacy Commissioner on Domain Name Registrant ID Requirements” says:

requirements of personal identification, such as a driver’s license, in order to change the administrative email address for a domain name registration…was reasonable.

Which is odd, because my drivers license doesn’t contain my email address. Also odd is the idea, in a second case “PIPEDA Case Summary #361, Retailer requires photo identification to exchange an item” that “The investigation established that the information from the piece of identification is not recorded at this store.” Except in the paragraphs prior, they found that:

The store’s purpose for collecting the customer’s name, address and telephone number is to protect against fraud and error in order to protect its customers and business. It asks for photo identification in order to verify that the information provided by the customer is accurate.

So…information is taken down, and verified against the card, but not taken from the card. Would things be any different if they copied the information directly from the card?

It seems to me that these decisions are a great blow to privacy in Canada, essentially nullifying the common law tradition of being able to use whatever name one wants to use in one’s day to day business.

Remember, all non-trivial privacy fears come true. I’m confident that there were claims that drivers licenses won’t be needed for normal everyday life, and privacy advocates predicted this.