Findings under the Personal Information Protection and Electronic Documents Act (PIPEDA)

PIPEDA Case Summary #2001-25

A broadcaster accused of collecting personal information via Web site

[Section 2; and Principle 4.3, Schedule 1]

Complaint

An individual complained that a broadcaster had attempted, through its advertising server, to collect his personal information, specifically the NETBIOS information on his computer, without his consent.

Summary of Investigation

The complainant had a computer equipped with both a cable modem for Internet connection and a firewall designed to detect and block attempts at intrusion. Every time he tried to log onto the organization's Web site, his firewall detected, rejected, and reported on, an attempt by the broadcaster's advertising server to gain access to the NETBIOS information on his computer. A NETBIOS is a computer's common or "friendly" name related to its Internet protocol (IP) address. If an IP address is traced, it allows access to information such as Web sites visited by the computer's user or recent passwords used in obtaining access to secure accounts. The likelihood of tracing an IP address is small if the user has dial-up Internet access, but significantly greater if the user has a fixed Internet connection via a cable modem, as was the case with the complainant.

After conducting internal inquiries, the organization confirmed that the complainant's allegation was true. The broadcaster explained that the network administrator, on installing Microsoft Windows NT had neglected to deactivate certain features that come automatically with that program. These features, known as Internet Name Services, enable a server to collect the NETBIOS information of Web site users. Once informed that the features were on, the network administrator promptly turned them off. The complainant subsequently confirmed that his firewall no longer detected any attempts by the organization to obtain his NETBOIS information.

Commissioner's Findings

Issued November 20, 2001

Jurisdiction: As of January 1, 2001, the Personal Information Protection and Electronic Documents Act applies to federal works, undertakings or businesses. The Commissioner had jurisdiction in this case because broadcasters are federal works, undertakings or businesses, as defined in the Act.

Application: section 2 of the Act defines personal information to be ". information about an identifiable individual .". Principle 4.3 of Schedule 1 states that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.

The Commissioner was satisfied that in some circumstances, notably the complainant's, a NETBIOS might be used to obtain information traceable to an identifiable individual. He determined therefore that the information at issue was personal information for purposes of the Act.

The Commissioner found that the broadcaster had failed to meet its obligations under Principle 4.3. However, he did not dispute the broadcaster's explanation that this failure had been unintentional, and he noted that its response had been satisfactory.

He concluded therefore that the complaint was well-founded and resolved.