Findings under the Personal Information Protection and Electronic Documents Act (PIPEDA)

PIPEDA Case Summary #2005-315

Web-centred company's safeguards and handling of access request and privacy complaint questioned

(Principles 4.1.4(b), 4.7, 4.9, and 4.10; subsection 8(7))

Complaint

An individual complained that a web-centred company, with which she had an e-mail account, did not:

  • adequately protect her personal information — she alleged that her e-mail account had been improperly accessed;
  • provide her with a satisfactory explanation when she tried to resolve her concerns; and
  • give her access to the personal information she had requested.

Summary of Investigation

When the complainant attempted to log on to her e-mail account, her password did not work and she had to reset it. As this was second time this had happened in less than a month, she was suspicious that her estranged husband was changing the password in order to gain access to her account. Her password was changed again a few days later.

She contacted the company by e-mail, informing it of the problem and requesting assistance. The company responded, explaining that it did not have access to passwords, and was therefore unable to verify her current password, reset it, or determine why the previous password was now invalid. The company provided her with several reasons to explain why the password might not be working, as well as instructions on how to change it. When she contacted the company again, after her latest password no longer worked, she indicated that she wanted the problem stopped and to press charges. She asked the company to help and, if not, to whom she should escalate the matter. She also asked for a telephone number.

The company again responded by e-mail, suggesting that she update her security question and secret answer as this is information that is most commonly used by unauthorized persons to access an account. The company cautioned her to choose a question that only she could answer, and directed her to the company's on-line information on account security.

The complainant requested a report showing any information that could help her determine who, when, and from where her account was being accessed and how many times the password had been changed. The company responded the same day with instructions on how to change a password. A week later, she wrote again, requesting an investigation into her account. Two weeks later, she reiterated this request. The company replied the same day, informing her that if she wanted information regarding password changes, she would need to provide a subpoena or court order.

With the Office's intervention, the company sent her the password change history for her e-mail account. The information consisted of date, time, and IP address of the computer being used to change the password. While the complainant wanted to know the name of the individual changing the password, the company stated that it did not have this information. The complainant also wanted to know what the passwords were because she was hoping to be able to identify her estranged spouse from this information. However, the company stated that it does not have access to passwords at all because they are encrypted when they are typed in by the user.

The company recommends that users change the password if they are having trouble accessing their account. To do so, the individual is first asked to enter the following information, which is matched with information provided at registration:

  • Date of birth
  • Postal code
  • Country
  • ID (the part of the e-mail address that comes before the @ symbol)

The individual is asked to answer the challenge question he or she selected when setting up the account. In the complainant's case, the question was "what is my mother's maiden name?" When the company-generated password is used, the user is prompted to choose a new password immediately. The company sends an e-mail to the account indicating that the password has been changed. The challenge question can be changed at any time in the password changing process.

The complainant admitted that all the information she provided at registration, including the challenge question, was known by her estranged husband. While the password change history showed that the password had been changed three times, and, with the exception of one date, corresponded to the complainant's version of events, the Office could find no documentary evidence supporting the allegation that the husband changed her password.

As for the lack of assistance allegation, the company stated that the customer care branch of its parent company, located in the United States, addresses complaints and queries from customers. The Canadian company provides a link at the bottom of most of its pages to its privacy policy, which in turn provides a link to a privacy feedback form. Users can use this form to ask privacy-related questions, give suggestions or make privacy-related complaints.

Once the form is filled out and e-mailed, the customer care group responds. The customer care personnel answering privacy questions are trained on specific privacy matters and work with the company's privacy officer and privacy team. The company states that very few questions are escalated to the privacy officer because most questions are standard ones for which the company has answers, such as, "what information do you collect when I sign up for an account?"

The company stated that its privacy team is trained on the requirements of the Personal Information Protection and Electronic Documents Act (the Act), and is involved in all aspects of the business, including product development. The company has operations worldwide, and is therefore subject to privacy laws in many jurisdictions. The Canadian company has a privacy officer located in Canada.

The company also stressed that the nature of its business and the structure of the company are key to understanding how privacy inquiries and complaints from customers are handled. It is a "virtual" company, and the e-mail service it offers is free. Instead of call centres, the company relies on e-mail based responses to queries and the extensive on-line reference section located on its web site. According to the company, this is the most efficient way to answer questions, the vast majority of which are on the same topics. All of its e-mail users can access the bulk of their personal information any time they want. Such information consists of the personal information provided at the time of registration and the contents of the e-mail account. As the accounts are free, there is no billing information as there would be in other types of businesses.

Findings

Issued August 9, 2005

Application: Principle 4.1.4(b) states that organizations shall implement policies and practices to give effect to the principles, including establishing procedures to receive and respond to complaints and inquiries; Principle 4.7 stipulates that personal information shall be protected by security safeguards appropriate to the sensitivity of the information; and Principle 4.9 provides that upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information and shall be given access to that information. Under subsection 8(7), an organization that responds within the time limit and refuses a request shall inform the individual in writing of the refusal, setting out the reasons and any recourse that they may have under the Act. Principle 4.10 states that an individual shall be able to address a challenge concerning compliance with the principles to the designated individual or individuals accountable for the organization's compliance.

In making her determinations, the Assistant Privacy Commissioner deliberated as follows:

Access complaint

  • The company refused the complainant's request in writing, as per subsection 8(7), and indicated that she would need to subpoena the information. The company's reluctance to release the IP addresses was based in part on the fact that it is typically law enforcement officials or lawyers who request this information, and not clients. The company was also concerned that such information could lead to incorrect conclusions on the part of the requester (in other words, he or she might get the impression that a number of individuals are changing his or her password, for example, when in fact the IP address may be linked to the account holder's computer only).
  • In the Assistant Commissioner's view, the IP address does form part of the account information and should be released to the account holder (when she or he requests it). The account holder is then free to pursue identifying the individual through legal channels. As for whether the IP address is third-party personal information, assuming that there is in fact a third party, it is the personal information of both the account holder and the third party.
  • In any event, the company did not have information regarding the identity of the IP address (only the internet service provider would have that), and there was therefore no reason to withhold the information. After the Office intervened, the company released the dates that the password was changed, and the IP addresses of the computers that were used. The Assistant Commissioner was satisfied that the complainant had been given access to her personal information, in accordance with Principle 4.9.

The Assistant Commissioner therefore concluded that the access complaint was resolved.

Safeguard complaint

  • The Assistant Commissioner reviewed the company's measures for changing the password. She noted that the information that is requested, which is matched to the information provided at registration, may be information that is known by another individual close to the account holder. A challenge question, which is selected by the account holder when the account is set up, is then posed.
  • When the complainant first experienced password problems, she was directed to the company's on-line help information. This section talks about the steps an individual should take to protect one's e-mail account, including choosing a password and challenge question that no one else can guess.
  • The complainant stated that she was not very savvy about technological matters and was confused by the company's responses to her queries. However, after reviewing the information she was provided by the company, the Assistant Commissioner did not agree that it was difficult to understand and believed it was reasonable to expect that the complainant had the responsibility to read it and act on it.
  • The Assistant Commissioner noted that while organizations are responsible for protecting the personal information in their possession, there is some onus on the individual to protect his or her own personal information. The company cautions users to choose a challenge question no one else can guess. Indeed, in one of its e-mails to the complainant, it reminded her to ensure that her challenge question could only be answered by her. Asking what her mother's maiden name is was not information that likely only she knew.
  • It was therefore difficult for the Assistant Commissioner to hold the company accountable, when the complainant had not taken the company's advice to fully protect her own personal information. The Assistant Commissioner deemed the company's measures reasonable and found that the company was not in contravention of Principle 4.7.

She concluded that the safeguards complaint was not well-founded.

Compliance complaint

  • With respect to the allegation concerning the company's compliance with the Act, the Assistant Commissioner took into account the nature of the company's structure.
  • As a Web-centred company that provides free e-mail accounts to its customers, it relies on on-line reference material and e-mail responses from customer care to address complaints and inquiries. In general such an approach appeared acceptable and in compliance with Principles 4.1.4(b).
  • However, the Assistant Commissioner noted that under Principle 4.10, an individual shall be able to address a complaint to the person designated as accountable for the organization's compliance.
  • The Assistant Commissioner commented that the privacy officer still has ultimate responsibility, regardless of whether a complainant has followed what staff have told him or her to do, or not. In this case, the complainant had specifically requested the name and telephone number of the person to whom she could escalate the matter. It was at that point that the employees who had been dealing with her should have brought the matter to the attention of the company's privacy officer.
  • She therefore found that the company was not in compliance with Principle 4.10.

Nevertheless, the Assistant Commissioner concluded that the compliance complaint was well-founded.

Further Considerations

The Assistant Commissioner was of the view that the customer care representatives responding to the complainant's concerns should have recognized from her e-mails that her concerns were not being addressed to her satisfaction and should have escalated the matter to the appropriate officials, as the complainant requested. She noted that the employees also needed to be reminded that security issues frequently have privacy implications, which must be taken into consideration when dealing with customer concerns. She therefore recommended that the company implement a procedure whereby outstanding privacy concerns are brought to the attention of the company's privacy officer.