No day goes by without some new internet peril being drawn to our attention. The most recent evil is an internet based program called Firesheep. Like others (i.e. Wireshark, Tshark, Snort, Nmap, etc.), this program, a free download on the internet, allows users to troll cyberspace for open WiFi networks and, by doing so, access personal data and communications. The danger in this is self-evident. A recent article by Gillian Shaw in the Vancouver Sun explains the program and its perils in good detail. From a legal point of view, is there a problem with using these programs? The short answer is yes, on many levels.
Among other things, intercepting electronic data is a criminal offence (i.e. section 184 of the Criminal Code). It is essentially theft. For the person from whom data is stolen while they are using a WiFi network, it could amount to a breach by them of theFreedom of Information and Protection of Privacy Act (“FIPPA”). This would occur where that data was accessed by a hacker in circumstances that the rightful user knew or ought to have known created a risk of disclosure. The use of an unsecure WiFi network in a public place creates just such a risk. It would be a breach of section 30.4 of FIPPA which prohibits disclosure of personal data except as authorized.
Electronic eavesdropping can also give rise to an actionable civil claim for breach of privacy. The courts have long recognized a claim for breach of privacy at common law but the legislature has also codified such a claim in the Privacy Act, first enacted in B.C. on April 6, 1968. This five section statute creates the statutory tort of “willfully and without claim of right” violating the privacy of another. Whether someone’s privacy has been violated will depend on the context of each case. But it is a fair argument that the use of a program such as Firesheep to access private networks and data over the internet, even in a public space, amounts to a breach of privacy. The essential issue is whether the owner of the WiFi network being hacked has an expectation of privacy.
The Privacy Act also protects from the unauthorized use of the name or portrait of another. Specifically, it codifies the tort of using the “name or portrait of another for the purpose of advertising or promoting the sale of, or other trading in, property or services” without consent.
While it is always better to avoid the loss of personal electronic data, there are remedies available when it occurs. As a practical matter, however, learning that you have been “hacked” and finding the person who did it are frequently insurmountable impediments to pursuing that civil remedy.