ARCHIVED - Social Networking and the New Rules of the Road

Remarks at the IAPP Canadian Privacy Summit

Toronto, Ontario
April 30, 2009

Address by Jennifer Stoddart
Privacy Commissioner of Canada

(Check against delivery)


Introduction

Thank you for inviting me. It’s always inspiring to come to an IAPP event and meet so many people dedicated to privacy protection. The IAPP team has once again put together an interesting and diverse conference program for us. Our Assistant Commissioner for PIPEDA, Elizabeth Denham, sends her regrets. She is in Dublin, attending a meeting of the Galway Project – an initiative which brings together the private sector and regulators to consider what it means for an organization to be accountable for the personal information it collects – and whether current privacy principles need to be tweaked.

As you know, global privacy matters have been a key focus of my Office’s work because they have such a significant impact on Canadians through technology.

I’d like to speak with you today about another issue that has been the subject of a great deal of creative thinking in my Office over the last year or so – social networking.

We’ve been looking at a complaint against Facebook and we’ve just completed another investigation involving a social networking site. We’ve also done a great deal of public education work around social networking. And we’ve conducted and funded various research projects related to the issue.

The phenomenon of social networking requires us to think about privacy protection in new ways.

We are seeing a dramatic shift in the way in which people communicate as a result of the huge popularity of social networking sites.

And we as a society – here I include the sites themselves, users, parents, employers and data protection authorities – are only beginning to develop the appropriate rules of engagement in this new world.

I’d like to share some thoughts about these shifts and also offer a few suggestions about how we could all be doing a better job of protecting privacy in light of the enormous change we’ve seen in a very short period of time.

A Broad Range of New Challenges

Before we look at the privacy challenges raised by social networking, I think it’s important to point out that this is only one in a broad range of new technologies raising interesting issues when it comes to applying privacy legislation developed with more traditional models of collection and use of information in mind.

For example, street-level photography services, the best-known of which is Google Street View, are raising important questions for my Office as well as for my fellow commissioners in Alberta, B.C. and Quebec.

We’ve been in discussions with Google about Street View since 2007. A key concern for us is the question of notification and consent. Google and other street-level imaging services should ensure that people receive adequate notification that their images will be captured and uploaded to the Internet.

We’ve seen some notification by Google in recent weeks. Ideally, we’d like to see more than a press release – for example, it would be important for people to have an idea of when a Google car will be touring their neighbourhood to collect images.

We were also pleased that services such as Google and Canpages have agreed to blur people’s faces; however, we have questions about how well the blurring technology is working.

Our other major concern relates to the retention of “unblurred” images of people’s faces.

Street-level imaging sites still have a ways to go when it comes to protecting privacy. We recently worked with our counterparts in B.C., Alberta and Quebec to develop guidance on our expectations on what needs to be done.

You can find that document – Captured on Camera – on our website.

Meanwhile, behavioural advertising – which we’re only beginning to see – is already and will continue to be a very challenging issue for data protection authorities to address.

Deep packet inspection – an Internet traffic management tool which allows network providers to peer into the digital packets that compose a message or transmission over a network – raises all sorts of implications for us.

At present, we have no evidence that Canadian ISPs are looking at the content of traffic. However, DPI offers the capacity to conduct surveillance of content.

I hope you’ll all take a look at the new online collection of essays we commissioned on deep packet inspection by industry experts.

There are many new areas where we’re asking the question: How does society reconcile the technological benefits and the privacy impacts of new technology?

The architects of the Personal Information Protection and Electronic Documents Act, PIPEDA, couldn’t possibly have foreseen the dramatic rise of social networking sites – or many other technologies that are rapidly becoming part of the mainstream.

In my opinion, it’s fortunate that PIPEDA’s creators had the foresight to create a law which is technology neutral. They realized it would be impossible to change the law every time a new technology pops up.

The Social Networking Challenge

That’s the big picture. Now I’d like to focus on the still relatively new challenge of figuring out how privacy fits into the world of social networking.

First, I have a confession to make to you… I am not on Facebook.

This is a personal choice undoubtedly influenced by the fact that privacy is part of my genetic makeup!

However, I know many other people who also care passionately about privacy – including members of my own Office – who do use social networking sites.

Social networking sites are here to stay – though undoubtedly in a constantly changing form. As I said a moment ago, we all need to think about how to make the sites – and the way they are used – a little more privacy friendly.

Creating a privacy-friendly site

Let’s begin by looking at the sites themselves…

They have done many things well. They have created sites that people love. I read in the New York Times not too long ago that Facebook was registering its 200 millionth user – an incredible feat for a company that is only five years old.

Facebook calculates that, around the world, more than 3 billion minutes are spent on Facebook each and every day.

A new Nielsen Company study tells us that two-thirds of the world’s online population visits social networking and blogging sites.

Given this break-neck growth, it’s not surprising that we’ve seen some privacy hiccups – big and small – along the way.

Some social networking sites have privacy policies that even a lawyer would struggle with. Privacy options are not always front and centre. We’ve seen a number of cases where users have felt that new features were violating their privacy rights. In response, they’ve launched some highly effective popular uprisings which have forced companies to change their practices.

To help us all better understand the issues, my Office commissioned a comparative privacy analysis of six popular social network sites in Canada.

We’ll be releasing the report soon, but I’ll offer a bit of a sneak preview…

A key point that the report makes is that privacy issues in the social networking realm often arise out of a wide gap between users’ contextual understanding and the actual scope of information flows on the sites – and beyond. They believe a personal network is, by its nature, a private one, a secure one – which is not always the case.

To me, this means that a social networking site should work hard to understand the expectations of its users. They also need to provide clear information about the site’s practices.

Users need tools to help them understand the context in which their information exists – plain language privacy policies, for example. But that’s just a start.

Users also require tools that allow them, first, to determine appropriate levels of sharing and, second, to implement appropriate protections to enforce those self-determined levels of sharing. To have real meaning, these tools must be built right into the regular pathways users take on these sites – from registration onwards.

Good privacy can offer a site a competitive advantage over other online services.

But there are also legislative requirements for companies to build in tools and protections for personal information.

PIPEDA clearly covers social networking sites – although admittedly there are some challenges in applying all of its principles.

In the traditional relationship between a consumer and a bricks and mortar organization, the business directly collects personal information it requires in order to provide a service. With a social networking site, individuals proactively put their personal information online for the purpose of sharing it with others. That’s not the business model PIPEDA was designed for.

This will be an issue we address in our Facebook investigation findings, which we expect to release in the coming weeks. Our report will offer important insight into what my Office expects in the way of privacy protections on social network sites. Stay tuned!

We recently published findings in another investigation involving a social networking site.

The case involved a conman who used the name, personal information and photo of a regular family man to create a phony account on a social networking site.

Pretending to be the man, this individual duped the man’s daughters into becoming his “friend,” thus gaining access to their personal information. He began harassing the daughters with threatening and obscene postings and e-mails.

The victims recognized they’d been tricked, and notified the site, which deleted the offending account.

However, both father and daughters believed that the site lacked control mechanisms when accounts are created to prevent identity theft. They complained to us.

We explored the issue of verification procedures on social networking sites but concluded that such procedures would be more privacy-invasive, expensive, and time-consuming to administer. At the time they set up the accounts, the daughters were unaware of the fact that they could change their privacy settings (they had not restricted access to their profiles). They have since changed their settings, and, as I mentioned, the site deleted the false account.

The complainants were satisfied with the investigation and considered the matter settled.

The incident is a reminder to people to learn all they can about the privacy controls available on social networking sites. The controls won’t stop imposters, but they can reduce their access to the personal information of their victims.

Users of social networking sites also have responsibilities.

Creating Privacy-Conscious Users

We’ve conducted some focus group testing with teens and people in their twenties and thirties in order to better understand their views on social networking sites and online privacy. We’re using this information – which will be made public in the near future – to help us develop our public education materials.

We found that these younger Canadians were not particularly concerned about their personal privacy online. Where there was concern, it most often focused on economic consequences such as credit card fraud.

And yet we’ve all heard the stories about people getting stung by the privacy pitfalls implicit in taking their personal lives online.

People have been fired, missed out on job interviews and academic opportunities, and been suspended from school for instant messages, wall posts and other messages they mistakenly thought were like private real world conversations with friends.

Just a few weeks ago, a political candidate in British Columbia was forced to step down over some racy photos on his Facebook page.

Our digital breadcrumbs have the potential to come back to haunt us for years to come.

Here we are at the beginning of the 21st Century and we have gone back to the era of life in a village where everyone knows everything about you! The difference is that the village is now global.

Role of the OPC

As Canada’s privacy guardian, I believe my role, in many instances, including the use of social networking sites, is to (1) make people aware of privacy risks; (2) offer them some suggestions on how to address those risks; (3) make it as easy as possible for them to act on those suggestions; and, finally, (4) let them make their own choices.

For over a year now, my Office has been focusing a great deal of its public education efforts at younger Canadians. We’ve been working in collaboration with our Asia Pacific Privacy Authority Partners through Privacy Awareness Week, and also on various initiatives with academics, activists and youth researchers.

We have a website for youth and two blogs – one on our main site and one aimed at younger people. We’ve made posters. We’ve created illustrations that bring home privacy messages in a humorous way – rather than trying to scare people!

We also ran a national video competition, encouraging teenagers to produce video public service announcements that explore the importance of privacy. The caliber of the entries was impressive. You can watch the finalists’ videos at our conference booth or on our website.

Our Office and many other data protection authorities and privacy advocates around the world have already done a great deal of work in this area, but I think we are still at the early stages of figuring out how we can help individuals filter their online communications so they won’t face unexpected consequences down the road.

Social Networking and the Workplace

I’d also like to touch on one particular issue involving social networking. We are seeing a number of cases where what’s posted on social networking sites winds up having a major impact in the workplace. What we do online – even on Saturday or Sunday – can have negative implications in the workplace.

A couple of examples:

Several young employees at an Ottawa grocery store chain were fired after posting derogatory comments about the stores and its customers.

Several Canada Border Services Agency recruits embarrassed their employer by posting photos of themselves drinking in uniform and making highly inappropriate comments related to their jobs.

In many cases, a digital divide between generations is causing a significant disconnect between young Canadians and the managers and executives they work for.

My Office helped fund some fascinating research at Ryerson University’s Privacy and Cyber Crime Institute. It showed that young people think of network privacy – their personal information is considered private as long as it is limited to their social network.

Organizations, however, see information posted online as public and therefore not deserving of protection.

That’s a significant disconnect with major implications.

We’ve just developed some new guidance aimed at helping to bridge the gap.

Our new guidelines urge employers to develop policies on the appropriate use of social networking sites in the workplaces.

While employers have certain rights to ensure workplace security and efficiency, organizations should view tracking of employees on social networking sites as surveillance that may be subject to privacy legislation.

A policy on social networking sites in the workplace should address a number of issues:

  • Does the organization permit the use of social networking sites in the workplace? In what context and for what purposes?
  • Does the employer monitor social networking sites?
  • What legislation applies to the collection, use or disclosure of personal information in the workplace?
  • What are the consequences of non-compliance with the policy?

These guidelines are also available on our website or at our booth.

Conclusion

Technologies are changing. Concepts of privacy are changing.

Along with the many benefits they offer, social networking sites and other new technologies are raising important privacy issues – and will continue to do so over the coming years.

We are beginning to see the emergence of new rules of the road for some new virtual worlds online applications that challenge avatars’ second life traditional privacy concepts.

My Office is working hard to provide practical, reasonable guidance to help social networking sites – as well as other organizations developing new technologies – meet their obligations under Canadian privacy law.

Hopefully the fact that we are starting to develop a better sense of how we “do” privacy in the realm of social networks will help us to avoid many of the privacy bumps that we’ve seen over the last few years.

Social networking has become the mainstream; it is part of daily life for many, many people and is here to stay – though undoubtedly in a continually changing form.

My Office is clearly not trying to cast social networking sites in the role of privacy bogeyman.

However, we do believe that many sites could be doing a better job at weaving in stronger privacy protections and privacy awareness mechanisms.

We believe that people need to become more conscious of privacy matters when they use these sites.

And we believe that we have an important role to play to ensure these things happen.

We are not standing in the way of innovation – and fun. But we do believe that there is a way – a reasonable way – to ensure that new technologies can ensure that the privacy rights of Canadians are respected.