Getting Privacy Right in a World of “Mashups” and “Renonymizing”

This page has been archived on the Web

Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.

Remarks at the Geomatics Industry of Canada Annual Leaders Forum

June 17, 2009
Ottawa, Ontario

Address by Elizabeth Denham
Assistant Privacy Commissioner of Canada

(Check against delivery)


Introduction

Privacy is an increasingly fragile value. At the beginning of the 21st Century, privacy faces a vast array of new risks. In particular, technological advances have dramatically increased the threats we are up against.

We’ve seen the power of computers multiply many times over in recent years. Meanwhile, human creativity has led to a multitude of applications with important implications for our personal information.

Personal data has become a hot commodity for government – which sees it as the key to preventing another 9-11; and for the private sector – which uses your address, your purchase history, your likes and dislikes in order to try to sell you more stuff.

The geomatics industry has been strongly influenced by all of these trends. While the art of creating maps has been around for thousands of years, privacy concerns only entered the picture in the digital age.

A great deal of spatial information is not personal information – mapping and survey information, for example.

However, there are a growing number of applications that do involve personal information.

Location data becomes personal information when an individual is connected to a particular location. Examples include street-level imaging, cell phone tracking services such as Google Latitude and Loopt, as well as GPS.

An even bigger concern when it comes to privacy issues is the growing ability to link geospatial information with other data in a way that results in the creation of personal information.

In other words, personal information is created when the linking of information to a particular location allows for that new information set to be connected to a particular person.

Some “mashups” take data from a wide variety of databases – utility information, municipal tax rolls, emergency response data and so on – in order to build a profile of a particular property and the people who live there. These are incredibly powerful tools.

Here, USA Today took publicly available information about foreclosures and applied it to this map of Denver …

Our ability to make these types of linkages is raising significant challenges for our Office. We – along with industry and government – must be vigilant to ensure privacy rights are protected.

We have privacy laws which contain the right framework for the protection of rights, but lack the specific guidance and regulatory resources to ensure implementation is compliant.

Personal information and privacy issues are important issues for the geomatics industry to keep in mind as new applications are developed.

There is a wide range of geospatial information to which both federal and provincial private-sector privacy legislation could apply.

These emerging issues will be a focus area for our Office in the year ahead – and undoubtedly beyond that. Geospatial information is very much on our radar screen.

Personal Information in a Geo-Spatial Context

A key question as we look at how to protect privacy in the geomatics context is this: When does geospatial information become personal information?

Privacy legislation in Canada only applies to “personal information.”

These laws include the federal Personal Information Protection and Electronic Documents Act – or PIPEDA, the federal public sector Privacy Act, as well as provincial legislation in B.C., Alberta and Quebec. Ontario and some other provinces have has privacy legislation which covers the health sector.

While different pieces of privacy legislation use slightly different wording, definitions of personal information generally relate to the possibility that information could permit an individual to be identified.

If the information allows for the person to be identified, it’s considered personal information. It generally can’t be collected, used or disclosed without that person’s consent.

In the geospatial context, if an image of a street included people who happened to be walking on the sidewalk when the picture was taken, that image would constitute personal information.

Similarly, if objects in that image could be connected to a particular individual – say a vanity licence plate – that image is considered personal information.

In the online world, we’re seeing personal information being combined with maps to create websites that I can only describe as a Privacy Commissioner’s worst nightmare.

Here’s RottenNeighbor.com – where anyone can say anything about their neighbours and slap up a photo showing exactly where they live.

This is from Gawker.com’s “stalker” pages. People use it to share information on the whereabouts of celebrities (sometimes in real time). Some of the postings are particularly creepy – revealing, for example, where a movie star’s children go to school.

And look at this – a map pointing us to the homes of all the people who made donations in support of a campaign to have same-sex marriage banned in California.

I should note that these examples are all from the U.S., which lacks a strong data protection regime. If the commercial sites were Canadian, our Office would be able to shut them down.

But here is a Canadian example which also raises profound questions for privacy. The Toronto Star has put up a map of 2008 grow-ops including precise street addresses.

Clearly not all of the people associated to these addresses have been convicted. And what about the poor people who move into these homes after the drug traffickers leave? As it happens, I work with a young lawyer – an upstanding citizen – who lives in a house that was once a grow op. (It was apparently quite a good deal!)

Our privacy legislation in Canada includes a journalistic exemption, so this one is beyond our reach.

Privacy and the ‘Mashup’

A lot of geospatial information may appear, on its face, to be completely innocuous from a privacy perspective. Individual pieces of geospatial information may not allow for the identification of individuals. However, when that same geospatial data is combined with other information, it may become possible to identify people.

The ability to link data back to a particular person isn’t always obvious.

A few years ago, AOL published a list of 20 million web search queries and tried to protect the anonymity of users by assigning them with random numbers.

The New York Times followed the data trail of clues in one of those user’s search queries – 60 year old single men, dog that urinates on everything, landscapers in Lilburn, Georgia and so on – and quite easily identified “User No. 4417749” as a 62-year-old widow living in Georgia.

Needless to say, this woman was shocked when a Times reporter called her up and was able to rhyme off three months worth of her search queries.

More recently, a pair of U.S. researchers raised serious concerns that “anonymized” data collected from GPS-enabled devices may not be so anonymous after all. They found that knowing someone’s approximate home and work locations to a block level can uniquely identify them.

Indeed, the fact that, in many cases, we can attach supposedly anonymous information back to a particular person has spawned the creation of a new word in the English language – renonymize!

Matching back “anonymous” data can be remarkably simple.

Last week, Dr. Khaled El Emam, a renowned expert in this field, spoke at a workshop organized by our Office and demonstrated how a complete postal code with a date of birth is essentially a unique identifier.

You can find out more about his work on the Electronic Health Information Laboratory website.

OPC and Re-identification Issues

The jurisprudence on re-identification issues is still quite limited, but I would like to tell you about two cases our Office has been involved in. They illustrate how complex these issues can become!

The first was a legal case – widely known as “Gordon” – which involved the possible re-identification of individuals when government information is combined with publicly available information.

A CBC producer had sought access to a Health Canada database containing information relating to suspected adverse reactions to health products marketed in Canada.

Health Canada released some information, but refused to reveal the provinces in which information about adverse drug reactions had been collected on the grounds that it constituted personal information under the federal Privacy Act.

In a decision last year, the Federal Court found that information is “personal” where there is a serious possibility that someone could be identified through that information – either alone or in combination with other available information.

In this case, the judge concluded that disclosing the province would substantially increase the possibility that an individual could be identified when various sources of information were combined. He said the province field did constitute personal information and was exempt from access.

Earlier this month, we released the findings of an investigation into complaints alleging that a marketing organization had created personalized demographic information through data matching of White Pages information with Statistics Canada data.

The complainants argued that consent was required for the use and disclosure of this information.

However, we determined that the organization’s process of compiling consumer lists didn’t change the status of White Pages information from publicly available personal information to personal information subject to consent requirements.

The publicly available personal information included in the consumer lists had merely been sorted according to geo-demographic data.

Our view was that the lists consisted of information about neighbourhoods rather than identifiable individuals.

Street-Level Imaging

It also might helpful to look at another real-life example of how privacy issues need to be considered in the context of geospatial information.

Our Office has already spent a great deal of time thinking about privacy protection and street-level imaging services such as Google Street View and Canpages.

We’ve all seen the kinds of moments that can be captured ….

Street-level imaging applications underscore the challenges of the “mediated public place,” where people go about their business in public, but retain some expectation of privacy.

People recognize, for instance, that other passersby can see them, but they don’t necessarily expect a record of their movements to be uploaded to the Internet – perhaps in perpetuity.

The residents of the U.K. village of Broughton illustrated that view quite dramatically earlier this year when they formed a human chain to block a Google Street View car’s access to their streets. They berated the driver until he turned around and fled.

The reaction in Japan has also been less than friendly. People there have objected to Google Street View on the grounds that it is considered impolite and intrusive to look at into the front gardens of Japanese homes.

Google agreed to re-photograph cities in the country, raising the height of cameras so that front gardens are not captured.

Here in Canada, our Office has been in discussions with Google on the application. We’ve also met with officials at Canpages. These discussions have been productive.

Due to our office’s interventions, Google agreed that photographs of individuals will be blurred when they roll out the application in Canada. Canpages is also blurring faces.

But we also want evidence that the blurring technology is effective.

As you can see, [Paris couple kissing], there have been cases where individuals are still identifiable, even after the blurring process has been applied.

We also want assurance that the original “unblurred” images of people’s faces are destroyed as is required under privacy laws. We’re very pleased that Canpages has agreed to destroy these originals. We’re still talking with Google about this.

Another key concern for us is the question of notification.

Google and other street-level imaging services should ensure that people receive adequate notification that their images will be captured and uploaded to the Internet.

It would be important for people to have an idea of when a Google car will be touring their neighbourhood to collect images. People also need to be told how they can have their image removed if they don’t want it in a database.

To do this, companies should include visible marking on their camera vehicles; they could use press releases, local media outlets and web sites to outline dates and locations for filming; and where to go for further information.

We recently worked with our counterparts in B.C., Alberta and Quebec to develop guidance on our expectations on what needs to be done. These are up on our website.

I would add again that the biggest threat to privacy is not in street level imagery per se, but rather in the linkages between all address-based databases. This results in truly intelligent data.

Conclusion

In terms of the road ahead, our Office has been working with the federal GeoConnections initiative.

They’ve been working on a privacy best practices and we are deeply involved. We will be looking for ways to share what we learn with the private sector.

These are important issues. The potential risks to privacy are enormous and issues can be incredibly complex.

In many cases, you’ll need to think very carefully about whether geospatial information is personal information – and whether it has the potential to become personal information.

Privacy is really about protecting personal information and the right to control our own data. It is a deeply held value in Canada – one you can help our Office to protect.

Report a problem or mistake on this page
Please select all that apply (required): Error 1: This field is required.

Note

Date modified: