The Intelligence Solution: Why protecting personal information also strengthens security
Remarks at the Security Canada Alberta Tri-Lateral Conference
May 13, 2010
Address by Elizabeth Denham
Assistant Privacy Commissioner of Canada
(Check against delivery)
Thank you, Ken [Newans], for that kind introduction.
I am very happy to be here with you this morning, and to be part of this impressive program. Impressive – and somewhat intimidating, frankly, what with all the talk of fraud, cybercrime, security threats and gathering storms!
Without question, modern life has brought with it remarkable new challenges, and those of you in the fields of law enforcement, physical security, and cybersecurity are at the very forefront.
Protecting the security of Canadians, as well as our commercial assets and physical and network infrastructure, is of paramount concern to everyone. It is vitally important work – difficult, never without risk.
But there is one risk that can sometimes be overlooked, and that is the right to privacy.
And it is a risk.
Whether we’re talking about a new government-wide strategy, or a shiny new tactical toy, privacy cannot be an afterthought. It has to be taken into account right from the start, even at the design stage of any security measure.
And, even after privacy safeguards are carefully constructed around the initiative, they need to be reviewed periodically, tweaked and reinforced, because nothing ever works out exactly as planned, or remains static over time.
This is the same kind of message we delivered to Google and other online companies a couple of weeks ago at a press conference in Washington: Privacy has to be built in at the development stage of new products and services; it cannot be an afterthought.
I recognize that, in this room, I am not necessarily preaching to the choir. Many of you see personal information as the chief tool of your trade: The more you can gather, the closer you are to victory over your particular security threat.
But let me put this to you: There are privacy laws – at the federal level for both the public and the private sectors, as well as at the provincial level – and they apply to all organizations. Those involved in security are not exempt.
Aside from the legal obligations, there are other compelling reasons to weave privacy considerations into your day-to-day responsibilities. Some are on the philosophical side; others entirely practical.
Human dignity
So what do I really mean by privacy?
In lay terms, we often think of privacy as modesty or discretion: The things you do in the privacy of your own home.
That is an important value –
[December 2009 cartoon of couple in bed]
– and it’s one that is particularly important whenever there is an inherent imbalance of power and authority.
[ March cartoon of two police officers and the strip search]
This meaning of privacy came to the fore when my Office weighed in on the new millimetre-wave airport security scanners. We felt that human dignity was at stake here, along with cultural norms around strangers viewing images of airplane passengers through their clothes.
I want to underline that, in this instance, we did not stand in the way of the technology, or of the security it is supposed to enhance.
Instead, we called for better safeguards for privacy, in the context of human dignity.
In the end, at the Office of the Privacy Commissioner of Canada we were encouraged by commitments that the inherent privacy-invasiveness of the scanners would be minimized:
- that they would be used as secondary screening measures,
- that they would be offered as optional alternatives to a physical pat-down,
- and that there would be a physical separation between the official who sees the passenger, and the official who views the scan.
Identity integrity
But privacy is more than human dignity. It’s also about asserting a measure of control over your identity – how you present yourself to the world; your reputation.
[April cartoon of dad on the couch with kids posting image to YouTube]
That’s not an easy one to figure out. Many people, for instance, live in multiple worlds, and nurture a range of images and reputations. There are those who dwell in real life, or online in Second Life. Or both simultaneously.
There are those whose business face differs radically from their private face.
Some are all about show – tweeting, blogging, posting pictures and performing on YouTube. Others share their thoughts no farther than their most intimate circles.
[July cartoon about FB girl with 700 closest friends]
The point is that people have choices, and having choices is their democratic right.
It is their right because, as a democratic society, we place a powerful value on free speech, free expression and the right, in general, to be left alone. Our Constitution entrenches those liberties, and our privacy laws reinforce them.
Control over personal information
I admit that those are tough concepts to pin down. They’re hard to define, to measure, and therefore to defend.
But let me put to you one other dimension of privacy, which is detailed in law and can therefore be protected with very concrete and practical measures.
And that relates to control over personal information.
PIPEDA, the private-sector privacy law, is based on 10 fair information principles that set out the ground rules for the collection, use, disclosure, retention and disposal of personal information by organizations engaged in commercial activities.
Among other things, those principles say that organizations should only collect personal data for clearly defined purposes –
[November 2009 cartoon of woman at grocery checkout]
and limit the use and disclosure of the information in ways consistent with those purposes.
[August cartoon of loans officer]
The rules also state that individuals whose personal information is being collected should have a chance to give their informed consent.
And there have to be adequate safeguards to prevent data breaches or unauthorized access to the personal information.
[November 2010 cartoon of janitor in doctor’s office]
I want to emphasize that these privacy principles also have important implications for security.
In the private sector, system security, data integrity and breach prevention must be priorities for any organization that hopes to survive and thrive in a competitive market.
The state, meanwhile, also has practical reasons for applying fair information principles to the collection, use and disclosure of personal information. Not doing so can spark dire consequences.
People can, for example, be wrongfully accused of crimes as a result of faulty or illegal surveillance or wiretapping. They can be stranded without cause on the federal no-fly list, without meaningful recourse.
Erroneous information may also be shared with foreign powers, leading to deportation, false imprisonment and even torture.
What’s more, in the state’s collection of personal information, less really is more. Indeed, there’s evidence that the work of law enforcement authorities is actually hampered by a surfeit of information, collected willy-nilly without regard for its quality.
How these concepts guide the work of the OPC
Public sector policies and PIAs
These fair information principles are not mapped out as such in the Privacy Act, the law that governs much of our national security establishment.
They do, however, appear in something called PIAs, or Privacy Impact Assessments. Any federal department or agency that proposes a new or significantly revised measure involving the collection of personal information is obliged by Treasury Board to conduct a PIA and to submit it to our Office for review.
In the security arena over the past couple of years alone, we’ve reviewed PIAs on the airport scanners; the federal Passenger Protect Program (or no-fly list); enhanced driver’s licences; e-passports; the federal anti-money laundering and anti-terrorist regime, and the National Integrated Interagency Information System for records-sharing by police forces in various jurisdictions.
PIAs are a process that typically involves considerable discussion with our Office.
But before organizations even get to the point of applying the 10 fair information principles, we expect them to justify the need for the initiative against a four-part test.
That test, which flows from constitutional law, requires that an initiative that could impinge on individual privacy
- is shown to be necessary in solving an identified problem;
- is demonstrably effective in solving that problem;
- results in an invasion of privacy that is proportionate to the gains expected;
- and has no other alternative that would be less privacy intrusive.
The Canadian Air Transport Security Authority did a PIA in conjunction with its new airport scanners and, in the process, was able to design an approach that would be minimally invasive.
We were less sanguine, however, about the federal government’s proposed lawful access legislation. Measures along those lines have been in the works for some time, the most recent being Bills C-46 and C-47.
Both died at prorogation last December, although there’s every sign they will be resurrected.
The aim of the legislation is to make it easier for police and security agencies to obtain access to communications data.
The bills would compel any company providing a telecommunication service in Canada to build intercept capabilities into its networks, thus ensuring that it would be able to respond to a legally authorized demand to turn over communications from specific users.
Newer tools – such as online chat, peer-to-peer messaging, or VOIP services like Skype – would all fall under the new umbrella, as would PIN-to-PIN messaging on BlackBerrys or text-messaging on mobiles.
Our concern, shared by counterparts in every province and territory, was that the measures were going too far, especially since some personal data would have to be turned over to authorities even without a warrant.
And so we made a series of recommendations to Parliament, such as overhauling the warrant application system as an alternative to lower legal protections, tailoring the powers to specific crimes, and bolstering the proposed oversight system.
On the other hand, there is one piece of legislation that we sorely hope will be reintroduced, and the sooner the better.
That’s ECPA, the Electronic Commerce Protection Act. It’s an anti-spam bill that is long overdue, as we are the only G-7 country in the world lacking legislation of this sort.
Spam, as you will all appreciate, is one of the leading ills of the Internet. It is a primary source of viruses and malware, and the vehicle for a lot of phishing scams and identity theft.
We like the legislation because it does much to protect privacy. By outlawing unwanted contact, in whatever form, it frees people from intrusions on their private lives.
It also gives meaningful teeth to the idea that people’s personal information is their own, that it has value, and that it is worthy of protection.
At the same time, ECPA would also enhance security by protecting people from online threats, thus underscoring the potential for privacy and security to work in tandem.
Personal information has value to individuals as well as to the criminal element – no question about that. But it also has value to the legitimate private sector.
Businesses and those that support them – marketers, consumer survey organizations and so on – will pay dearly for information leading to the hearts, minds and pocketbooks of Canadians.
Again, as in the areas of public safety and national security, we wouldn’t stand in the way of legitimate commercial practices. But they have to be lawful: They have to comply with the law and its 10 principles for the fair use of information.
That said, we also acknowledge that things are changing quickly in this digital era. It’s no longer just about telephone surveys to gauge consumer preferences and intentions.
Today it’s about GPS tracking on smart phones, radio-frequency ID chips embedded in products, and a dazzling range of online applications meant to figure out where you’re going, what you’re thinking, and how to get you to turn in to Starbucks for a brew, or Holt Renfrew for a new outfit.
[June cartoon of couple with computer and pop-up ad for a rocker]
It’s a complex new area, but we’re determined to stay on the forefront because the implications for privacy are colossal.
That is why we are hosting consultations with experts and the public on the online tracking, profiling and targeting of consumers by marketers and other businesses. We held the first such consultations in Toronto in April, and will host the second in Montreal next week.
Next month we’re also coming back here to Calgary, in order to explore the privacy implications of cloud computing, a topic of intense interest to many of you here.
One of the ways that organizations collect a lot of personal information is through video surveillance, both overt and covert.
It can be a tricky area when it comes to complying with the law, and it certainly generates a fair bit of public anxiety.
[May cartoon of two women in public washroom]
That’s why my Office has issued guidelines for both overt and covert surveillance in the private sector, as well as for the surveillance of public places by police and law enforcement authorities.
Indeed, it is a commonly-held belief that organizations are released from their privacy obligations if video surveillance is conducted in a public place. That is, however, a misconception.
As Google found when it started filming Canadian neighbourhoods for its Google Street View application, PIPEDA very much applies. Google had to scramble to comply with the law, including reshooting some images after informing local residents that the camera cars would be coming through their streets.
Our guidelines for covert video surveillance, published last year, underline that the law applies, even when the activity is conducted surreptitiously. In particular, we expect organizations to be able to justify the need for covert surveillance, and to apply fair information principles to the collection, use and disclosure of any personal data collected in the process.
But the guidelines are reasonable and realistic. For instance, they recognize that an investigator is unlikely to ask the surveillance target for his or her consent.
And so we said that if, for example, a person launches a legal action against a company, he should anticipate that the company might hire a private investigator to collect evidence for its defence. In that case, it might be reasonable to simply infer the litigant’s knowledge and implied consent.
Another form of covert surveillance arises when companies are able to obtain information about the computers of users who interact with them online.
One way to do this is called digital fingerprinting. That’s when an organization uses tracking software to determine a range of things about online visitors – the type of operating system they use, their browser, hardware and software settings, and even their IP addresses.
A bank, for example, will use digital fingerprinting to ensure that only legitimate customers are logging on to its site. Organizations seeking customer feedback may use it to ensure each respondent completes an online survey only once.
But, in many cases, individuals don’t know the data is being collected, which means they cannot give consent.
And so my Office is preparing new guidance to inform people about this emerging technology. There are some things individuals can do to protect themselves, although their choices are by no means comprehensive.
Not unrelated is the phenomenon of DPI, or deep packet inspection. DPI allows ISPs to obtain information about the data packets they are moving through their networks. In Canada, ISPs say they are only inspecting the routing data contained in the packet headers in order to better manage network traffic.
Critics, however, argue the technology empowers ISPs to peer into the content of messages. In other words, they could, technically, be reading your e-mail.
In light of the potential for misuse, we commissioned extensive research on the technology. We now have a whole microsite on our website devoted to the subject.
Apart from that, we also investigated a complaint against Bell and its Sympatico Internet service.
I concluded that Bell was, in fact, only using DPI to manage its network traffic.
But I disagreed with them on one key point: Bell argued that IP addresses don’t constitute personal information. I found that, since the company also holds the names, phone numbers and other subscriber data, it could be matched to IP addresses.
That means subscribers could be identified by their IP addresses, which in turn means that IP addresses are personal information.
As such, I recommended that Bell properly inform its users about its use of DPI.
In conclusion, I want to say that, even in this era of digital exhibitionism, people value their privacy.
They may value it to different degrees, and express it in different ways.
But, in the end, the choice is theirs – the privacy law exists to protect everyone equally.
And it doesn’t exist in isolation; it is an integral part of our society. As governments and private enterprises go about their respective activities, they are obliged – by law – to take the privacy of Canadians into account.
That holds true whether an organization is real or virtual, based in Canada or merely operating here.
It holds true whether the organization is hosting a social networking site or safeguarding the security of the nation:
If it’s collecting the personal information of Canadians, then privacy rules apply.
I thank you for your attention.