Why Privacy Still Matters in the Age of Google and Facebook and How Cooperation Can Get Us There

This page has been archived on the Web

Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.

Remarks at the 2010 Access and Privacy Conference

June 10, 2010
Edmonton, Alberta

Address by Jennifer Stoddart
Privacy Commissioner of Canada

(Check against delivery)


Introduction

I would like to express my appreciation for Wayne McDonald’s important contributions to privacy in Canada.  Wayne has played a tremendous leadership role in the professionalization of the privacy field in Canada – a cause that is close to a Privacy Commissioner’s heart! 

Over the past few years, I have been impressed by the increasing knowledge and commitment of Canadian privacy professionals.  Wayne, thank you for your role in helping to educate the next generation of privacy professionals to become worthy guardians of the personal information entrusted to their organization’s care.

The organizers of this year’s Access and Privacy conference have selected a theme of “Changes, Challenges and Choices.”

This morning, I’d like to share some thoughts about the changing nature of privacy in our increasingly online world.  

As you know, it’s fashionable in some circles to suggest that privacy is pretty much dead in this era of digital exhibitionism.  I’d like to explore some of these pronouncements and offer my own view of how privacy is evolving.

There’s no doubt that the digital world is raising monumental challenges for privacy rights. 

But that just means we need to work harder and smarter – not that we throw in the towel on privacy and “get over it,” as some have suggested.

There is a lot we can do in the face of new privacy risks stemming from technological change. 

We need to enforce our privacy laws and ensure they remain modern and relevant.  We need even more cooperation between privacy authorities – we’re far stronger when we speak with one voice.  And, as a society, we must ensure that our privacy literacy matches our online literacy because, at the moment, there’s a gap.

“Get Over It”

A little over a decade ago, Scott McNealy, then the chief executive officer of Sun Microsystems, made himself forever infamous in privacy circles with his decree that: 

You have zero privacy anyway…. Get over it.

Certainly privacy is suffering in the face of online surveillance technologies.  Virtually every click of our daily online wanderings is now meticulously – and often invisibly – monitored, recorded and stored.

But Scott McNealy’s haughty assertion that there is absolutely nothing we can do to fight this assault on our privacy really struck a nerve. In fact, people are not prepared to shrug their shoulders about the loss of their privacy.

In a way, the “get over it” dictum helped the cause of those of us in the business of protecting privacy.

It served as vivid illustration of the lack of sensitivity that some – and I did say some – business leaders have for privacy issues.  They simply don’t get it. 

It was also a sharp wake-up call about how precarious our privacy rights really are – and the fact that we need to fight to maintain them.

Scott McNealy’s remarks became something of a call to arms for the privacy community.  So maybe we should thank him!

Yes, we agree that the encroachments on privacy in this digital era are staggering, but that doesn’t mean we’re going to let them bowl us over.

More recently, we’ve heard a lot about what the heads of the two giants of the online world – Google and Facebook – think about privacy.

“Don’t Do It”

Google’s Eric Schmidt offered us his version of that old “nothing to hide, nothing to fear” argument.  He said:

If you have something that you don’t want anyone to know, maybe you shouldn’t be doing it in the first place.

Users do have some responsibility for their actions, but this assertion completely ignores the indisputable fact that privacy is a basic human need.  Each one of us needs a space that is ours alone.  And wanting this private space is not about hiding something wrong or shameful.  It’s about maintaining our individuality and our liberty. 

One online commentator had a nice retort for the Google CEO:

I planted a microphone in Eric Schmidt’s bedroom (it’s broadcasting live on my blog.)  I’m sure he won’t mind, as he surely isn’t doing anything he wouldn’t want anyone to know about.

Some things aren’t wrong.  They’re just private.

“New Social Norm”

Mark Zuckerbeg, the chief executive of Facebook, has also shed light on his view of privacy. Here’s what he said: 

People have really gotten comfortable, not only sharing more information and different kinds, but more openly and with more people.  That social norm is just something that has evolved over time.  We view it as our role … to constantly be innovating and be updating what our system is, to reflect what the current social norms are.

I would agree that our concept of privacy is changing.  That’s nothing new – what privacy means to us has no doubt been evolving since we lived in caves. 

Privacy looks different today than it did a generation – or even a decade – ago. It likely says something about my age that I have trouble understanding why so many 20-somethings post the nitty-gritty of their intimate life online.

But I also take heart in all the signs that they do, in fact, still care very much about privacy. 

For example, new research by the Pew Internet and American Life Project found that people between the ages of 18 and 29 are the most likely to use privacy settings on social networks.  They’re also the most likely to actively manage their online reputation by taking steps such as “untagging” themselves in photos uploaded by others.

Privacy remains an incredibly important and cherished value to Canadians – and to people around the world.

The people touting the idea that privacy is out of fashion are consistently those who stand to profit from its demise. 

These folks are in the business of making money from the use of personal information – it’s no wonder they would like everyone to think that privacy doesn’t matter.

In just the last few months, US privacy policy wonks have been repeatedly asking: “Can we have both privacy and innovation?” 

How can that question even be asked?  It shows the anxiety there is about doing anything that would stem the growth of these important contributors to the US economy.  Google’s revenues alone hit almost $6.8 billion US in the first quarter of this year – almost a 25 per cent higher than the same period in 2009.

Many of these online services have done remarkably well despite the global economic downturn.  When the financial crisis hit the U.S. in September 2008, LinkedIn saw its membership jump by 25 percent in only one month.  In fact, I understand that people were signing up at the rate of one new member per second as the downturn deepened.

Privacy does not stand in the way of innovation.

The pressure on privacy – at least in the private-sector context – is not the result of new social standards.  It comes from a desire to make a profit.  There is money to be made in pushing the privacy boundaries.

Pushing Back

But people are pushing back.

We’ve seen that recently with both Facebook and Google.

Facebook users spoke up – loudly – after the social networking site rolled out a series of changes that made it far more difficult for users to protect their privacy.  Joining the barrage of criticism, the New York Times calculated that opting out of full disclosure of most of your personal information on Facebook required clicking through over 50 privacy buttons and choosing from over 170 options.

The outcry had an impact.  Facebook scrambled to make privacy modifications to quell the criticism.  We’re still examining the changes, however, at first blush, it would appear that personal information is still more readily available than when we finished our investigation last summer. 

Frankly, we’re not sure they’ve gone far enough.  They are still further ahead in terms of their agenda of opening up the site and we don’t think people are comfortable with that.

We’re taking a very close look at the latest changes and then we will determine our next steps.

You’ll remember that Google also faced its own user privacy revolt over Google Buzz.

The company took Gmail, which had been a private, web-based e-mail service, and abruptly melded with a new social networking service.  Google automatically assigned users a network of “followers” from among people with whom they corresponded most often on Gmail, without adequately informing those users about how this new service would work or providing sufficient information to permit informed consent.

There was a storm of protest by users around the world who were understandably concerned that their personal information was being disclosed.

The rollout of a product with such significant privacy flaws betrayed a disappointing disregard for fundamental privacy norms and laws.  I was among a group of 10 international data protection authorities who jointly wrote to Google to remind it of the need to respect the laws of the countries in which they launch their products.

To its credit, Google quickly apologized to its users and introduced changes to address the widespread criticism.

Ironically, the company became embroiled in yet another privacy controversy not long afterwards.  It admitted that it had mistakenly collected data from unsecured wireless networks as its cars were photographing streetscapes for its Street View map service.

A class action suit filed against the company in the U.S. alleges that Google is seeking a patent for the technology that facilitated that collection of information.

My Office has just launched an investigation and many other data protection authorities around the world are also looking at it.

Privacy Still Matters

These two stories suggest that it’s these online powerhouses that are out of sync with the rest of society when it comes to privacy.

People do care about their privacy. 

Yes, many people – particularly young people – are willing to share more than we did in the past.  But they want to do so on their own terms.  They want to be able to control their personal information – and that just happens to be on the basics of privacy law in Canada and many other countries.

Canadians clearly like many of the new services being offered online and they want to continue using them.  I recently read that close to 50 per cent of Canadians are now on Facebook.  It’s become a hugely important way in which people in this country connect with one another – and that’s likely why the recent “Quit Facebook Day” didn’t really take off. 

But it’s also clear that people want a service that respects their privacy.  After our Facebook investigation last summer, we were profoundly touched by the congratulatory calls and e-mails we received from people across Canada – our Office had never seen such a strong public response to an issue before.

We are speaking on behalf of Canadians when we ask these companies to respect our laws.

Privacy Online

Online privacy issues are becoming an increasing focus for my Office – and addressing them is not without its challenges.

The issues are often complex and highly technical.  Websites seem to change every day, so it requires a great deal of effort to keep up with what’s happening.  The online world that Canadians access for products and services is global – we’re often dealing with organizations with little or no physical presence in Canada.

Clearly we are going to have to find many tools to help us meet all those challenges.

A Cooperative Approach

An important part of the solution will be cooperation.  Working with other jurisdictions – within Canada’s borders and beyond – has been a top priority for me from the very start of my mandate.

I arrived in the Privacy Commissioner’s Office on a cold December day in 2003.  By mid-January, both Frank Work and David Loukidelis were in my office to sign a cooperation agreement.  We’ve continued to have an excellent working relationship with both the Alberta and B.C. privacy offices in the years that have followed.

We’ve conducted a joint investigation with Alberta into the massive data breach involving Winners and HomeSense stores.  We’re currently working cooperatively on a couple of investigations with Alberta.

We’ve created a number of joint guidance documents with both B.C. and Alberta.

Frank Work has also been tremendously supportive in terms of lending us Elizabeth Denham, who had been heading up the private-sector investigations team in his office.  He even provided space for Liz and an OPC investigator in his Calgary office.  (We returned his incredible generosity by permanently stealing Liz from him – sorry Frank!) 

I’m sure you’ve all heard the wonderful news that Elizabeth Denham has been appointed Information and Privacy Commissioner for British Columbia.  While we’re going to miss her both on a professional and personal level in Ottawa, we’re delighted that we’ll have another strong partner in the B.C. office and that we’ll continue working together on issues of mutual interest.

There has also been a lot happening on the global stage – for example, we’re working with a number of initiatives to develop an international privacy standard and we’re involved in the new Global Privacy Enforcement Network.

The joint Google Buzz letter I mentioned earlier was also a significant development – an unprecedented collaboration of 10 offices on four continents speaking with one voice.

All of us recognized the need to – as much as possible – join forces to ensure our messages are heard.  This won’t be the last time you see us undertaking this kind of initiative!

Privacy Literacy

Another key to online privacy is to find ways to build a better understanding of privacy issues on the part of both consumers and organizations.

Canada is a nation of early adopters when it comes to new technologies – with 80 per cent of Canadians over the age of 16 now online.  And while we are sophisticated when it comes to online literacy, I think we’re lagging a bit when it comes to privacy literacy in the context of the digital world. 

Many people don’t know they’re leaving a trail of digital bread crumbs when they click their way through websites and from website to website.  They don’t know that those crumbs don’t disappear – that they are stored, analyzed and are accessible.  And they don’t understand that this information may be used in ways they never imagined. 

How many people actually read privacy policies? 

We also need to learn to make better use the tools available to protect our privacy while we’re online.  For example, there are search engines that don’t remember our searches; some search engines have shorter data retention periods than others. 

In the Google WiFi story, the focus has been on the company’s actions.  But there’s also a question about user knowledge about securing wireless networks.

The need for improved privacy literacy applies not only to individuals, but also to organizations.  Businesses need to ensure that their employees are privacy literate; that they have knowledge of how personal information should be used and handled in the context of privacy values.

We’re strong advocates for this kind of training – both in the private and public sectors.  Privacy training can save an organization a lot of grief.  An employee who has spent some time thinking and learning about privacy is less likely to leave a laptop containing personal information on the front seat of her car.  She’s less likely to allow her curiosity to prompt her to pull medical records or tax records that she has no business in seeing. 

Training – ongoing training – makes people stop and think about the need to protect personal information.  It builds awareness that personal information is private by default.

A recent poll conducted for my Office found that only 37 per cent of businesses had provided privacy training for employees.  I also have concerns about whether enough training is taking place in the public sector. 

Quite simply, we need to do better.

Conclusion

I’ve talked about change and about challenge.  The response to those changes and challenges requires a lot of our third conference theme – choice. 

It’s imperative that online companies give users choices when it comes to sharing or protecting their personal information.  It’s also critical that consumers have the information they need to make informed choices.

Before closing, I’d like to put in a plug for our upcoming public consultation discussion in Calgary. 

As you may know, we’ve been holding consultations are focusing on two areas – the privacy issues related to the online tracking, profiling and targeting of consumers by marketers and other businesses and the privacy issues related to cloud computing practices.

We’ve already held a day-long series of panel discussions in Toronto and in Montreal.

On June 21st, we’re taking the consultations to Calgary.  We’ll be canvassing a broad range of views from business, government, academics, consumer associations and civil society.

I hope I will see some of you there!

Date modified: