A Framework Around the Cloud: Contemporary Challenges to Personal Information Protection
This page has been archived on the Web
Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.
Remarks at the Colloque québécois sur la sécurité de l'information
October 18, 2010
La Malbaie, Quebec
Assistant Privacy Commissioner of Canada
(Check against delivery)
The theme of today's symposium — the new rules of the game — is one that often comes up in conversations between the Office of the Privacy Commissioner of Canada and the media or the general public.
The OPC work that makes headlines is a reflection of the times. It is driven by the imperatives of security, globalization and the explosion of online activities — in a nutshell, the new rules of the game.
I would like to share with you today an overview of current privacy issues and contemporary challenges based on the OPC’s four strategic priorities:
- Public safety and national security;
- Information technology;
- Genetic information; and
- Identity integrity.
Activities of the Office of the Privacy Commissioner
First, I would like to tell you more about the Office of the Privacy Commissioner of Canada.
Our Office reports directly to Parliament and is responsible for ensuring compliance with the two federal acts protecting the right to privacy in Canada, i.e. the Personal Information Protection and Electronic Documents Act, which applies to the private sector subject to federal jurisdiction, and the Privacy Act, which applies to the federal public sector.
Both acts govern the use of personal information in their respective sectors and regulate an individual’s access to his or her personal information held by relevant organizations.
We accomplish our mandate through six clearly defined functions:
- Responding to requests for information — which numbered over 10,000 in 2009-2010;
- Receiving and investigating complaints — over 200 in the private sector and over 600 in the public sector;
- Reviewing the Privacy Impact Assessments (PIAs) prepared by 250 federal agencies about their programs, as mandated by the Treasury Board of Canada;
- Auditing the privacy practices of agencies subject to the Act, including the two audits recently made public regarding wireless communications and the disposal of information in the public sector, as well as our audit of mortgage brokers;
- Conducting and financing research and public education and awareness activities; and
- Providing Parliament with advice on the legislative bills that touch on privacy issues.
We report to Canadians during our frequent appearances before parliamentary committees and in the two annual reports we submit every year, one for each of the acts that we are responsible for monitoring.
I encourage you to read the 2009-2010 Annual Report on the Privacy Act, which was tabled in Parliament two weeks ago. It contains further information on many of the topics I will be speaking about today.
Four strategic priorities
Like anything of value, privacy is constantly under threat. It must be safeguarded with vigour, vigilance and care.
Looking back on the issues we have dealt with over the past few years, the OPC has identified four major trends and influences that we feel pose the greatest challenges to privacy. Lately, we have focused on these areas in our research and public awareness activities, our investigations, audits and strategic positioning.
Again, these strategic priorities are:
- Public safety and national security;
- Information technology;
- Genetic information; and
- Identity integrity.
I will go over each of the four priorities and illustrate them with a specific example taken from the OPC’s recent work to protect privacy in Canada.
Public safety and national security
The first strategic priority that I will summarize this morning is public safety and national security.
It is pretty much a given that any initiative aimed at strengthening public safety and security will have an impact on privacy.
But that does not mean that the objectives of security and privacy need be at odds.
On the contrary, they complement each other, morally and functionally. Morally, both privacy and safety characterize the society in which we have chosen to live.
Functionally, concerns for privacy protection and security come together by imposing strategic approaches that minimize the use of personal information and the invasion of privacy to only what is strictly necessary to achieve the security objective.
On the other hand, technological advances and security threats continually call into question the way privacy and security are protected.
In today's context, the challenge our society faces can be summarized as follows:
- As the threat has moved from states to individuals, national security rests more and more on the judicious use of personal information.
- As the threat is more and more diffused, it is less measurable and therefore generates overly broad responses that impact privacy — often because we cast the net too wide or hold onto personal information for too long.
- As national security officials need to maintain secrecy, it is all the more difficult to keep them accountable, particularly with respect to the protection of privacy.
To illustrate this priority issue, I will bring up a case that made headlines in early 2010: the use of body scanners in Canadian airports.
Millimetre-wave airport security scanners
Our review of a Privacy Impact Assessment (PIA) submitted by the Canadian Air Transport Security Authority (CATSA) drew considerable attention. The PIA looked at millimetre‑wave security scanners that the government planned to use in airports across Canada.
The technology was controversial because, even as it enables screening officers to detect non-metallic weapons and other concealed threats beneath a passenger’s clothing, it is equally capable of revealing images of the person's body.
CATSA conducted a pilot project on the scanners in Kelowna, B.C. in 2008, and we reported on their preliminary PIAs in last year’s annual report.
In 2009 CATSA submitted a PIA of the planned installation of seven scanners in four Canadian airports. Our analysis of the PIA applied a four-part test, which is the basis of our analytical framework:
- Is the proposed measure necessary?
- Is the proposed measure effective?
- Is the loss of privacy proportional to the security objective sought?
- Are there less intrusive alternatives?
Once these criteria are met, the question becomes "How will the personal information collected be protected?"
CATSA assured us that its decision to select this technology was based on rigorous threat and risk assessments and that it was necessary to complement physical searches. With regard to scanner effectiveness, CATSA demonstrated that physical searches had limitations that scanners could compensate for.
As for proportionality, the agency agreed with our recommendation that the scanners be used only as a secondary screening method. It further pledged that:
- participation would remain anonymous and voluntary;
- a physical pat-down would be offered as an alternative;
- screening officers would be separated from and unable to see the individual being screened;
- the images would not be correlated with any other personal information and would not be identifiable; and
- all images would be deleted immediately after the scanning is completed.
The agency also agreed to seek out and develop less privacy-invasive technologies; regularly reassess the need for full-body scanners against new intelligence; ensure that the public has clear and accurate information on which to base informed choices; and track and report public complaints and concerns.
We consider this initiative a good example of how privacy protection can be incorporated into security measures. We are, however, following developments in this area and have begun an audit of personal information protection in air travel in general.
New information and communications technologies are another key focus for the OPC.
There is no question that information technologies make life easier. Most people today can barely imagine a world without the Internet and the many other advances that computers and the digital age have brought.
But every technological innovation also introduces new risks to privacy. With the power of modern computers, there is today no practical limit to how much personal information can be collected, stored and used. That, in turn, makes it increasingly difficult, if not impossible, for individuals to control their personal data.
The advent of e-mail by itself brought forth new challenges to privacy:
- unprecedented creation of recorded personal information;
- unprecedented breadth of diffusion of personal information; and
- unprecedented risk of breaches with unprecedented magnitude of consequences.
Information technologies — and their impact on personal information protection — were the focus of two major audits conducted by the OPC during the last fiscal year.
Audit on the use of wireless technologies
A first audit focused on the use of wireless technologies by five federal government institutions, namely the Canada Mortgage and Housing Corporation, Correctional Service of Canada, Health Canada, Human Resources and Skills Development Canada, and Indian Affairs and Northern Development.
The objective of the audit was to assess whether personal information is protected when it is transmitted through wireless networks used by selected federal institutions or between federal employees' BlackBerrys.
- Network encryption;
- Passwords on portable communications devices;
- The security of data stored on smart phones and other portable devices;
- The use of PIN-to-PIN messaging services;
- Personnel training; and
- Disposal of surplus devices.
We discovered the following:
- None of the five institutions we audited had fully assessed the threats and risks inherent in wireless communications.
- Passwords used for smart phones did not meet the standard recommended by Communications Security Establishment Canada.
- Wireless encryption and data storage were also inadequate.
- Even though Communications Security Establishment Canada has stated that PIN-to-PIN messaging should be avoided, some departments still make extensive use of this means of communication.
- There are shortcomings in how portable devices are stored and disposed of, as well as the procedures to follow when a BlackBerry is lost or stolen.
- There is little evidence to indicate that departments and organizations provide staff with adequate training on the secure use of wireless devices.
We have issued many recommendations to help federal institutions mitigate the risks to personal information associated with the use of wireless technologies.
In particular, we recommended that:
- Institutions undertake a threat and risk assessment for their wireless networks and smart phones;
- Institutions ensure that employees are made aware of the privacy risks inherent in the use of smart phones;
- Employees use strong passwords — as defined by Communications Security Establishment Canada;
- Data stored on smart phones be encrypted;
- PIN-to-PIN messaging be used in accordance with guidelines issued by Communications Security Establishment Canada;
- Institutions adopt documented procedures to deal with the loss or theft of wireless devices;
- All excess wireless devices be stored in secure locations; and
- Control mechanisms be put into place to ensure that data stored on surplus wireless devices are deleted is purged prior to disposal.
A summary of the audit is included in our 2009-2010 Privacy Act annual report.
Audit of the Crown's excess asset disposal practices
Our latest annual report on the Privacy Act also includes a summary of a second audit completed this year concerning privacy protections surrounding the disposal of digital equipment and outdated hard-copy documents.
Most of the federal government's outdated computers are reconditioned and distributed to schools or Aboriginal communities through a program managed by Industry Canada.
We were interested in learning whether the hard drives of donated computers were wiped clean or whether they still contained potentially sensitive personal information.
Outdated hard-copy documents are usually shredded by private contractors under the supervision of Library and Archives Canada.
During our audit of practices related to the disposal of certain federal agencies' surplus assets, we not only discovered potential data breaches; we found real ones.
We examined a sample of almost 1,100 computers donated to the Computers for Schools Program. The hard drives of more than 1 out of every 4 computers contained residual data. Only 3 of the 31 institutions in our sample (or 10% of agencies subject to the audit) had not donated computers that still contained information.
A forensic analysis of a sub-sample of those hard drives revealed that they contained very sensitive data, particularly highly personal information, documents protected by solicitor-client privilege and even classified material.
The data remaining on the devices was so sensitive that we immediately returned the hard drives to their original departments to have them correctly disposed of — as should have been done at the outset in accordance with Treasury Board policy.
Our 1994-1995 annual report stated that 95% of computers sent out for disposal still contained data. Fifteen years later, that rate is 42%. Far more progress needs to be made, and fast.
At the end of our audit, we issued the following recommendations to Library and Archives Canada, who is responsible for the destruction of hard-copy documents on behalf of several other federal institutions:
- Ensure that the terms and conditions in off-site destructions contracts are consistent with Library and Archives Canada's own Security Standard.
- Implement a protocol for monitoring off-site destruction companies.
- Ensure that off-site destruction contracts include a requirement that the service provider issue a certificate of destruction.
As for the other part of the audit of federal government practices related to the disposal of surplus assets, we made the following recommendations to Industry Canada, which is responsible for the Computers for Schools Program:
- Ensure that all security weaknesses identified in the audit are analyzed and addressed in a timely manner.
- Work with the Treasury Board Secretariat to request that federal departments and agencies provide a signed declaration to the Computers for Schools Program certifying that donated surplus computers and related assets have been cleansed of information.
Our third strategic priority is in the emerging arena of genetic technologies.
Until now, we have been preoccupied with safeguarding relatively prosaic bits of personal information, such as names, addresses, phone numbers and credit card numbers.
Imagine the value of personal information derived from an individual’s genetic code, which really is the ultimate identifier.
Genetic information can be used for many wonderful and amazing purposes. But it can also be used in ways that intrude on our dignity and sense of self.
Moreover, it is difficult to exercise control over things we do not understand and, at the end of the known universe of science, genetic technologies challenge our capacity to grasp their full implications. Science is evolving faster than its legislative and ethical frameworks.
Control over our own genetic material is also complicated by other factors. How, for example, can we give meaningful consent for the use of a tissue sample, when it can be stored for decades and used for purposes we cannot even dream of today?
In this regard, our minds are focused on three main questions:
- In the area of medical research, how do we ensure meaningful consent in the context of such complex, scientific issues as genetics and how can that consent be meaningful in relation to yet unknown possible uses?
- In the area of medical research and criminal justice, how do we reconcile the individual right to privacy against the collective right to establish a DNA data bank?
- How can the information be kept secure in the context of centralized data banks or cross-border data sharing?
To illustrate this strategic issue, I will address the National DNA Data Bank, which is managed by the Royal Canadian Mounted Police. We sit as a member of the National DNA Data Bank Advisory Committee.
National DNA Data Bank
Parliament first enacted the forensic DNA provisions in Canada’s Criminal Code close to 12 years ago. The goal of the legislation was to facilitate obtaining genetic samples from individuals suspected of having committed one of a clearly defined range of offences under the DNA Identification Act.
The Act created a national DNA data bank and authorized the collection and storage, for DNA analysis, of biological samples from anyone convicted of an offence under this Act.
Privacy protection and public safety objectives are incorporated into the data bank through a governance structure that ensures restricted access to data and a strict mechanism to control access and data use. In particular, personal data, i.e. DNA, and crime-scene evidence are kept in two separate files, specifically, the offender's file and the crime scene index.
- Genetic data is dissociated from personal identity and is only linked through a bar code.
- Physical access to the data bank and personal data is strictly controlled.
- The data bank is managed independently of police forces.
- In addition, DNA samples are collected only in the event of a conviction.
The RCMP retains the data bank, and it is used to help law enforcement agencies in investigating serious crimes by comparing the database of samples linked to known offenders with samples found at crime scenes.
The operation of the data bank is monitored by the National DNA Data Bank Advisory Committee. I represent the OPC on that Committee, which also includes representatives of the police, legal, scientific and academic communities. The Committee is a forum for discussing policy and operational issues.
The National DNA data bank managers have gone to great lengths to remove the personal identifiers from the DNA sample so that only authorized personnel would have access to the information to conduct criminal investigations.
The Office of the Privacy Commissioner did not oppose establishing this limited warrant scheme to allow DNA to be obtained from those suspected of serious violence where DNA had been found at the crime scene. Nor did we oppose creating a DNA data bank of samples taken from those convicted of serious offences involving violence.
We have argued for clear controls and conditions for collecting DNA samples from suspects to help determine their culpability. We also advocated for clear rules and limits on the taking of DNA from convicted offenders. In large part, our concerns were met in both the 1995 and 2000 legislation.
We are concerned about the apparent shift in focus of DNA legislation. Both the original 1995 law that allowed samples to be taken from certain suspects and the later amendments that established the DNA data bank show that the central focus of these provisions was serious offences involving violence. If the offence was not of this nature, there would generally be no power to compel the production of a DNA sample from a suspect, and no power to include a convicted offender’s DNA in a criminal database.
However, since the DNA Identification Act was passed, we have seen the scope of the DNA scheme expanded and a fundamental shift away from the original rationale of the data bank. We now see the data bank being populated by the DNA of offenders who have committed a wide range of offences that are not necessarily violent or sexual in nature.
The OPC views this as a fundamental shift away from the original rationale of the data bank, which was intended to apply only to designated offences, including violent and sexual offences that might involve leaving DNA at a crime scene.
While the taking of a DNA sample via a swab of oral fluid or buccal cells may appear to be a relatively minor intrusion in a physical sense, the information that may be generated from DNA is vastly greater than that available from any other biological source.
One major assumption underlying DNA databases is that the DNA of the population from whom the samples were taken is sufficiently homogeneous that differences in a given strand of DNA may be interpreted as statistically significant.
The scientific exploration of human beings is far from complete. The human genome was sequenced in its entirety in 2003, and scientists have a relatively good understanding of the technical composition of DNA. Less is known, however, about the human genome’s highly complex structure and functions.
DNA data extracted from a biological sample can provide insights into an individual’s familial connections, ethnicity, ancestry, physical attributes, genetic mutations and medical predispositions.
DNA data represents the intersection of both physical privacy and informational privacy interests.
We believe that, in principle, the number of offences for which DNA samples can be taken and included in the data bank should be kept to a minimum, and that the identification of offences for which such measures are to be allowed must be based on a clearly articulated and demonstrably justifiable rationale.
We are concerned about familial searching which may produce false positives — samples that look like they might be relatives but are not — as well as false negatives — close blood relatives whose DNA profiles do not suggest kinship.
Our Office questions whether the National DNA Data Bank should be able to disclose the identity of a convicted offender when it has concluded that the crime scene index data comes from a close relative of a person in the convicted offender index.
Our Office supports the continued sound management and built-in safeguards against misuse of the National DNA data bank.
These include separating genetic and personal data, prohibiting unauthorized persons from entering the data bank and penalizing those who attempt to do so. We support the prohibition against using samples for research, and are of the view that use of the data bank should continue to be restricted to forensic identification purposes.
Our fourth priority focuses on the protection of identity integrity. By this, I am referring to people’s right to control the personal information that defines them to the rest of the world.
The fact is that, even if you never post a single word or image on the Internet, you still leave an electronic footprint. Today, with surveillance cameras, smart phones and global positioning systems, you create a rich trail of data about your movements, behaviours and preferences.
Each kernel of data taken in isolation may reveal little. But collated, cross-referenced and analyzed, all the pieces can yield an extremely detailed profile. Taken together, this can become your identity.
Managing your identity is a challenge, especially when you do not really control how it was created, how it is used or how it is shared with others.
And it can be used for good or ill.
You might, for example, enjoy VIP treatment at a shop you visit often. Or you could find yourself bombarded by irritating ads and wonder what happened to your privacy.
Facebook's personal information management practices
The Privacy Commissioner of Canada announced a few weeks ago that we have finished reviewing the changes that Facebook implemented as a result of our highly publicized investigation of the social networking site and concluded that the issues raised in the complaint have been resolved to our satisfaction.
The Commissioner said that the changes Facebook put in place in response to concerns we raised as part of our investigation last year were reasonable and meet the expectations set out under Canadian privacy law.
The investigation has resulted in many significant changes. Facebook has put in place measures to limit the sharing of personal information to third-party application developers. Moreover, the company is now providing users with clear information about its privacy practices.
A major concern during our investigation was that third-party developers of games and other applications on the site had virtually unrestricted access to Facebook users’ personal information.
Facebook has since rolled out a permissions model that is a vast improvement. Applications must now inform users of the categories of data they require to run and seek consent to access and use this data.
Technical controls ensure that applications can only access user information that they specifically request.
We were also pleased that Facebook has developed simplified privacy settings and has implemented a tool that allows users to apply a privacy setting to each photo or comment they post.
It has been a long road in arriving to this point. These changes were the result of extensive and often intense discussions with Facebook.
Our follow-up work was complicated by the fact that we were dealing with a site that was continually changing.
Overall, Facebook implemented the changes it promised following our investigation.
The issues related to the investigation — and, to be clear, I am only speaking about those issues rather than the site as a whole — have been resolved to our satisfaction.
Ultimately, Facebook has made several privacy improvements that will benefit users around the globe. I believe we have also demonstrated that privacy protection does not stand in the way of innovation.
However, our work with Facebook is not over.
While we are satisfied that the changes address the concerns raised during our investigation, there is still room for improvement in some areas.
We have asked Facebook to continue to improve its oversight of application developers and to better educate them about their privacy responsibilities.
We have also cautioned Facebook against expanding the categories of user information made available to everyone on the Internet — and over which users cannot control through privacy settings.
As well, we had recommended that Facebook make its default settings for photo albums more restrictive than “everyone on the Internet” — though this concern has been mitigated to a large extent by Facebook’s per-object privacy tool.
Facebook is constantly evolving and we are actively following the changes there — as well as on other social networking sites. We will take action if we feel there are potential new violations of Canadian privacy law.
As well, we have received several further complaints about issues that were not part of our first investigation and we are now examining those. The new complaints deal with Facebook’s invitation feature and Facebook “Like” buttons on other websites.
Finally, Facebook users also have a responsibility here. They need to inform themselves about how their personal information is going to be used and shared.
Our investigation has led to more privacy information and improved privacy tools, and Facebook users should take advantage of those changes.
This is how the new rules of the game are reflected in the work and strategic priorities of the Office of the Privacy Commissioner.
You will have noticed that, generally speaking, these priorities go beyond the understanding of the average person. Who among us can truthfully claim to have in-depth knowledge of public safety and national security, technological advances, DNA or of the social impact of virtual identities?
Today, the line between public life and private life is blurred, borders between countries are disappearing and personal information is a commodity.
The work of those in the business of protecting information is all the more important.
I hope to have shown you how the Office of the Privacy Commissioner is taking on that task, and I hope that this symposium provides you with an opportunity for fruitful discussions and exchanges that will complement your work. I will now be pleased to answer any questions you may have.
- Date modified: