New Platforms, New Safeguards: Protecting Privacy in Cyberspace
Remarks to the Centre for National Security organized by the Conference Board of Canada
February 23, 2011
Assistant Privacy Commissioner of Canada
(Check against delivery)
I welcome the opportunity to be part of this panel on cybersecurity. I would like to address the issue of cybersecurity as it relates specifically to privacy.
The relationship between privacy and security is a two-sided coin. In some instances, cybersecurity—like any security measure—can be a threat to privacy. We have addressed this dynamic, for example, in our representations to Parliament regarding lawful access legislation. We have also drafted a guidance document on integrating privacy considerations into security measures. This document, entitled A Matter of Trust, is being distributed to you through the conference organizers.
But the other side of the coin is that cybersecurity—those measures brought forward both by government and by the private sector to protect the information infrastructure and the data it contains—is a means of ensuring privacy.
The privacy perspective I am taking today is quite simple: As personal information increasingly resides in cyberspace, privacy protection increasingly relies on cybersecurity.
That says it all. But since I have been granted a few more minutes to speak, let me give you concrete examples of how the OPC has been addressing cybersecurity challenges so far. I have chosen my examples to illustrate the range of activities performed by the OPC to protect privacy in the private and public sectors, namely investigations, audits, advice to Parliament, and public education.
As to the intrusion into federal government networks uncovered last week, we have been told informally that no personal information had been compromised, but we are keeping an eye on the issue.
One of the ways in which the OPC fulfils its mandate is by performing audits of public or private organizations when we have reason to believe there are systemic issues affecting the right to privacy. Wireless represents an area of significant vulnerability, if only because wireless networks and devices are used to process and transmit significant amounts of personal information.
Because the government collects and holds some exceptionally sensitive information about Canadians, and because public servants are increasingly taking advantage of wireless devices and networks to be more efficient in delivering services to Canadians, the OPC has recently performed an audit of wireless technology in selected federal departments and agencies. Among the criteria we used to conduct the audit were the guidance and advice provided by Communications Security Establishment Canada, or CSE.
We found that none of the organizations we audited had fully assessed the threats and risks inherent in the use of wireless technologies. In the absence of such analyses, there is no assurance that all material risks have been identified and appropriately mitigated.
We also found that encryption levels on Wi-Fi networks varied among the four audited departments that had such networks in place: only three of the four were using security encryption that met the level recommended by CSE.
As for smartphones, only three of the five departments required strong password protection, and none of them required the data held on smartphones to be encrypted. Four of the five lacked documented procedures to mitigate the risk of a data exposure resulting from a lost or stolen wireless device, and four of the five did not educate users on the privacy risks associated with wireless devices or how to use them in a manner that respects privacy.
We also found that policies surrounding the use of PIN-to-PIN messaging were lacking—and according to a Canadian Press item issued over the weekend, some government officials are still using PIN-to-PIN to transmit information that should be secure, contrary to the CSE’s recommendations.
The government is using our audit report to bring the necessary improvements to IT security.
Recent public sector investigations
The recent security breach at the federal government was quite spectacular, but the truth is, we investigate a number of incidents every year.
For example, in September 2008, an Agriculture and Agri-Food Canada system administrator discovered that an external party had hacked into two Linux servers and installed modified e-mailing software. The evidence trail pointed to a “script kiddie”—an amateur who uses readily available malicious software to attack computer systems and networks, usually for sport.
Though quite simple from a technical standpoint, the breach nevertheless threatened approximately 60,000 personal data records of farmers who were recipients of a federal loan guarantee program.
In October 2009, a call from a newspaper reporter alerted the Office of the Ombudsman for Canada Post that a programming flaw had enabled an unauthorized third party to gain access to personal information submitted through the ombudsman’s online complaint system. The data accessed included names, addresses, e-mail addresses and phone numbers of complainants, as well as details of their complaints.
In September 2010, Service Canada suffered a data breach upon the launch of the new Access Key technology. Service Canada was the first to field test the new Access Key system, and there was a glitch. The website malfunctioned and as a result, the personal information of Canadians was publicly displayed.
And of course, every year, several federal departments and agencies report the theft and loss of laptops, smartphones and portable storage devices that contain the personal information of Canadians. In any such incidents, our Office advises institutions to remind all employees of the importance of protecting the personal information of Canadians. If a laptop must be taken home, for instance, it should not be left in the car or other places where it can easily be stolen. Data, moreover, should always be properly encrypted.
In the event of a breach, federal government institutions have an obligation to notify all affected individuals. They should be counselled on protecting themselves against identity theft, and advised of their right to file a complaint under the Privacy Act. Federal institutions also have an obligation to inform the OPC of privacy breaches as soon as possible—Treasury Board guidelines specify that this should be within days of the breach. When an institution informs us of a breach, we review the information provided about the breach itself, but also about the remedial action taken or planned. We provide advice to the organization, and may launch an audit or an investigation if the situation calls for it.
Mandatory breach notification in the federally-regulated private sector is one of the amendments to PIPEDA that are presently being considered by Parliament in Bill C‑29—it goes without saying that we are emphatically supporting this proposal.
To underscore the relevance of cybersecurity in the context of privacy breaches: we commissioned Nymity to perform an analysis of the private sector breaches that were reported to us in 2008. The resulting report found that inadequate or absent security systems were at issue in 46% of the cases.
Recent private-sector investigations
Google Wi-Fi: Inadvertent collection on unsecure networks
The inadequate or absent security systems that were at fault in our recent investigation into Google’s collection of data over Wi-Fi networks weren’t the organizations’, but the victims’.
You may have heard about the investigation we conducted after the Commissioner initiated three complaints against Google, after we were made aware that Street View cars had been collecting payload data from unencrypted Wi-Fi networks during their collection of publicly broadcast Wi-Fi signals.
The personal information collected included complete e-mails, e-mail addresses, usernames and passwords, names, and residential telephone numbers and addresses. Some of the information captured was very sensitive, such as a list that provided the names of people suffering from certain medical conditions, along with their telephone numbers and addresses.
Google collected the personal information because of a particular code integrated into the software used to collect Wi-Fi signals. The code was developed in 2006 by a Google engineer who was taking advantage of Google’s policy of allowing its engineers to use 20 per cent of their time to work on projects of interest to them. He developed the code to sample all categories of publicly broadcast Wi-Fi data and included lines that allowed for the collection of “payload data,” which refers to the content of the communications.
The code wound up being used in the Google Street View cars when the company decided to collect information about location of publicly broadcast Wi-Fi signals in order to feed this information into its location-based services database.
When the decision to use the code was taken, the engineer who created it did identify “superficial privacy implications.” Those implications were never assessed by other Google officials because the engineer failed to forward his code design documents to the Google lawyer responsible for reviewing the legal implications of the Wi-Fi project—contrary to company policy.
But this was a policy not accompanied by commensurate controls for compliance. We have made specific recommendations to Google to strengthen their governance around privacy assessments and safeguards. They have implemented most of them and we are still analyzing whether they meet privacy standards in Canada.
TJX: The Perfect Storm
Foremost in many people’s minds when they meet someone from the OPC are some of our more recent, highly publicised dealings with online giants such as Google and Facebook. But a major turning point for us was the investigation into the data breach that occurred at TJX, a bricks-and-mortar retailer.
In January 2007, TJX and Visa notified the OPC and the Alberta Commissioner that TJX had suffered a network intrusion affecting the personal information of an estimated 45 million payment cards in Canada, the US, Puerto Rico, the UK and Ireland.
It appears the hackers gained entry to the TJX system by “wardriving” outside a Marshall’s department store in the US and, using a telescoping wireless antenna, were able to break into parent company TJX’s database and gain access to payment information. Customer information was stolen for over a year and a half before TJX finally learned suspicious software had been detected on a portion of its computer system.
The TJX case demonstrated how several elements converged into a perfect storm:
- The company lacked an end-to-end approach to data security.
- It had been collecting more personal information than it needed, and keeping it longer than was warranted.
- The encryption of that personal information was lacking.
- Thieves gained access to personal information through a wireless network that wasn’t adequately secured.
And as a result, TJX incurred one of the largest data breaches in history.
Another interesting point that can be made regarding the TJX incident is this: The hackers who gained access to the retail giant’s network weren’t trying to show off their mad coding skills; they weren’t doing this for bragging rights. They were after individual consumers’ information. Crime follows commerce, no matter what the technology or platform.
As Willie Sutton allegedly said, “Why do I rob banks? Because that’s where the money is.” Well today, the access codes to people’s money are literally flowing through your networks, so that’s where the bad guys are looking. Hacking is becoming very targeted, as the link has now been established from the piece of malicious code all the way to the bank account.
And this is where the connection between privacy and security is most obvious. When we are protecting cyberspace—the information that resides in it and the infrastructure on which it rests—we are protecting people’s personal information. Violating people’s privacy in the interest of ensuring cybersecurity would defeat the very purpose of cybersecurity. That is why the OPC has for years stressed themes on cybersecurity, information security standards and data protection models in its public education products.
We were pleased to see the launch of Canada’s Cyber Security Strategy last October. For the past several years, our Office has recommended a coordinated strategy on cybersecurity, along with a call for anti-spam legislation, a national effort on identity theft and mandatory breach notification requirements.
In regard to anti-spam, the legislation (C-28) not only gave us a framework to address a cybersecurity threat, spam; it also gave the OPC the right to cooperate with other regulators.
It should be noted that when we elected to write a joint letter to Google with nine of our international counterparts to express concern over Google Buzz, it was in part because a letter was an immediate and widely visible action—but it was also because until the coming into force of the anti-spam act, we are extremely limited in our ability to cooperate with foreign governments.
Now, we will be able to tackle the challenges of protecting privacy in cyberspace based on the reality of cyberspace: it cannot be contained within territorial frontiers or organizational jurisdictions. Consequently, cooperation is essential to address the transborder and cross-organizational challenges of cybersecurity.
With respect to the Cyber Security Strategy, our focus is to support the Strategy in its third pillar: public education. The cyberspying incident unveiled last week at the Department of Finance, Defence Research and Development, and the Treasury Board Secretariat illustrates, I believe, the importance of that third pillar: helping Canadians keep safe in cyberspace.
The spear-phishing attack was, to quote the breaking CBC news story, “deadly in its simplicity” and “dreadfully effective”: all it took was for one person to open an email attachment. That is why the OPC has focussed on user empowerment, through public education, so intently: information campaigns, outreach activities with schools and private companies, a video contest, awareness-raising events such as the holiday message (this year on the vulnerability of apps), Data Privacy Day, and so on.
The third pillar of Canada’s Cyber Strategy—Helping Canadians To Be Secure Online—speaks to our long-standing and ongoing commitment to public education and outreach. As such, we are looking forward to supporting the Strategy through our ongoing efforts.