Security & Privacy: Guarding Information in a Transparent World
This page has been archived on the Web
Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.
Remarks at the 2011 Canadian Telecom Summit
Building the Foundation for a Digital Economy
June 1, 2011
Address by Jennifer Stoddart
Privacy Commissioner of Canada
(Check against delivery)
I am delighted to note that you have dedicated a good chunk of this afternoon’s program to privacy issues. This gives me confidence that your industry is thinking seriously about your privacy obligations as you develop products and services for the digital economy.
As the opening speaker on this panel, permit me to start by taking you for a nostalgic stroll back in time…
There was a time, not long ago, when phoning meant using party lines that were shared with neighbours down the road. Before that, it took a switchboard operator at the phone company’s central office to connect a call.
Phoning, in other words, carried with it the risk of being overheard.
But it was a known risk; one that was understood. If you had something private to tell someone, best to bypass the heavy-breathing eavesdropper on that newfangled technology, and say it in person.
Today, our technology is 1,000 times more “newfangled,” but the risk to our personal information has not lessened.
If anything, it’s worse.
For one thing, most Canadians don’t grasp the scope or magnitude of the risk. How can they? The technologies are so complex, and changing all the time. Platforms converge; corporate players merge.
This new communications era is clearly driven by consumer demand. People want to upload and download data, stream videos, play online games, get services, shop, meet their romantic partners – and generally live their virtual lives in real time.
In the process, they generate a deluge of data, a veritable gold mine of information about their likes and dislikes, their activities and their intentions.
For the ordinary consumer, so much of this unfolds behind the screen. It’s difficult – if not impossible – for them to know about, to understand, or to give meaningful consent to the collection, use or disclosure of their personal information.
And that personal data is highly prized by all kinds of entities: Businesses that want to tailor their advertising and lure new customers. Law enforcement agencies that want to spot suspicious activity. Fraudsters hunting for the easy mark.
Such unimaginably vast and ever-growing quantities of data flowing through Canada’s telecoms networks pose a number of challenges. Many of those challenges come with a distinct privacy angle.
For example, there’s the issue of traffic management. You’re under competitive pressure to offer your customers top-notch service, even – and especially – at times of peak demand.
This drives the development of economic solutions, such as usage-based billing, and technical solutions such as deep packet inspection.
Both techniques involve the collection of personal information of Internet users.
From our perspective, DPI technology raises privacy concerns because it can involve the inspection of information sent from one end user to another. By offering the capability of peering into the content of messages sent over the Internet, DPI enables third parties to draw inferences about users’ personal lives, interests, purchasing habits and other activities.
The transition to IPv6 poses another technological challenge with a distinct privacy angle.
As you know, the escalating number of devices being connected to the Internet demands the adoption of a new addressing standard so that the Internet doesn’t run short of unique IP addresses.
IPv6 aims to address this problem. But it raises a new one from our perspective because it means that devices – whether computers, routers or smart phones – will each have unique addresses.
And that means they can be tracked much more easily, which raises concerns about people’s rights to function in anonymity.
Another serious risk arises from the massive amounts of personal data that come into your hands.
For you it’s a security concern: You know you have to safeguard the data, as a way to preserve consumer trust in your brand. As Sony will attest, a serious data breach can do significant damage to an enterprise’s competitive position.
But data security is just the flipside of the privacy coin, and it’s reinforced by the privacy law:
The Personal Information Protection and Electronic Document Act holds you accountable for – among other things – minimizing the collection of personal information, using it only for identified purposes, and keeping it safe and secure.
We realize that’s a tough job. So last month, my Office, along with our counterparts in Alberta and B.C., launched a new online tool to help businesses better safeguard the personal information of customers and employees. You can find this detailed questionnaire and analysis tool on our website.
Another risk stems from the increasing popularity of wireless technology. As we discovered in a recent consumer survey, three-quarters of Canadians own at least one mobile communications device, and all indications are that this segment of the market will only continue to grow.
But, as our poll revealed, only four in 10 people with mobile phones or tablets actually use password locks or adjust their settings to limit the sharing of personal information stored on the devices.
And it’s not just citizens. In a privacy audit last fall, we looked into the use of wireless networks and devices by federal government officials – many with access to some very sensitive data about Canadians. That audit turned up disturbing risks there as well – inadequate password protocols and data encryption, and improper procedures for lost and stolen devices, to name just a few.
Another big challenge you face emerges from lawful access legislation that the government is set to reintroduce.
If it’s anything like previous iterations, it will require you to respond to the demands of police and security agencies for electronic communications carried over your networks. That means you need to build and maintain the appropriate infrastructure and capability to preserve and turn over communications that may have passed through your systems long before.
From my perspective, the privacy implications are huge and troubling. With so much data, most of it without context, there is an infinite number of ways in which errors can be made and people wrongly investigated or accused.
In concert with my provincial and territorial counterparts, I have raised the alarm on numerous occasions. While we understand the legitimate needs of law enforcement and national security agencies, we have significant reservations about the proposed legislative response.
In our view, the powers the legislation would extend are too broad, the internal and external controls too few. What’s more, the government has never given Canadians proof that security officials are currently hampered in the performance of their duties as a result of shortcomings in the existing law.
So those are some of the issues that are surely preoccupying you, just as they are me. Not one of them is easy or straightforward, and we can expect they’ll only become more complex with time.
But, for all the complexity, we must never neglect a vital social good. And that is the right of Canadians – as consumers and as citizens – to privacy.
And I want to underline that, while we all play a role in safeguarding that right, the job has to start with you, in industry.
You need to build privacy and data security into every one of your products and services. When in doubt, make it the default.
It’s not about impeding innovation or adding cost; it’s about reinforcing customer trust.
The fact is that personal information has become an important currency in today’s economy. People are prepared to trade a certain amount of information for the products and services they want.
But the exchange has to be measured and it has to be fair.
It also needs to be a whole lot more transparent, so that consumers understand what they’re giving up, and can consent to it in a meaningful way.
With all the newfangled gizmos people are using today, they ought to have at least as much privacy as they did when they shared a party line with Ernie and Mabel down the lane.
- Date modified: