New Frontiers in Privacy Protection
Remarks at the 2011 Privacy and Information Security Congress
November 29, 2011
Address by Chantal Bernier
Assistant Privacy Commissioner of Canada
(Check against delivery)
In these two days of Reboot Conference, various corners of a new privacy and technology universe are being explored.
What I would like to do this morning is highlight the issues of foremost importance to the OPC in this new universe and share with you our approach and strategies in relation to each.
There is no question that privacy professionals see their relevance reflected in the hottest news stories every day: the Arab Spring opened a new window on the political potential of social media and, with it, the privacy risks of exposing demonstrators and victims of police crackdown; the Vancouver Stanley Cup riots and the London riots brought us face to face with a new phenomenon: citizens as disseminators of personal information and the use of that information by law enforcement; and as criminality moves to the Internet, law enforcement authorities seek access to Internet communications, where we have developed unique privacy expectations.
Today, I would like to reflect on the Internet as a game changer in the informational social contract, meaning, in what we, as a society, have established as being private or being public.
I will address how this new reality—social media, Internet and mass dissemination—is opening the door to a new wave of opportunities for law enforcement authorities and technology-based commercial enterprises, how these opportunities are creating a new frontier for privacy protection and how the OPC is positioning itself to protect privacy in this new context.
My observations today will focus on the main elements of this new information ecosystem, in turn:
- First, I would like to remind us of the ancient, human-nature reflex of reputation management and information sharing, which will not change, but which takes on a new dimension on the Internet.
- Second, I will touch on the weapon of mass dissemination in your shirt pocket—the mobile device which seems to have a life of its own.
- Third, I will discuss what this new ecosystem represents for private-sector entities, for law enforcement, as well as for democracy and privacy protection.
- Finally, I will describe the OPC’s work and approaches in the face of these challenges.
As I am a huge fan of Daniel Solove and since he opened this conference, I will refer in my remarks to his seminal work The Future of Reputation and his latest book Nothing to Hide as he isolates so clearly the considerations at hand and describes so eloquently the challenges before us.
Reputation management through information sharing: It’s in our nature
So my first objective is to remind us of the fundamental, inescapable and immutable need to protect our privacy as a means to protect our place in society. In The Future of Reputation, Daniel Solove reminds us that at a very basic level, long before credit scores and police records, our ability to live among others depends on our reputation.
This explains why we are so keen on talking about ourselves, on controlling our own spin. We are concerned with feeding positive elements into our reputation.
That reputation can make the difference in our professional progression and therefore in our livelihood and social influence; our personal information can be key to our financial integrity and even to our personal integrity; in some cases, our personal information can be a matter of personal safety.
Therefore, it is no wonder that humans are so keen to show themselves on social media: it’s the most powerful reputation management tool in the history of humanity.
It is also no wonder that they are so concerned about the risks and safeguards.
Just look at the OPC’s latest public-opinion survey and our latest media analysis:
- In August of this year, our public survey showed that 65% of Canadians consider that privacy protection is one of the most pressing issues facing Canada in the next ten years;
- Our latest media analysis showed, in only one month, 117 articles on information technology, 90 on privacy in the context of national security and law enforcement, 66 on data breaches, and 361 on various aspects of privacy, from surveillance to Google, Facebook and cybersecurity. And that was before we tabled our Annual Report.
This interest comes from a shared concern with the acceleration and breadth of dissemination of personal information without a clear technological and normative framework around it.
For instance, a staggering number of crimes are being solved because the perpetrators have essentially confessed to them on Twitter and Facebook—never envisaging that their communications could be made public.
And then crimes are unwittingly perpetrated on the Internet—as Paul Chambers discovered in the UK when he was convicted and fined for “sending a menacing communication” when he tweeted that if the Doncaster Sheffield airport didn’t reopen within a week, he would “blow it up sky high”. It was a joke; he never meant any harm.
Others become caught in the storm and can never seem to live it down. In The Future of Reputation, Solove mentioned the cases of Star Wars Guy, the young man from Quebec whose Jedi routine became viral, and Dog Poop Girl, the young woman from South Korea who failed to clean up after her canine companion in the middle of a subway car and couldn’t live it down.
During the Vancouver Stanley Cup riots, they were joined in the Internet Hall of Shame by a young polo player who was quickly identified by the mob after he set fire to a police cruiser.
Whether their actions were merely embarrassing, socially unacceptable or criminal, these young people—and countless others—are never going to live down their 15 minutes of fame. Thanks to the Internet, our bad deeds are up there forever.
And thanks to increasingly powerful search engines, they will never be drowned out by the constant influx of new data. Rather, they can be called up at any time for the rest of eternity.
In other words, the informational social contract, or what, as a society, we have agreed to respect as private or treat as public, is turned upside down by a new technology that feeds our old thirst for information at the expense of our (just as deeply rooted) need for privacy. Therefore, reputation management is long-standing and engrained, but there are new risks to reputation that currently escape our control.
The weapon of mass dissemination in your shirt pocket
But there is more. The social media itself was only the beginning. Let me move to the weapons of mass dissemination.
Not so long ago, we were only connected when we happened to be tethered to a desktop with wireline access to the Internet. Now, everyone in this room is carrying a wireless device with storage capability and processing power that eclipses that of their first desktop computer, multiple data capture mechanisms—and always-on connectivity.
Everybody has more cameras now: police, businesses and citizens.
Social media may not shape reality—after all, there were Stanley Cup riots in Vancouver in 1994, too. But in the 2011 riots, social media did more than document the unrest—it was part of it, amplified it, organized it.
The new frontier in this instance is citizen-on-citizen surveillance.
Our Office does not have jurisdiction over citizens: the Privacy Act only applies to federal public institutions—250 of them, mind you—but not to citizens. The Protection of Personal Information and Electronic Documents Act only applies to commercial activities—posting a picture of a riot on the Internet does not qualify.
Therefore, as the law does not quite cover new realities, lawyers try to adapt it in different ways; for example, a judge in Italy condemned three Google executives in criminal court for the posting, by mere citizens of course, of a demeaning video of a disabled boy. Google had brought the video down when it became aware of it, but there was no way for the executives to have acted sooner, and the decision is controversial.
Still, it shows the challenge of applying an old normative framework around protecting privacy to new technology: who is responsible for information on the net?
To begin addressing this new privacy challenge, the OPC has commissioned two discussion papers, one by Jesse Hirsh and one by Kent Glowinski, which will be posted on our website, to explore the new privacy frontier of citizen journalism.
Yet, while citizens have a role, the Internet giants are not immune from responsibility. For example, in our Facebook investigation of 2009, we called upon Facebook to remind users of the need to seek consent from the non-users whose pictures they were posting.
That in itself, however, has its pitfalls: our German counterpart is currently at odds with Facebook on a facial recognition feature that allows Facebook to recognize a person on a picture posted on the site in order to alert them of the posting. The issue there is whether Facebook can keep the biometric information necessary to the facial recognition feature, even though it was collected without explicit consent.
The feature is not offered in Canada, and Facebook is still fighting, so to speak, the German data protection authority on this; still, it does point to yet another frontier in protecting privacy in a new technological and normative context.
And yet the pressure is on to always renegotiate that frontier. Which brings me to my third point: a new commercial environment for privacy.
What’s in it for businesses
You can’t fault businesses for trying to make money. Yes, industry giants are in it for themselves, and industries generally succeed by giving people what they want.
Just look at the UK, to Justice Leveson’s public inquiry into the News of the World privacy violations in the phone-hacking scandal: someone was buying these tabloids.
Industry is banking on our visceral need to control our own reputation, while we keep tabs on each other’s. And social media used on a portable wireless device happens to be the most powerful tool at our disposal to satisfy this need.
Therefore, it makes perfect sense for businesses to present their customers with a cornucopia of networks and apps that make the most of the data capture and dissemination powerhouses that most individuals carry around with them everywhere.
In doing so, businesses that provide consumers with apps, Internet access, wireless, search, cloud computing services, and countless others, have access to a growing mass of information about us.
It is not surprising then that law enforcement authorities are increasingly enlisting private organizations in their surveillance functions.
It explains why the federal government is once more considering legislation to provide law enforcement authorities with access to Internet communications. Even at the state level, the terms of communication are being redefined, and the definitions of private and public are being challenged.
This leads me to my fourth point, the new frontier for law enforcement.
What’s in it for law enforcement
Indeed, the power of social media on portable devices is a goldmine for law enforcement activities.
Just as you can’t fault businesses for trying to make money, you certainly can’t fault the police for finding better ways to catch criminals.
The 2011 Stanley Cup riots in Vancouver are once again a good example of what we are talking about. You will remember that some rioters were caught because others had used their smartphone cameras to record the unrest and post it in real time on the Web. Emerging facial recognition software was also used to match photographic evidence submitted by individuals with insurance records provided by the private sector. The swift arrests in the UK based on Facebook exchanges left as many horrified as others satisfied.
And as futuristic as it seemed, this is likely the tip of the iceberg. At the latest Black Hat convention in Las Vegas, Carnegie Mellon researchers demonstrated how facial recognition can be used to link online and offline identities—add geolocation to the mix and you come up with the ultimate panopticon.
However, it should be noted that citizens’ use of their smartphones cuts both ways: social media has played an important role in exonerating the vast majority of the 1,100 people arrested during the G20 summit last year in Toronto. It was also instrumental in holding some police officers accountable for their actions.
At the heart of all these new dilemmas is my last stop on this tour of the new ecosystem of technology, social media and society: privacy and democracy.
The fundamental values of privacy and democracy in this new ecosystem
As long as we have perfected democratic principles, we have recognized that privacy and free speech are both definitional elements of democracy, and that they are reconciled through the concepts of “public interest” and “the need to know”. Daniel Solove reminds us that democratic interests are best protected when free speech is not protected at all costs.
And yet, established principles of privacy and public interest, such as the open court principle, procedural fairness, or the protection of young offenders, witnesses and victims, are challenged in a networked society. For example, in the case of the polo player who set fire to the squad car in Vancouver, who was identified by name in new and traditional media, we saw that the protection offered to young offenders is being threatened, as is the notion of innocence until proven guilty—the young polo player was only 17.
The OPC’s game plan
In order to protect the fundamental value of privacy in this new context, where seemingly every aspect of society and individuality is being re-examined, we see four main courses of action:
- Promoting enlightened digital citizenship
- Oversight of law enforcement
- Fostering compliance among the private sector
- Informing and ensuring a public debate.
I will conclude by describing our activities with regard to this approach.
1. Promoting enlightened digital citizenship
- We currently have several initiatives targeted at youth, which our 2011 public-opinion survey identified as the group least likely to indicate they are doing a good job protecting their information online. Among these initiatives are a Youth Presentation Package (“teach the teacher”) and our 4th annual national youth video contest; we are also developing a privacy-themed graphic novel aimed at tweens and younger teenagers. Information about all these initiatives is available on our youthprivacy.ca website.
- In the last year, we have produced and disseminated fact sheets on topics including online behavioural advertising, online privacy threats, the ins and outs of cloud computing and the potential privacy risks of spam.
2. Oversight of law enforcement
- The main activities by which we oversee the privacy practices of federal organizations that oversee public safety are our review of Treasury Board mandated Privacy Impact Assessments and the comments we provide to Parliament on proposed legislation. We recently submitted letters to Ministers Toews and Nicholson regarding the expected bill on lawful access. In our letter, we urged the government to better demonstrate the necessity, proportionality and effectiveness of the proposed measures, and to confirm that these are indeed the least invasive options available.
- Those of you who were here last year may remember that this four-part test was a significant component of A Matter of Trust, a guidance document that we launched at this very conference a year ago. A Matter of Trust presents a general approach for privacy analysis in relation to the wider policy goals of national security and public safety. This analytical framework corresponds exactly to Daniel Solove’s point about deference to authorities: without second-guessing them, we have developed a very rigorous test to hold them accountable for integrating privacy into public safety measures. As Daniel Solove states, it is not a matter of trading off privacy for safety; it is a matter of satisfying societal needs for both privacy and safety, and challenging public safety authorities to demonstrate that they do so. We prepared A Matter of Trust with academics, experts and federal departments that oversee public safety programs, and we use it to analyze privacy protection and safety measures, whether body scanners, lawful access or border perimeter security.
3. Fostering compliance among the private sector
- In order to foster compliance with PIPEDA among the federally-regulated private sector, we use a wide variety of products and channels.
- Among our most recent products is an online tool for creating a privacy plan. Designed with small business in mind, this tool walks users through the information they need to comply with privacy laws and to provide their customers with the privacy protection they expect.
- Among our most popular tools is Your Privacy Responsibilities: A Guide for Businesses and Organizations. This brochure is the first one we point to when businesses ask for our help in understanding and meeting their obligations under PIPEDA.
- We also meet with industry associations and consumer interest groups on a policy basis, and we publish findings from our investigations when doing so is in the public interest.
4. Informing and ensuring a public debate
- We contribute to informing and ensuring a public debate in great part through our support of parliamentary activities. In addition to the open letters to Ministers Toews and Nicholson I mentioned earlier regarding lawful access, we have recently made public submissions to the government during its consultations on border perimeter security, and during its review of the Aeronautics Act in response to the US Secure Flight program. We also regularly appear before Parliament and we make ourselves available to the media.
- We also contribute to public debate through our Consultations Program, which this year is financing eight research and public education projects on themes such as “user-centered perspectives on the privacy expectations of digital citizens,” “young Canadians in a wired world,” and “posting pictures and personal information online: a teaching and learning kit.”
In his classic 1985 essay Amusing Ourselves to Death, media theorist Neil Postman reflected on the influence of the printed word on 19th century America. He said, “The influence of the printed word in every arena of public discourse was insistent and powerful not merely because of the quantity of printed matter but because of its monopoly.”
Comparably, it would be easy to argue that in 21st century North America, the influence of the Internet in every arena of public discourse is insistent and powerful, not merely because of the quantity of online information, but also because of its ubiquity.
Another comparison I would make between the printing press and the Internet is that the printing press democratized the acquisition of information, while the Internet democratized the dissemination of information. The printing press made reading accessible to the masses, while the Internet made publishing accessible to the masses.
Moreover, the Internet redefines the frontiers of information and communication, but in the absence of new rules to protect the fundamental, immutable right to privacy.
In this context, it is our challenge and our duty, as privacy professionals, to rethink privacy protection to bring it in line with new privacy risks.