Navigating through roiling waters: Protecting privacy amidst technological advances

Remarks at the Data Privacy Day Event, hosted by Dalhousie University

February 19, 2014
Halifax, Nova Scotia

Address by Patricia Kosseim
Senior General Counsel and Director General, Legal Services, Policy and Research Branch

(Check against delivery)

---

Today I want to discuss with you the potentially turbulent zones where technology and privacy meet – coming to your beautiful province brings to mind the analogy of waves colliding off your own Cape Sable.

The technology would be the waves, ebbing and flowing, in constant movement. Privacy principles would be the rocks - immutable, solid formations that stand as strong barriers between land and sea. But over time, even rocks begin to change shape ever so slightly and imperceptibly,–a point I will come back to in my conclusion.  

Today, I would like to highlight 4 areas where we see technology and privacy meet or rather – collide:

1. First where increased technological capacity leads to increased surveillance;
2. Second, where increased online crime begets  demands for enhanced enforcement powers;
3. Third, how living online invites a whole new generation of conceptual privacy issues;
4. Fourth, how technological vulnerabilities increase risks of data breach.

After expanding on these 4 areas my main message is this: as rapidly changing information technologies bring about exciting new waves of innovation, so too do they wash ashore new privacy risks.  While we must be flexible in adapting to this new reality, we must also stand strongly behind the immutable privacy principles that underlie Canadians’ fundamental rights of autonomy, dignity and integrity.  

Rising privacy concerns amidst technological advances

By way of introduction, let’s look at how Canadians value their privacy.
A public opinion survey commissioned by our Office last year found that two-thirds of Canadians are concerned or extremely concerned about the protection of their privacy. 

A majority (56%) are not confident that they have enough information to know how new technologies affect their personal privacy.

Seven in ten think that their personal information is less protected than it was ten years ago, while a slightly higher proportion (71%) think that protecting personal information will be one of the most important issues facing this country in the next 10 years. 

Canadians’ privacy concerns may be even higher now considering  that the survey  was carried out:

• before the news that Employment and Social Development Canada had lost a hard drive containing the personal information of some 583,000 recipients of student loans, and

• before Edward Snowden’s revelations began shedding light on activities of the U.S. National Security Agency and related actions by our own Communications Security Establishment here in Canada.

Canadians’ rising concerns about privacy are also apparent when looking at some of our Office’s statistics.  For example:

• In the last calendar year, we accepted 426 complaints under Canada’s federal private sector privacy law, up 17% from the year before; and
• In the most recently concluded fiscal year, we accepted a record 2,273 complaints under the Privacy Act, which applies to federal government institutions.  Granted, more than a thousand of these related to the ESDC breach, but even accounting for those, the total would still stand at a record annual high of 1,114.

No doubt, much of this heightened concern stems from the increased privacy risks Canadians see and feel as a result of emerging information technologies all around us. 

1. Increased technological capacity leads to increased surveillance

Our society, enabled by technology, has reached a truly unprecedented level of surveillance capacity and dispersion of threat among the general population.

Quite naturally, the agencies responsible for keeping us safe are highly motivated to embrace new surveillance technologies that can help in that regard. We certainly cannot fault them for that. The challenge is to integrate into these new public safety methods, effective means of ensuring privacy protection, accountability and oversight. 

Nothing has brought that closer to home than the recent Snowden revelations in the particularly vexing and secretive context of security intelligence.  Our Special Report to Parliament of last January 28 seeks to contribute to a constructive debate on how we can effectively reinforce privacy protection, oversight and accountability among the Canadian intelligence community in an era of cyber-surveillance.

There are countless other examples of increasing public surveillance enabled by new technologies. 

In 2009, we reviewed a Privacy Impact Assessment regarding the Automated Licence Plate Recognition program.  This is a joint initiative between the RCMP and British Columbia’s Ministry of the Solicitor General. The program uses video cameras coupled with pattern recognition software mounted on police vehicles.  These devices can read, record and identify licence plates and run them against databases holding information on suspended drivers, stolen and uninsured vehicles. A match triggers further investigation and police intervention.

In its first iteration, the Privacy Impact Assessment we reviewed purported to collect both match and non-match information.  In other words, even law-abiding car owners would have had their licence plate numbers collected in a police database, albeit for a shorter period of time.

We challenged the RCMP according to the analytical framework we use when evaluating the privacy implications of new government programs or initiatives – which you can find described in a document entitled A Matter of Trust: Integrating Privacy and Public Safety in the 21st Century, available on our website.

You will not be surprised to hear that, when pressed by our office, the RCMP was not able to demonstrate a legitimate need for collecting non-match information into their police database, and their systems were eventually reconfigured to exclude this information.

In the end, the RCMP did proceed with ALPR but in manner that reconciled privacy and public safety because

• the ambit of the programme was shown to be demonstrably necessary,
• the personal information collected was proportionate to what was necessary,
• license plate numbers were shown to be effective in assisting police investigations,
• there was no less intrusive alternative to accomplish that goal,
• safeguards were adopted  to protect the information; and
• oversight mechanisms were in place to ensure compliance.

As a result, the RCMP was able to adopt surveillance technology that enhanced its effectiveness while integrating privacy protection.        

But surveillance is not just the “stuff” of the State.  A recent investigation we conducted in relation to a computer rental company will give you the jitters.

In early 2012 we learned from the US Federal Trade Commission that they had just investigated a company, using a spyware application – including a camera covertly filming the computer user - to trace missing rental laptop computers.

Since this company had franchises in Canada, our Office initiated a complaint against the franchisee in order to investigate whether similar practices were being deployed here.  

Indeed, we found that the franchisee had activated the spyware at least four times in one week alone, collecting hundreds of pages of sensitive personal information.

This included a webcam photograph of a user, along with e-mail and home addresses, phone numbers, and personal messages to family members and friends. There were also screen shots of social networking site pages that included pictures of children.

While theft prevention and asset protection are legitimate objectives for any business, we concluded that a reasonable person would not consider the use of spyware that covertly films users and records keystrokes as appropriate means for recovering lost or stolen laptops. The balance between business need and level of privacy intrusion just wasn’t there.

The company accepted our findings and has stopped the practice. Still, the case illustrates the privacy risks that arise from the mere existence of surveillance technology.

2. Increased online crime leads to increased demands for online enforcement powers

Let’s face it, as wonderful as it is, the internet has also become a new haven for crime – take online fraud or ID theft or computer hacking – as examples.  

Quite logically, increased online crime begets increasing demands by law enforcement for enhanced investigative powers to combat it.   

Over the years, we have seen a slew of “lawful access bills” aimed at modernizing police investigative powers in order to keep pace with the emergence of online crime.  None of these has yet come to pass for a number of reasons.

The most recent legislative initiative to enhance policy powers needed to combat online crime is Bill C-13, also known as the anti-cyber-bullying bill, following the tragic death of Rehtaeh Parsons which you know only too well.

Bill C-13 seeks to address a particular egregious situation when intimate images of an individual are shared online without their consent – making it a new crime deserving of criminal sanction.

On that count, we believe the objective of Bill C-13 is a highly laudable one particularly in light of the gravity of cases that have come to pass.  But Bill C-13 goes further by purporting to address the general phenomenon of cybercrime.

While we recognize that crime on the Internet must be met with powers on equal footing, we are currently examining several aspects of the Bill and their potential privacy implications, including:

• The threshold for the use of the proposed new investigative powers;
• the number of “public officers” who could use these significant new powers;
• the provision that appears to grant immunity for parties disclosing personal information to authorities without consent– such as telcos; and
• the appropriate accountability and reporting mechanisms needed to shed light on the use of new investigative powers.

The Commissioner will no doubt provide her comments before Parliament when Bill C-13 is eventually considered in committee.  There, she will present her recommendations on how the objectives of Bill C-13 may be achieved while integrating the appropriate level of privacy protection.  

3. Living online invites a whole new generation of conceptual privacy issues

Is your personal information still personal once you’ve posted it?  Is your navigation history personal even though it is connected to your computer, rather than your name per se?  

These ‘new generation’ questions about what constitutes personal information online are particularly relevant considering that Canadians are the heaviest users of the Internet in the world, spending an average of 45 hours a week online.

Living online does not mean an individual surrenders his or her right to privacy.  

A couple of recent investigations remind us of this important principle. 

A Canadian activist complained to our Office that officials of Aboriginal Affairs and Northern Development Canada and Justice Canada had contravened the Privacy Act by repeatedly accessing and monitoring her online activities, and also distributing reports of her online postings widely within both departments.

The departments acknowledged these actions, which began in February 2010, but contended that she had surrendered her right to privacy through her extensive online postings and that the information being collected was relevant to ongoing litigation between the parties.

Yet, our investigation established that both departments were accessing and collecting personal information from the complainant’s personal Facebook page that clearly extended beyond what was directly related to a government operating program or activity, therefore in contravention of the Privacy Act.

An individual’s personal information, even when knowingly posted online, does not lose its character as personal information worthy of protection.   

On the private sector side, our Office released its findings in an investigation of Google last month that further serves to remind us how privacy interests persist even online.

In this case, the complainant sensed he was being tracked from website to website after having looked up information about sleep apnea devices. On investigation, we found that indeed he was being tracked  on the basis of personal health information – contrary to our Guidelines on Online Behavioural Advertising and, more importantly, contrary to Google’s own privacy policy which reassures users they will not be tracked on the basis of sensitive information – including health information.

Even Google was in fact bamboozled, so to speak, in its technological monitoring of advertisers using its platform. We’re talking about billions of ads, millions of advertisers  making connections on the basis  of website visits, some compliant – for example, serving ads for cruises after visits to a cruising company’s site, some non-compliant, like making connections on the basis of visits to a website selling medical devices.  It is certainly not an excuse – Google is rich and technologically sophisticated enough to come up with the right monitoring mechanisms to ensure compliance - but it is telling of the complexity of the task.

We made specific recommendations to Google that accepted to implement them all. 

A user’s online footprints, whether or not associated with a specific name, nonetheless constitute personal information in which an individual retains privacy interests.  Those privacy interests will be even stronger when sensitive personal information is involved.

4. Technological vulnerabilities increase risk of privacy breach

With the advent of technology, also comes the risk of compromising hundreds of thousands of individuals’ personal information by merely dropping a tiny USB on a side walk or walking away with a small hard-drive.

And of course, someone breaking in to capture such information today no longer needs to be onsite nor even in the same hemisphere. The privacy risks from such technological vulnerabilities are exemplified in two recent cases, which are still unfolding.

On January 7, 2013, Employment and Social Development Canada informed our Office about the loss of an external hard drive containing the personal information of 583,000 Canada Student Loan borrowers and 250 departmental employees. The lost information included individuals’ SIN, name, birth date, home address, telephone number and loan balance. Four days later, our Office initiated a complaint against the department. In the coming weeks, we will report on our findings and hopefully be able to share some important lessons learned for both the public and the private sector on the physical controls, asset controls, technological controls and staff support that are needed to address technological vulnerabilities in relation to personal information.  

Turning to the private sector now, just before the holidays, the giant retailer Target announced that malicious software had been used to steal the credit-card information of more than 40 million accounts over a period of almost three weeks from point-of-sale terminals at its U.S. stores. Then a month ago, a new twist: Target began emailing Canadians that their personal information may have been compromised - Canadians who had never shopped at Target.

Our Office is following up on these matters with the company.

Some emerging issues

Technological developments are constantly putting privacy principles to the test.  Here are some of the emerging issues our office is addressing.

1. Meta data  
   
   There are ever increasing incentives in both public and private sectors to collect so called “metadata” or data about the communications, such as the IP address, or device location data.
   
   Since our Special Report to Parliament was tabled, new revelations alleging that the Communications Security Establishment Centre or CSEC captured Wi-fi information at an airport in Canada. CSEC argues there was no interception of personal information because no communications content was collected, only “metadata”.
   
   A similar question regarding the privacy interests in “meta data” and whether it constitutes personal information has been put before the Supreme Court of Canada in the matter of Spencer v. The Queen.
   
   Our Office has addressed this question in a technical analysis posted on our website, called “What an IP address can reveal about you?”.  From a technological point of view, our research concludes that information about communications such as the number or nature of website visits connected with an IP address may be so revealing as to potentially disclose the identity of a person.   
   
   But the challenge ahead of us is to get social consensus and legal clarity on the definition of personal information in this new technological reality.   

2. Wearable computing
   
   Another technological development that puts privacy law to the test is wearable computing.
   
   To many people this sounds like the Jetsons, but the fact is that both the private and the public sector are looking at the possibilities of “wearing” computers. Google has developed computer glasses and police services around the country are adopting or envisaging to adopt body-worn cameras, namely, cameras affixed to the police uniform.
   
   Our Office has prepared a research report outlining the privacy implications of wearable computing devices in general and this will shortly be posted on our website.

3. Facial recognition technology
   
   Another emerging technology our Office is looking at is facial recognition, which can positively identify individuals by the unique characteristics of one’s face. Many fear this innovation will bring the end to any barrier between the online and offline world and render anonymity forever gone. While the reality is that technology hasn’t yet reached that level of sophistication, our office has significant concerns about the privacy implications of facial recognition as its uses can be employed both by both the public and private sectors.
   
   On this too we have recently completed a research paper that will be posted on our website should you wish to find out more.  

4. Drones
   
   Another privacy-sensitive emerging technology is that of Unmanned Aerial Vehicles or drones. Currently their best-known use in Canada is for search and rescue or accident investigations and we have been reassured that no drones are used to collect personal information for law enforcement or other purposes. That being said, we know the technology is rapidly evolving and we are following these developments closely.
   
   And, at the risk of repeating myself, on that too, we have posted a research paper that you may find useful to find out more.
   

Although we have capacity to conduct in-house research and technological analysis, we cannot do it all – and we certainly can’t do it alone.  This is why we invite the academic community to advance and disseminate new knowledge in these emerging areas through our Contribution Program  -  A competitive, peer-reviewed, arm’s length program that funds cutting edge research in privacy every year.

To sum up, let me return to the image of the collision between technology and privacy like the roiling waters off Cape Sable.

Some might contend that by sheer force, the waters erode rocks over time and that in light of the inevitability of technology, privacy just doesn’t matter anymore.  But rocks are solid, and do stand the test of time.  While they may eventually change shape, they serve to remind us of the bedrock principles that Canadians hold onto dearly to define the kind of society we want to live in – one that embraces the advantages of technology, but in a well-balanced and socially responsible way, that will be both enduring and beneficial for generations to come.