Privacy: An Agenda For Reform
This page has been archived on the Web
Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.
April 24, 1995
Privacy Commissioner of Canada
(Check Against Delivery)
When Tom asked me to make a few opening remarks to this conference, I envisaged a few words of welcome to returning veterans, exhortations and encouragement to the new recruits and then beat a quick retreat to the coffee and pastries table.
I should have known better. Tom Riley knows how to dangle a topic in front of me. His chosen theme for this conference is "Access and Privacy: an Agenda for Reform".
Of course, I am not going to deal with reforming the Access to Information Act. But reforming privacy? Well, where do I begin? Frankly, we need more than reform here, we need something closer to a revolution.
Welcome to the age of Internet, Intelligent Transportation Systems, geo-positioning data, electronic health networks, DNA tests, Clipper Chips, Crackers and hackers. Privacy, if it is to survive at all, will demand a lot more than tinkering around the edges of the current federal Privacy Act. And, at the risk of offending my provincial counterparts, more than tinkering at their edges too.
I wouldn't want to be widely quoted outside this room on this, it's unfashionable to say good things about government, but the Privacy Act is not a bad intramural effort for what it was drafted to do, and that was to protect data in the hands of federal bureaucrats in Ottawa.
But we're kidding ourselves if we think this approach is going to protect our privacy at the end of the millenium. I am tempted to ask: Privacy, what privacy? We were naked before we ever got on this information highway, or on-ramp, or wherever the spinners of these clichés think we are at the moment.
In his book The Twilight of Sovereignty, Walter Wriston described what has happened in information technologies over the past few decades by analogy to a six-passenger car. To see a comparable change in the automobile, Wriston argues, the automobile would have to seat 600 persons, travel safely at 5,500 miles per hour and get 2,600 miles to the gallon. And it would have the same price sticker, and be the same size, as your family sedan.
Not only has information technology exploded, increasingly it has fostered the growth of big business because of the value attached to the information they produce. Microsoft Corporation is now worth more than General Motors. In Canada alone, information industries are worth about $45 billion a year and employ more than 300,000 people. Governments, banks, pharmacies and telemarketers are using their sophisticated products and services. By the year 2005, information industries are projected to grow to $90 billion and employ twice as many Canadians.
This is the electronic climate of our times. It is the sometimes harsh and inflexible environment in which many of us must work when trying to safeguard the fundamental human right of privacy.
Not too long ago, public servants were privately demonstrating the power of a new geographic information system (GIS) program. With the GIS program and a legally-obtained municipal database, they identified the home of every person who owned and registered a pit-bull terrier in one western city. They found that pit-bull owners were clustered in one low-income neighbourhood.
Critics who think our privacy concerns overblown may say, "So what? What does it matter that anyone knows the name or breed of your dog?" They miss the point. When we lose control over that information, or worse, the names of our children, or our children's school records, or our financial transactions, or our medical and prescription drug records, or the results of a genetic test, we are vulnerable to abuse of any or all of it. Perhaps more important, we lose control over our lives and with that another piece of our individual dignity.
In but 20 years, millenia of years of human experience have been demolished. The brakes have come off. Things that have become almost genetically characteristic of our relationships with one another are being put aside, and viewed in the light of what technology can do, not what we should do. If we put aside that respect for each other as individuals, each with their own beliefs and values, and treat one another as mere data subjects, then we truly do enter the spirit of Orwell's world. So the first reform we need is one of attitude. We need to stop being mesmerized by the power, speed and efficiency of these tools and emember they are simply that tools. Just because we have the power to put everyone under constant physical and data surveillance does not justify our exercise of the power. We must take back control. We must remind the creators and users of these systems that individuals are not laboratory rats.
A second reform we need is one of accepting greater responsibilty for the systems we put in place. In his provocative book, Information Warfare, Winn Schartau argues that in the new world order there will be no such thing as electronic privacy. Everything we do will be recorded somewhere in a digital repository. And those records that define us as individuals, our medical records, financial transactions, our reading and viewing preferences, our interpersonal communications, will be unprotected; subject to malicious modification, unauthorized disclosure and out-and-out destruction.
Intruders have learned how to penetrate sophisticated barriers and hijack computer systems linked to the Internet. According to the US Computer Emergency Response Team, these intruders can get top-level access, then copy, destroy or damage data by masquerading as authorized users.
For those of you who have not already heard the story, let me give you a telling example from the U.S. Department of Defence. The commander of the US Defence Information Systems Agency tested his systems' security by launching tiger team attacks against 9000 systems. The teams broke into 88 per cent of Defense systems; 96 per cent of those successful attacks went undetected. And in the remaining four per cent of attacks that were detected, Defense staff took action in just five per cent of the incidents. And no-one tried to stop the problem from recurring. So out of 9000 attacks, about 16 reacted to the hacking and no-one did anything about it.
The Defence commander also reported at a recent conference (but could not verify) that the FBI ran a similar test and the intruders were 95 per cent successful. These are among the most secure systems in the US. One would assume that they are protected by the most secure measures available. What chance do the newly converged cable/telephone systems, or the Internet, or Manitoba's propsed new health network, or B.C.'s Pharmanet stand?
Far from looking like fools, the U.S. Defence department should be congratulated for its frankness. Unfortunately, few organizations are prepared to be so forthright about breakdowns in security and penetrations of their systems. Acknowledging the penetrations risks embarrassment and perhaps loss of client and stockholder confidence. Yet, despite all the evidence to the contrary, business seems to be keeping its eyes firmly shut. A recent business survey found more than half of North American companies suffered computer-related financial losses in the past two years. Yet, only 22 per cent of the respondents said that management considered information security "extremely important". That's for financial information! Where on the scale would they place clients' personal information? No wonder consumers are worried.
Finally we are going to have to reform our approach to protecting ourselves. What we have at the moment is a little bit here; a little bit there there, and a whole lot of earnest statements of good intent and not much more in the middle. I am speaking about a good deal more than the Privacy Act, I am talking about how the law does or does not protect all our communications.
I am sure some of you here must be users of the Internet. I confess to being a bit of a technodunce and consider my conversion to an IBM Selectric my major concession to the elctronic age. But for those of you in full flight in the elctronic ether, do you ever wonder who is watching and tracking your communication? In Ottawa, recently, there was a story in the paper about a 49-year-old automobile salesman. This fellow had fallen afoul of the law on a previous occasion, and he was on parole. As he explained in the interview, he lives alone, is lonely, he has a terminal, and he is a subscriber to Internet. He spends his evenings playing on the Net, and has a lot of fun. Now his neighbour is a collector of antique guns (thoughnot the kind that Mr. Rock wants to ban).
To do his neighbour a favour, he put a message on the Net inquiring about an antique gun show in an American city, which had been advertised on the Internet. A couple of days later, he had a visit from the police. "We saw your name on the Internet," said they, "you must have violated your parole because you must have gone to the United States, so we're taking you in." By the time they had it all sorted out, and saw that he had not crossed the border, had not violated his parole, and was not interested in acquiring guns, he had spent three weeks in jail.
When he got out, he found out he'd been fired. Now, you have to ask yourself: should governments be involved in monitoring Internet news groups? And if not, how do you stop it? Well, think about wiretap laws. There is no technical reason to prevent the police from tapping every telephone wire in the country. But they don't because there's a law against it. I suggest we take the same approach with respect to Internet and other computer and transmission systems. Why not?
There's another danger. Some of you may be familiar with the Clipper Chip issue, the electronic microchip that's been designed for new digital telecommunications equipment, particularly telephones. It would have encrypted messages, making them unintelligible to anybody but the intended recipient. And given some of the experiences we've had with cellular telephonic communication, probably not a bad idea.
There ensued a raging debate over whether to allow United States government agencies a back door to decrypt electronic communications. The government argued that it needed that authority to be effective in combatting terrorism, drug trading and organized crime. They argued that they could now tap wires; why not tap encrypted telephone systems? In the face of huge opposition, the project has apparently died.
I have to confess that, personally, I don't have a ready answer to a question like where to strike the balance, but it does go directly to the need for an informed public debate on these issues, because it's typical of the kinds of trade-offs about which we must think hard when we're dealing with the impact of modern telecommunications and informatics technology on value systems that have taken centuries to build, and which we have become accustomed to live by. We have to remember that privacy, which is one of the absolutely integral elements of human freedom, is more than a pawn in such a game. Consider the cumulative impact of but a few of the surveillance techniques that have occurred just in the last 10 years. There are streets in cities in this country that you cannot walk down now without a camera following your progress, as an ordinary, law-abiding citizen, the purpose being, of course, to help control hooligan behaviour. You can't go into a bank or use a bank machine anymore without being watched by a camera. There are washrooms in factories where you can't do your business without one looking back at you.
You can't even drive down the 401 from Kingston to Toronto anymore without being uder the watchful eye of photo radar devices , as I know from personal experience; one hundred and seven dollars worth of experience. Not far down the road people will start asking, "Let's see your genetic card." It's already happening in the United States in some places. One industry in particular that's extremely interested is the insurance business, since it will help them greatly refine their liability calculations. As it is, there are organizations in this country where you can't get an appointment with the personnel office unless you are prepared to allow somebody to give you a drug test. Of course, each of these intrusions has its own justification. "It will help stop speeders." Or, "The neighbourhood toughs won't be fighting outside the bar, because we'll have pictures of them,". Or the factory foreman says, "Yeah, they won't be spending all of that time smoking in the john, because I'll be able to see 'em." But when you add it all up, you can see that we have arrived at what B.C. Commissioner David Flaherty called, in one of the understatements of our time, the surveillance society.
So we must reform our totally inadequate body of law to deal with the problem. We have the Criminal Code. We have some limited computer crime law. We have a federal Privacy Act which covers federal records. We have a few provincial Acts which cover provincial records. And we have the Quebec Act in which, God bless them; they're courageous in Quebec, they have extended their Privacy Act to cover all commercial life in the province, the only province to do so.
When the Quebec Legislature was facing this bill, there was a huge lobby mounted against the extension of the Privacy Act to cover private business. The sky was going to fall, business would cease, the province would shut down, the lights would go out.
None of that has happened. Quebec is plugging along. It's sharing the ups and downs of the Canadian economy as though none of this had ever happened. It's an experiment that the rest of us are watching with interest, because I think it has largely laid to rest the fears of business that privacy protections would be a very serious impediment to business.
So where do we go for reform? As some of you know, I had hoped for a clear Charter right to privacy as a statement of principle, rather more than the Court's interpretation of section 8, the protection against search and seizure. It was not to be. However, Mr. Justice Sopinka recently observed "...It [the Charter] only applies to government action. Given that much of the world of electronic communication is controlled privately, without any government regulation, the Charter may be an ineffective tool...".
The grave difficulty, of course, is that none of our legal instruments is particularly apt for the new electronic environment in general and the information highway in particular. They either do not have the force of law or, if they do, they do not cover the private sector. The Charter speaks only to state action, the Privacy Act speaks only to our federal government institutions; and international instruments remain voluntary.
The challenge is to adapt all these traditional privacy protection principles to the new electronic environment, to create new ones where necessary, and to overcome the privacy unawareness of those working in the environment. So here are some of the reforms I would like to see. First, reforms for the development of the information highway, we should:
- Encourage highway designers to alter their thinking about privacy to embrace it as an integral part of the highway which has to be factored in at the beginning of the design process, during its development, throughout its implementation and finally in any evaluation stage.
- Conduct a review of the Privacy Act, particularly its Code of Fair Information Practices, to see whether it requires or suggests adaptation for the new electronic environment and explicit language to assure its understanding and application. There are questions here. For example, will requests for access be processed differently as a result of the highway? Which agency has "control" of the information on the highway or is the notion of control not apt for highway records? If there are not answers providing this assurance, we must amend the Act accordingly.
- Ensure that Canadians are accorded sufficient control, either through the Act, or by some other legal instrument, over their personal information as it travels electronic communications systems. This control must exist from initial input into and also at every other step along the network. For example, legislative or contractual obligations must clearly attach to use by other levels of government, by other governments and especially by the private sector. Once information is downloaded from these systems onto private databases within or outside Canada, individuals must have recourse against wrongful disclosures or other misuse of their information.
- Submit all proposals for new electronic information technologies and services to a mandatory privacy impact assessment. Not only would this focus service providers on the issue it would assist in assuring that privacy implications are factored into the design.
- Develop technical security measures to protect the confidentiality of electronic communications but also provide the individual with a measure of control. Some applications can enhance privacy (such as encryption, locked or partitioned data-bases and ephemeral e-mail). However, the most valuable use of technology is not to enhance security but to enhance the ability of the individual to exercise control over his or her personal information.
- Establish a single oversight and monitoring mechanism to ensure the rules of the road are observed, to povide a means of assuring compliance, for investigating complaints and for affording redress.
- Create a focused privacy group, a federal-provincial-territorial working group to conduct a continuing review of the privacy impacts of the various options, particularly those proposed by private industry, and bring forward recommendations for government and for co-operative action.
I believe that the federal government could do what Quebec has done; extend the reach of its Privacy Act to the commercial activity under its jurisdiction, banks, the transportation companies, and the telecommunications industry. If they were covered, it would produce privacy standards that would be applicable to national companies that are visible in all our lives. That would be helpful both in educating the rest of us and in persuading the provinces to likewise level the playing field.
I think it is becoming increasingly apparent that Canadian business is less worried about being subjected to some legislated privacy rules than they are about the rules being applied unevenly. So perhaps it is time to consider the Canadian Standards Association's uniform privacy code. The CSA brought together a disparate group of interests and has achieved a remarkable degree of consensus. All the fundamental privacy principles are there. And the code was conceived in such a way as to be relevant to the private sector.
But, I confess, I am sceptical of one aspect. I don't see how, in this environment , any system which depends upon voluntarism is going to be truly effective. The public needs the confidence and credibility that only an independent oversight mechanism can provide. Nevertheless, this is a foundation on which we can build. Let's call it CSA Plus, the CSA code, embodied in law, plus an independent oversight mechanism to which Canadians can turn for protection.
That's my agenda for privacy reform, anything less will be smoke and mirrors. If we toss up our hands now, we will completely abdicate our responsibilities and forfeit those human values that have taken centuries to develop.
Thank you very much.
- Date modified: