Protecting Privacy in the Era of Government 2.0
Remarks at Canada's Government Technology Exhibition and Conference (GTEC) 2010
October 7, 2010
Address by Jennifer Stoddart
Privacy Commissioner of Canada
(Check against delivery)
It is a pleasure to be here today as part of this important discussion on the role of technology in enhancing the performance of government.
Without question, a government that is responsive to its citizens is also more effective and, ultimately, accountable. To the extent that technology can mediate this responsiveness, it is undeniably beneficial.
Indeed, my own Office shares this view, and we employ a range of technologies to engage with stakeholders and the public at large.
However, in the rush to adopt technological solutions, it is imperative that the government maintain a firm focus on privacy.
That calls for the rigorous application of existing laws, policies and best practices for the stewardship of the personal information of Canadians – and building on these as situations evolve.
But it also places a fresh onus on the private sector. As government embraces new technological applications, it needs to know that the developers have incorporated the privacy safeguards the public expects – not just for today, but for tomorrow as well.
Over the past two days, you have heard much about the evolution of social media, cloud computing, ubiquitous wireless connectivity and the many other technological developments that are having such a dramatic impact on our lives.
There are valid, even compelling, reasons for the government to embrace digital media, collaborative technologies and other modern tech tools.
For one thing, it’s a way to respond to consumer demand.
Citizens today are accustomed to the convenience of 24/7 access to information and services, over any number of platforms. They want quick access to their personal information. They want tidy single points of service. And they demand more control over their own records and affairs.
Technology also enables government to tap into other viewpoints and areas of expertise, and to take the pulse of the people it serves. In many ways, it simply offers new mechanisms to facilitate the kind of horizontal collaboration, consultation and outreach that the government has been pursuing for some time.
For all these reasons, the Clerk of the Privy Council is encouraging the public service to experiment with a range of applications, such as the GCPedia, GCConnex, departmental wikis and blogs, Twitter and YouTube.
This is a welcome development – provided, of course, that it is done right.
Because, without question, there are complex, multilayered considerations involved, including the use of both official languages, the protection of state secrets – perhaps even national security.
And – a key concern for me – privacy.
The intent of the Privacy Act is to underscore the value of personal information, thus furnishing a philosophical underpinning for the concept of privacy within the federal public service.
By making some 250 government institutions accountable for safeguarding personal information, it also provides a practical framework for the protection of personal information.
But the fact is that the Privacy Act came into force in 1983 – the year the Challenger shuttle made its maiden flight and the final episode of M*A*S*H hit TV screens.
Today, when privacy battles are fought at the frontiers of biometrics and the human genome, the Act’s reference to personal information “in recorded form” is almost quaint.
The creaky age of the law is clearly a challenge, and we have long asked Parliament for upgrades. And, in this era of big data and Web 2.0, the challenges just continue to multiply.
And so we should think of the law, not as an endpoint, but as a starting point for good privacy practices. Government departments and agencies have to think about privacy as an essential element of every initiative where technology plays a role.
This kind of thinking has to start at the earliest conceptual stages, when policies and programs are first being contemplated.
Policy guidance documents
My Office is encouraging this through a series of documents that will guide decision-makers on integrating privacy into policy in four priority spheres.
One of these spheres is information technology. The others are national security, genetic technology and safeguarding the integrity of personal identity.
The documents are intended to furnish a conceptual framework to position privacy as a fundamental right that coexists with other rights and priorities.
Two weeks ago [Sept. 23], we hosted a meeting of external experts who refined our inaugural guidance document on integrating privacy into national security and public safety initiatives. We intend to post it on our website in the near future.
In terms of our technology-related guidance, we are looking at specific topics, such as biometrics, cloud computing, online gaming and behavioural marketing.
Even as those guidance documents take shape, government policymakers already benefit from some very explicit guidance under the Privacy Impact Assessment process.
This Treasury Board policy obliges institutions to take privacy into account when they create or significantly alter a program or service that requires the collection, use or disclosure of personal information.
In submitting a Privacy Impact Assessment to our Office for review, institutions are asked to justify the need for the initiative, and to demonstrate that it would be effective in achieving its stated purpose. They should also show that the intrusion on privacy is proportionate to the expected benefits, and that no less privacy-invasive alternative exists.
While a policy must integrate privacy as a principle, it also needs to work in practice.
That’s why the Privacy Impact Assessment process also walks organizations through the widely accepted “fair information principles” – 10 specific rules for the effective stewardship of personal information.
My Office also looks for other ways to provide practical assistance to institutions wrestling with the privacy implications of technology. Right now, for instance, we are drawing up some guidance on device fingerprinting.
We are also finalizing a paper summarizing what we learned from our consumer privacy consultations. The consultation on cloud computing in Calgary last June could provide very useful insights for institutions contemplating the use of cloud services for data processing or storage.
In the expectation that organizations will learn from one another, my Office also disseminates lessons and best practices that we draw from our complaint investigations and privacy audits.
For instance, our most recent annual report on the Privacy Act, which was tabled in Parliament on Tuesday [Oct. 5], describes a number of cases where failures of technology led to breaches of personal information.
In one case where unauthorized tax department employees accessed the personal tax records of some high-profile sports figures, we learned that the computer system lacked an effective audit trail to monitor access. The Canada Revenue Agency has since modernized its National Audit Trail system.
We also reported on a hacker attack on the computer used by the Office of the Ombudsman for Canada Post for its online complaint system. The data collected in 131 complaints was exposed in the security breach.
It turns out that, while Canada Post tests the vulnerability of its information systems annually, the Ombudsman’s office fell outside the scope of these reviews. That too has since been rectified.
Audits highlight shortcomings
Many valuable lessons also emerge from our privacy audits, which are comprehensive examinations of specific practices within government.
For instance, an audit report we published on Tuesday in conjunction with the Privacy Act annual report shone a spotlight on what happens to personal information when the government no longer needs it for its original purpose.
Among other concerns, the audit uncovered significant problems with the disposal of surplus computers. Federal institutions are supposed to wipe them of data before recycling or otherwise disposing of them.
In too many cases, however, this is not happening.
In fact, we found that more than 40 percent of a sample of government hard drives donated to a computer recycling program for schools still held data. Some was so sensitive – even classified – that we had the devices immediately shipped back to their originating department to be properly and securely wiped.
A second privacy audit that we published at the same time looked at the security measures that protect personal information carried over the government’s wireless networks, or that is stored or transmitted by public servants using BlackBerrys and other handheld devices. This audit turned up issues that, if not addressed through appropriate mitigating measures, could put the personal information of Canadians at risk.
For example, of five federal entities we examined, none had fully assessed the threats and risks inherent in wireless communications. Gaps in policies or practices resulted in weak password protection for smart phones, and inadequate encryption for Wi-Fi networks and data stored on mobile devices.
We also noted shortcomings in the storage and disposal of surplus handheld devices. And we found that PIN-to-PIN messaging was still widely allowed, even though the Communications Security Establishment warns that this form of direct communication between two smart phones is vulnerable to interception.
With the government’s growing enthusiasm for Web 2.0 technologies, new challenges arise.
One of those is the blurring line between work and play.
With public servants apt to log in to their work computers anytime, from anywhere, on any type of device, the custody of personal information is no longer a nine-to-five affair, confined to the four walls of a government office.
And what about private social networking while in the workplace, or social networking with colleagues while at home?
What about collaborative work with other stakeholders, including from industry (which may be covered under private-sector privacy law) and citizens (who may not be covered under any privacy law at all)?
The Treasury Board Secretariat is reflecting on such issues as it devises guidelines on the best and safest way to encourage the use of social media in and by government.
But, from my perspective, we need to go even farther – and reach out to many of the people in this room.
Since these applications generally emerge from the private sector, we need industry to share our concern for protecting the personal information of Canadians.
Role of private sector
Certainly, our ongoing dealings with Facebook have helped drive home some of our concerns. In a series of investigations that go back to 2008, we have encouraged this worldwide technology giant to adopt a significant range of privacy-protective measures, and to be more transparent in its privacy policies and practices.
Privacy concerns also sparked a massive backlash when Google launched its Buzz social networking service in February. In that instance, people who had signed up for Gmail, a private webmail service, unexpectedly found their personal contacts exposed for all the world to see on this public social networking site.
Google quickly fixed the problem, but it cost them, in money and in reputation. Last month [Sept. 2], the company settled a class-action lawsuit for $8.5 million. And last April my Office teamed up with nine other data-protection authorities from around the world to express our concerns in an open letter to Google.
Our message to Google and other tech leaders was simple: Think of privacy before you launch a service. Don’t leave it to chance, and hope to clean up afterwards.
Google’s troubles on the Wi-Fi front are also instructive.
As you know, the company’s Street View camera cars vacuumed up unprotected Wi-Fi data in many countries. There is a class action lawsuit underway in California, and data protection authorities in several European countries, three dozen U.S. states, the U.S. Federal Trade Commission – and I here in Canada – have all launched probes.
Regardless of the outcome of these investigations – and I hope to be in a position to share our results soon – the situation does point to an important truth:
Namely, that every chain is only as strong as its weakest link. And, for all the security measures organizations construct for their own systems, the biggest vulnerability can be somewhere else altogether –
– Like the individual at home with no firewall or virus protection software. Or a wireless environment with outdated safeguards, or none at all.
Some research suggests that about half of wireless networks in Canada can be cracked within minutes. Shouldn’t this be of concern to the reputable organizations that do business over such networks?
And if it’s truly of concern, then perhaps those organizations should share a duty to ensure that data security extends all the way to the user’s fingertips.
Wouldn’t it, for instance, make sense to restrict e-government or e-commerce services to devices, and over networks, that met appropriate standards of security?
And why are wireless systems not secure by default? Instead of obliging people to follow a sequence of steps to secure their home networks, wouldn’t it be easier to have them automatically encrypted, straight out of the box?
Privacy by Design
At an international conference of data protection and privacy commissioners in Jerusalem later this month, I will be co-sponsoring a resolution on “Privacy by Design,” put forward by my colleague from Ontario, Ann Cavoukian.
A draft of the resolution states that privacy considerations must be embedded as the default into the design, operation and management of information technologies and systems – across their entire lifecycles and throughout an organization, end-to-end.
The resolution would oblige signatories to advocate for privacy-by-design principles, and I certainly embrace the opportunity.
At the same time, I challenge government and private enterprises to join the chorus, to speak with a unified and authoritative voice.
And to make sure, not only that their own systems are secure, but to help educate clients and users on the importance of privacy-securing measures at their end.
In closing, I want to underline that technology does, indeed, offer immense opportunities for government, just as it does for other sectors of the economy.
Without question, it has the potential to make government more responsive, informed, efficient and effective.
But its capacity to enhance performance depends on the trust of users. Whether it’s a tax return or a pension, passport or immigration application, Canadians need to know that when they engage with government, their personal information will be held sacred and safe.
That’s a huge challenge, but it has to be faced. In safeguarding personal information, the Government of Canada has to set the standard, to serve as a model.
But it can’t do it without the private sector – the innovative minds behind so many applications we depend upon.
Only when everyone works together toward a shared vision of privacy can you count on the productivity gains that are the hallmark of high-performance government.
Thank you for your attention.