Appearances before Parliamentary Committees
ARCHIVED - Backgrounder
Appearance before the Senate Standing Committee on Transport and Communications
December 8, 2009
The Office of the Privacy Commissioner of Canada has identified emerging information and communications technologies as one of its four strategic priorities. The following paper will address some of the emerging privacy issues related to the wireless sector, namely behavioural marketing, location data and cloud computing in the context of a globalized world and changing attitudes towards privacy.
Mandate of the Office of the Privacy Commissioner of Canada (OPC)
The mandate of the Office of the Privacy Commissioner of Canada (OPC) is to oversee compliance with both the Privacy Act, which covers the personal information-handling practices of federal government departments and agencies, and the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s private-sector privacy law.
The Privacy Act imposes obligations on some 250 federal government departments and agencies to respect privacy rights by limiting the collection, use or disclosure of personal information. The Act gives individuals the right to access and request correction of personal information about themselves held by these federal government organizations.
PIPEDA applies generally to any personal information collected, used and disclosed in the course of commercial activity. It is a technology-neutral law that in no way thwarts innovation of new technologies. On the contrary, over the past eight years PIPEDA has been a dynamic, effective instrument that has strengthened the privacy rights of Canadians. PIPEDA can respond to most commercial collection and use of personal information and serves as an effective tool to help address privacy protections in developing plans for national broadband access and Universal Mobile Access (UMA).
- Wireless devices and Universal Mobile Access
National broadband and Universal Mobile Access connectivity are expected to accelerate rapidly both in Canada and around the world. In the not-so-distant future, users from all parts of Canada, both in urban centres and in remote rural and northern areas, will have high-speed access to Internet content either through their computers or through their mobile handheld devices. These developments will have an important impact on privacy.
Smartphones are currently driving media growth in North American markets. They are merging traditional mobile phone talk and text capabilities with the Internet and computer-like functionality. They serve as a platform for calling, social networking, online banking, and point-of-sale purchasing. A person carrying the latest-generation smartphone is actually carrying a sensor array, including camera, microphone and highly accurate locator devices.
A survey conducted in December 2008 by the Pew Internet & American Life Project reveals that over three-quarters of Internet industry experts believe that, by 2020, mobile computing devices will be the primary Internet communication platform for a majority of people around the world. In other words, wireless devices will be the principal means of accessing the Internet, and Universal Mobile Access will be the standard for enabling access to mobile services over the broadband IP access network. With UMA, users will access all of their mobile voice, data and instant messaging services from any location.
- Attitudes towards privacy and use of technology: Canadians expect privacy
A 2009 EKOS survey commissioned by our Office found that, while individuals may not be aware of certain privacy risks, or consciously accept a trade-off to their privacy, Canadians still have high expectations for privacy, including online, and worry about how their personal information is being used, especially if it involves transborder data flows.
More than six in 10 (62%) Canadians think that protecting personal information will be one of the most important issues facing Canadians in the next ten years; 60 percent feel that their information is less protected than it was ten years ago; and 90 percent are concerned about the impacts of new technology.
People between the ages of 45 and 65 are particularly likely to be concerned about the privacy impact of new technologies while those under 25 are less likely to express high levels of concern about the issue. Canadians under 25 are also less likely to be concerned about off-shore processing and storage of their personal information.
Overall, 98 percent of all Canadians believe that it is important to have strong privacy laws.
Smartphone users text message, e-mail, use the Internet, send pictures, view videos and use location-based services. And the younger segment of smartphone users overwhelmingly prefers text messaging and social networking to calling.
As wireless devices are increasing the means through which people may interact and carry out their day-to-day tasks, the Internet itself is simultaneously and profoundly altering social dynamics.
We have observed a significant change in the scope and volume of personal information that individuals are comfortable sharing in cyberspace. In an era of blogs, online profiles, social networks, and tweets, the Internet has become a valuable tool for individuals to stay in touch and communicate with friends, family and acquaintances. And mobile devices make it easier for individuals to make ever increasing amounts of personal and behavioural data available to friends, businesses and government.
Young people are particularly eager to build and maintain a strong and dynamic online identity. Our 2008 annual report on the Personal Information Protection and Electronic Documents Act notes that many young people are choosing to open their lives in ways their parents would have thought impossible and their grandparents unthinkable. Their lives play out on a public stage of their own design as they strive for visibility, connectedness and knowledge.
Overview of challenges to privacy in an electronically connected world
Information shared to keep up with friends, to purchase online, or to connect with like-minded professionals often winds up being used in unexpected ways.
Although young people are especially prone to divulging information without a full knowledge or understanding of the possible consequences, all demographic segments are learning the hard way – whether by being turned down for a job, by having long-term disability benefits cut off, by being shunned at real-life gatherings of friends or by having their identity stolen – that what seemed, at the time, to be safely private and for the consumption of the few is, in fact, very much public and accessible to many.
While technology and social perceptions of privacy are fast evolving, especially among the younger generation, the associated privacy safeguards and understanding of unintended consequences when sharing information are not always keeping pace.
Moreover, some systemic issues also lead to security breaches and the unauthorized disclosure of personal information. Our 2008 PIPEDA annual report identified some of them: inadequate or absent system security, insufficient employee knowledge and training about privacy, disgruntled staff, faulty administrative procedures (including information disposal procedures), and breaches incurred by third-party service providers.
Some of the common threats specific to mobile device users’ privacy include signal interception through specialized devices, access to text messages, access to user records, and exploitation of Bluetooth (“bluebugging”) to access information stored on the device.
Our Office has identified three specific privacy concerns that are expected to become more important as the use of wireless devices increases. They are behavioural marketing, location data and cloud computing. It should be noted that behavioural marketing and cloud computing are already common practices on the Internet; they will increase in prevalence as wireless devices become the tool of choice for Internet access.
- Behavioural marketing: concerns about lack of consent
Behavioural marketing consists of tracking consumers’ online activities over time in order to deliver ads that are targeted to individual consumers’ inferred interests. To target ads, behavioural marketers collect data about users’ online activities using a number of tracking technologies such as cookies. The type of information these technologies collect can include: pages visited (on a single site or across sites), the length of time spent on specific pages, advertisements viewed, articles read, what is purchased, search terms or other information entered, user preferences such as language, web browser type and language, operating system, and location information. Behavioural marketers use this data to build user profiles, determine user interest categories and show ads based on the assumptions they make about their interests.
It is argued that the data generated from behavioural marketing is aggregated and individual users are not identified. Consumers, moreover, are said to benefit from the free content and receiving more relevant advertising and discount offers that reflect their interests. Our office, however, is concerned about the privacy implications of this practice.
Data is rarely truly anonymous. There are cases where individuals have been re-identified and anonymous profiles have been combined with other information to identify people. Also, advertisers do not ask individuals for express consent to collect, store, use or share their data with third parties, and individuals do not know what data is being collected, what their profiles contain and whether these profiles are actually accurate.
- Location data: no place to hide
Behavioural advertising, already common on the Internet, will be of increasing concern as users increasingly interact with the online environment via mobile devices.
Indeed, the mobile environment is unique in that the device is carried with an individual. The newer generation of 3G wireless devices is GPS-enabled, allowing a user's location to be determined with varying degrees of accuracy depending on the techniques used. This in turn has led to services such as Loopt or Google Latitude, which provide location and mapping information based on a user's location. Location-based tracking and surveillance can reveal highly personal information about an individual. Profiling individuals based on their location, and creating location-based databases, raises serious privacy concerns.
Assistant Commissioner Elizabeth Denham noted in an address [1] to the Geomatics Industry of Canada: “An even bigger concern when it comes to privacy issues is the growing ability to link geospatial information with other data in a way that results in the creation of personal information. In other words, personal information is created when the linking of information to a particular location allows for that new information set to be connected to a particular person”.
- Cloud computing: where is personal information going?
Cloud computing uses the Internet and central remote servers to maintain data and applications. In general, cloud computing users do not own the physical infrastructure, instead avoiding capital expenditure by renting usage from a third-party provider. Cloud computing allows users to use applications without installation and access their personal files at any computer with Internet access. They consume resources as a service and pay only for resources they use. Cloud computing is generally broken down into three services: «software», «platform», and «infrastructure».
In a «Software-as-a-Service» model, a user pays a software-providing company a subscription fee in return for running applications over the Internet from the service provider's centralized servers rather than from the business's own on-site systems. The «Platform-as-a-Service» model refers to the provision of hardware and software (such as databases) that allow users to develop and deploy their own applications. The third model in cloud computing, «Infrastructure-as-a-Service», is of particular concern to us. In this model, rather than storing data on their own computer network, cloud computing users store data on servers “in the cloud” and retrieve it as needed.
Although this may look like a classical case of an outsourcing relationship where respective responsibilities are clearly established, it is not. In a cloud environment, there are no single dedicated data centres where information is stored. “Data may be dispersed across and stored in multiple data centres over the world. In fact use of a cloud infrastructure can result in multiple copies of data being stored in different locations.” [2] And cloud relationships are not one-to-one relationships but multilayered, web-like relationships where Cloud User A contracts with Provider B that in turn may contract out to Providers C and D that may contract out, unbeknownst to User A, to Providers E, F and G.
This sharing and transfer of data within the cloud, and the inability of anybody to easily say where the data is or has been, have jurisdictional implications. Personal information belonging to Canadians is moving from server to server and from jurisdictions providing strong data protection to jurisdictions providing little data protection. Because of the diffuse nature of cloud computing itself, control and oversight of data flow are, for all intents and purposes, currently very difficult to enforce.
Security safeguards are also a concern. In cloud computing, users rely on the security measures provided by each of the cloud participants that handle personal information. Some established companies may provide adequate security controls, whereas others may decide that security is not a priority.
Another related issue is the retention of data. At the current time, our Office does not have a clear view of what happens when multiple copies of data are dispersed and stored in different locations. Is information deleted from one location also deleted from another? Is information automatically updated in all locations, or do we end up with a multiplicity of versions lingering in various corners of cyberspace? How long are the multiple copies retained? Did the individual whose data is stored in a cloud consent to having his information disaggregated and stored in multiple copies in different locations?
Position of the Office of the Privacy Commissioner of Canada
Privacy and information security are not always front and centre priorities when new tools are being developed and used. This is not a caution against using new technologies or integrating new tools into everyday activities. Rather, it is recognition that Canadians, especially the younger generation, need help to begin developing appropriate information-management practices – ways to ensure their personal information is collected by organizations only with their permission, distributed only according to their wishes, and used only in ways to which they agree.
Our Office is of the view that technology and privacy can work hand in hand, and that ensuring privacy rests in outreach to Canadians, continued close dialogue with industry, and informed policy-making and legislation at the national and international levels.
In the next year, the Office of the Privacy Commissioner intends to conduct an in-depth examination of privacy issues related to behavioural marketing, location data and cloud computing. PIPEDA will be reviewed in 2011 and, although it is a technologically neutral law, our Office wants to ensure it will continue to respond optimally to technology developments that are shaping our future.
Given the increasingly globalized nature of privacy challenges, our Office believes that durable solutions will also come through international collaborative efforts.
How does Canada compare to other countries with respect to technology and privacy?
When it comes specifically to the issue of wireless devices, some countries such as Japan, Korea and the Scandinavian countries are more advanced in terms of using mobile phones as payment devices to pay for goods and services and offering location-based services tied to mobile devices. These types of services, which raise privacy concerns, are only starting to become more widely offered in Canada.
However, most privacy laws, like PIPEDA and the Privacy Act, are technology neutral. They do not typically contain specific provisions dealing with communications technology. Canada's privacy laws are similar to laws elsewhere in that they are based on the same set of «Fair Information Principles», e.g., only collect as much information as you need and only use it for the purposes for which it was collected.
Notwithstanding the fact that most data protection and privacy commissioners are generally perceived to have greater enforcement and oversight powers than the Privacy Commissioner of Canada, PIPEDA, Canada’s private-sector law, works well, and it would be hard to point to another law that is clearly superior.
Going forward: the Madrid Resolution
As mentioned previously, our Office believes international initiatives are paramount in safeguarding privacy in a technological era. In that respect, we are especially pleased with the results of the International Conference of Data Protection and Privacy Commissioners held last month in which a resolution entitled «International Standards on the Protection of Personal Data and Privacy» (also known as the Madrid Resolution) was adopted by more than 50 countries.
Essentially, these standards are a proposal of international minimums. They define a series of principles and rights that guarantee the effective protection of privacy at an international level and ease the international flow of personal data, which is essential in a globalized world. All of the principles are common to the existing legal instruments in various jurisdictions, including PIPEDA.
Among these rights are those of access, correction and challenging compliance, together with the way in which they can be exercised. The standards also include obligations such as the security of personal data, through whatever measures are considered appropriate in each case.
Furthermore, international personal information transfers may be performed when the country to which the data is transferred offers, at least, the level of protection foreseen in the document; or when whoever wants to transfer the data can guarantee that the recipient will offer the required level of protection, for example, through appropriate contractual clauses.
The Madrid Resolution also calls for proactive measures, encouraging states to promote better compliance with the applicable data-protection laws, to establish supervisory authorities, and to co-operate and co-ordinate their activities with one another.
Our Office, as one of the proponents of this resolution, believes that the Madrid Resolution represents a significant step toward the development of an internationally binding tool that will contribute to stronger, more consistent protection of individual rights and freedoms at a global level.
Canadians are going wireless, thereby multiplying the means through which they interact, communicate and carry out their day-to-day tasks. There are of course privacy concerns related to new wireless technologies, and the Office of the Privacy Commissioner of Canada has identified three emerging issues – behavioural marketing, location data and cloud computing – that warrant further examination. Nonetheless, our Office also believes that technology and privacy can work hand in hand. Ensuring privacy rests in outreach to Canadians, in informed policy-making at the national and international levels and in continued close collaboration with industry.
[1] Elizabeth Denham, Assistant Privacy Commissioner of Canada, “Privacy and the Changing World of Maps”, remarks at the PIPA Conference 2009, Vancouver, British Columbia, October 15, 2009, http://www.priv.gc.ca/speech/2009/sp-d_20091015_ed_e.cfm
[2] David Navetta, Information Law Group, August 16, 2009.