Democratic implications of privacy issues take centre stage at ‘Privacy in Peril’

By Carlo Javier

It was fitting to end Data Privacy Day on Jan. 28 with a talk called Privacy in Peril.

Organized by the Vancouver Public Library and the SFU Library, the event saw Mike Larsen of the BC Freedom of Information and Privacy Association (FIPA) and Micheal Vonn of the BC Civil Liberties Association (BCCLA) cast a light on modern issues surrounding data, surveillance, and privacy.

Larsen opened the discussions with a statement that might best capture the complicated nature of privacy amidst our increasingly digital and interconnected world: “Privacy is a collective good. Thinking about the perils that privacy faces right now requires us to think about privacy as a democratic good.” The principle is especially critical of the framework often used to analyze privacy – one that isolates issues as strictly individual-based cases (think consent forms, website cookie policy notifications). Larsen’s suggestion is to look at privacy with a holistic perspective and to see how privacy rights have implications not only to an individual, but to many other agents that may either be directly or indirectly involved.

He then put forward two concepts he deemed to be main pillars of the current state of privacy: Surveillance Capitalism as discussed in Shoshana Zuboff’s new book and Bernard E. Harcourt’s study on the Expository Society.


“Privacy is a collective good. Thinking about the perils that privacy faces right now requires us to think about privacy as a democratic good.”

– Mike Larsen

The two ideas were both entirely unsurprising, yet undeniably unsettling. While the monetization of data has become fairly well-known (and seemingly accepted), Larsen disputed the belief that the collection of our digital footprint is dedicated solely to economic means like marketing and advertising. I heard noticeable gasps from around the audience when he delved into the other side of surveillance, the one we don’t talk about enough: prediction of behaviour, political sentiment, and voting practices – and information such as these can open the possibility for the steering and manipulation of the public.

Micheal Vonn (left) of the BCCLA and Mike Larsen (right) of BC FIPA discusses the complicated state of privacy amidst an increasingly digital and interconnected society.

Although the discussion on the Expository Society veered towards a more academic vernacular, the subject in its most basic nutshell did hit close to home. It is essentially a critique on how the digital age and the dawn of social media have changed our habits, how we have become more incentivized and inclined to share personal information in public spaces, which in turn builds copious amounts of vulnerable data.

The concern about the safety of our data was a sentiment that Vonn echoed in her discussion, stating that we create more data than most places, but unfortunately, “we can’t really protect it.” Vonn also delved into sovereignty and transparency, citing the lack of ability to hold government bodies accountable, relative to the amount of access government has to our personal information. As for tips and solutions, Vonn proposed a tactic she admittedly described as unpopular – go analog. A self-confessed Luddite, Vonn spoke of the security measures created by simply leaving devices like laptops (and yes, even phones) at home when travelling or crossing the US-Canada border.

Although we only celebrate Data Privacy Day once a year, the discussion it generates allow for issues surrounding data, surveillance, and privacy to permeate our general discourse. And while the meaningful action that we seek can come so few and far between, these discussions do represent a small victory. At the end of the day, we want as many people talking and caring about these issues. After all, privacy is a collective good.

Eager to get involved in the fight for our rights? Click here to join the cause.

Carlo Javier is the community awareness and outreach coordinator at BC FIPA. He has a Bachelor’s Degree in Communication Studies from Capilano University.

Updated: Two pieces of scotch tape that show why Statistics Canada doesn’t care about your privacy

***

Update:

As of December 3rd, 2018, one week following the publication of this blog post, and a couple of weeks after more than 400 Canadians exercised their privacy rights and requested their personal information through an OpenMedia campaign that FIPA assisted with, Statistics Canada has announced that they are suspending their practice of obtaining personal credit records from TransUnion and are delaying their plans to access the banking details of 500,000 Canadians.

Information contained in this blog post was cited in an article in the Globe and Mail that originally broke the story. 

***

I wish that was some kind of elaborate metaphor.

When I heard that Statistics Canada had been accessing the credit scores of Canadians, I wanted to find out if I was affected. I filed a request under the Privacy Act for “any records or data related to me that was received by Statistics Canada from TransUnion,” which is one of Canada’s two credit bureaus.

As someone interested in privacy and privacy rights, I was curious as to why Statistics Canada would be interested in my personal financial information and how they would safeguard it.

The offending envelope, replete with scotch tape and addressed to the wrong person.

The letter I received confirmed that Statistics Canada had, in fact, accessed my complete credit history. It was apparently protected though; the letter went on to explain that any personal information that could identify me had been scraped from my financial information. They had only recombined the information and re-identified me in order to fulfill my request (Click on the image to the below right to read the full letter).

Then they tucked these sensitive records, which contain my complete credit profile, into an envelope, attempted to close it with two pieces of scotch tape, and sent it to me in the mail.

Two pieces of scotch tape.

Forget for the moment that I had asked for electronic copies of my records and that Statistics Canada made a choice to print this sensitive financial information and send it through the mail.

Please also forget that the envelope was addressed to the wrong person.

Click the image to read about Statistics Canada’s “essential security” measures

Because I’m able to open the package, read the letter from Statistics Canada detailing the importance of safeguarding my personal financial information, flip through several pages that contain my Social Insurance Number, birth date, address, contact information, all of my banking information, including available credit, debts, accounts, balances, and more—and then I’m able to seal the envelope closed again with those same two pieces of scotch tape.

I would never know if this envelope had been opened prior to arriving at my residence.

If Statistics Canada does, in fact, take privacy seriously and does believe that it can responsibly hold the detailed and sensitive financial records of Canadians, then it needs to be able to comply with the Privacy Act in a way that doesn’t mean sacrificing privacy. That is the tragically ironic position that Statistics Canada finds itself in.

Here is one possible solution that Statistics Canada could consider employing as an additional “essential security measure”: Send an encrypted CD-ROM through the mail and provide a password in a separate letter or through email. This two-step authentication method means that anyone who interrupts the original package won’t have access to the sensitive records that Statistics Canada holds.

It would also mean providing access to the records through the means that I had initially requested.

The back of the envelope shows an intact seal.

But Statistics Canada made a choice about how they were going to respond to the request that I made through the Privacy Act. In doing so, they both fulfilled my request and put my privacy at tremendous risk. Perhaps, they were trying to send a message: Don’t bother us about our security measures if you want your data to be kept safe.

But alas, there is a saying that goes something like, “Attribute not to malice what can be attributed to incompetence.” This example illustrates why Statistics Canada shouldn’t have access to the sensitive financial information of 500,000 Canadians.

In era where trust in public bodies is eroding, and progressive technologists look towards adopting decentralized models like block chain, our government needs to be rebuilding trust. For Statistics Canada, that starts with taking decisive steps towards protecting the privacy of Canadians, of doing the fundamental work to earn the trust of its stakeholders.

And, quite frankly, two pieces of scotch tape won’t cut it.

Bryan Short is the Program Director at BC FIPA. He holds a master’s degree in Journalism and a bachelor’s degree in English Literature from the University of British Columbia. 

Statistics Canada Requesting Financial Information of Canadians

MEDIA RELEASE

November 5, 2018

Statistics Canada Requesting Financial Information of Canadians

VANCOUVER, November 5, 2018 – The recent media reports of Statistics Canada seeking to collect the financial information of Canadians in order to build a personal information bank—and the report that Statistics Canada has already received personal financial data from one of Canada’s two credit bureaus—exposes issues around how government agencies collect, store, and use the sensitive personal information of Canadians.

While the Freedom of Information and Privacy Association of BC supports Statistics Canada ability to provide a valuable service to Canadians, the government agency needs to find a balance between fulfilling its mandate and respecting the privacy of its stakeholders.

“It is untenable to give absolute trust and authority to a government agency in today’s technological landscape,” says Sara Neuert, FIPA’s executive director. “Given the regularity that personal information is breached, Statistics Canada has an ethical responsibility to inform Canadians about access to their sensitive financial information, and to seek their consent before doing so.”

As Statistics Canada only sees value in this data if it can be connected to the identity of a person, consent is needed to collect this information. In order to enshrine this privacy principle in law, the Privacy Act should be revised to include provisions that requires government agencies who seek to collect identifiable personal information from third-parties to first seek consent from those individuals.

In addition, the Statistics Acts needs to be updated to account for the digital transformation that has occurred since its inception. There are no longer the same kinds of physical limitations that once restrained the amount of sensitive information about Canadians that could be collected, stored, and used. Therefore, the Statistics Act should reflect this transformation.

Contact:

Sara Neuert, Executive Director

BC Freedom of Information and Privacy Association

Email: fipa (at) fipa.bc.ca

Phone: 604-739-9788

-30-

USMCA Puts Privacy at Risk

MEDIA RELEASE

October 17, 2018

USMCA Puts Privacy at Risk

VANCOUVER, October 17, 2018 – The pending free trade agreement between Canada, Mexico, and the United States (USMCA) conflicts with existing provincial legislation around data localization and puts the privacy of British Columbians at risk.

The Freedom of Information and Privacy Association of British Columbia continues to support the data localization provision within BC’s Freedom of Information and Protection of Privacy Act (FIPPA).

The data localization provision, section 30.1 of the act, protects the privacy of British Columbians by mandating that the personal information collected by public bodies must be stored and accessed only in Canada, with some limited exceptions.

“Controlling where personal information flows, and who has access to it, is an essential tool in the ongoing and evolving process of protecting the privacy of British Columbians,” said FIPA executive director, Sara Neuert.

While data localization has been and continues to be an important step in maintaining and enhancing personal information protections that are in accordance with our Canadian values, Article 19.12 of the USMCA prohibits computing facilities from being located in a specific place.

The domestic data storage provision within FIPPA is a matter of political consensus within in British Columbia. We are calling on the provincial government to reaffirm its commitment to section 30.1 of FIPPA in light of the recent USMCA trade agreement.

Contact:

Sara Neuert, Executive Director
BC Freedom of Information and Privacy Association
Email: Sara (at) fipa.bc.ca
Phone: 604-739-9788
Cell: 604-318-0031