Official Blog of the Office of the Privacy Commissioner of Canada

10 Jun 2013

Fixing leaky faucets: Raising the bar of privacy protection


“Web leakage” research and follow-up work by the Office of the Privacy Commissioner of Canada has resulted in improvements to the privacy practices of some popular Canadian websites.

You may recall that our Office’s technologists tested 25 sites last year and found a significant number were “leaking” registered users’ personal information – including names and email addresses – to third-party sites such as advertising companies.

The research project prompted extensive discussions with the operators of 11 sites where concerns or questions were identified.

Positive changes

In the end, we’re happy to say that the initiative has resulted in a number of positive changes for Canadians:

  • Several organizations have taken measures to stop unintentional or unnecessary disclosures of personal information.
  • Many also agreed to take steps to ensure they provide consumers with clear, accessible information about their privacy practices.

All of the organizations cooperated with our Office and we were able to resolve our concerns in each and every case.  Here is a summary of the results of our work with the 11 sites:

  • In three cases, the site operators had been previously unaware that personal information was being disclosed to third parties, but took steps to ensure the disclosures stopped.
  • In a further three cases, websites had been intentionally sharing information such as email addresses with third parties, but agreed to stop after we questioned the practice.  Another organization was looking at whether its site could be re-designed to prevent sharing with two of its online service providers.
  • One organization acknowledged that personal information was being shared with third-party service providers in order to manage its website – even though its privacy policy states personal information is not made available to third parties.  The organization is in the midst of making changes to its privacy policy to provide greater clarity.
  • In other cases, our discussions with organizations confirmed that no information was being disclosed to third parties beyond that found in our research – for instance, postal codes.  As a result, we determined the disclosed information was not personal information.

Of course, our initiative involved a very small sample of sites and “web leakage” concerns are not confined to the organizations identified in our research.  All web site operators and third parties should review the personal information they share and test their own sites to check whether data is unintentionally leaking.

Issues beyond “web leakage”

During our work, it became apparent that organizations’ privacy practices, such as the legitimate sharing of information with third parties, were not always disclosed in a meaningful way to consumers.

Commissioner Stoddart has expressed concern about privacy policies that are too long, too convoluted, and, as a result, tend to be largely ignored by users.

Organizations should have clear, descriptive privacy policies.  Our Office has also started looking at other practices that could also be adopted to help inform people about how their personal information will be handled.  For example, we like just-in-time notifications – providing explanations of privacy practices when data is collected.

To that end, we were pleased that several organizations committed to improve the way in which they tell consumers about their personal information handling practices.  For example, some are reviewing their privacy policies and exploring more innovative ways – such as just-in-time notices – to provide privacy information.

All of these steps will go a long way to help ensure these organizations have obtained informed consent for the collection, use and disclosure of personal information online – as required under Canadian privacy law.

And since the issues we identified have been addressed, the Privacy Commissioner has decided not to exercise her power to name these organizations.

Given our study has revealed systemic issues in this area, our Office is developing a guidance document on best practices with respect to how organizations obtain informed consent from Canadians for the collection, use and disclosure of personal information in the online world. We expect to publish the guidance document later this year.


30 May 2013

Hat trick at IAPP Canada


Commissioners Stoddart, Denham and Clayton at IAPP Canada 2013

Who says hockey season is over in Canada? Check out these three stars from last week’s IAPP Canada Privacy Symposium - from left to right, Privacy Commissioner of Canada Jennifer Stoddart; Elizabeth Denham, B.C.’s Information and Privacy Commissioner; and Jill Clayton, Alberta’s Information and Privacy Commissioner. This year’s Commissioners’ Panel, in honour of the playoffs, was modelled after TSN’s The Quiz. The panel also included Ann Cavoukian, Information and Privacy Commissioner of Ontario. Commissioners were great sports – they poked fun at each other and themselves, and answered questions about a wide range of privacy issues, including big data, accountability and breach notification.  Moderator Kris Klein, IAPP Canada’s managing director, wore a striped referee’s sweater, but didn’t have to blow his whistle or put anyone in the penalty box even once.


8 May 2013

Be prepared for a crisis with our Privacy Emergency Kit


It’s Emergency Preparedness Week in Canada – time to encourage Canadians to become better prepared to face an emergency with basic steps such as keeping bottled water and canned goods in the basement.

The Office of the Privacy Commissioner of Canada is also encouraging organizations to ensure they are prepared to address privacy issues that may arise during a time of crisis.

Personal information can play an important role in an emergency situation.  Uncertainty around the sharing of personal information could result in unnecessary confusion and delays – and have significant consequences for people.

Our Office, in consultation with several provincial and territorial counterparts, has created a Privacy Emergency Kit to help both private and public sector organizations ensure they are prepared.

Privacy laws do allow for appropriate sharing during a time of crisis, but it is crucial that organizations understand the legislation that applies to them and consider privacy issues in advance of an emergency situation.

The Government of Canada’s Get Prepared site advises individual Canadians: “Whatever you do, don’t wait for a disaster to happen.”

That’s also good advice for organizations subject to privacy legislation.


7 May 2013

A First-Person-Sweeper Perspective


OPC internet privacy sweep

Yesterday, our Office participated in the first ever international internet privacy sweep. An initiative of the Global Privacy Enforcement Network (GPEN), the sweep is a coordinated effort among a number of data protection agencies to address a particular privacy issue. This year’s sweep assessed transparency online.

I was one of about 20 OPC employees who spent part of the day “sweeping” – visiting sites from a list we had compiled of over 1000 websites popular among Canadians. Our task: to review the privacy policies of popular websites from the point of view of the average consumer, and determine whether we could find out about an organization’s information handling practices, raise questions or concerns with an organization about their information handling practices, and understand their privacy policies.

Many of us sat at networked laptops in a small boardroom we dubbed “The Broom Closet”. Armed with coffee and spreadsheets, we clicked our way through privacy policies, checking for readability, counting words, and taking note of “Bouquets” (elements of privacy policies we felt were done well) and “Turnips” (elements of privacy policies that could be improved).

Through GPEN, the results from all of the sweeps conducted this week will be analyzed and results will be made public sometime in the coming months.

I spent the morning looking at popular kids’ websites. Some observations:

Privacy policies on children’s websites are written for parents, not kids.

In order to operate in the U.S., sites targeted to kids need to be compliant with the U.S. Children’s Online Privacy Protection Act (COPPA).

Operators of kids’ sites might aim to create privacy policies that are robust and comprehensive but in doing so, their privacy policies can risk being long, complex and legalistic.

Even so, some of the sites I visited clearly took some extra effort to break down their policies in order to meet the requirement under COPPA that privacy policies be “clear and understandable” – either by organizing information into hyperlinked chunks or tables, or providing summaries with links to the full policy below.

I can appreciate the challenge these sites face – on the one hand, they must demonstrate compliance; on the other hand, parents of kids who use these sites want to make informed decisions about their information. And parents often need to make those decisions quickly, or with other immediate priorities competing for their attention.  How many of you have tried to make heads or tails of a new game your child wants to play, while breaking up a fight over who gets to use the iPad, while sweeping up goldfish crackers and Cheerios? (Not that this happens in my house, ever.)

When you consider that researchers have estimated it can take people up to 250 hours to read all of the privacy policies they encounter in a year, wouldn’t it be nice to see a privacy policy that tells you what you need to know, but also helps shave a couple of minutes off?


29 Apr 2013

Grappling with the impact technology is having on privacy


This week is Privacy Awareness Week (PAW) – a global effort, coordinated by members of the Asia Pacific Privacy Authorities (APPA), to raise awareness about the value of privacy and the importance of protecting it.

For PAW 2013, APPA created an infographic that illustrates how technology has changed the way we communicate, do business and store information, and how this has introduced new privacy risks as a result.

It is an issue that many are thinking about. According to OPC’s recent survey, Canadians are increasingly anxious about their privacy in the face of new technology, and 70 per cent of them feel they have less protection of their personal information than they did 10 years ago. The research also indicates that Canadians avoid downloading apps or using certain websites and services due to privacy concerns.

What can we do?

It is true that consumers expect protections when they use products and services, but it is important to also realize that consumers have an important role to play and need to take an active approach when it comes to protecting their personal information. The best thing anyone can do, when using technology to collect or store personal information, is to understand the privacy risks that come with that technology. And here are some resources to help with that task:

Mobile App: We use our mobile devices to store a goldmine of personal information. To learn more about how to protect the personal information on your mobile device, download the OPC’s free myPRIVACYapp.

Video: Privacy and Social Networks: Do you know what happens to your personal information once you post it on to social networking sites? Watch this video that OPC created to understand how social networking sites make money off of your personal information. It may cause you to ask yourself some tough questions the next time you update your information online.

Infographic: 10 tips for preventing identity theft: Anyone who has personal information is at risk of identity theft, and the risks are higher now that we use technology for so many purposes. And while it’s impossible to entirely eliminate the risk of becoming a victim, it is possible to reduce it. The OPC’s infographic details 10 things you can do to prevent yourself from becoming a target.

Introduction to Cloud Computing: When you store your photos online instead of on your home computer, or use webmail or a social networking site, you are using a “cloud computing” service. The OPC’s fact sheet explains the privacy implications of this.

For more information on the privacy risks that come with technology, and on how to protect yourself, visit the OPC’s page of fact sheets covering a range of issues and topics.


25 Apr 2013

Privacy Pop – Top 12 works of fiction


Themes of privacy, surveillance and identity feature prominently in many science fiction novels. In fact, others have compiled entire lists of privacy-themed sci-fi fiction.

With so much choice, it was tough to narrow down our list. As well, we wanted to include other literary genres – young adult fiction (Little Brother), children’s novels (Harriet the Spy) and historical fiction (Le crime d’Ovide Plouffe).

We’re certain there are many more suggestions spanning the list of literary genres – we invite you to read through our list, and tell us about your own favourites in the Comments below.

 

1. Foundation by Isaac Asimov:  A seven-volume series organized around the notion of “mathematical sociology” – where one can predict the behaviour of a mass of people if the quantity of the mass is very large.

2. Earth by David Brin:  Brin’s novel includes many of the same themes around technology and surveillance that he later expounded on in The Transparent Society.  Released in 1990, Earth is also notable for predicting several technologies that have since come into common usage: the World Wide Web, e-mail spam, and cameras mounted on eyeglasses.

3. A Scanner Darkly by Philip K. Dick:  The film adaptation of this book made it onto our list of Top Ten Films. A Scanner Darkly is an interesting critique of law enforcement investigation and technology.

4. Little Brother by Cory Doctorow:  Following a 9/11-like situation, citizens are under extreme surveillance and their information is mined by government.  Little Brother is an excellent discussion of the effects of a surveillance society.  Its sequel Homeland was just released in hardcover.

5. Blind Faith by Ben Elton:  Satire set in a dystopian society where the human fascination to share information about ourselves with others is taken to extremes.

6. Harriet the Spy by Louise Fitzhugh:  A girl’s diary is lost and found, and in the process much is revealed.  Young adult story about information collection shows the effects of information on the collector, on those whose information is collected, and the impacts of transparency versus hidden surveillance.

7. Brave New World by Aldous Huxley: Considered one of the greatest novels of the 20th century, Brave New World is often compared to George Orwell’s 1984 (below).  A key difference in Huxley’s dystopian society is that its citizens are controlled through psychological manipulation and behavioural conditioning. Huxley feared that our increasingly fast-paced modern society would signal an end to individual identity.

8. Le crime d’Ovide Plouffe by Roger Lemelin:  A fictionalized version of a real case – infidelity leads to a family trip on which the airplane explodes.  Ovide Plouffe is a suspect in this novel that looks at evidence and assumptions and their intersection with humanity and law enforcement.

9. Whole Wide World by Paul McAuley:  This critique of countermeasures takes place in a post-Infowar UK. It explores a society of persistent CCTV where information is power, and law enforcement is ubiquitous and invasive.

10. 1984 by George Orwell:  The quintessential dystopian novel of totalitarianism and information control.  A future world of ongoing conflict, omnipresent surveillance, and the Big Brother state’s use of propaganda and mind control to create the desired society.

11. The Blue Light Project by Timothy Taylor:  Canadian writer Timothy Taylor explores the theme of ubiquitous surveillance in his novel about a televised hostage situation involving a failed reporter and a former military officer attempting to understand and invert the system.

12. La jalousie by Alain Robbe-Grillet:  This story is told through the eyes of an invisible narrator and jealous husband who suspects his wife of infidelity. Through the narrator, Robbe-Grillet examines the impact of surveillance and data analysis on information and perceived reality.

 

And finally, our list would not be complete without nods to two prolific writers whose works cement them as the godfathers of privacy-, technology- and surveillance-themed literature:

William Gibson:  The Gibson oeuvre has always included themes of technology, privacy, surveillance and security.  In The Sprawl trilogy (Neuromancer / Count Zero / Mona Lisa Overdrive) these themes are explored around artificial intelligence and online spaces.  The Bridge trilogy (Virtual Light / Idoru / All Tomorrow’s Parties) looks at the layers of technological and social intersection, but against a platform of mass media manipulation.  Finally, his Blue Ant trilogy (Pattern Recognition / Spook Country / Zero History) uses a more contemporary setting to examine issues of branding, behavioural, geographic and RFID tracking; internet communication and mobile technologies.

Neal Stephenson:  As with Gibson, it’s impossible to isolate one particular book for this list. Snow Crash focuses on a future world organized and run by Big Data.  The Diamond Age looks at the role of access and information in sustaining and disrupting class and culture, while Cryptonomicon and its antecedents (The Baroque Cycle) reflect on privacy rights, global data flow, and the whole modern history of computing and cryptography.


8 Apr 2013

Surveillance technologies and children


A complaint investigation about a daycare that offered webcam monitoring to parents caused us to consider the prevalence of high tech surveillance tools in the day-to-day lives of children. Specifically, we wondered how technical surveillance might affect kids’ feelings about privacy.

To gain some insight into this issue, we examined current research on the effects of surveillance on children and youth. The resulting paper is Surveillance technologies and children.

The research we examined raised questions about the potential effects of surveillance on children’s social development in the long term, particularly as it pertains to children’s feelings of trust and autonomy. Some research suggested that persistent surveillance could even result in children not knowing how to establish their own privacy, or recognize the privacy of others.

But it seems that this area is only beginning to be studied. We would like to see more research being done on this subject, taking into account children of different age groups and varying levels of surveillance. Having more information about how surveillance impacts children’s attitudes, life skills, moral development, and sense of privacy would help parents find the appropriate balance between protecting their children and respecting their children’s need for independence and privacy. It might also focus more attention on those who track our children for less altruistic purposes, like for profit.

Have a read, and let us know in the comments: Do you think surveillance of children has an impact on their long-term development? We would love to hear from you.


27 Mar 2013

On the subject of identity theft


As we close out Fraud Prevention Month, our Office is encouraging Canadians to learn more about how to prevent identity theft and fraud.

Canada’s Anti-Fraud Centre statistics for 2012 indicate that although the number of complaints is lower than in previous years (41,496 in 2012 compared to 48,061 and 51,947 in 2011 and 2010 respectively), the financial damages incurred have actually increased by over $17 million in the same period.

At no age can individuals consider themselves safe from the risk of identity theft.  Although Canadians between the ages of 50-59 appear to be those most targeted by thieves, victims can range from newborn infants to the elderly – anyone who has personal information may have that information targeted and/or stolen.

What Can I Do?

There are some basic measures that individuals can take in order to better control their personal information and help restrict the availability of their information to identity thieves:

 

Take care what documents you carry with you

Many of the identification documents we carry with us on a daily basis are useful not just for our purposes but for those of identity thieves.  Carrying foundational identity documents like your social insurance number (SIN) card increases the risk of fraud since such information, in connection with other personal information, can be sufficient to allow someone to open an account in your name.

 

Be actively aware of your own credit profile and history

Be aware of the billing cycles of your credit providers and stay alert for missing bills.  When bills come in, review them carefully.  And contact the Canadian credit bureaus – TransUnion and Equifax – to report suspected identity theft and obtain a free copy of your credit report to ensure it is accurate and doesn’t include debts you haven’t incurred.

 

Know why and to whom you are giving your personal information

Don’t be lulled into uncritical obedience when someone asks for sensitive information – ask for what purpose the information is collected, how it will be used and shared, what happens if you refuse. If you’re not satisfied, don’t hand it over.

 

Be thoughtful about how you use social networks

Don’t let your social networking profile be a goldmine for fraudsters.

Be discreet about what you post online. Think about what information you’re putting out there, and the implications of it. Lock down your privacy settings, and don’t accept friend requests from people you don’t know in real life.  Regularly change your passwords and make sure that they’re sufficiently robust.  Think critically about what information you’re being asked to provide, and make your own active decisions about what information you share and why.

 

What If It Happens to Me?

If you suspect that your personal information has been hijacked and misappropriated to commit fraud or theft, take action immediately and keep a record of your conversations and correspondence.

For more information, visit the OPC’s page on identity theft and fraud and check out our infographic featuring top tips for preventing identity theft.

 


20 Feb 2013

Statement on the passing of Alan Westin


It is with sadness that we learned of the recent passing of Alan F. Westin.

Dr. Westin’s work had a profound influence on public law in the digital age in that it articulated privacy concepts in a way that speaks to the modern information society.

His pragmatic approach to addressing fundamental tensions between privacy and freedom in light of ever increasing surveillance powers and ever growing databases provided the necessary footing for some of the most important societal debates of our time.

May his legacy continue to be manifest in the work of privacy scholars, advocates, lawyers and policy-makers.


4 Feb 2013

Privacy Pop – Our top songs about… what else?


When we set out to write a post about privacy-themed songs, we knew this would generate a lot of debate. After all, it’s a topic that others have tackled, with “best of” song lists all over the Internet.

We wanted to create a list that went beyond the ordinary, pointing you towards some other, less expected choices.  (Admittedly, the list also reflects our collective musical tastes… but that’s our blogger’s prerogative!)

We’ve also taken a broader view of privacy, so our choices reflect a range of privacy-related issues: Joan Jett’s classic, Bad Reputation, could be interpreted now as an anthem for the social networking age, touching on identity and reputation. Government surveillance emerges as a distinct theme in songs by Mos Def and The Kinks. M.I.A. raps about online tracking, and Elvis Costello sings about counter-surveillance.

We found it difficult to whittle the list down to only 10, as we’d done with our post on privacy-themed films. So, we’re posting our top 15 in the hopes that you will weigh in, either in the comments below or on Twitter, and help us determine the best ten, sometimes overlooked, privacy-themed songs.

Without further ado, here is what made our list:

Bad Reputation – Joan Jett

Bagman’s Gambit – The Decemberists

Big Brother – Bernard Lavilliers

Everybody’s Stalking – Badly Drawn Boy

Fear Not of Man – Mos Def

Laissez-moi tranquille – Serge Gainsbourg

La Machine – Daran

Nothing To Hide – Yo La Tengo

Party Line – The Kinks

Pictures of You – The Cure

Spying Glass – Massive Attack

The Message – M.I.A.

The More You Ignore Me, The Closer I Get – Morrissey

Videotape – Radiohead

Watching the Detectives – Elvis Costello

We’ve compiled all the songs onto a playlist on our YouTube channel. And if you think we’re missing something, let us know!