Official Blog of the Office of the Privacy Commissioner of Canada

22 Sep 2016

How fit is your gadget? Putting web-connected health/wellness devices through their privacy paces


Smart TVs . . . Fitness trackers . . . Automated thermostats . . . Self-driving cars . . .

The Internet of Things is the next frontier in digital technology, which is why the Global Privacy Enforcement Network focused its 2016 Privacy Sweep on this emerging market. Sweep participants were especially interested in how companies communicate their personal information handling practices.

Given the sensitivity of the information that health and wellness devices, as well as their associated apps and websites, are capable of collecting, the Office of the Privacy Commissioner of Canada (OPC) focused its Sweep on 21 devices ranging from smart scales, blood pressure monitors and fitness trackers, to sleep and heart rate monitors, a smart breathalyzer and a web-connected fitness shirt.

The choice of devices dovetails with one of our four strategic privacy priorities—the body as information. Identified as an important area of focus during a priority-setting exercise that culminated in May 2015, the body as information refers to the mounting privacy concerns related to highly sensitive health, genetic and biometric information that is being used by organizations and governments in all sorts of new ways.

During the Sweep, our Sweepers—aka OPC staff—put the products to use to see first-hand what information the devices requested, compared to what privacy communications said would be collected. In some cases, they followed up with specific privacy questions for the companies.

Below is a brief assessment of how the devices stacked up.

Note: the Global Privacy Sweep is not a formal investigation. We did not seek to conclusively identify compliance issues or possible violations of privacy legislation. This was not an assessment of a device’s overall privacy practices, nor was it an in-depth analysis of device design or functionality.

We sought to recreate the user experience and, for the purposes of this blog, we compared and contrasted certain features observed by our Sweepers—namely those they found particularly fit, with those they felt could benefit from some rehab. We learned a lot and hope these concrete examples will help device makers, as well as Canadians, better understand our conclusions.

We’ve also offered some takeaways for companies and consumers. The purpose is to provide some basic tips on how to improve privacy communications from a user’s perspective. These takeaways should not be viewed as legal advice or a substitute for any legal requirements under applicable privacy legislation. Organizations that would like more information on their legal obligations under the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s federal private sector privacy law, may wish to have a look at our Privacy Toolkit.

Location, location, location!

Why do so many devices want to know where you are at any given time? Sure, it might make sense for a fitness tracker that needs to follow your route to calculate your distance travelled. But a blood pressure monitor or thermometer?

The QardioArm blood pressure monitor seeks access to location when the user creates an account and provides the following explanation which seemed a bit odd to our Sweeper.

Then again, it might be interesting to check whether a visit to the in-laws does indeed thrust the ticker into overdrive.

The Kinsa thermometer also gives users the option to enable location tracking and provides a couple of reasons for it.

In a follow-up email to our Sweeper, the company explained that access to location helps users find groups of other Kinsa users. Presumably to swap riveting tales of temperature readings?

The Privacy Policy also offered an interesting use for location data:

I suppose it might be nice to know if there’s a strep throat outbreak before everybody starts double dipping the guacamole at your next party.

Takeaway for companies: Besides location, users also want to know why you need to collect certain information such as full date of birth, height, weight and why you require access to such things as one’s photos and contact list. Provide the purposes for the collection up front and you’ll avoid leaving users guessing. For something as sensitive as location tracking, Sweepers were pleased that many devices gave users the option to turn it on or off.

Takeaway for consumers: Just because a device or associated app asks for data, doesn’t mean you’re required to turn it over. Many data points are optional and users should be prudent before handing over information. Make sure you understand and agree with the intended use of your personal information.

Checking out?

Had enough health tracking for one lifetime? Time to resume your position on the couch with a bag of chips? Deleting your account may not be so simple.

Despite technological advances that allow users to share data electronically with doctors and relatives, the Everlast Health blood pressure monitor relies on snail mail to fulfil requests for data deletion. Seriously?

By contrast, the Jawbone UP3 wireless activity, sleep and heart rate tracker offers what appears to be a comprehensive series of instructions for deleting data, whether it’s specific readings or all personal data on the company’s servers and beyond, including that collected by its partners.

Unfortunately, despite all these seemingly quick click mechanisms for deleting data, our Sweeper noted his account was still active and personal information was still accessible two months later, despite following up with the company’s customer service department to confirm deletion.

Takeaway for companies: There’s no need to make things difficult for customers who wish to delete their data. As technological innovators, we are confident in your ability to come up with a simple and quick way for people to delete account information that does not require more than a few clicks of a mouse. Simplicity is a great way to build trust and credibility with your customers.

Takeaway for consumers: Know what you’re getting into before diving in. Before providing personal information, make a point of finding out what’s going to happen to it and whether you can erase it later if you so desire. If you’re not sure, contact the company for more information. Most organizations are sensitive to consumer concerns about privacy. Let them know if something doesn’t feel right. Positive changes to the general policies or practices of an organization are more likely when people speak up.

Three (or more’s) a crowd

Transactions in the online world are never black and white. From marketing, to analytics, to scientific research, behind seemingly every company you think you’re dealing with is a myriad of third parties potentially getting access to your data for one reason or another.

The QardioArm wireless blood pressure monitor offers a crystal clear explanation of who it won’t share your information with, such as advertisers and marketers, data brokers and information resellers. To our Sweeper’s delight, there’s an added caveat that nothing will be shared without the user’s express (opt-in) consent.

Meanwhile, the BACtrack Mobile breathalyzer device gives users the option to store blood-alcohol level readings and sets its default to not keep this data on file, which is great. But if you decide to create an account and keep a record of your readings, your data, including your readings as well as your location, notes, photographs, gender, weight and other data will be stored and may be shared with third parties, including the media. BACtrack warns in the printed Privacy Policy that comes with the device that “although we will not associate your name with such data, your identity may be determined by the other data available.”

Curiously, we did not find this same clause in the online version of the privacy or terms of use policies.

Takeaway for companies: Consumers want to know who their personal information is being shared with and for what purposes. Ideally, companies should provide details about what information is being shared and with whom. For example, is it being shared for marketing, research or operational purposes?

Takeaway for consumers: Read and make sure that you are comfortable with the use and sharing practices of a company you are dealing with. Remember, many companies will not only sell you a device, they may sell your data as well. Note, however, that you do not have to agree to all a company’s requests to share your data. Certain requests to disclose, such as for marketing purposes, should not necessarily be a condition for using a device. Also know that devices may connect to existing social media platforms or offer their own social media features that allow you to share data publicly. Think twice. Once information is out there, it may be impossible to get back. Think of the impact certain comments or images could have on your reputation or the reputation of others. What might seem like a good idea in the moment, might not in the days, weeks, months or years ahead.

Details please

Sweepers were certainly conscious of the sensitive nature of health data and were protective of it. While they understood that providing too much information about safeguards could compromise a company’s security, they felt some detail was important.

The Garmin Vivosmart HR fitness tracker monitor offers users a pretty detailed explanation of its security controls under the heading “Keeping Data Safe at Garmin” and encourages users to report any security or vulnerability issues they might encounter.

The company also explained its use of encryption, but our Sweeper was left wondering whether it only applied to financial data and if health information is also encrypted.

Meanwhile, the Fitbit Charge HR fitness tracker offered a single vague line about safeguards in its privacy policy and invited users to contact the company for details:

A follow-up email to the company yielded a slightly more detailed explanation that included some information about its use of encryption, but it mostly just “rest assured” us that its products were “designed with security in mind.”

Takeaway for companies: Sweepers noted a number of vague statements about the use of safeguards, with organizations reassuring users that their information is safe. Ensure you have the necessary robust safeguards in place, commensurate with the sensitivity of the personal information you have collected.

Takeaway for consumers: If, after reading about what safeguards a company has employed to protect your personal information, things still aren’t clear or you have questions, ask. If you believe your data has been compromised, raise your concerns with the company. If you are not satisfied with the results, you have a right to file a formal complaint about organizations subject to PIPEDA with our Office.

Get to the point

Ever purchase a product only to wonder whether the company realizes they’ve provided the wrong privacy communications? Generic privacy policies that read as though they were written for another product are frustrating and unhelpful. But it doesn’t have to be this way.

The Razer Nabu fitness tracker provides a great example of just-in-time notification—a practice that provides valuable information to users about how their data is going to be used at the very moment they are asked to provide it.

The iMazeFitness HR strap, on the other hand, offered a link to a privacy policy that seemed completely unrelated to the device or company in question. On top of that, after desperately looking for some form of relevant privacy communications for iMaze, our Sweepers were disappointed to find a placeholder inserted at the bottom of a profile page that said: “insert customer data privacy clause here.” How embarrassing!

Takeaway for companies: Privacy communications that are specific to the device in question are far more useful than generic policies that will simply leave your customers scratching their heads. Just-in-time notifications provided on the device at the moment data is sought are a best practice worth considering. Finally, do your due diligence. Generic templates and unfilled placeholders are embarrassing and do little to engender trust and credibility with customers.

Takeaway for consumers: If the privacy communications do not match your experience using the product, let the company know. As mentioned before, companies tend to be responsive to consumers when they express concerns about privacy. A testament to this statement is the fact that 19 of the 21 companies we wrote to with follow-up questions got back to us in a timely fashion. We were satisfied with the responses from two-thirds of them. It’s a start!


19 Sep 2016

Children’s Privacy Sweep yields positive changes


So whatever happened with that Children’s Privacy Sweep, you ask?

Before we delve into the results of the 2016 Internet of Things Sweep—look out for them very soon—we thought we should update you on the outcome of our discussions with developers behind the mobile applications (apps) and websites we raised concerns about in a blog post and/or letters issued last fall.

As you may remember, the Office of the Privacy Commissioner of Canada assessed the privacy practices of 172 mobile apps and websites either targeted directly at children, or considered popular among them, as part of the Global Privacy Enforcement Network’s annual Privacy Sweep.

We raised concerns about the sheer volume of personal information being collected from children, including sensitive data such as photos, videos and location. We found many companies failed to provide adequate protective controls to limit collection and often provided links redirecting children to other sites with different privacy protection practices and sometimes questionable content.

We pointed to a number of best practices and areas for improvement and ultimately wrote to 13 targeted apps and websites and 16 popular ones to explain our concerns in a bid to effect positive change. We heard back from eight of those targeted at children while just four popular sites got back to us.

Of those targeted at children, three elaborated on their privacy practices and clarified that they were either not collecting information as described in their privacy communications or that they did indeed have parental controls.

Five targeted sites said they’d made positive changes as a result of our letter and their subsequent review of their privacy practices.

YTV.com is a prime example. The website belonging to the specialty TV channel raised concerns around collecting the full name, age, postal code, phone number and email address of children who sign up for a contest.

The company says it’s since stopped collecting the information from children and will instead ask for the parent or guardian’s particulars. The company said it would delete the information 120 days after the close of a contest.

In response to our concerns that kids could be redirected to third-party sites with inadequate warning, the company has addressed that with a child-friendly drop-down message that’s hard to miss.

Meanwhile, we didn’t even have to send a letter to one company that proactively made positive changes after seeing our blog post.

Santasvillage.ca originally made our naughty list for urging kids to hand over their full name and email address in order to receive contest details and other marketing materials. The company has since revised its site to make it clear that this section is for adults.

[Images: the Santasvillage.ca page before and after the revision]

Unfortunately, three targeted companies didn’t respond and two letters were returned to us unread.

But while the response rate for targeted apps and websites was a respectable 83 per cent, the same cannot be said for those sites that are considered popular among children, but are geared to all ages.

Only four of the 16 popular apps and websites we wrote to responded. Bell Media, which is responsible for MuchMusic.com, was among the few that gave us something to sing about.

After we raised concerns, the company wrote back indicating they’d made a number of changes.

Bell added a check box to ensure underage users seek parental consent and reviewed existing profiles, deleting those of users under the age of 13 and those with incomplete date of birth information.

The company also added language explaining that usernames should not be real names and links to its Privacy Policy on all pages in which personal information was sought. The company is also now offering users a simple way to delete their profile.

FIFA also got back to us with a plan to review its digital platforms and what information is being collected by next year. As you might remember, our Sweeper was able to post publicly his age and location despite a note in the Terms of Service that the site was moderated. We also had concerns at the time about language in its Terms of Service that put the onus on parents to supervise children on the site.

Pending the completion of its review, the company says it will block access to its FIFA Club to users under the age of 18.

Websites and apps cannot abdicate responsibility for children who are obvious users just because they are geared at a general audience. Developers should know their users and if children are among them, there is an expectation that developers will take responsibility for protecting their privacy.

We urge developers to find innovative and technical solutions to protect children’s privacy on their sites and apps. These efforts could include the use of protective controls such as moderated chat and message boards to prevent the inadvertent sharing of personal information and the use of parental dashboards.

We also expect developers, which may be subject to privacy laws, to provide a proper means for deleting an account to ensure personal information is not retained indefinitely.

While we haven’t re-swept all the sites, we have noticed that some made changes quietly and we appreciate those efforts. We remain confident that public education and outreach can lead to positive change.

Stay tuned for the results of the 2016 Internet of Things Privacy Sweep in the days ahead!


27 May 2016

Required reading for email marketers: a case study in how not to collect and use e-mail addresses


Our Office recently concluded an investigation that has resulted in two important firsts along with some key lessons learned for businesses conducting e-mail marketing.

The investigation represents our first action taken under the “address-harvesting” provisions of the Personal Information Protection and Electronic Documents Act (PIPEDA) introduced by Canada’s anti-spam law (CASL). It also resulted in the implementation of our first compliance agreement, a new tool made possible by changes to PIPEDA introduced by the Digital Privacy Act.

Identifying a potential problem:

Following the launch of the Canadian Radio-television and Telecommunications Commission’s (CRTC) Spam Reporting Centre, we identified a cluster of hundreds of submissions received from the public about the e-mail marketing activities of Compu-Finder, a Quebec-based corporate training provider.

We launched an investigation against the company that examined its privacy management practices and possible use of address harvesting software. In discussions with the CRTC, we found that they were pursuing action against Compu-Finder under their CASL mandate regarding the sending of unsolicited commercial e-mails (“spam”). As a result, we agreed to share information between our offices, as permitted under CASL and a related Memorandum of Understanding.

The investigation:

During our investigation, the company reported that as of January 2014, it held approximately 475,000 e-mail addresses. Of these, around 170,000 were collected using address-harvesting software.

The company claimed that, in anticipation of the coming into force of CASL, it reduced the number of its addresses to just over 100,000 including 28,000 collected by address harvesting software.

Collecting from websites:

Compu-Finder also said it collected e-mails from websites of companies which it believed would be interested in its training and which had an obligation to provide such training under Quebec legislation. Yet while its sessions were offered almost exclusively in French at facilities in Montreal and Quebec City, e-mails were continually sent to recipients across Canada as far away as British Columbia and even overseas.

Compu-Finder believed that it could rely upon implied consent to collect and use many of the e-mail addresses in its possession due to: existing business relationships; the non-sensitive nature of the information collected; the open publication of the e-mail addresses; and, the relevance of its commercial e-mails to the professional activities of the individual recipients.

Yet we found that some of the websites the company collected addresses from had clear non-solicitation notices. We also interviewed some individuals who provided submissions to the Spam Reporting Centre and found that none had any business relationship with the company and the messages they received were not relevant to their work. For example:

  • One individual received e-mails promoting a course for finance directors when he was a computer science professor at a university;
  • Another person received e-mail messages promoting courses on measuring a business’s profitability despite being a scientist working for a government agency; and
  • An e-mail to another recipient promoted training on leading groups, although he was a self-employed bookkeeper.

Collecting by phone:

Compu-Finder also collected addresses by phone. We obtained a copy of the script used by the company’s employees, which did not explain that the purpose for collecting the addresses was to send individuals e-mails selling the company’s services. In addition, it was clear that Compu-Finder was collecting the e-mails from reception, administration and support staff, rather than the individuals who used the addresses.

Lack of records:

We asked the company to provide evidence of the express consent it was relying upon to collect specific e-mail addresses, and it was unable to provide any relevant information regarding how consent was obtained for the collection of addresses.

The result:

All told, it was clear that Compu-Finder was not aware of, or did not respect, its privacy obligations under PIPEDA. And while the company claimed it ceased collecting e-mail addresses using computer software prior to CASL’s July 2014 coming into force, it clearly continued to use such addresses afterward. On top of this, the company’s websites did not include a privacy policy or a designated contact to whom questions about the company’s collection and use of personal information could be directed. As a result, we issued several recommendations to Compu-Finder to bring it back into compliance with PIPEDA. The company eventually agreed to implement all of our Office’s recommendations and enter into a compliance agreement.

Key lessons learned:

Express consent

When a company claims express consent for the collection and use of e-mail addresses, it must make sure that individuals approached are fully informed as to the purposes for which their e-mail address will be collected and used.

During the investigation, we found that Compu-Finder’s telemarketing activities did not provide such clarity, which brought into question whether the consent obtained was meaningful, particularly in the absence of any privacy policy.

Publicly available information

Companies should read and understand PIPEDA’s regulations carefully before determining if information is really “publicly available.”

During the investigation, Compu-Finder said it thought e-mail addresses posted on websites were potentially open to collection without consent due to PIPEDA’s “publicly available” exception. This, however, was not the case, as Compu-Finder’s collection and use of e-mail addresses for the purposes of sending e-mails selling its services were not, at least in some cases, directly related to the purposes for which organizations had posted individuals’ e-mail addresses on their websites.

In addition, the publicly available exception cannot be claimed if an address was collected by the use of address-harvesting software.

Keep robust records

This investigation drives home the importance of keeping robust records and conducting appropriate due diligence.

Even if Compu-Finder’s assertion that it obtained consent from individuals to collect and use their email addresses were to be believed, it lacked adequate records to back up its claims.

Any company doing e-mail marketing should keep records indicating when and how consent from individuals was obtained to collect and use their e-mail address. They should also provide some indication as to the individual’s employment, business or profession and the e-mails sent to them to prove relevance where required.

Such records and their sources should also be revisited at intervals if your organization is relying on implied consent to check that such consent remains valid. For example, has a non-solicitation statement been added to a website?

Robust records not only prove good practice in the event of an investigation, they also enable a business to readily remove an individual’s e-mail address should consent later be withdrawn, as required under PIPEDA.

For more information

To find out more about best practices in e-mail marketing and complying with electronic address-harvesting provisions following CASL’s amendment to PIPEDA, read our tip sheet and guide.


11 May 2016

Mending the consent model: A call for solutions


We all encounter scores of user agreements when we go online. Do you read the full terms and conditions governing your use of a site, or do you just hit the “I accept” button and surf on?

If you were to read everything, research suggests you would spend more than 10 full, 24-hour days of your life every year immersed in privacy policies and related legalese. If you’re more inclined to skip that stuff and hit “OK”, then know that you’re explicitly allowing the organization to collect, use and share your personal information, exactly as it said it would in that fine print you ignored.

Providing meaningful consent is a cornerstone of Canada’s federal private sector privacy legislation.

But in this modern era of technological advances and new business models, the consent provisions in Canada’s federal private sector privacy law are being sorely tested.

Routine, predictable, one-on-one interactions with company representatives—be it your bank teller or insurance broker—are quickly becoming a thing of the past. Meanwhile, things like cloud services and third-party marketing have made it increasingly difficult for Canadians to understand exactly who is processing their information and for what purposes.

Add to that the foibles of basic human nature—especially our impatience with anything that slows us down online—and the old notion of informed consent between customer and business becomes even more challenging.

How can we make the consent model work better and what role might individuals, organizations, regulators and legislators play? This is at the heart of a public discussion the Office of the Privacy Commissioner of Canada is launching.

To set the scene we developed a discussion paper. It reviews the role of consent and the challenges it faces today. We look at what other jurisdictions, principally the U.S. and Europe, are doing to tackle the challenges, as well as some of the solutions that have been proposed.

Changing landscape

Nowadays, with all those app-laden, GPS-enabled mobile devices that you carry, wear or have embedded in your personal environment, you’re constantly emitting billowing clouds of personal data.

Where do all these bits go? What happens to them? Who has access to them? Are we OK with them being collected, stored and reused for some future purpose yet to be imagined?

These are the sorts of questions that preoccupy people concerned about the sanctity of personal information in this new era of “big data” and the “Internet of things”, where, for instance, a “smart” fridge can monitor your perishables, draw up a shopping list and order fresh milk.

As it becomes increasingly difficult to wrap our minds around the meaning of privacy in this brave new world, the obvious question becomes: How can you meaningfully exercise your right of consent over the collection, use and disclosure of your personal information?

Potential solutions

Our discussion paper outlines a number of possible solutions, but more importantly, we consider the different roles and responsibilities of the various players—individuals, organizations, regulatory authorities such as our Office and legislators.

Some proposed solutions involve making privacy information more accessible for consumers, giving them the ability to manage privacy preference across different devices and ensuring privacy is not an afterthought, but is rather “baked” into products and services.

Others seek to ban certain collections and uses of personal information outright, while placing restrictions on others. Another school of thought contends certain information should be allowed to be collected and used without consent, so long as there is adequate oversight.

Industry codes of practice and tougher enforcement measures for regulators are some of the other possible solutions discussed in the paper.

At the end of each section, we ask specific questions about the proposed solutions we described, and whether we’ve missed some.

Help wanted

We hope the paper will help start a conversation across the country and we will be consulting widely on how to address this issue.

We’re reaching out to a variety of experts and official stakeholders for their take on the problems around online consent, as well as potential solutions.

And we’re also keen to hear from you — Canadians who, in going about your day-to-day lives, are directly affected by the challenging new environment.

You could address the questions we asked, or share any other thoughts you consider helpful. For example:

  • How important is it to you to be able to consent to the collection, use and disclosure of your personal information in the online environment?
  • Do you read online privacy policies and user agreements? Can you suggest ways to improve them? Have you come across any privacy pop-ups or notices for apps or other services that you have found helpful?
  • Do you feel that always-on, GPS-enabled mobile and wearable technologies, from smart phones and smart cars to wristbands that monitor your fitness or health, raise new consent issues?
  • Among individual users, organizations and regulators, who should be responsible for what?
  • What can organizations do to make consent work better for you?

You can provide thoughts on these questions or other related issues through:

  • The comment feature at the end of this blog post;
  • Our Privacy Comment form allows for a less public way to share your thoughts (please add “Consent Consultation” to the top, so we don’t miss your input); or
  • The formal consultation process.

By the end of this exercise, we hope to be in a position to identify improvements to the consent model. We will apply those that fall within our jurisdiction and recommend legislative changes to Parliament where needed.

Please provide your thoughts by July 13th. We welcome your comments and thank you for your participation!


18 Mar 2016

We want to hear from you about….


Creating and Controlling your Online Reputation

“You are, without doubt, the worst pirate I’ve ever heard of,” sneers Commodore Norrington, the local military boss, in a scene from Pirates of the Caribbean.

Our hero, Jack Sparrow, is miffed but for an instant.

“Ah!” he crows, “but you have heard of me!”

In our celebrity-soaked culture, reputation is everything. It may be good or—as in Captain Sparrow’s case—bad, but never indifferent. Invisibility, the lack of an online identity, is the new no-no of our times.

And so, in an effort to build and burnish a pleasing reputation, we put it all out there. We post comments and status updates, pictures, tweets, blogs and videos. We tell our friends—and sometimes everybody—where we are, what we’re seeing, reading and eating, what we’re thinking and drinking.

We have no secrets. The world, to paraphrase Jack Sparrow, has heard of us; anonymity is dead.

Accidents and sabotage

It can be fun and rewarding to broadcast our existence with an ease unthinkable in generations past. It’s a way to feel socially engaged, networked, involved and in the know.

But does it always work out as we plan?

Sadly, no.

As readily as online identities can be formed, so can they be destroyed. A simple accident like the posting of an ill-chosen image or idea can cause untold misery.

What’s more, control over our reputations rests not with us alone. Anyone else can post information about us, tag us in photos, copy, recirculate or manipulate content, or otherwise alter the way we’re perceived online.

And, for all its usefulness and wonder, the online world is also haunted by bullies and trolls. Across the Internet, we can find websites dedicated to publicly blaming, shaming and defaming people for perceived shortcomings, or exacting revenge through the malicious misuse of intimate images.

They’re troubling spaces that can sideline careers and ruin lives.

We’ve also seen cases where seemingly innocuous information has had harmful consequences. Take, for example, the teacher who lost her job over a vacation photo posted online that showed her holding a glass of wine in one hand and a beer in the other.

Many people have posted information about themselves that has come back to bite them in very unexpected ways.

And when bad things happen online, it’s virtually impossible to turn things around. Unlike in the physical world, where our missteps may quickly be forgotten, data online persists. It can be endlessly replicated and shared. It can be archived, searched and retrieved, months and years later.

Public consultations underway

At the Office of the Privacy Commissioner of Canada, our business is the protection of personal information, the very building blocks of reputation.

And so we think long and hard about the notion of online reputation—what it is, how it’s built up or beaten down, how people might better manage it in their own best interest, and whether we, or others, have a role to play. It’s so important to us that we’ve made it one of the four priorities that will guide our work over the next five years.

To get a better handle on the issues, we recently published a discussion paper that sets out the problems and challenges as we see them. For example, you might think someone has posted something nasty about you; they feel they’re simply exercising their freedom of speech. Who has the authority to decide between competing rights and interests?

Along with our discussion paper, we launched public consultations around the topic of privacy and online reputation.

We’re hoping the input we receive will shed light on the practical, technical, policy or legal solutions that could help reduce the reputational risks people face when they go online.

Your thoughts, please

We are interested in hearing not only from experts such as academics, advocacy groups, IT specialists and educators, but also from regular folks—people like you who use the Internet and have thought about the image their online presence projects to friends, family, co-workers and the broader community.

We want to hear what you have to say on this topic. And, if you’re not sure where to start, here are some questions to consider:

  • Do you have specific tips to share? Have you ever taken steps to safeguard, rescue or improve your online reputation, and how did those actions work out?
  • Whose responsibility is it to manage a person’s online reputation? For example, if you feel that individuals need help in this regard, who should provide it? Educators? Webmasters? Social media organizations such as Facebook and Twitter? Search engine companies such as Google? Media or other opinion leaders? Regulators or other authorities such as our Office? The courts?
  • Should there be special protections for children, teens and other vulnerable groups, or should the protections be the same across the board?
  • Are you aware of educational resources to help people protect their online reputation? Have you used them? Are more needed?

Getting involved

If you want to weigh in on these or any other question, we encourage you to take a look at our discussion paper.

You can provide feedback through:

  • The comment feature at the end of this blog post;
  • Our Privacy Comment form (please add “Reputation Consultation” to the top, so we don’t miss your input);
  • Or, you can always wade into our formal consultation process. Please read and follow the criteria and procedures that we ask everyone to follow if they wish to participate in this manner.

Regardless of which mechanism you choose, we need your thoughts by April 28th, which is the end of our consultation period.

We appreciate your interest in this process, and will use what we learn to enrich the public debate on online reputation, to develop our own policy position, and to better inform Parliament on the issues and potential solutions.


2 Sep 2015

Who did it better? A look at children’s apps/websites and the privacy protective controls on offer


Children are more connected than ever and often miles ahead of their parents when it comes to navigating the Internet and mobile applications (apps).

They’re also among our most vulnerable demographic groups and, in their quest to access their favourite game or social network, they may be apt to give out personal information without any thought to the potential privacy ramifications.

For this reason, the Global Privacy Enforcement Network made Children’s Privacy the theme of its 3rd annual Privacy Sweep.

The Office of the Privacy Commissioner of Canada, along with 28 other privacy enforcement authorities across the country and around the globe, assessed the privacy communications and practices of some 1,494 websites and mobile apps.

The goal: to find out which of them collect personal information, what type of personal information they collect, whether protective controls exist to limit the collection and whether a simple means to delete account information exists.

By briefly interacting with the websites and apps, the exercise was meant to recreate the consumer experience – in this case, the experience of children under the age of 12. Our sweepers, who included a number of adult volunteers as well as nine children, ultimately sought to assess privacy controls based on four key indicators:

  1. Collection of children’s data: Does the app/website collect children’s personal information and if so, what information is collected? (Ex. Name, email, date of birth, address, phone number, photo/video/audio.) Does a privacy policy or other privacy communications exist and if so, does it clearly explain the app/website’s personal information handling practices?
  2. Protective controls: Do protective controls exist and do they effectively limit the collection of personal data? (Ex. Prompts for parental involvement, warnings when leaving the site, pre-made avatars/usernames, moderated chats/message boards to prevent inadvertent sharing of personal information.) Are privacy communications tailored to children? (Ex. Simple language, large print, audio, animation.)
  3. Means to delete account information: Is there a simple means for deleting account information?
  4. Overall concerns about a child using the app/website: Overall, would I be comfortable with a child using this app/website?

In total, our Office examined 172 websites and mobile apps for both Android and iOS platforms. We focused on websites and apps that are targeted at or popular among children 12 and under.

Some 118 websites and apps appeared to be targeted directly at children, while 54 were considered popular among them. In other words, while these apps and websites are designed for older audiences or audiences of all ages, children are said to be frequent users of them.

The bulk of websites and apps swept were based in Canada and the United States. Our Sweep included a significant number of games and educational websites and apps, as well as leisure websites and apps hosted, for example, by museums or zoos. Traditional and social media apps and websites rounded out the list.

Before delving in, let’s be clear on a few points: Since apps and websites are constantly evolving, it’s best to think about our results as a snapshot in time. Also note that the Sweep was not a formal investigation. We did not seek to conclusively identify compliance issues or possible violations of privacy legislation. This was not an assessment of an app or website’s overall privacy practices, nor was it meant to provide an in-depth analysis of the design and development of the apps or websites examined.

Instead, we have compared and contrasted some of the web/app features and privacy practices that we found to be particularly kid-friendly, with those we felt could benefit from some “child-proofing.” We learned a lot and hope these concrete examples will help Canadians, as well as website and app developers, better understand our conclusions.

The moderated message/chat function:

Moderated message/chat functions ensure contributions are vetted before they are posted publicly. Items may be vetted for content but also for personal information as free-text portals can open the door to the inadvertent sharing of potentially sensitive details.

Family.ca, a site clearly targeted at children, indicated its message board feature was moderated. Our Sweepers put that claim to the test by attempting to post a message that included a full name, age and hometown. A day later, here’s the modified message that went public:

Family.ca image. Moderated message/chat function works effectively. Message was changed to exclude personal information.

As you can see, the site even cropped the username to “victorg.” Nice catch Family.ca.

We attempted the same experiment with Lego.com. As you can see, the moderator informed us that it had rejected our post for privacy reasons. Awesome moderating decision master-builder Emmet!

Lego.com image.

Kudos to Family.ca and Lego.com which have shown how a little moderation can go a long way!

By contrast, Moviestar Planet is an example of a social networking app targeted specifically at kids that displays little self-control. While the app said it is moderated for content, children were free to post selfies with titles asking others, for example, to rate them “hot or not.” Not the sort of thing you might necessarily want out there on the Internet when you grow up. We won’t display those images to protect the privacy of the children, but you can also see how our sweeper was able to include a whole lot of personal information in the free-text chat function. Big no-no! What’s stopping kids from entering their address, school or where they plan to be that afternoon?

Moviestar Planet image.

Meanwhile, sweepers noticed that websites/apps that are popular among children may moderate for certain content but not to ensure that children aren’t sharing personal details about themselves online. The website for FIFA, soccer’s governing body and a site popular with soccer fans of all ages, for instance, moderates its site to ensure that there are no violations of the Terms of Service. But as you can see below, our sweeper was able to state his age and location. Therefore this reference to moderation has more to do with the appropriateness of the content . . . You know how partisan soccer fans can get!

FIFA image.

The website’s Terms of Service also states that it is the responsibility of parents to supervise their children’s activities on the site and that appears to be as far as FIFA’s obligation goes towards moderating the content that children may be sharing. Certainly parents have a role to play in protecting children’s privacy while online, but seriously FIFA, you are not absolved from getting in the game. If you’re already moderating for content, why not make sure kids aren’t oversharing too? This serious foul deserves a red card.

Less is more:

Leave a little mystery! Profile displays do not have to give everything away.

GamezHero.com is an example of a targeted website that allows users to display a significant amount of personal information on their user profile including name, grade, gender, age and city. While the website said it does not collect from children under 13, it had no problem posting our 10-year-old’s information. Fortunately, there was no option to load a photo!

GamezHero.com image.

A similar interface on Family.ca, however, had limited options for sharing personal information. The photo was a preset graphic and messages were fixed text. In other words, kids could choose what to say from a list of phrases.

Family.ca (Less is More) image.

Things can get a little trickier with popular apps and websites. Even though many children use these sites, they are often not designed with the under 12 crowd in mind. Gurl.com is one such example. As you can see, the social platform geared at teen girls collected and posted our 10-year-old sweeper’s full name, date of birth, occupation and location.

There were also no warnings or mechanisms to prevent users from uploading photos or posting personal information on message boards, some of which broach some pretty sensitive topics such as depression, suicide and self-mutilation. Given the lack of protective controls, there’s no telling what children could post and who might see it, raising all sorts of questions about the potential for harm to one’s reputation and well-being.

Gurl.com image.

For an otherwise pretty kid-friendly website, we found this next example worth mentioning. Santasvillage.ca offered kids an easy way to “get on Santa’s nice list” – by coughing up their full name and email address. In exchange, it promised to bombard subscribers with marketing materials. Not cool Santa, we’ll take the coal.

Santasvillage.ca image.

Avatars:

Selecting an image that will serve as your online identity doesn’t have to be personal. PBSkids.org is an example of a targeted website that asked our sweeper to choose from a pre-set list of icons.

PBS.org image.

Other websites/apps asked sweepers to load their own avatar which opens the door to using personal photographs. For example, the Cookie Monster Challenge app prompted us to take a selfie for our profiles. The app’s generic privacy policy also suggested personal information may be shared with third parties.

As the Cookie Monster himself might say: Parents not like when Cookie gobble up sensitive personal information like photograph and share with udder monsters.

Cookie Monster Challenge image 1.  Cookie Monster Challenge image 2.

All in a name:

Just as children should be discouraged from using a personal photo online, so too should they be discouraged from using their real name.

Websites such as the Harry Potter fan site Pottermore.com don’t give kids the option. Instead, our sweepers were encouraged to select a username from a pre-set list. Thanks for thinking about the privacy of your younger Hogwarts classmates, Harry!

Pottermore.com (All in a name) image.

Meanwhile, Classdojo.com, a classroom management site that connects teachers, students and their parents, got a gold star for advising sweepers in simple, child-friendly language not to use their real name. But unfortunately that gold star got yanked as there was no actual mechanism to prevent us from using it.

Classdojo.com image.

Parental control:

On the subject of parental control, there are some effective ways to limit the functionality of a website or app to protect privacy. A great way to do that is with a parental dashboard and here are a few examples that put parents in the privacy driver’s seat.

The first was Grimm’s Red Riding Hood, an app targeted at children that allowed parents to turn certain settings on and off, such as in app purchases and access to the store.

Grimm's Red Riding Hood image.

Another example is Battle.net, a popular game website designed for children over the age of 13, even though younger children are known to frequent it. As long as young users have provided a valid parental email address, parents can control settings through a fairly comprehensive dashboard.

Battle.net image shows parental dashboard to control privacy settings and voice chat.

On social networking site GeckoLife.com, parents of young children must register an account, to which they can add a child.

GeckoLife.com image shows request message sent to parents when child asks to open an account.

Parents could also monitor their child’s activities, including media uploads and connections with other users; however, the website collected a fair bit of personal information in the process.

GeckoLife.com image shows parental dashboard to set permissions to upload media and contact other users. Also asks for child’s full name, sex and date of birth.

Now just as the First Year kids at Hogwarts require parental permission for weekend trips to Hogsmeade, young Pottermore.com users need parental permission to activate their account. Of course that means deploying a summoning charm: Accio parental email address. Good job on involving mum and dad!

But this website didn’t just seek mum or dad’s email address; it also asked for the child’s first name, country, date of birth and which Harry Potter books and movies the child has read or watched before sending the parental consent link via email. Is all that information really necessary, Harry?

Pottermore.com (Parental Control) image.

The American Girl doll website had options to collect personal information through quizzes and sweepstakes, but to post a photo of your child with their favourite doll, parents had to provide a signed waiver.

American Girl image 1.

American Girl image 2.

These other apps clearly targeted directly at children have found some creative ways to keep wee ones out of adult sections of the site, though they do so assuming young users can’t read or follow very basic instructions! Consider making it a little tougher. Don’t forget, some wee ones are learning how to swipe a tablet screen before they can walk!

Parental control says area is for grown-ups only and asks user to enter three numbers.

Parental control says area is for grownups and asks user to swipe left with two fingers anywhere on the screen.

Delete:

What seems so simple is often anything but. To put it mildly, not all delete functions are equal. From “no brainer” to “not an option,” here’s a look at our sliding scale when it comes to ease of deleting.

For some apps/websites, it was as easy as the click of a button. Take Quizlet.com for example. This educational website allows users to sign up and join study groups on a variety of topics. But when you’re done, you simply had to click the settings button in the top right corner, scroll down and hit delete.

Quizlet.com image.

Others required a multistep process that could involve emails and/or phone calls to the company. Buried in the middle of its privacy policy is the delete option for targeted game app Despicable Me: Minion Rush.

Despicable Me: Minion Rush image 1.

Stardoll.com, a website targeted at children that allows them to create dolls and interact with other users, requires parents/guardians to fill out a form. As you might be wondering from reading this excerpt from its privacy policy, it’s not clear whether the company actually destroys the personal information it has collected or whether it simply stops collecting, using and disclosing it to third parties. Given the amount of information this site collects and displays – country, gender, date of birth and anything through its free-text function – this raised some serious concerns for sweepers.

Stardoll.com image.

Unfortunately many popular websites and apps that collect personal information had no apparent means for deleting account data, leading our sweepers to believe that their information would be out there in the ether in perpetuity.

Off course:

It’s no surprise that kids like to click on shiny colourful things which many apps and websites have in spades. What’s not cool is when those shiny colourful things lead kids to places with different personal information collection practices or questionable content.

Redirection off-site often occurs through an ad or contest icon that sometimes appears to be part of the original site.

About a third of apps did not redirect users. Bravo! Meanwhile, 14 percent of them, including Barbie.com, at least provided a pop-up warning.

Barbie.com image.

Others had more questionable redirection practices. For instance, some websites/apps, including ones targeted directly at children, had ads for alcohol or dating websites that could lead users astray if clicked on. Some even had nondescript icons that, if clicked on, led sweepers to other sites that contained graphic and violent videos. Scary!

BONUS: Battle of the bands

Pop idols Justin Bieber, Taylor Swift and One Direction are all hugely popular among the under 12 crowd. But which fan site best bears that in mind when it comes to protecting the privacy of their youngest Beliebers, Swifties and Directioners?

Based on our indicators, here’s how these musical magnates stacked up.

Taylorswift.com collected username, email, full name, photo, date of birth, city, gender and occupation. There was also an unmoderated free-text function in which users could type in whatever they like. The site could display your username, photo and city. While the site attempted to block users under the age of 13, the measure could be easily circumvented by keying in a different date of birth. It also redirected visitors to a half dozen social media sites, the Google Play Store and another Taylor Swift shop that separately collects a whole host of personal information. Finally, according to the website’s privacy policy, users could “access, update or delete” personal information via email. It also noted this could be done via the “my account” area of the website. That would be great. Too bad we couldn’t actually find a delete button.

Justinbiebermusic.com could collect a fan’s first name, email, date of birth, postal code and country. It too barred users under 13 but that measure could be similarly circumvented. The site also had links redirecting users to a variety of music and social media sites, including the pop star’s Facebook fan page. To “correct, update, amend, delete/remove” personal information, users are asked to send a letter via snail mail to an address in California, or to fill out an online form. It said users could also do it through the member information page, but no such page could be found.

Onedirectionmusic.com, meanwhile, did not collect any personal information directly on site, though users could be redirected to a number of social media and music sites. The One Direction store, however, did collect a variety of personal information.

We are certainly not trying to create any “Bad Blood,” despite Taylor Swift’s lyrics, but it seems as though all three sites could use some helicopter parenting! That said, according to our final indicator, OPC sweepers said they were most comfortable with the One Direction site which seemed to hit the higher privacy notes of the three. Too bad the band has broken up:( Or so we think!

While we recognize that age verification can be tough as crafty kids have found clever ways around such mechanisms, we commend One Direction for simply limiting collection. Remember, don’t collect if you don’t have to. We also observed other sites that recognized a user’s URL and, for a period of time, barred them from going back to the site and simply entering a different age in order to gain access. Others automatically redirected young users to a children’s version of the site. While protective controls are seldom foolproof, we encourage developers to be creative and to find new ways of using technology to protect our most vulnerable.

Final thoughts . . .

As you can see, sweepers here at the Office of the Privacy Commissioner of Canada found many great examples of websites and mobile apps that do not collect personal information whatsoever. We believe there are many effective ways to at least limit collection.

When it comes to protecting the privacy of children online, everybody has a role to play. Children themselves need to be educated about digital privacy issues and the perils of sharing personal information online. Teachers and parents can help instill this knowledge and should themselves be aware of what sites and apps their kids are using and what types of information they are being asked to hand over. Finally, developers should be mindful of who their users are and limit, if not eliminate, the collection of personal information from children through the use of innovative privacy protective controls.

Once we’ve finished sorting through our results, in conjunction with our provincial and international partners who are doing the same, we will determine any appropriate follow-up action.

As with last year’s Sweep, our follow-up activities could include reaching out to organizations to inform them of our findings and making suggestions for improvements. We also have the option to pursue enforcement action.

By the way, we wrote to the companies mentioned in the blog before posting this to share our concerns. Past experience has shown that education and outreach alone can often go a long way towards effecting positive change for privacy.

 


2 Sep 2015

Child sweepers share observations on web/mobile app privacy


Commissioner Daniel Therrien visits with children during Kids Privacy Sweep.

Privacy Commissioner of Canada Daniel Therrien pops in on Global Privacy Enforcement Network Children’s Privacy Sweep where a few kids are on hand to help.

A children’s privacy sweep with no children? In the words of cartoon curmudgeon Charlie Brown, “good grief!”

. . . and that was roughly the genesis of the Office of the Privacy Commissioner of Canada’s (OPC) first ever Kids Sweep.

Nine youngsters, the offspring of OPC employees who also participated in the Sweep, descended on 30 rue Victoria one early May morning during International Sweep Week.

Fuelled on promises of pizza and cookies, the seven to 13-year-old boys and girls parked themselves in front of the laptop or tablet of their choice. Their job? To interact with their favorite apps and websites, thus recreating the user experience under the watchful gaze of their parents who took notes on how they navigated the privacy settings, or lack thereof, as the case happened to be for some sites.

The following is an edited transcript of what the kids, and their parents, had to say during a post-Sweep debrief before the smell of hot cheese and pepperoni wafted into the room and snatched their attention.

Did you have fun?

“Yeaaah!” (Kids shout in unison.)

Was anything hard or frustrating?

“It was hard to read privacy policies; they were really long and boring.”

Was it hard to sign up for some of the websites?

“If you are under 13, you are redirected to (the kid’s version of the website.)” Mom proceeded to explain that her son nonetheless managed to find a work-around.

What were some of the personal questions the website or app asked you?

“Where do you go to school? What’s your address?”

“It asked if you’re a student or a teacher.”

“It asked what gender you were.”

“Date of birth.”

“(On one website), if you typed in your real name, it wouldn’t take it or any short form of the name.”

“My photo.” (Mom added: “I wouldn’t let him. I shut it down real fast.”)

“It asked for what grade you were in.”

“(One website) asked for your picture but we just used a picture of a penguin that was already saved on the computer.” (Mom added: “But then it encouraged you to use a real picture.”)

Boy at computer.

Did you always understand what the website or app was asking for?

“When I was working on (one website), I thought there were games made by other people that you could play but it was just shopping. That’s where there was the long and boring parts.”

Did any websites or apps tell you to go get a parent to help you?

“Before you were able to get on (one website), they send an email to your parent.” Mom added: “And the parent had to confirm.”

“On one website there’s a privacy mode so if you’re under 13, you can’t change it. If you want to change your age, you have to ask a parent by email.”

Did you ever click on something that led you to a totally different website?

“I was on (one website) and there was this little thing on the top of the page that said ‘are you a boy or a girl.’ It didn’t really look like an ad but it was just like a little thing with a picture and so, of course, we clicked on it and it went to another game website and it showed you a trailer.” Mom added that it was “teen rated” and included a warning that the content contained “violence, blood, partial nudity and alcohol.”

If you had to sign up for an account, did the website or app make it easy to delete your account when you were done?

“I was on (one website) and there was an option to delete the account and it deleted right away.”

Did anybody have trouble?

“A little bit. You had to email the company to delete it.”

– – – – –

Days after the Kids Sweep we got some great feedback from one of our parental sweepers who quipped that her kids are now tattling on each other for failing to read privacy policies. She added:

“They had a really good time and learned a lot about thinking critically when it comes to their personal information. If the result is that they make one brighter choice about their own privacy, then it was 100 percent worth it to me.”

It was this very comment that inspired one of our post-Sweep follow-up activities. The OPC has drafted a classroom activity for Grade 7 and 8 teachers across Canada based on our 2015 Kids Sweep.

We’ve simplified the Sweep form used to assess the privacy communications of apps and websites and are encouraging teachers to conduct privacy sweeps with students using the forms as a way to kick off a discussion about online privacy and the protection of personal information.

Alone or in groups, we are encouraging students to “sweep” their favorite apps and websites, to learn how to read privacy policies, to learn about tracking, the different types of personal information that might be collected and to discuss their observations with their teacher and peers. We’ve also provided a take-home tip sheet dubbed Pro Tips for Kids: Protecting Your Privacy for students and their parents.
Mother and daughter at computer.

Note to teachers: you can find the classroom activity on our website. As for parents and guardians, if it’s not something your kids are learning in school, think about adapting the lesson plan as a rainy Sunday afternoon activity!

Intimate, controversial or embarrassing photos and comments can have a lasting impact on a person’s reputation. Today, digital literacy is as important as learning your ABCs, and kids who understand and implement safe online privacy practices are less likely to make the sort of mistakes that could haunt them in the future.

Click here for more on the results of this year’s Children’s Privacy Sweep.


11 May 2015

Majority of app developers contacted by OPC commit to improve privacy communications in wake of GPEN sweep


Last fall’s Global Privacy Enforcement Network (GPEN) Mobile App Privacy Sweep is continuing to yield positive results for consumers in 2015.

As you might recall, the Office of the Privacy Commissioner of Canada (OPC) coordinated an assessment of the privacy communications of 1,211 popular mobile applications (apps) in conjunction with 25 national and international privacy enforcement partners. Our office alone assessed 151 apps.

Sweepers around the world found that 85 per cent of apps they looked at failed to clearly explain how they would collect, use and disclose personal information.

Our office decided to share our concerns with the developers – both the large corporate ones and the small-time basement genius types – behind some of the apps we swept.

Aside from the “l-APP-luster” and “dis-APP-ointing” apps we wrote to last fall before identifying them in a blog post, we sent letters to dozens of other apps outlining a number of our privacy concerns.

Our concerns ranged from not being able to find a privacy policy prior to download on the app marketplace or the developer’s website, to not being able to read it properly because it wasn’t designed for the small screen and either cut off words or required zooming in or horizontal scrolling.

Other times, we raised concerns about the lack of in-app privacy communications, or the fact that the so-called privacy policy didn’t actually address key issues such as the app’s practices regarding the collection, use and disclosure of personal information.

We’ve now heard back from the developers behind 31 of the apps we swept. The vast majority of them were grateful for our feedback and have committed to making improvements to their privacy communications.

For example, within just 34 minutes of receiving our letter via email, the developer of one health app added a privacy policy to its website. Another developer from Northern Europe, with 14 apps to its name, thanked our Office for our letter, agreed to make privacy communications an immediate priority and is now ensuring that a privacy policy link is included in each of its marketplace listings. We also received positive feedback from one of the world’s largest online gaming companies, as well as a leading social networking app.

Other developers indicated they would improve privacy communications in future versions of their app, fix broken links to privacy policies or follow up with our Office once suggested changes have been implemented. Several Canadian news media apps committed to wholesale changes, from making privacy policy links more prominent to making them more user-friendly on the small screen.

Sweepers were particularly impressed with the response received from the popular game Farmville 2: Country Escape. The developer, Zynga Inc., fixed broken links and vowed to remove a permission that it no longer required from future versions of the game. The company also launched an abbreviated mobile privacy notice that summarized its lengthy privacy policy in an easier-to-read format on the small screen. But it didn’t just do this to address our concerns about Farmville. The developer has more than 70 other apps to its name and is making sure the privacy notice is available on the app marketplace for all of them. Bravo!

 

In fact, our outreach efforts have led to positive changes to the privacy communications and practices of some 136 apps.

We take from the overwhelmingly positive response to our letters of concern that many app developers want to protect the privacy of their customers and may simply be unaware that their practices were falling short.

The feedback we’ve received shows that education and outreach can often effect change without the need for more costly and time-consuming formal investigations. We see this as a testament to the success of the annual privacy sweep initiative.

Unfortunately, we could not reach the developers behind six apps despite significant effort. We’ve decided instead to name those apps here in the hopes that their creators might see our comments and make positive changes for their customers – starting with providing adequate contact information.

Here’s what we found:

Emoji Keyboard 2: Animated Emojis by Shishi Li

This app allows users to add emojis to their text messages. According to sweepers, no privacy communications were available before or after download. The data controller’s website was little more than a link to a Facebook page in the name of “John Smith.” Sweepers say the app appeared to link to Facebook, Twitter, email and SMS functions, but it did not ask for permission. Users are also asked to log in to social media, but it’s unclear if personal information is being collected as a result.

Hide N Seek: Mini Game with Worldwide Multiplayer by Wang Wei (FingerLegend)

This app is a cartoon hide-and-seek game. According to sweepers, the app has no privacy policy and the developer’s website is an unused Twitter account. There was no explanation as to why the app wanted access to the user’s photos.

Smashy Birds With Blood by Bitcage Europe, Ltd.

Aside from its, ahem, interesting name, sweepers raised concerns about this game app because it has no privacy policy prior to or after download. The developer’s website, bitcage.com, is a template that has not been filled out. Sweepers raised concerns because the developer has seven other apps available in the app marketplace. While it’s not clear all the apps collect personal information, some appear to link to the user’s Instagram or Facebook account, calendar and contacts. Sweepers were disappointed to discover that Bitcage’s website was devoid of even the most basic of information, let alone a privacy policy that outlines if and how personal information is collected, used and disclosed. In fact, our Sweepers got an error message when they clicked on the part of the website where the privacy policy was supposed to be.

 

Can You Escape – Tower? by Kaarel Kirsipuu (MobiGrow)

This app is a puzzle game. Sweepers could find no privacy communications prior to download or within the app itself once it was on their device. The developer’s website is a Facebook page that includes no privacy information whatsoever. Sweepers raised concerns because the developer has 10 similar apps available in the Google Play Store. Some of the apps appear to collect and disclose, among other things, information about the user’s location. Some also seek access to external storage, which could contain the user’s photos, videos and other stored data. Sweepers felt MobiGrow should provide a proper privacy policy that explains what personal information is collected and how it is used and disclosed. Even if an app does not collect personal information, an assessment our Sweepers had difficulty making when there were no privacy communications, it is a best practice to say so.

Belly Fat Workout FREE: 10 Minute Ab Exercises by Pro Code Media

This is a fitness app that walks users through a variety of exercises. Sweepers were unable to find any communications explaining the app’s privacy practices prior to installation, or within the app itself. Nothing was found on the app marketplace listing nor was anything initially found on the developer’s website. Later, a mock privacy policy was found. It was written in Latin and had nothing to do with privacy, leaving our sweepers with a serious case of Confusus Maximus. There now appears to be a privacy policy of sorts on the appandaway.com website which is listed as the seller of the app in the app marketplace. The policy, however, does not include any information about consent for the collection, use or disclosure of personal information.

2048 by Estoty Entertainment Lab

This app is a highly addictive math game that, according to the developer, has been downloaded more than 35 million times. Our Sweepers have found no privacy communications whatsoever in the app marketplace or on the developer’s website. There were also no in-app privacy communications which left sweepers with a sense of unease over whether personal information was being collected and if so, how it would be used and disclosed. This developer also has other apps available in the app marketplace, at least one of which appears to link to Facebook, and Sweepers felt a best practice would be for Estoty Entertainment to be upfront about its personal information handling practices. 

Update:

It’s been eight months since we publicly raised concerns about four apps for their l-APP-luster or downright dis-APP-ointing performance when it comes to privacy communications.

We are happy to report that Super Bright LED Flashlight, an app that dis-APP-ointed our sweepers, is now asking for fewer permissions. It has removed its request for permission to access photos/media/files and ID/Call information. The app has also added a link to its privacy policy in its Google Play Store marketplace listing.

Note to developers: Click here for great tips on how to communicate your privacy practices to app users.


20 Nov 2014

A warning to webcam users


Update:

    Shortly after this letter was sent, the OPC was pleased to see that the website stopped broadcasting footage from unsecured webcams.

    The incident highlights the need for anyone with a webcam in their home or business to ensure they take steps to secure the camera.

    As well, it is important for companies that manufacture and sell Internet connected cameras to emphasize the importance of changing the factory default password – and make it as clear and easy as possible for people to do so.

The Office of the Privacy Commissioner of Canada is working with international and provincial counterparts to address the issue of a Russian website that has posted links to footage of unsecured surveillance videos from remote access webcams in use around the world, including Canada.

We fully support UK Information Commissioner Christopher Graham’s call for Russian authorities to take immediate action to take down the site.

We are also in the process of contacting the operators of the website to urge them to take down the webcam images.

In the meantime, we are urging anyone with a webcam in their home or business to ensure that they take steps to secure the camera – make sure you are not using the factory default password.

Check out the UK Commissioner’s blog on this issue.


27 Oct 2014

The kids are alright: innovative ways youth protect their privacy online


 

“Privacy is about much more than just solving technical issues of access control. That is not how people live and experience privacy. Privacy is in many ways about controlling the social situation.” – danah boyd

Through our Contributions Program, the Office of the Privacy Commissioner provided funding to the non-profit organization MediaSmarts for Young Canadians in a Wired World, a nation-wide survey of Canadians between the ages of 9 and 17 about their privacy habits. Adults typically argue that youth don’t take privacy seriously, but MediaSmarts’ study suggests young people do care about privacy but see it differently from their parents or teachers. While adults may see privacy and security from the perspective of keeping young people safe from online dangers, many young people see privacy and security as a way to manage their reputations and identities online. So while both groups view online privacy as important, they do so for different reasons and use different methods to protect themselves.

One of the focuses of National Cybersecurity Awareness Month is promoting online safety. There are a lot of great resources and organizations out there to help with that (including on our website), but we thought we’d highlight some of the innovative and interesting ways that, according to researchers, young people themselves have developed to protect their privacy.

We want to highlight them for two reasons: to raise awareness among parents, teachers and other adults who influence kids that these practices do exist, and to demonstrate to adults that, contrary to popular opinion, young people actually care about their privacy and can go to great lengths to protect it.

White-walling: white-walling is the method of deleting a post after a specified period of time (generally when you post the next status update).  By doing this, kids minimize the risk of someone dredging up information from the past and using it against the individual in the future.

The super-logoff: You don’t just log out of your Facebook account, you delete it. Since there are a few steps before you can remove a Facebook account completely, a super-logoff allows users to shut down their account when they aren’t using it. This prevents other people from searching for information, writing on a user’s wall, or tagging photos when a user is not online.

Cloaking messages & different platforms:  According to Pew Internet Research, youth will often cloak their messages in order to mitigate having to “code switch” between their different audiences.  Oftentimes, youth will use different platforms to segregate their audiences.  For some, Facebook, for example, may contain more family whereas Instagram may be a place where users interact more with friends.  They will also use references that will be understood by their friends as being a double-entendre but that their parents and teachers would take at face value.  This allows them to communicate with their peers while still enjoying privacy from adult eyes.

Finally, teens are having fun with the ways their information is being used to target them for advertising.  They are amused by throwing in tidbits of information and watching the result of targeted advertising.  As danah boyd pointed out, “if you are a 15-year-old boy, nothing is funnier than using Gmail in a way that will trigger advertisers to send your friends diaper ads”.  So while adults may fret about the ways we are trying to keep children safe online, kids these days are also showing us new and surprising ways to protect information online.

New and innovative methods of protecting personal data are constantly being introduced online.  If you have heard of any inventive ways people are managing their privacy, be sure to leave them in the comments so we can highlight them in a future post.

Learn more about youth and online privacy by visiting the youth section of our website at – https://www.priv.gc.ca/youth-jeunes/index_e.asp