Archive for the ‘Location’ Category

6 Mar 2017

Privacy Tech-Know Blog: Let me virtually assist you


The way we interact with our digital devices has evolved over time: from specific commands in command line interfaces, to graphical user interfaces (GUIs), to touch-based interfaces. Virtual assistants (VAs) are the next step in this evolution, and they present new privacy challenges. These assistants, such as Siri (Apple), Alexa (Amazon), Cortana (Microsoft), or simply ‘Google’, are designed to respond to your spoken or written commands and take some action. Such commands let you place phone calls, order a car service, book a calendar appointment, play music or buy goods.

The use of these assistants is on the rise: a 2015 Gartner study found that 38 per cent of Americans had used a virtual assistant in 2015 and that two-thirds of customers in developed markets would use them daily in 2016. The most commonly-used VAs are voice-based, however, much of the presented information also applies to text-based VAs.

Read the rest of this entry »


8 Dec 2016

Privacy Tech-Know Blog: Uniquely You: The identifiers on our phones that are used to track us


techblog-uniquelyyou

Canadians’ mobile devices are filled with applications that collect personal information, including identifiers that are engrained into different parts of the devices. But what exactly are these identifiers, and how are they used?

An identifier is a piece of information (usually a sequence of characters) that’s used to uniquely identify a device, a user, or a set of behaviours taken on the device. Mobile identifiers constitute privacy-affecting technologies because they can be used to correlate an individual’s various activities while using a phone, tablet, or other connected device, and they support the linking of devices with actual persons.

Our mobile devices are filled with identifiers that uniquely label different components and behaviours. The radios and other physical hardware, operating systems, applications, and even web browsers are all rife with identifiers that can uniquely identify the device, the person using the device, or the behaviours of the user. And while these identifiers are typically meant to serve a useful purpose, the user is often unaware that these identifiers exist or how they’re collected and used. We will outline several of the most prominent identifiers associated with mobile devices and their significance for privacy.

Read the rest of this entry »


22 Sep 2016

How fit is your gadget? Putting web-connected health/wellness devices through their privacy paces


Smart TVs . . . Fitness trackers . . . Automated thermostats . . . Self-driving cars . . .

The Internet of Things is the next frontier in digital technology which is why the Global Privacy Enforcement Network focused its 2016 Privacy Sweep on this emerging market. Sweep participants were especially interested in how companies communicate their personal information handling practices.

Given the sensitivity of the information that health and wellness devices, as well as their associated apps and websites, are capable of collecting, the Office of the Privacy Commissioner of Canada (OPC) focused its Sweep on 21 devices ranging from smart scales, blood pressure monitors and fitness trackers, to sleep and heart rate monitors, a smart breathalyzer and a web-connected fitness shirt.

The choice of devices dovetails with one of our four strategic privacy priorities—the body as information. Identified as an important area of focus during a priority-setting exercise that culminated in May 2015, the body as information refers to the mounting privacy concerns related to highly sensitive health, genetic and biometric information that is being used by organizations and governments in all sorts of new ways.

During the Sweep, our Sweepers—aka OPC staff—put the products to use to see first-hand what information the devices requested, compared to what privacy communications said would be collected. In some cases, they followed up with specific privacy questions for the companies.

Below is a brief assessment of how the devices stacked up.

Read the rest of this entry »


2 Sep 2015

Who did it better? A look at children’s apps/websites and the privacy protective controls on offer


Children are more connected than ever and often miles ahead of their parents when it comes to navigating the Internet and mobile applications (apps).

They’re also among our most vulnerable demographic groups and, in their quest to access their favourite game or social network, they may be apt to give out personal information without any thought to the potential privacy ramifications.

For this reason, the Global Privacy Enforcement Network made Children’s Privacy the theme of its 3rd annual Privacy Sweep.

The Office of the Privacy Commissioner of Canada, along with 28 other privacy enforcement authorities across the country and around the globe, assessed the privacy communications and practices of some 1,494 websites and mobile apps.

The goal: to find out which of them collect personal information, what type of personal information they collect, whether protective controls exist to limit the collection and whether a simple means to delete account information exists.

By briefly interacting with the websites and apps, the exercise was meant to recreate the consumer experience – in this case, the experience of children under the age of 12. Our sweepers, which included a number of adult volunteers as well as nine children, ultimately sought to assess privacy controls based on four key indicators:

  1. Collection of children’s data: Does the app/website collect children’s personal information and if so, what information is collected? (Ex. Name, email, date of birth, address, phone number, photo/video/audio.) Does a privacy policy or other privacy communications exist and if so, does it clearly explain the app/website’s personal information handling practices?
  2. Protective controls: Do protective controls exist and do they effectively limit the collection of personal data? (Ex. Prompts for parental involvement, warnings when leaving the site, pre-made avatars/usernames, moderated chats/message boards to prevent inadvertent sharing of personal information.) Are privacy communications tailored to children? (Ex. Simple language, large print, audio, animation.)
  3. Means to delete account information: Is there a simple means for deleting account information?
  4. Overall concerns about a child using the app/website: Overall, would I be comfortable with a child using this app/website?

In total, our Office examined 172 websites and mobile apps for both Android and iOS platforms. We focused on websites and apps that are targeted at or popular among children 12 and under.

Some 118 websites and apps appeared to be targeted directly at children, while 54 were considered popular among them. In other words, while designed for older audiences or audiences of all ages, children are said to be frequent users of these apps and websites.

The bulk of websites and apps swept were based in Canada and the United States. Our Sweep included a significant number of games and educational websites and apps, as well as leisure websites and apps hosted, for example, by museums or zoos. Traditional and social media apps and websites rounded out the list.

Before delving in, let’s be clear on a few points: Since apps and websites are constantly evolving, it’s best to think about our results as a snapshot in time. Also note that the Sweep was not a formal investigation. We did not seek to conclusively identify compliance issues or possible violations of privacy legislation. This was not an assessment of an app or website’s overall privacy practices, nor was it meant to provide an in-depth analysis of the design and development of the apps or websites examined.

Instead, we have compared and contrasted some of the web/app features and privacy practices that we found to be particularly kid-friendly, with those we felt could benefit from some “child-proofing.” We learned a lot and hope these concrete examples will help Canadians, as well as website and app developers, better understand our conclusions.

The moderated message/chat function:

Moderated message/chat functions ensure contributions are vetted before they are posted publicly. Items may be vetted for content but also for personal information as free-text portals can open the door to the inadvertent sharing of potentially sensitive details.

Family.ca, a site clearly targeted at children, indicated its message board feature was moderated. Our Sweepers put that claim to the test by attempting to post a message that included a full name, age and hometown. A day later, here’s the modified message that went public:

Family.ca image. Moderated message/chat function works effectively. Message was changed to exclude personal information.

As you can see, the site even cropped the username to “victorg.” Nice catch Family.ca.

We attempted the same experiment with Lego.com. As you can see, the moderator informed us that it had rejected our post for privacy reasons. Awesome moderating decision master-builder Emmet!

Lego.com image.

Kudos to Family.ca and Lego.com which have shown how a little moderation can go a long way!

By contrast, Moviestar Planet is an example of a social networking app targeted specifically at kids that displays little self-control. While the app said it is moderated for content, children were free to post selfies with titles asking, for example, others to rate them “hot or not.” Not the sort of thing you might necessarily want out there on the Internet when you grow up. We won’t display those images to protect the privacy of the children, but you can also see how our sweeper was able to include a whole lot of personal information in the free-text chat function. Big no no! What’s stopping kids from entering their address, school or where they plan to be that afternoon?

Moviestar Planet image.

Meanwhile, sweepers noticed that websites/apps that are popular among children may moderate for certain content but not to ensure that children aren’t sharing personal details about themselves online. The website for FIFA, soccer’s governing body and a site popular with soccer fans of all ages, for instance, moderates its site to ensure that there are no violations of the Terms of Service. But as you can see below, our sweeper was able to state his age and location. Therefore this reference to moderation has more to do with the appropriateness of the content . . . You know how partisan soccer fans can get!

FIFA image.

The website’s Terms of Service also states that it is the responsibility of parents to supervise their children’s activities on the site and that appears to be as far as FIFA’s obligation goes towards moderating the content that children may be sharing. Certainly parents have a role to play in protecting children’s privacy while online, but seriously FIFA, you are not absolved from getting in the game. If you’re already moderating for content, why not make sure kids aren’t oversharing too? This serious foul deserves a red card.

Less is more:

Leave a little mystery! Profile displays do not have to give everything away.

GamezHero.com is an example of a targeted website that allows users to display a significant amount of personal information on their user profile including name, grade, gender, age and city. While the website said it does not collect from children under 13, it had no problem posting our 10-year-old’s information. Fortunately, there was no option to load a photo!

GamezHero.com image.

A similar interface on Family.ca, however, had limited options for sharing personal information. The photo was a preset graphic and messages were fixed text. In other words, kids could choose what to say from a list of phrases.

Family.ca (Less is More) image.

Things can get a little trickier with popular apps and websites. Even though many children use these sites, they are often not designed with the under 12 crowd in mind. Gurl.com is one such example. As you can see, the social platform geared at teen girls collected and posted our 10-year-old sweeper’s full name, date of birth, occupation and location.

There were also no warnings or mechanisms to prevent users from uploading photos or posting personal information on message boards, some of which broach some pretty sensitive topics such as depression, suicide and self-mutilation. Given the lack of protective controls, there’s no telling what children could post and who might see it, raising all sorts of questions about the potential for harm to one’s reputation and well-being.

Gurl.com image.

For an otherwise pretty kid-friendly website, we found this next example worth mentioning. Santasvillage.ca offered kids an easy way to “get on Santa’s nice list” – by coughing up their full name and email address. In exchange, it promised to bombard subscribers with marketing materials. Not cool Santa, we’ll take the coal.

Santasvillage.ca image.

Avatars:

Selecting an image that will serve as your online identity doesn’t have to be personal. PBSkids.org is an example of a targeted website that asked our sweeper to choose from a pre-set list of icons.

PBS.org image.

Other websites/apps asked sweepers to load their own avatar which opens the door to using personal photographs. For example, the Cookie Monster Challenge app prompted us to take a selfie for our profiles. The app’s generic privacy policy also suggested personal information may be shared with third parties.

As the Cookie Monster himself might say: Parents not like when Cookie gobble up sensitive personal information like photograph and share with udder monsters.

Cookie Monster Challenge image 1.  Cookie Monster Challenge image 2.

All in a name:

Just as children should be discouraged from using a personal photo online, so too should they be discouraged from using their real name.

Websites such as Harry Potter fan site, Pottermore.com, don’t give kids the option. Instead, our sweepers were encouraged to select a username from a pre-set list. Thanks for thinking about the privacy of your younger Hogwarts classmates, Harry!

Pottermore.com (All in a name) image.

Meanwhile, Classdojo.com, a classroom management site that connects teachers, students and their parents, got a gold star for advising sweepers in simple, child-friendly language not to use their real name. But unfortunately that gold star got yanked as there was no actual mechanism to prevent us from using it.

Classdojo.com image.

Parental control:

On the subject of parental control, there are some effective ways to limit the functionality of a website or app to protect privacy. A great way to do that is with a parental dashboard and here are a few examples that put parents in the privacy driver’s seat.

The first was Grimm’s Red Riding Hood, an app targeted at children that allowed parents to turn certain settings on and off, such as in app purchases and access to the store.

Grimm's Red Riding Hood image.

Another example is Battle.net, a popular game website designed for children over the age of 13, even though younger children are known to frequent it. As long as young users have provided a valid parental email address, parents can control settings through a fairly comprehensive dashboard.

Battle.net image shows parental dashboard to control privacy settings and voice chat.

On social networking site GeckoLife.com, parents of young children must register an account, to which they can add a child.

GeckoLife.com image shows request message sent to parents when child asks to open an account.

Parents could also monitor their child’s activities, including media uploads and connections with other users, however, the website collected a fair bit of personal information in the process.

GeckoLife.com image shows parental dashboard to set permissions to upload media and contact other users. Also asks for child`s full name,  sex and date of birth.

Now just as the First Year kids at Hogwarts require parental permission for weekend trips to Hogsmeade, young Pottermore.com users need parental permission to activate their account. Of course that means deploying a summoning charm: Accio parental email address. Good job on involving mum and dad!

But this website didn’t just seek mum or dad’s email address, it also asked for the child’s first name, country, date of birth and which Harry Potter books and movies you’ve read or watched before sending the parental consent link via email. Is all that information really necessary, Harry?

Pottermore.com (Parental Control) image.

The American Girl doll website had options to collect personal information through quizzes and sweepstakes, but to post a photo of your child with their favourite doll, parents had to provide a signed waiver.

American Girl image 1.

American Girl image 2.

These other apps clearly targeted directly at children have found some creative ways to keep wee ones out of adult sections of the site, though they do so assuming young users can’t read or follow very basic instructions! Consider making it a little tougher. Don’t forget, some wee ones are learning how to swipe a tablet screen before they can walk!

Parental control says area is for grown-ups only and asks user to enter three numbers.

Parental control says area is for grownups and asks user to swipe left with two fingers anywhere on the screen.

Delete:

What seems so simple is often anything but. To put it mildly, not all delete functions are equal. From “no brainer” to “not an option,” here’s a look at our sliding scale when it comes to ease of deleting.

For some apps/websites, it was as easy as the click of a button. Take Quizlet.com for example. This educational website allows users to sign up and join study groups on a variety of topics. But when you’re done, you simply had to click the settings button in the top right corner, scroll down and hit delete.

Quizlet.com image.

Others required a multistep process that could involve emails and/or phone calls to the company. Buried in the middle of its privacy policy is the delete option for targeted game app Despicable Me: Minion Rush.

Despicable Me: Minion Rush image 1.

Stardoll.com, a website targeted at children that allows them to create dolls and interact with other users, requires parents/guardians to fill out a form. As you might be wondering from reading this excerpt from its privacy policy, it’s not clear whether the company actually destroys the personal information it has collected or whether it simply stops collecting, using and disclosing it to third parties. Given the amount of information this site collects and displays – country, gender, date of birth and anything through its free-text function – this raised some serious concerns for sweepers.

Stardoll.com image.

Unfortunately many popular websites and apps that collect personal information had no apparent means for deleting account data, leading our sweepers to believe that their information would be out there in the ether in perpetuity.

Off course:

It’s no surprise that kids like to click on shiny colourful things which many apps and websites have in spades. What’s not cool is when those shiny colourful things lead kids to places with different personal information collection practices or questionable content.

Redirection off-site often occurs through an ad or contest icon that sometimes appears to be part of the original site.

About a third of apps did not redirect users. Bravo! Meanwhile, 14 percent of them, including Barbie.com, at least provided a pop-up warning.

Barbie.com image.

Others had more questionable redirection practices. For instance some websites/apps, including ones targeted directly at children, had ads for alcohol or dating websites that could lead users astray if clicked on. Some even had non-descript icons that, if clicked on, led sweepers to other sites that contained graphic and violent videos. Scary!

BONUS: Battle of the bands

Pop idols Justin Bieber, Taylor Swift and One Direction are all hugely popular among the under 12 crowd. But which fan site best bears that in mind when it comes to protecting the privacy of their youngest Beliebers, Swifties and Directioners?

Based on our indicators, here’s how these musical magnates stacked up.

Taylorswift.com collected username, email, full name, photo, date of birth, city, gender and occupation. There was also an unmoderated free-text function in which users could type in whatever they like. The site could display your username, photo and city. While the site attempted to block users under the age of 13, the measure could be easily circumvented by keying in a different date of birth. It also redirected visitors to a half dozen social media sites, the Google Play Store and another Taylor Swift shop that separately collects a whole host of personal information. Finally, according to the website’s privacy policy, users could “access, update or delete” personal information via email. It also noted this could be done via the “my account” area of the website. That would be great. Too bad we couldn’t actually find a delete button.

Justinbiebermusic.com could collect a fan’s first name, email, date of birth, postal code and country. It too barred users under 13 but that measure could be similarly circumvented. The site also had links redirecting users to a variety of music and social media sites, including the pop star’s Facebook fan page. To “correct, update, amend, delete/remove” personal information, users are asked to send a letter via snail mail to an address in California, or to fill out an online form. It said users could also do it through the member information page, but no such page could be found.

Onedirectionmusic.com, meanwhile, did not collect any personal information directly on site, though users could be redirected to a number of social media and music sites. The One Direction store, however, did collect a variety of personal information.

We are certainly not trying to create any “Bad Blood,” despite Taylor Swift’s lyrics, but it seems as though all three sites could use some helicopter parenting! That said, according to our final indicator, OPC sweepers said they were most comfortable with the One Direction site which seemed to hit the higher privacy notes of the three. Too bad the band has broken up:( Or so we think!

While we recognize that age verification can be tough as crafty kids have found clever ways around such mechanisms, we commend One Direction for simply limiting collection. Remember, don’t collect if you don’t have to. We also observed other sites that recognized a user’s URL and barred them from going back to the site and simply entering a different age for a period of time in order to gain access to the site. Others automatically redirected young users to a children’s version of the site. While many protective controls are seldom fool proof, we encourage developers to be creative and to find new ways of using technology to protect our most vulnerable.

Final thoughts . . .

As you can see, sweepers here at the Office of the Privacy Commissioner of Canada found many great examples of websites and mobiles apps that do not collect personal information whatsoever. We believe there are many effective ways to at least limit collection.

When it comes to protecting the privacy of children online, everybody has a role to play. Children themselves need to be educated about digital privacy issues and the perils of sharing personal information online. Teachers and parents can help instill this knowledge and should themselves be aware of what sites and apps their kids are using and what types of information they are being asked to hand over. Finally, developers should be mindful of who their users are and limit, if not eliminate, the collection of personal information from children through the use of innovative privacy protective controls.

Once we’ve finished sorting through our results, in conjunction with our provincial and international partners who are doing the same, we will determine any appropriate follow-up action.

As with last year’s Sweep, our follow-up activities could include reaching out to organizations to inform them of our findings and making suggestions for improvements. We also have the option to pursue enforcement action.

By the way, we wrote to the companies mentioned in the blog before posting this to share our concerns. Past experience has shown that education and outreach alone can often go a long way towards effecting positive change for privacy.

 


2 Sep 2015

Child sweepers share observations on web/mobile app privacy


Commissioner Daniel Therrien visits with children during Kids Privacy Sweep.

Privacy Commissioner of Canada Daniel Therrien pops in on Global Privacy Enforcement Network Children’s Privacy Sweep where a few kids are on hand to help.

A children’s privacy sweep with no children? In the words of cartoon curmudgeon Charlie Brown, “good grief!”

. . . and that was roughly genesis of the Office of the Privacy Commissioner of Canada’s (OPC) first ever Kid’s Sweep.

Nine youngsters, the offspring of OPC employees who also participated in the Sweep, descended on 30 rue Victoria one early May morning during International Sweep Week.

Fuelled on promises of pizza and cookies, the seven to 13-year-old boys and girls parked themselves in front of the laptop or tablet of their choice. Their job? To interact with their favorite apps and websites, thus recreating the user experience under the watchful gaze of their parents who took notes on how they navigated the privacy settings, or lack thereof, as the case happened to be for some sites.

The following is an edited transcript of what the kids, and their parents, had to say during a post-Sweep debrief before the smell of hot cheese and pepperoni wafted into the room and snatched their attention.

Did you have fun?

“Yeaaah!” (Kids shout in unison.)

Was anything hard or frustrating?

“It was hard to read privacy policies; they were really long and boring.”

Was it hard to sign up for some of the websites?

“If you are under 13, you are redirected to (the kid’s version of the website.)” Mom proceeded to explain that her son nonetheless managed to find a work-around.

What were some of the personal questions the website or app asked you?

“Where do you go to school? What’s your address?”

“It asked if you’re a student or a teacher.”

“It asked what gender you were.”

“Date of birth.”

“(On one website), if you typed in your real name, it wouldn’t take it or any short form of the name.”

“My photo.” (Mom added: “I wouldn’t let him. I shut it down real fast.”)

“It asked for what grade you were in.”

“(One website) asked for your picture but we just used a picture of a penguin that was already saved on the computer.” (Mom added: “But then it encouraged you to use a real picture.”)

Boy at computer.Did you always understand what the website or app was asking for?

“When I was working on (one website), I thought there were games made by other people that you could play but it was just shopping. That’s where there was the long and boring parts.”

Did any websites or apps tell you to go get a parent to help you?

“Before you were able to get on (one website), they send an email to your parent.” Mom added: “And the parent had to confirm.”

“On one website there’s a privacy mode so if you’re under 13, you can’t change it. If you want to change your age, you have to ask a parent by email.”

Did you ever click on something that led you to a totally different website?

“I was on (one website) and there was this little thing on the top of the page that said ‘are you a boy or a girl.’ It didn’t really look like an ad but it was just like a little thing with a picture and so, of course, we clicked on it and it went to another game website and it showed you a trailer.” Mom added that it was “teen rated” and included a warning that the content contained “violence, blood, partial nudity and alcohol.”

If you had to sign up for an account, did the website or app make it easy to delete your account when you were done?

“I was on (one website) and there was an option to delete the account and it deleted right away.”

Did anybody have trouble?

“A little bit. You had to email the company to delete it.”

– – – – –

Days after the Kids Sweep we got some great feedback from one of our parental sweepers who quipped that her kids are now tattling on each other for failing to read privacy policies. She added:

“They had a really good time and learned a lot about thinking critically when it comes to their personal information. If the result is that they make one brighter choice about their own privacy, then it was 100 percent worth it to me.”

It was this very comment that inspired one of our post-Sweep follow-up activities. The OPC has drafted a classroom activity for Grade 7 and 8 teachers across Canada based on our 2015 Kids Sweep.

We’ve simplified the Sweep form used to assess the privacy communications of apps and websites and are encouraging teachers to conduct privacy sweeps with students using the forms as a way to kick off a discussion about online privacy and the protection of personal information.

Alone or in groups, we are encouraging students to “sweep” their favorite apps and websites, to learn how to read privacy policies, to learn about tracking, the different types of personal information that might be collected and to discuss their observations with their teacher and peers. We’ve also provided a take-home tip sheet dubbed Pro Tips for Kids: Protecting Your Privacy for students and their parents.
Mother and daughter at computer.

Note to teachers: you can find the classroom activity on our website. As for parents and guardians, if it’s not something your kids are learning in school, think about adapting the lesson plan as a rainy Sunday afternoon activity!

Intimate, controversial or embarrassing photos and comments can have a lasting impact on a person’s reputation. Today, digital literacy as is as important as learning your ABCs and kids who understand and implement safe online privacy practices are less likely to make the sort of mistakes that could haunt them in the future.

Click here for more on the results of this year’s Children’s Privacy Sweep.


21 Nov 2012

Employee privacy – a balancing act


Companies are always seeking ways to improve productivity.  The most innovative and successful methods can create some positive buzz around a company.

Other approaches can sometimes be ill-advised, premature or ineffective, and this can make waves within an organization.

Last month, a law firm in Toronto was the subject of some media interest over its highly controversial plan to use fingerprint-scanning technology to monitor the comings and goings of its administrative staff. The plan was meant to ensure that staff were not “abusing the system” with lengthy lunch breaks and short work days. Media reports and blog posts zeroed in on the privacy implications of such a plan.

Our Office wouldn’t have oversight over this specific employment matter – we only have oversight into matters of employee privacy in federal works, undertakings, or businesses (lovingly referred to as “FWUBs”). Otherwise, employee privacy is largely a provincial matter, with several provinces having passed privacy legislation that applies to personal information of private sector employees. It’s unfortunate that there is little redress for employees in those provinces that do not have legislation in place, this being one such case in point.

An employer’s need for information should be balanced with an employee’s right to privacy. While employers may be focused on increasing productivity, they should seek to ensure that they weigh the benefits of any potentially privacy-invasive plans against the costs — and not just economic  costs.  Cost considerations should include potential impact on staff morale, loss of trust and loss of human dignity.

Law firms, in particular, could set a model example in how they handle personal information when managing their law practice. In Girao v. Zarek Taylor Grossman Hanrahan LLP, Hon. Justice Richard Mosley wrote,

““Law firms providing advice to clients who deal with the personal information of their customers must be knowledgeable about privacy law and the risks of disclosure. Lawyers also have a public duty to protect the integrity of the legal process. The failure of lawyers to take measures to protect personal information in their possession may justify a higher award than that which would be imposed on others who are less informed about such matter.”

While the Federal Court was referring to the personal information of clients rather than employees in those circumstances, it’s still a significant message about the high standards of conduct judges expect lawyers to live up to.

We hope law firms will take the opportunity to consult our privacy guidance for lawyers. And we hope organizations will take advantage of the other resources we have on dealing with workplace privacy issues, including our fact sheet for human resources professionals.

 


29 Mar 2011

Insights on Privacy – Adam Greenfield and Aza Raskin


On April 20th, 2011, our Office is holding the third Insights on Privacy armchair discussion. We heard in February about what motivates us to reveal or conceal details of our personal lives, and how we protect the private lives of others around us.

To complement this talk, we’ve invited tech innovators Adam Greenfield (@agpublic) and Aza Raskin (@azaaza) to explore opportunities for privacy in the design of intimate devices, like smart phones, that we share our lives with every day, to the sensor-rich landscape that’s upon us. We’ll discuss opportunities for companies to empower individuals with greater choice and control over how their data are used and for greater collaboration within and across industry sectors.

In his 2006 book Everyware, Adam Greenfield argued that we were headed for a world in which keeping the boundaries between different roles in our lives was going to prove untenable. That notion is coming to pass with the current debate over the public/private divide and the blurring of our various roles and reputations online. Adam was Nokia‘s head of design direction for user interface and services from 2008 to 2010 and Lead Information Architect at Razorfish Tokyo. His current projects through Urbanscale focus on improving how users experience technology, such as stored-value cards for public transit and many other “smart-city” initiatives.

Aza Raskin’s passion for improving the way we experience technology recently had him heading up user experience for Mozilla, developer of the popular Firefox browser, where he rethought and simplified conventional approaches to privacy policies. Raskin left Mozilla in late 2010 to launch the start-up Massive Health, with the goal of helping people improve control of their health through innovatively designed technology and the ways we interact with it.

The video of this event will be made available after the event, as we did for the December 10, 2010 event with Jesse Hirsh and Chris Soghoian and for the February 28, 2011 event with Christena Nippert-Eng and Alessandro Acquisti.

Space is limited and is available on a first-come, first-served basis. Please RSVP before April 15, 2011. Simultaneous interpretation for both official languages will be available.

When: 2:00-4:00 p.m. Wednesday, April 20, 2011
Where: Minto Suites Hotel, 185 Lyon Street North, 2nd Floor, Salon Vanier/Stanley

RSVP: knowledge.savoir@priv.gc.ca


9 Mar 2011

A creepy app


While there are always advance warnings about the potential privacy risks of emerging technologies, it usually takes a “killer app” for people to take notice of the real dangers. For geotagging, that app is the rather aptly named creepy.

Photo geotagging — the embedding of geographical location information within digital photos — is becoming increasingly common as a side effect of regulation by the US Federal Communications Commission.  By September 11, 2012, American mobile wireless service providers are required to provide precise location data to improve 911 emergency service. To meet this directive, more and more mobile phones sold in North America now have built-in GPS chips.

Often times, the embedding is automatic. If consumers take a picture with their GPS-enabled phone and haven’t specifically disabled geotagging, the coordinates where the photograph was taken become a digital record contained within the picture file. If enough of these location-tagged photographs are taken and uploaded to on-line sharing services, the aggregated GPS information can indicate a pattern of behaviour. If your picture gallery also contains a self-portrait, it becomes possible for strangers to track you down in person.

Creepy can harvest data from a dozen of the most popular photo hosts, including flickr, twitpic and yfrog, then illustrate any found location data with Google Maps. The result is a visual cluster of your usual whereabouts: your favourite park, your place of employment, or your home.

Have you checked your mobile’s camera settings for mention of geotagging or EXIF data embedding? If not, now is a good time to familiarize yourself with the configuration screen. Consider turning those “features” off, unless you have reason to do otherwise.


12 Aug 2010

Badges? Badges? We don’t need no stinkin’ badges!


Loyalty discounts, the power of recommendations, serendipitous encounters with friends and colleagues, recognition badges, and stalkers. I think that’s a fair summary of most commentary about the growth of location-enabled services and tools.

Location is just one piece of information that can be generated by most smart phones, but is the most relevant for a marketer eager to deliver precise and context-specific messages to a consumer on the move. It is also a highly useful data point for a social scientist trying to measure the flow of human migration and socioeconomic progress, as in the case of Nathan Eagle’s research in the slums of Kibera, Nairobi, Kenya.

Between June 2008 and June 2009, Eagle and his co-researcher evaluated the calls recorded by mobile phones across Kenya (with all callers’ identification replaced with unique hashed IDs) to focus on calls originating or ending in Kibera. Their research tracked between 53,000 and 74,000 calls a month and a total of 18,000 individual callers during the year.

What did this data reveal about individual mobile phone users? “With each call, we can infer a number of individual characters such as

  • spatial data (by the location of the cell tower that transmitted the call),
  • economic data (the average length of each call, the amount of pre-paid minutes an individual has put on their phone, the type of phone),
  • an individual’s regional or tribal affiliation, and
  • a radius of migration for groups of individuals (by the distance between locations of cell towers calls have been made from).”

A first indication from this research is that Kenyans only live in the Kibera slum for a mean of 1.559 months. This high rate of movement and population turnover “supports the theory that slums act as a filter as opposed to a sink where there is a large amount of flux within the slum population.”

Amy Wesolowski, Nathan Eagle, Parameterizing the Dynamics of Slums

Eagle’s work in Kenya is an extension of a research project originally conducted at MIT, where 100 students were provided with mobile phones for 265 days. The mobile phones were equipped with custom survey software that recorded data and prompted the students with questions when certain conditions were met.

How much data?

“From the studies, we gathered 370 megabytes of raw data, including short recordings from 667 calls, 56,000 movements, 10,000 activations of the phone, 560,000 interaction events with our applications, 29,000 records of nearby devices, and 5,000 instant messages.”

Thankfully, from a privacy advocate’s point of view, the researchers also had to struggle with (a limited number of) weak points in their data sets – instances when the participants didn’t bring their phone with them, consciously turned the phone off, or simply ignored it. I would like to think that some of this reflected a conscious effort to mediate information collection, but it was probably just fatigue or forgetfulness.

There was one significant distinction between the two projects: the active involvement and acknowledgement of the participants. In Cambridge, the participating students were walked through the information collection process, provided with details about the information that would be collected, and required to complete a consent form(.pdf).

M. Raento, A. Oulasvirta, N. Eagle, “Smartphones: An Emerging Tool for Social Scientists“, Sociological Methods Research 37:3, 426-454.

This is an important point when it comes to the collection of location data, especially when it is associated with other personal information: individuals want to know what is happening with their information, and would like some element of control over its use.

A recent and exhaustive examination of the 89 then-available location-sharing services (really, who can keep track?) by researchers from Carnegie Mellon University noted that “the willingness to share one’s location and the level of detail shared depends highly on who is requesting this information (or knowing who is requesting this information), and the social context of the request.”

Supplemental interviews confirmed that potential users had particular scenarios in mind when evaluating the benefits and risks of these services: scenarios that would best be addressed with more detailed privacy controls, rules and conditions (explained in detail in the paper):

  • Blacklists
  • Friends Only rules
  • Granularity of controls
  • Group-based rules
  • Invisible status
  • Location-based rules
  • Network permissions
  • Per request permission
  • Time-based rules
  • Time-expiring approval, or
  • No restrictions

Janice Y. Tsai, Patrick Gage Kelley, Lorrie Faith Cranor, Norman Sadeh, Location-Sharing Technologies: Privacy Risks and Controls

Obviously, there are significant gaps in how personal privacy is protected when information is collected and analyzed in a large scale research project, a smaller experiment and within the context of online commercial services.


6 Aug 2010

Something new between us and our Calvins


In a move to monitor inventory in its stores, Wal-Mart will launch an item-level Radio Frequency Identification (RFID) inventory tracking program starting August 1st, 2010.  In its first phase, the system will track individual pairs of jeans, socks and underwear.  The items will be tagged with removable RFID tags that can be read from a distance using hand-held scanners so employees will know what sizes are missing from shelves and what is in the stock room, all in a matter of seconds.  If the program is successful, it will be rolled out at Wal-Mart’s more than 3750 U.S. stores with more products.

The upside of RFID systems have been well-documented –they help retailers better control their inventory and cut costs for consumers,  create efficiencies in our health care system, increase customer convenience (enter the smart coffee mug), and save valuable time for consumers (let’s face it, the ability to push a shopping cart through an RFID reader that instantly calculates your grocery bill without removing a single item from the cart sounds down-right heavenly!).

RFID systems also continue to be rolled out new contexts: we have written about privacy issues surrounding the use of RFID in the workplace, Northern Arizona University is using their RFID enabled student cards to track student lecture attendance,  transportation systems use RFID to monitor traffic flow, our passports are being equipped with RFID chips and our pets are tracked and monitored via RFID implants.

While these systems can be really useful and save us time and money, they also raise some serious privacy concerns.  While the RFID tags in the Wal-Mart example are removable, not all RFID tags are (some are as small as a speck of dust and are virtually invisible).  RFID tags can be tracked and hacked, may not be easy to turn off and can be read at a distance, potentially allowing tags to be read outside the original system for purposes limited only by human ingenuity.

As the tags get cheaper and the size of the tags gets smaller, extending the reach and uses for such systems will likely evolve too. Perhaps most concerning is that RFID systems have the potential to track individuals and could do so without their knowledge or consent.  As a recent article notes:

“Location-aware apps are scary enough, based on GPS with the broad range they offer. But for the most part you still have to sign up for those. RFID is being implemented all around you…it can track infants to senior citizens with Alzheimer’s. In between it can track your clothes, your purchases, your car – even you. RFID is on the verge of tracking us all, cradle to the grave.”

As we and others in a number of jurisdictions continue to wrestle with questions about RFID and privacy, the evolving application of RFID systems serve to highlight the fascinating convergence of emerging technologies and human creativity.