Archive for the ‘Privacy Breach’ Category

18 Feb 2009

Time Inconsistency, Behavioural Economics and Privacy

A question that occupies a lot of our time in the office is why, despite growing research that clearly shows that privacy is important to Canadians, do many of us give out our personal information to anyone who asks? While we know privacy is important to people, they still trade personal information for just about anything – from a “free” service to a chance to win something. Why does what we say is important to us often not translate to our observable behaviour? Where does this disconnect happen?

To cast a bit of light on this conundrum, an offshoot of economics may offer some insight. Behavioural economics integrates psychology into classical economic theory to look at why we make decisions and to better understand and predict our choices. It views the individual not as not just one self but as a collection of selves that have different preferences at different points in time. The notion that humans are rational decision makers running around maximizing their utility flies right out the window with these folks. Instead, our behaviour is seen as more complex and dynamic.

An interesting sub-theory within behavioural economics is time inconsistency, which basically says is that we often exhibit a “present bias” – we place more “value” on the present than on the future. Bringing this into the realm of privacy, parting with some personal information now to sign up for free social networking site is more valuable to us in the moment than the overall state of our privacy in the future – say ten years from now. The result is that even though we believe our privacy to be important and something to be safeguarded, we continue to make choices now that negatively affect the future. We lose sight that what is optimal now, may not be optimal later.

Time inconsistency gained some attention a few months back when Google Labs released a new feature called “Mail Goggles”. Effectively a drunk dialing early warning system, when the feature is turned on you can not send an email late at night on the weekend until you answer some math questions first. In a fun and simple way, Google has capitalized on the concept of time inconsistency – giving us control now over our future (and potentially embarrassing) behaviour. Mail Goggles allows us to “pre-commit” in the present to not doing something detrimental later.

So what does all this have to do with privacy? Well, it can help us think about how we can use time inconsistency to promote privacy-protecting behaviour. Maybe we mandate that an irritating tone be installed in all computers, a tone that goes off each time you seem to compromise your privacy online, for example.

All kidding aside, we figure if Google can help us avoid the humiliation of a drunk dial by incorporating some lessons from behavioural economics, surely the discipline’s potential for privacy protection is worth an extended look.

28 Jan 2009

Data Privacy Day

To commemorate Data Privacy Day today, we offer up our latest Top Ten list…The Top 10 Ways Your Privacy is Threatened:

10. Surveillance cameras, swipe cards, Internet searches – as you go about your daily routine you actually leave a trail of data behind you for others to collect, merge, analyze and even sell, often without your knowledge or consent.

9. New and exciting technologies are emerging daily; but often your personal information is the cost of admission. Think about the information you have surrendered just to play online games, join virtual worlds, or even shop online.

8. Millions of people post all sorts of personal information about themselves, their family and their friends on social networking sites without reviewing the privacy policies, modifying the privacy settings, or considering how this information can be used or misused by others.

7. Governments are indiscriminately collecting mountains of personal data in the name of national security and public safety.

6. Businesses are collecting more and more information about an ever-greater number of people, often without having appropriate means to protect the information or dispose of it.

5. Data breaches happen every day in both the public and private sectors. Recent incidents have exposed the personal information of millions of people. In fact, you could already have been one of those people, but due to the lack of mandatory breach reporting laws in Canada, you may never even be informed.

4. Fraudsters have become extremely devious and technologically savvy. From the other side of the planet, they can steal your personal information. These days, you need to shred documents, protect your computer, watch out for fraudulent e-mails, be on guard against pretexting and much more.

3. Identity theft, which is fuelled by excessive personal information collection and failure to protect it, is rampant – and it is becoming a very lucrative business for criminals.

2. We live in a global society where information flows freely around the world – from person to person; jurisdiction to jurisdiction; public sector to private sector – and all privacy protection laws are not created equal.

1. The notion that “if you have nothing to hide, you have nothing to fear”. Privacy is an essential freedom that shapes our society; an internationally recognized human right; and the foundation of modern democracy – but if we don’t value our privacy or stand up for it as our right, it will be eroded over time.

What are you doing to take note of Data Privacy Day? Check out our Data Privacy Day page for new information and material demonstrating the importance of data privacy issues and encouraging people to become better guardians of their own personal information. And be sure to share with us how you protect your personal information for a chance to win one of our T-shirts!

4 Dec 2008

Remember Mafiaboy?

In 2000, this 15-year-old hacker brought down some of the most heavily visited websites on the net: Amazon, eBay, CNN, Yahoo!. At the time, reports claimed the hack caused a billion dollars’ worth of damage to these companies.

Since that time, cybercrime has become big business, with some reports suggesting it’s on par with or bigger than the illicit drug trade. Identity theft features prominently in this underground frontier, with credit card information and entire identities up for sale by the thousands.

Tonight, CBC is airing Web Warriors, a one-hour documentary with an exclusive look at the world of hackers, and the cyber-sleuths who pursue them. If you miss it on TV, the entire documentary is available on CBC’s site as well.

And on the subject of teenage hackers, we’d like to point you towards Little Brother, the novel for young adults by BoingBoing blog coeditor Cory Doctorow. Little Brother takes place in the not-so-distant future where a group of teens use technology to protest the ever-increasing government surveillance around them. It’s a story that looks at hacking, jamming and surveillance, and offers insight into the privacy vs. security debate…all through the eyes of a 17-year-old.

24 Sep 2008

What’s in store for a new session of Parliament

On July 3, 2008 the Office of the Privacy Commissioner of Canada announced the results of a public opinion study we commissioned on the personal information customers hand over (or refuse to) to retailers.  According to the results, more than half of Canadians said that they were apprehensive about giving their personal information to retailers, citing concerns over security issues, identity theft and fraud.

The growing concern about disclosing their personal information is understandable given the rise in privacy breaches over the last year (as seen here and here).

In a speech this summer, Commissioner Stoddart noted that while a greater number of companies were voluntarily reporting breaches to the OPC, “it’s clear we still aren’t hearing about every breach which could have a harmful impact on people.”

In a different speech delivered to the Canadian Bar Association Legal Conference and Expo last month, Commissioner Stoddart spoke about her support for mandatory breach notification:

“I am a strong supporter of mandatory notification. By every measure I’ve seen, breaches are a growing problem. Despite the clear risks, we continue to see too many organizations – large and small – underestimating the need to protect personal information. This results in deficient privacy and security safeguards – and, not surprisingly, data spills.”

She also took the opportunity to provide an update on potential amendments to the Protection of Personal Information and Electronic Documents Act (PIPEDA), Canada’s private sector privacy legislation.  One of the anticipated amendments is a formal requirement to provide breach notification.

As an election has been called for this October, the proposed amendments to PIPEDA are now on the backburner until a new Parliament convenes.

Despite the election call, interest in privacy rights and the future of our privacy legislation remains high. Continued interest and engagement by Canadians reminds us that individuals have a high degree of expectation that privacy rights should be respected and safeguarded.

No doubt, progress on privacy legislation will be keenly followed by individuals, government, academics, privacy advocates and civil society as the next Parliament gets underway.

28 Jan 2008

A correction – but still a concern

Today, we issued a news release celebrating Data Privacy Day, an initiative of the International Association of Privacy Professionals. In that release we made the assertion that  “We have seen a proliferation of identity theft and spam as well as a tripling of reported data breaches around the world last year” – based on an analysis of data breaches first reported in USA Today, and similar reporting by the Associated Press.

“Dissent,” who blogs at pogowasright, contacted me to question that analysis. Dissent’s dissection of the claim that breaches have tripled can be found here and here. His/her email suggested that maybe we were thinking of the records revealed as a result of breaches?

I think we can all agree it is hard to track whether a data breach has occured, unless it is then reported in the media.  Dissent’s analysis seems to make sense.

At the Office of the Privacy Commissioner, however, we are certain that there were a number of remarkable data breaches in 2007 – in Canada and abroad.

Whether we are talking about breaches themselves or the records they revealed, there were millions of personal records exposed because of poor record handling, inadequate security, lax staff procedures and disregard for privacy agreements.

And that has to change.

But we still appreciate Dissent for paying close attention. We need more like him/her.

31 Dec 2007

A new year’s errand list

As we close out 2007, we’d like to sound a note of caution for privacy rights in Canada. We are lucky to have a variety of protections for personal information and data at the territorial, provincial and federal levels. Nevertheless, the Commissioner took a moment last week to highlight some of the steps that need to be taken by individuals, corporations and the government in the face of continuing challenges:

“Heightened national security concerns, the growing business appetite for personal information and technological advances are all potent – and growing – threats to privacy rights,” said Commissioner Stoddart. “The coming year will be another challenging one for privacy in Canada.”

What challenges, you may ask? Privacy International, a London-based non-governmental organization, issued their annual report on privacy protection world-wide. Canada was one of three countries recognized as a world-leader, but we were criticized on several fronts:

  • Federal commission is widely recognised as lacking in powers such as order-marking powers, and ability to regulate trans-border data flows
  • Variety of provincial privacy commissioners have made privacy-enhancing decisions and taken cases through the courts over the past year (particularly Ontario)
  • Court orders required for interception and there is no reasonable alternative method of investigation
  • Video surveillance is spreading despite guidelines from privacy commissioners
  • Highly controversial no-fly list, lacking legal mandate
  • Continues to threaten new policy on online surveillance
  • Increased calls for biometric documents to cater for U.S. pressure, while plans are still unclear for biometric passports

7 Dec 2007

Not all data breaches are caused by fraud

This week, we’ve been speaking to the media* about an incident at the Passport Office: a person using their online application form found that they could access others’ personal documents by changing one variable in the URL displayed in their browser. The Globe and Mail and Slashdot report that this was likely the result of an error in the code behind the web page – or an omission in the code.

We’re still looking into the incident, but thought it was valuable to point out that not all data breaches are caused by fraud or theft. In some cases, personal information is left exposed because employees and organizations have left their data management systems unsecured.

They may have not updated their systems to the latest encryption standard, they may not require their employees to think up robust passwords, or they may have made a decision to wait for a more stable version of the software.

In the end, however, these organizations and their employees are making decisions about security of their clients’, customers’ and colleagues’ personal information.

And sometimes that personal information leaks out.

At that point, a software or hardware issue becomes a matter of personal concern. The appropriate reaction from an organization is contrition and an expressed dedication to resolve the breach quickly and fully.

Oh, and a commitment to reforming the personal or organizational habits that led to the lax security in the first place.

*As you may have noticed, “we” generally refers to Colin McKay, the Director of Communications. Other employees have blogged, and we expect more of their work in coming weeks.

26 Nov 2007

Privacy Commissioner on 60 Minutes

In case you missed it, last night the CBS News program 60 Minutes discussed the data breach at TJX (also known as TJ Maxx, Marshalls, Winners and Home Sense). Our report on the data breach can be found on our site. Further to our report, TJX announced they had, in fact, lost the information for 90 million cards.

An interview with Jennifer Stoddart, the Privacy Commissioner of Canada, led the program. The video is available on the CBS site.

21 Nov 2007

A complete and utter failure

When privacy advocates try to imagine their idea of the worst possible data breach, I doubt they could think up this catastrophe.

Last month, a British government agency, Her Majesty’s Revenue and Customs, lost a copy of the records for over 7 million families, or 25 million individuals, who receive child benefits.

Diskettes with the records were apparently sent by in-house courier across London – breaking departmental standards – and were never received.

The diskettes included a trove of information, including names, addresses and dates-of-birth of the children, and their national insurance numbers. Some of the records may have included the bank details of parents claiming child benefits.

As a result, Paul Gray, the chairman of HM Revenue and Customs, resigned.

It appears several HMRC protocols were broken:

  • the data records, while password protected,  should not have been shared in the format used;
  • when the data was shipped, no record was made of its departure, and no proof was required of its delivery; and
  • senior management was not informed of the loss for another three weeks.

The impact – even if the records are found to have been simply misplaced and their delivery unrecorded in some sub-office – has been profound.

Child benefit recipients are having their accounts monitored for signs of fraud.

Financial institutions across the country have had to begin reconstructing transactions completed since the data breach to make sure fraud hasn’t already taken place. This is a costly and time-consuming exercise.

The sheer scale of the data lost is staggering. The fact that a junior official apparently had the access to this information is disturbing – but that official’s apparent disregard for the security of such a vulnerable population is shattering.

The message for governments everywhere is clear: even in an organization clearly aware of the sensitivity of its data holdings, even with management dedicated to organizational efficiency and responsibility, the security of vital personal data cannot be taken for granted.

A failure of apparently rote safeguards, process or procedure can have potentially devastating consequences: for vulnerable populations, for their families, for civil servants, and possibly for governments.