CRTC begins dialogue on traffic shaping

November 21st, 2008 by Daphne Guerrero

Yesterday, the CRTC rendered its decision on ISPs’ traffic-shaping practices. It announced that it was denying the Canadian Internet Service Providers’ (CAIP) request that Bell Canada, which provides wholesale ADSL services to smaller ISPs across the country, cease the traffic-shaping practices it has adopted for its wholesale customers.

“Based on the evidence before us, we found that the measures employed by Bell Canada to manage its network were not discriminatory. Bell Canada applied the same traffic-shaping practices to wholesale customers as it did to its own retail customers,” said Konrad von Finckenstein, Q.C., Chairman of the CRTC.

Moreover, the CRTC recognized that traffic-shaping “raises a number of questions” for both end-users and ISPs and has decided to hold a public hearing next July to consider them.

We’ll be following the public hearing closely, and here’s why: Internet traffic management requires the use of deep packet inspection (DPI) technology - technology that can “read” packets of information flowing through the Internet. In this case, packets are being read to identify specific Internet activities - like the use of peer-to-peer (P2P) file-sharing applications. That same technology can be used to read a whole lot more about what you do on the Internet: what you’re watching, downloading or reading, who you’re talking to, what you’re saying, as well as where you are and who you are.

As we’ve mentioned on this blog, our office is already looking into a complaint about DPI and we expect to have a decision soon.

The time has come for net neutrality, both as an economic and a social policy issue, to be examined by the Canadian government. And we look forward to being a part of that discussion.

Public health and Google Trends

November 13th, 2008 by Colin McKay

Huddled under a blanket in the quiet of your computer room, aching from head to toe, you decide to do a quick Google search for flu remedies or maybe read more on where the next flu clinic will be held. Congratulations – with Google’s help, you’ve just volunteered for the public health early warning system.

Discussed Tuesday in the Drudge Report, Google’s new Flu Trends is said to aggregate Google search data and it claims to estimate flu activity in US states up to two weeks faster than traditional public health tracking. Google is also providing graphical results for flu-related search results for some Canadian provinces.

Perhaps you believe searches for flu-related terms aren’t very revealing? What about when it expands its reporting into more sensitive areas – say, sexually transmitted diseases (or genetic diseases like Huntington’s chorea)? But with Google having announced that it will anonymize search results after nine months, doesn’t that give you comfort?

Perhaps you say all this doesn’t matter because Google says user privacy is protected: “Google Flu Trends can never be used to identify individual users because we rely on anonymized, aggregated counts of how often certain search queries occur each week. We rely on millions of search queries issued to Google over time, and the patterns we observe in the data are only meaningful across large populations of Google search users.”

There is a delicate balance to be struck between tracking data in the public interest and the danger of violating personal privacy. Many issues need to be considered. For example, the Federal Court’s recent decision in Gordon, which dealt with the concept of identifiability of information in a database of adverse drug reactions, adopted a test suggested by our office.

More robust public debate is needed about the issues raised by these developments and we look forward to your feedback.

Putting Privacy Issues in Perspective

November 7th, 2008 by Colin McKay

Are you looking for the inside scoop on what the Office of the Privacy Commissioner of Canada (OPC) is doing to protect and promote privacy rights in Canada and abroad?

The OPC has launched a new e-newsletter, Privacy Perspectives. This new publication includes feature articles about the work the OPC is doing and its take on a wide variety of privacy issues. It also offers links to all sorts of useful publications and tools that will help individuals, organizations and institutions understand both their rights and their obligations when it comes to privacy. In addition, the e-newsletter offers real-world examples of how Canadian privacy legislation comes into play by highlighting the Office’s most recently published case summaries.

The e-newsletter is available on the OPC Web site and readers have the option of subscribing to receive it via e-mail. The first issue of Privacy Perspectives is posted now. Issue number two is scheduled to be published in early 2009.

How your handheld handles your data

November 5th, 2008 by Colin McKay

The popularity of mobile computing is skyrocketing – from teenagers to business travelers, handheld devices such as Blackberrys, iPhones and smart phones allow users to surf their favourite sites, manage their relationships within a social network, review work documents or download music.

Using traditional privacy protections such as passwords on your handheld device is a step in the right direction, but there are a number of other privacy concerns that are worth considering.

According to a CTV news report, personal information is turning up in refurbished handheld devices being purchased by Canadian consumers.

Reselling refurbished devices, whether by a large company or an individual on eBay, is a common practice. Many people also donate or recycle their unwanted electronic equipment, but never really know where those old handhelds may end up.

Sensitive files stored on handhelds can provide a wealth of personal information or valuable company data.

Despite their widespread use, the full privacy implications of losing a device are still largely unknown. A lost or stolen handheld can expose personal data to unintended parties, and this could be used for illicit or simply mischievous purposes.

As well, some devices appear to be susceptible to unauthorized access – whether through the carrier’s network, the phone’s built-in WiFi capabilities or with the intervention of a nearby Bluetooth device.

So how can we protect privacy while using mobile devices?

  • First off, always use the built-in password protection. Use a strong password, with a combination of lower case and capital letters as well as numbers.
  • Remove sensitive files from handhelds once you are finished using them.
  • If you have to keep sensitive files on a mobile device, encrypt the file, install a correctly configured firewall and/or password protect the file.
  • If your device is Bluetooth enabled and you do not use it, disable the feature.
  • When you upgrade your device, take the time to wipe it of personal information. A quick search will provide resources that will show how to clean a device such as a Blackberry or an iPhone. Installing anti-theft software on a device can allow a user to erase personal data remotely and even render the device unusable if it is ever lost or stolen.

There’s a further risk involved in mobile computing, a risk that we are in the process of evaluating: the privacy protections found (or absent) in the third party applications (apps) now common on handheld devices.

By their very design, apps installed on or downloaded to mobile devices may put personal data at risk.

It appears that apps are being built by a range of developers – from students to multi-national companies. As you would expect, these developers can have very different standards when it comes to accessing and protecting your personal information.

  • Before installing an app, check out the developer. You may need to make a personal judgment about whether you trust them with access to your device and your information.
  • Check your favourite apps for safeguards like password protection.
  • When you change your password on a non-mobile application (the web site), make sure the app reflects that change.
  • Make it a habit to log out of apps on a regular basis.

Mobile computing offers the opportunity to carry more of your life around in your pocket. Taking a bit of time to secure your device and personal information can help safeguard your privacy.

Freedom Not Fear Day

November 4th, 2008 by Daphne Guerrero

On October 11, in 22 cities across Europe, citizens demonstrated to express their concerns over what they see as the increasing growth in government-created surveillance societies. October 11 was Freedom Not Fear Day, organized by the German Working Group on Data Retention.

In Berlin alone, over 15,000 protesters gathered in a rally that ended at the Brandenburg Gate. (The organizers have argued that 15,000 is a lowball number from the authorities, and the actual number could be closer to 50,000.) Peaceful and creative action took place throughout Europe, including art performances in Vienna, public lectures in Rome, and the construction of a collage made from uploaded photos of UK surveillance equipment and tactics in London.

From the website of the German Working Group on Data Protection:

“Surveillance mania is spreading. Governments and businesses register, monitor and control our behaviour ever more thoroughly. No matter what we do, who we phone and talk to, where we go, whom we are friends with, what our interests are, which groups we participate in - “big brother” government and “little brothers” in business know it more and more thoroughly. The resulting lack of privacy and confidentiality is putting at risk the freedom of confession, the freedom of speech as well as the work of doctors, helplines, lawyers and journalists.

The manifold agenda of security sector reform encompasses the convergence of police, intelligence agencies and the military, threatening to melt down the division and balance of powers. Using methods of mass surveillance, the borderless cooperation of the military, intelligence services and police authorities is leading towards the construction of “Fortresses” in Europe and on other continents, directed against refugees and different-looking people but also affecting, for example, political activists, the poor and under-privileged, and sports fans.

People who constantly feel watched and under surveillance cannot freely and courageously stand up for their rights and for a just society. Mass surveillance is thereby threatening the fabric of a democratic and open society. Mass surveillance is also endangering the work and commitment of civil society organizations.

Surveillance, distrust and fear are gradually transforming our society into one of uncritical consumers who have “nothing to hide” and - in a vain attempt to achieve total security - are prepared to give up their freedoms. We do not want to live in such a society!

We believe the respect for our privacy to be an important part of our human dignity. A free and open society cannot exist without unconditionally private spaces and communications.”

In the United States, Freedom Not Fear Day was supported by a number of NGOs, including the Electronic Frontier Foundation (EFF) and the Electronic Privacy Information Center (EPIC). Together, they issued a release calling for an end to watch lists and data profiling programs that fail to comply with the federal Privacy Act, the establishment of comprehensive data protection legislation, and the repeal of the Patriot Act.

But Freedom Not Fear Day was a decidedly more subdued affair in the U.S. Besides this endorsement and statement issued by EPIC, EFF and IP Justice, no other activities appear to have been scheduled to commemorate Freedom Not Fear Day in Washington D.C. Canadian activities were similarly subdued: the official website notes that a light projection was planned for Toronto’s City Hall but information on who organized it and how it turned out couldn’t be found.

Granted, the roots of Freedom Not Fear Day are in Berlin and the global day of action seems to have spread to other European capitals, but it’s interesting to note that North Americans seem reluctant to stand up to the notion of “security theatre”.

Another important step towards protecting children’s online privacy

October 21st, 2008 by Kristen Yates

Last week, an important resolution brought forward by our office was passed at the International Conference of Data Protection and Privacy Commissioners in Strasbourg, France. The resolution calls for an international effort to protect the privacy of children online.

Young people today are using the Internet to communicate in numbers that rival the telephone. The resolution stresses that while many young people recognize the risks associated with their online activities, they often lack the experience, technical knowledge and tools to mitigate those risks. In addition, they are sometimes unaware of their own legal rights. The resolution was cosponsored by data protection authorities (DPAs) from New Zealand, France, Ireland, Berlin and the United Kingdom.

The DPAs agree that a global commitment to education and increasing awareness is needed to ensure that children and young people around the world have access to a safe online environment respectful of their privacy. They are also calling on industry to take greater responsibility for protecting user privacy in the online environments they create for children.

This resolution is one more important step towards protecting our children’s online privacy. Earlier this year, in Canada, the federal, provincial and territorial privacy commissioners and ombudspersons issued a joint resolution expressing their commitment to work together to improve the state of online privacy for children and young people. In addition, the provincial Commissioners responsible for privacy are working with teachers and Ministries of Education to build information and advice into the materials presented to Canadian students. Further inroads are being made internationally as well. Ireland and the Asia-Pacific countries held video contests for kids around the issue of privacy; Spain released a booklet on privacy for parents and children; and Norway has created books and videos on the subject.

That data miner’s watching you

September 30th, 2008 by Colin McKay

You know, you’re not really worrying quite enough about the information being collected about you, your preferences, your obsessions and your movements. Not by the government, not by security agencies or law enforcement officials, but by the companies that serve you every day.

I suspect that everyone reading this blog is familiar with the tracking and monitoring put in place by online companies like Amazon, whose recommendation engine analyzes your previous searches, purchases and related items and then suggests related books that might interest you.

But Stephen Baker’s The Numerati sheds some light on the many, many efforts underway to collect information on individuals, groups, professions, communities and demographic segments. Information that can then be analyzed by teams of highly skilled mathematicians, statisticians and inspired polymaths to identify associations between seemingly disparate details – associations that can be used to make decisions about how the company approaches you as a customer.

Once this information is properly analyzed, companies can target advertising, design product placement in grocery stores, monitor your elderly parents, pull together teams of consultants from across the world, anticipate the onset of diseases like Parkinson’s and Alzheimer’s and, of course, drive you to the polls on election day.

“I think we’re in the early days yet. They don’t know you all that well yet. … One of the important things is that they’re beginning in areas where they can make mistakes …

The shopping people have ridiculous amounts of data about the shopping patterns of every one of us, so they can understand what makes a Cheerios buyer a likely Cheerios buyer. The counter-terrorists do not have good data on how potential terrorists behave, so it makes it very difficult for them …”

Eerily, Baker recounts one part of a conversation with the chief mathematician of the National Security Agency, whom Baker asked, “do you get too much information?”

The response? “You can never have too much information. You might not understand it; you might not know how to manage it; you might not know how to store it, but you can never have too much.”

Remember: the Numerati described in Baker’s book are not collecting personal information (in what we would consider the traditional interpretation), but their work can reveal a tremendously rich portrait of a customer’s preferences and choices. When combined with standard demographic data, or even voter files, these math wonks can create profiles that can help marketers, product designers or political consultants to focus and target their efforts to sway your decision making.

“They make tons of mistakes. The areas where they thrive are those like advertising, where they can afford to make mistakes.”

The quotes above are taken from an interview between Stephen Baker and Leonard Lopate of WNYC radio.

Nora Young, the host of CBC Radio’s Spark, also interviewed Baker, and there was one comment that was particularly insightful - and funny:

“There was one story about an FBI agent in California who wanted to track the consumption of hummus, thinking that hummus could be an indicator of terrorist activity. And you know, I don’t know about here, but where I live hummus is an indicator of yoga.”

What’s in store for a new session of Parliament, Part 2

September 30th, 2008 by Daphne Guerrero

With another federal election underway, a number of policy issues with privacy implications have been put on hold until after October 14. The debate over copyright was one of the most contentious issues before the House and certainly one that captured the interest of Canadians throughout the country. Before the election call, we received a letter from James Pew, a music studio owner in Toronto. He voices his concerns as a small business owner over the proposed copyright legislation, pointing out that it “does not take into account the needs of consumers and Canada’s creative community who are exploiting the potential of digital technology”. (You can view his full letter on his blog.)

Our office felt the need to respond to Mr. Pew, outlining our own concerns with the draft legislation - namely, that the use of digital rights management (DRM) software by copyright holders and customer tracking by ISPs largely ignores consumers’ privacy rights. Below is Commissioner Stoddart’s response to the letter in its entirety.

While the draft legislation died with the dissolution of Parliament and subsequent election call, we fully expect the copyright debate to pick up where it left off in the next session of Parliament.

Dear Mr. Pew,

Thank you for including me in recent correspondence with your Member of Parliament.  In that letter, you put forth your impressions of amendments proposed this summer for Canada’s Copyright Act.  I appreciate your thoughts and had some concerns of my own about Bill C-61.

My Office has been involved in the issue since similar amendments were proposed in 2005.  In that instance, as with Bill C-61, the legislation died with an election call.  However, the underlying issues still cause me some concern.  As I explained in a letter to the responsible Ministers, as Canada’s Privacy Commissioner, two particular aspects of the legislation trouble me.

First, the amendments would allow companies to use digital rights management (DRM) software on media sold to Canadian consumers.  These tools have been used in the past to collect personal information without users’ knowledge or consent.  DRM software has also been shown to create other security problems.  These practices largely ignore the principles found in Canada’s private-sector privacy legislation, the Personal Information Protection and Electronic Documents Act.  As a result, I have asked the Ministers who oversee the copyright file to consider the privacy implications of any new law.  Our Office also prepared a primer on DRM, should you be interested.

Secondly, and perhaps even more serious, is the new role Internet Service Providers (ISPs) would be required to play in tracking, recording and reporting on consumers.  Most Canadians neither expect nor want routine, systematic surveillance bundled into their internet services.  Casting such a wide dragnet over millions of subscribers - simply to ensure copyright compliance in isolated cases - seems to me grossly disproportional.  This is particularly worrisome where the commercial interests of telecommunications companies converge with media producers, to the detriment of consumers’ privacy rights.

All this is to say, while I have been raising these issues within government and the wider public, I hope the current election will provide an opportunity for the various parties to clarify their position on these important matters.  Again, thank you for your letter.

Sincerely,
Jennifer Stoddart
Privacy Commissioner of Canada

What’s in store for a new session of Parliament

September 24th, 2008 by Colin McKay

On July 3, 2008, the Office of the Privacy Commissioner of Canada announced the results of a public opinion study we commissioned on the personal information customers hand over (or refuse to hand over) to retailers.  According to the results, more than half of Canadians said that they were apprehensive about giving their personal information to retailers, citing concerns over security issues, identity theft and fraud.

The growing concern about disclosing their personal information is understandable given the rise in privacy breaches over the last year (as seen here and here).

In a speech this summer, Commissioner Stoddart noted that while a greater number of companies were voluntarily reporting breaches to the OPC, “it’s clear we still aren’t hearing about every breach which could have a harmful impact on people.”

In a different speech delivered to the Canadian Bar Association Legal Conference and Expo last month, Commissioner Stoddart spoke about her support for mandatory breach notification:

“I am a strong supporter of mandatory notification. By every measure I’ve seen, breaches are a growing problem. Despite the clear risks, we continue to see too many organizations – large and small – underestimating the need to protect personal information. This results in deficient privacy and security safeguards – and, not surprisingly, data spills.”

She also took the opportunity to provide an update on potential amendments to the Protection of Personal Information and Electronic Documents Act (PIPEDA), Canada’s private sector privacy legislation.  One of the anticipated amendments is a formal requirement to provide breach notification.

As an election has been called for this October, the proposed amendments to PIPEDA are now on the backburner until a new Parliament convenes.

Despite the election call, interest in privacy rights and the future of our privacy legislation remains high. Continued interest and engagement by Canadians reminds us that individuals have a high degree of expectation that privacy rights should be respected and safeguarded.

No doubt, progress on privacy legislation will be keenly followed by individuals, government, academics, privacy advocates and civil society as the next Parliament gets underway.

A note on how NOT to educate your kids about the dangers of social networking sites

September 12th, 2008 by Kristen Yates

Protecting your kids from online predators in social networking environments is a hot topic nowadays – especially with the findings of a recent study by Ryerson University that found that “nine out of ten young Canadians socialize online regularly and frequently”.

But there are strategies that will help change kids’ behaviour – and strategies that every parent should probably avoid. Here’s one: having a cop scare and embarrass a child by pointing out, in front of his or her peers, what “a predator in prison” could do with the information that child has made public on a social networking site. Will Richardson, the “grandfather of blogging in the classroom”, details just such a scenario in a recent blog post about a policeman in Cheyenne, Wyoming, who was brought into a school to teach kids about MySpace.

One important lesson is that it’s hard to erase information from the Internet once you’ve made it public – so using fear tactics about information that has already been posted can certainly be frightening and possibly harmful. You want your child to alter his or her future behaviour – there is nothing to be gained from having a child lose sleep over a decision or action they have already taken. 

The situation in Cheyenne obviously raised the hackles of some parents – otherwise it wouldn’t have been blogged about. The principal of the school in question came to the defense of the police officer, backing his story that he had not gone as far as the students claimed. But it’s an important lesson anyway – kids take what we say seriously. And when we have serious messages to impart we have to be careful that we don’t go too far.

Youth Privacy Online, an initiative of the Privacy Commissioner of Canada and the Provincial and Territorial Privacy Commissioners