You Might be Interested In

(from our news release)

The Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) has more personal information in its database than it needs, uses or has the legislative authority to receive.

This was one of the key findings of the Privacy Commissioner of Canada’s in-depth audit of the independent agency mandated to analyze financial transactions and identify suspected money laundering and terrorist financing in Canada …

Legislative changes passed in 2006 expanded the types of transactions that must be reported to FINTRAC, as well as the number of professionals and organizations that are required to collect information about clients and to report it to FINTRAC. Examples of entities required to report to FINTRAC include financial institutions, life insurance companies, accountants and casinos.

The audit found that FINTRAC needs to do more to ensure that the amount of personal information it acquires is kept to an absolute minimum. A random sample of files examined in the audit turned up several reports that did not clearly demonstrate reasonable grounds to suspect money laundering or terrorist financing.  For example:

• A reporting entity filed several reports stating it was “taking a conservative approach in reporting this … because there are no grounds for suspecting that this transaction is related to the commission of a money laundering offence, but there is a lack of evidence to prove that the transaction is legitimate.”
• An individual deposited a government cheque for an amount less than $300 and then withdrew the entire amount. The financial institution filed a suspicious-transaction report, but did not indicate why the transaction was deemed suspicious.
• A financial institution filed a report about an individual who had deposited a cheque from a law firm.  The institution was satisfied that the individual had provided legitimate reasons for the source of funds, but decided to notify FINTRAC anyway because of the individual’s ethnic origin and the fact that this person had visited a particular country.

“It is clear that such reports, containing not a shred of evidence of money laundering and terrorist financing, should not be making their way into the FINTRAC database,” says Commissioner Stoddart.

“It is a bedrock privacy principle that you collect only the personal information you need for a specific purpose,” she says. “The federal government needs to have a justifiable need to collect someone’s personal information. Clearly, FINTRAC needs to do more work with organizations to ensure it does not acquire personal information that it has no legislative authority to receive – and that it does not need or use.”

The audit recommended enhanced front-end screening of reports; stronger ongoing monitoring and review to ensure that information holdings are relevant and not excessive, and the permanent deletion of information that FINTRAC did not have the statutory authority to receive.

Under amendments passed in 2006, the Proceeds of Crime (Money Laundering) and Terrorist Financing Act requires the Privacy Commissioner to review FINTRAC every two years and report the results to Parliament.

A survey commissioned by American academics and privacy advocates reveals that Americans are generally suspicious of efforts to track their behaviour online and to target advertising based on this tracking.

While you might expect older Americans to be suspicious of efforts to track their behaviour on individual websites, and even more so if tracking their behaviour on multiple sites, there seems to be opposition from younger Americans as well. 55% of 18 to 24 year-olds do not want to be subject to tailored advertising – and this number increases significantly if the advertiser is compiling data from a number of sources in order to target.

Interestingly, promises to anonymize the data do not seem to win many supporters:

“Even when they are told that the act of following them on websites will take place anonymously, Americans’ aversion to it remains: 68% “definitely” would not allow it,  and 19% would “probably” not allow it.”

The June/July survey was conducted by telephone interviews with a national sample of 1,000 adult internet users living in the continental United States, using both land line and cellular service.

The report by Joseph Turow, Jennifer King, Chris Hoofnagle, Amy Bleakley and Michael Hennessy is available on the Social Sciences Research Network.

A 51 page privacy impact assessment on how the Department of Homeland Security inspects electronic devices at the border.

As followers of Canadian federal privacy law might know, there was a complaint to the Office in June 2004 related to the operations of a US company called Accusearch, which promised to find confidential telephone records on anyone, for a fee. A detailed explanation of the case can be found in our Legal Corner, but the conclusion was a ruling from the Federal Court of Canada that web sites that are accessible from Canada may fall under the OPC’s jurisdiction for investigation.

In May 2006, the Federal Trade Commission charged Accusearch and its chief executive with breaking the Federal Trade Commission Act and the Telecommunications Act. A federal court in Wyoming found for the FTC in September 2007. Accusearch subsequently appealed this decision to the 10th Circuit Court of Appeals.

The Office submitted an Amicus Curiae brief in support of the Federal Trade Commission in this matter.  This highlighted the fact that the unauthorized collection, use and disclosure of personal information over the Internet by data-brokers can cause harm and has extra-territorial effects.

Today, the 10th Circuit Court denied the appeal, noting that:

“… Accusearch attempts to portray itself as the provider of neutral tools, stressing that it merely provided “a forum in which people advertise and request” telephone records … But that phrasing mischaracterizes the record. As explained above, Accusearch solicited requests for confidential information protected by law, paid researchers to find it, knew that the researchers were likely to use improper methods, and charged customers who wished the information to be disclosed. Accusearch’s actions were not “neutral” with respect to generating offensive content; on the contrary, its actions were intended to generate such content …”

The full decision is available on the Court’s website.

Is there an identifiable combination of social, economic, legal, technological or psychological factors that contribute to how Canadians make decisions about their privacy?

While an easy answer to this question is impossible, conversations at last week’s Computers, Freedom and Privacy 2009 Conference did offer some insight into how individuals perceive and protect their personal privacy.

Mike Shaver, drawing upon his experience working with privacy pioneer Zero Knowledge, noted that people at the time were interested in privacy protection, but did not want to deal with the financial cost, the complexity of privacy tools, or the degradation of the speed on their network.

In his experience, individuals “don’t enhance their privacy. They prevent it from being degraded and they limit the damage.”

In fact, people can act against their own interest, even when they are aware of the cost. As Shaver pointed out, we still continue to buy Starbucks frappucinos, even if they may violate our stated goals of losing weight and cutting down on sweets.

Lauren Gelman, of the Stanford Center for Internet and Society, argued that a more pragmatic approach to privacy advocacy may be necessary from time to time.

In developing What App?, a tool to help consumers judge the privacy protections behind third party applications, Gelman admitted that the project was “willing to sacrifice highly technical information for information that is useful for my mom and informing her decisions as a result.”

A different panel touched upon literacy skills – and whether online users were equipped to interpret the range of written, visual and audio information presented to them online.

Past research by Valerie Steeves and Jacqueline Burkell has confirmed that literacy skills can affect how users assess their exposure to privacy risks – especially if online privacy policies are presented as cumbersome documents, hidden in a thicket of legal terminology.

Is the solution a more elaborate but considered opt-in process, like that put in place by Google in order to subscribe to its PowerMeter application?

Or is reality more accurately reflected in the announcement last week that Dairy Queen will offer free or discounted ice cream treats to members of their new loyalty program – a program which depends upon an RFID chip stuck to each customer’s mobile phone?

It seems clear that privacy advocates will have to spend more time looking at the social sciences (economics, psychology, sociology) while evaluating novel approaches to privacy protection – approaches that attempt to influence individuals to make more privacy-positive choices in their day-to-day lives.

A clickable icon on all behavioural advertisements to find out (quickly and in plain language) what type of information an advertiser is collecting and using about you?  Sounds too good to be true for us privacy enthusiasts but this intriguing concept was recently blogged about in the New York Times.

According to the blog’s author, Saul Hansell, the concept of a “privacy dashboard” was developed by Joe Turow, a marketing professor at the Annenberg School for Communications at the University of Pennsylvania.  Mr. Turow has suggested that advertisers: “Put an icon on each ad that signifies that the ad collects or uses information about users.”  You can click on the icon (Mr. Turow has suggested a “T?” for behavioural targeting) where the privacy dashboard would tell you what information was used to deliver that particular advertisement to you (such as your surfing habits) and allow you to edit any information or opt out of targeting completely.  Score one for privacy principles!

This comes on the heels of Google’s recent announcement of its interest-based advertising system.  The post points out that the “Ads by Google” link will only provide limited information about the targeting system and allow users to adjust some of the interest settings Google is tracking.  Mr. Turow’s dashboard on the other hand, would explain exactly why you are seeing a particular ad and allow you to delete or modify the information advertiser used about you to serve that ad.

Behavioural targeting can be perceived by some as creepy and invasive – to have a simple tool where you can learn more about an advertiser’s data collection and usage practices and exert some control over what information they can and can’t use about you can allow those who feel stalked by the internet to close the curtains.  Providing choice to the consumer will likely benefit advertisers over the long run as it could help mitigate potentially negative (and long-lasting) impressions that unwanted behavioural targeted advertising can create.

You know, you’re not really worrying quite enough about the information being collected about you, your preferences, your obsessions and your movements. Not by the government, not by security agencies or law enforcement officials, but by the companies that serve you everyday.

I suspect that everyone reading this blog is familiar with the tracking and monitoring put in place by online companies like Amazon, whose recommendation engine analyzes your previous searches, purchases and related items and then suggest related books that might interest you.

But Steven Baker’s The Numerati sheds some light on the many, many efforts underway to collect information on individuals, groups, professions, communities and demographic segments. Information that can then be analyzed by teams of highly skilled mathematicians, statisticians and inspired polymaths to identify associations between seemingly disparate details – associations that can be used to make decisions about how the company approaches you as a customer.

Once this information is properly analyzed, companies can target advertising, design product placement in grocery stores, monitor your elderly parents, pull together teams of consultants from across the world, anticipate the onset of diseases like Parkinson’s and Alzheimer’s and, of course, drive you to the polls on election day.

“I think we’re in the early days yet. They don’t know you all that well yet. … One of the important things is that they’re beginning in areas where they can make mistakes …

The shopping people have ridiculous amounts of data about the shopping patterns of every one of us, so they can understand what makes a Cheerios buyer a likely Cheerios buyer. The counter-terrorists do not have good data on how potential terrorists behave, so it makes it very difficult for them …”

Eerily, Baker recounts one part of a conversation with the chief mathematician of the National Security Agency, who Baker asked “do you get too much information?”

The response? “You can never have too much information. You might not understand it; you might not know how to manage it; you might not know how to store it, but you can never have too much.”

Remember: the Numerati described in Baker’s book are not collecting personal information (in what we would consider the traditional interpretation), but their work can reveal a tremendously rich portrait of a customer’s preferences and choices. When combined with standard demographic data, or even voter files, these math wonks can create profiles that can help marketers, product designers or political consultants to focus and target their efforts to sway your decision making.

“They make tons of mistakes. The areas where they thrive are those like advertising, where they can afford to make mistakes.”

The quotes above are taken from an interview between Stephen Baker and Leonard Lopate of WNYC radio.

Nora Young, the host of CBC Radio’s Spark, also interviewed Baker, and there was one comment that was particularly insightful – and funny:

“There was one story about an FBI agent in California who wanted to track the consumption of hummus, thinking that hummus could be an indicator of terrorist acitivity. And you know, I don’t know about here, but where I live hummus is an indicator of yoga.”