You Might be Interested In

I know. It’s kind of boring when I only post excerpts from our more formal publications. In some cases, though, the traditional news release and backgrounder nail the issue and the details.

We’re ” … hosting consultations with Canadians on issues that we feel pose a serious challenge to the privacy of consumers, now and in the near future.

The topics to be explored include the online tracking, profiling and targeting of consumers by businesses, and the growing trend towards cloud computing.

The aim of this consumer consultation is to learn more about such industry practices, explore their privacy implications, and find out what privacy protections Canadians expect with respect to these practices. The consultation is also intended to promote debate about the impact of these technological developments on privacy, and to inform the next review process for the Personal Information Protection and Electronic Documents Act (PIPEDA).

The centerpiece of the consultations will be a series of single-day panel discussions [in Toronto, Montreal and elsewhere] involving a range of participants, including representatives of industry, government, consumer associations and civil society. In order to canvass the broadest possible range of views in preparation for these events, we are also welcoming written submissions.”

More details on the public consultations can be found elsewhere on our site.

Do your loved ones have toys on their wish lists this holiday? A stuffed animal for a little one… a cell phone or a camera for a teen? These days, these toys and gadgets are more than they used to be. Just a few years ago a stuffed animal was something to cuddle with and a phone was, well, just a phone! Now, many stuffed animals come with codes that allow kids to register them online so that they can play games, feed and care for them, and even chat and play with other kids. And many cellphones are phones, computers and cameras, all in one.

And while such toys and gadgets can be fun, we want people to enjoy them without putting their privacy and personal information at risk.

Here are our tips for protecting your privacy as you and your loved ones enjoy your new gadgets and toys. For parents especially:

Understand new toys and their capabilities – It is important to understand the capabilities of new toys and how your children will use them. Speak with your kids about how they will use the toy and, where appropriate, agree on guidelines and limits.

Pay attention to privacy settings and parental controls – Privacy settings on social networking sites control what people see about you. Only allow your friends to see your page, your posts, your photos and your applications. Parents, if you depend on parental control software that is installed on your desktop, remember that. Those controls won’t be in place on new mobile devices.

Remember, with Wi-Fi, children can access the Internet from anywhere in the house – And if their new toy/gadget has Internet capabilities they can also use it to access the Internet from locations and networks outside your supervision and control.

Here are our tips for protecting your privacy as you and your loved ones enjoy your new gadgets and toys. For everyone:

Think before you click – The Internet is a public arena, and photos and comments you post are permanent. Even if you delete them from a web page, they could continue to exist in archived pages, in your computer’s cache or on the computers of other Internet users who may have copied them. If you don’t want certain people to see something, now or in the future, don’t post it!

Pick and protect the perfect password – Your information is only as safe as your passwords. Use different passwords for different systems; make sure they are strong (eight characters or more and a variety of letters or numbers); never share them with anybody; and change them regularly.

Know your friends – Online, you can’t be 100 per cent sure who you are talking to. Don’t accept friend requests from people you don’t know in real life.

Protect your identity – Identity theft is a growing problem and the Internet is the least private of spaces. Don’t post or e-mail personal details such as your social insurance number, phone number, home address or birth date.

Be careful on online gaming sites – Online gaming sites are hotbeds of people accessing personal information. Be aware that ill-intentioned people can use information from your profile to establish accounts in your name, or use your stolen identity to access your existing accounts.

Be wary of e-mail or instant messages from unknown people – Don’t open online messages that seem odd or are from someone you don’t know. They could contain a virus or let a hacker gain access to your computer.

Have a happy holiday and enjoy all your new toys!

It’s also the 20^th anniversary of the day the United Nations General Assembly adopted the Convention of the Rights of the Child. A significant milestone, this made privacy a basic human right for everyone under the age of eighteen.

Privacy is a right that all young people should enjoy, no matter where they live. With today’s world being so different than it was 20 years ago, this is something they may not think much about. Today, young people are videotaped by security cameras almost everywhere they go. They are asked for their postal code or driver’s license number when they buy a pair of jeans. They can instant message, update their statuses, download music, talk to friends on Facebook and play games on their computers with people all around the world. Twenty years ago, if someone wanted to get in touch with you they had to phone you or send you a postcard!

It is so easy for young people to overlook their privacy rights and why they’re so important. And it’s easy to forget about the risks that are out there if they don’t protect their personal information. These risks can range from nuisance (all those marketers who are looking for people to target their ads to) to serious (from the people on the Internet who are looking for identities to steal, to the predators who are looking for victims). Many of them also tend to forget that when they post comments, photos and videos, online, that information is public and permanent and almost impossible to remove.

So today, on National Child Day, take a minute and remind the young people in your life, in your community, that privacy is their right. Have them look around youthprivacy.ca and click through the pages. Encourage them to find information about how they can have fun online while protecting this valuable basic human right.

Now that Canada has officially entered the “second wave” of the H1N1 flu season, and the United States President has proclaimed the H1N1 pandemic to be a national emergency, Canadians are staring at the possibility of a significant flu outbreak. The sense of concern and urgency about how to respond to this situation presents interesting challenges for protecting the right to privacy.

As anyone who has stood in the long lines to get the new H1N1 vaccine can tell you, preparing for the potential disruptions in our daily lives as a result of the flu outbreak may well be new territory for organizations, employees, as well as customers.  And business continuity plans don’t always address important privacy questions!

To help bridge this gap, we’ve developed guidance for organizations and a fact sheet for employees to explain how privacy laws apply in the private sector workplace during the H1N1 pandemic. This important work was prepared in consultation with our counterparts in Alberta and British Columbia.

Right now, in Canada’s current “non-emergency” situation, it’s important to remember that privacy laws apply in the usual way. For example, employers can collect only the minimum amount of personal information necessary to meet a business need.

However, it’s a different story if an emergency is declared. For example, if an outbreak is declared to be a public emergency, the powers to collect, use and disclose personal information to protect the public health may be very broad. Privacy legislation would not prevent the sharing of information in the event that H1N1 is declared to be an emergency pandemic.

This guidance will be updated as circumstances warrant.

As you may have noticed, we held a news conference this morning to announce further progress in our investigation into the privacy practices at Facebook. Our news release is now available, as is Facebook’s.

The changes proposed by Facebook will make it easier for users to make clear and informed decisions about how to share their personal information within the popular social networking site – and with whom.

Importantly, Facebook has announced that it will be making changes to its API. These changes will, effectively, force developers to acknowledge what pieces of information they would like to access in your profile, and why. The changes will also give each user the opportunity to deny an application access to that piece of information.

Here’s an excerpt from our news release:

Third-party Application Developers

Issue: The sharing of personal information with third-party developers creating Facebook applications such as games and quizzes raises serious privacy risks. With more than one million developers around the globe, the Commissioner is concerned about a lack of adequate safeguards to effectively restrict those developers from accessing users’ personal information, along with information about their online “friends.”

Response: Facebook has agreed to retrofit its application platform in a way that will prevent any application from accessing information until it obtains express consent for each category of personal information it wishes to access. Under this new permissions model, users adding an application will be advised that the application wants access to specific categories of information.  The user will be able to control which categories of information an application is permitted to access. There will also be a link to a statement by the developer to explain how it will use the data.

This change will require significant technological changes. Developers using the platform will also need to adapt their applications and Facebook expects the entire process to take one year to implement.

As many have rightly pointed out, it seems contradictory to participate in a social network and to then attempt to restrict access to some or all of your personal information.

To us at the Office, users should have the chance to find out what information is being collected by the social networking site or a third party application, and for what reason. Third party applications have long been a concern to members of the privacy advocacy community, since they have had relatively free access to the information stored in your Facebook profile.

If you have any doubt about the extent of the access granted to apps, just take this handy quiz developed by the Northern California chapter of the ACLU – but make sure to delete the app once you’re finished! (Facebook has instructions for that )

Thankfully, Facebook has made it clear that they consider the privacy of their users to be a priority – and maybe even a competitive advantage in comparison to other social networks.

The changes announced today will take months to implement, but the Office will continue to monitor progress on this important issue.

How comfortable, exactly, are online users with their information and online browsing habits being used to track their behaviour and serve ads to them?

A survey of Canadian respondents, conducted by TNS Facts and reported by the Canadian Marketing Association, reports that a large number of Canadians and Americans “(69% and 67% respectively) are aware that when they are online their browsing behaviour may be captured by third parties for advertising purposes.”

That doesn’t mean they are comfortable with the practice. The same survey notes that “just 33 per cent of Canadians who are members of a site are comfortable with these sites using their browsing information to improve their site experience. There is no difference in support for the use of consumers’ browsing history to serve them targeted ads, be it with the general population, the privacy concerned, or members of a site.”

But how much information are users willing to consciously hand over to win access to services, prizes or additional content?

A survey of 1800 visitors to coolsavings.com, a coupon and rebate site owned by Q Interactive, has claimed that web visitors are willing “to receive free online services and information in exchange for the use of my data to target relevant advertising to me.”

Now, my impression is that visitors to sites like coolsavings.com – who are actively seeking out value and benefits online – would be predisposed to believing that online sites would be able to deliver useful content and relevant ads.

That said, Mediapost, who had access to details of the full Q Interactive survey, cautions that users “… continue to put the brakes on hard when asked which specific information they are willing to hand over. The survey found 77.8% willing to give zip code, 64.9% their age and 72.3% their gender, but only 22.4% said they wanted to share the Web sites they visited and only 12% and 12.1% were willing to have their online purchases or the search history respectively to be shared …”
In both the TNS Facts/CMA and Q Interactive surveys, the results seem to indicate that users are willing to make a conscious decision to share information about themselves – especially if it is with sites they trust and with whom they have an established relationship.

Startling for privacy advocates is the willingness to trade data like zip code, age and gender – three data points that can effectively identify each individual when overlaid and correlated. (Kim Cameron has made this point, and academics from the University of Calgary have demonstrated how closely a postal code can target your actual street address.)

Now, users may be willing to provide that information because they fully intend to lie about it. In a survey conducted by our office in 2007, 13% of Canadians reported that they had deliberately given incorrect information to a retailer when asked for it – and that was in a face-to-face transaction. We can assume that it is far easier to mislead when simply entering information into an online form.

It is encouraging to read that respondents are reluctant to allow sites or services to share specific information about their purchases or their search habits.

A common thread seems to be emerging: consumers see a benefit to providing specific data that will help target information relevant to their needs, but they are less certain about allowing their past behaviour to be used to make inferences about their individual preferences.

They may feel their past search and browsing habits might just have a greater impact on their personal and professional life than the limited re-distribution of basic personal information by sites they trust. Especially if those previous habits might be seen as indiscreet, even obscene.

Twitter. That’s right; I’m going to talk about Twitter, making the Office of the Privacy Commissioner of Canada the official end point for the “Have you heard about Twitter?” meme. (For a quick summary of this meme, listen to this audio from a podcast called Jordan Jesse Go!)

Twitter, the instant messaging application that limits each message to 140 characters, is experiencing tremendous growth across a range of demographic groups.  Entrepreneurs, employees, supervisors, managers and executives are leaping aboard, sharing information as broad as golf scores, children’s hobbies, favourite movies, the relative tedium of on site meetings, and more interesting tidbits about their daily business.

Senior executives from across the Fortune 500 are experimenting with the service – and are being tracked by members of the traditional media.

While the Office doesn’t want to discourage the use of new technologies, especially when they seem to encourage professional development and the creation of personal networks, we continue to gently remind Canadians to watch what they say online.

This is especially true when it comes to business. Loose and quick finger work can result in uncorrectable errors and mis-statements. Every level of an organization handles information that could be considered sensitive or a business secret – from information in human resources files to the data underlying market forecasts.

Every online identity is expected to have a personality, and it is preferred that they have a professional or personal obsession that provides colour and detail to their activities.

If you are experimenting with an application like Twitter, you should have a clear idea of your desired identity in mind when putting finger to keypad.

THAT’s the way to avoid embarrassment – at home and at the office.

Today the OPC issued Captured on Camera, a fact sheet intended to help Canadians understand the privacy issues surrounding street-level imaging applications like Google StreetView and a similar product offered by Canpages.(html), (pdf)

The basic message?

“Under Canadian privacy law you should know when your picture is being taken for commercial reasons, and what your image will be used for. Your consent is also needed. There are exceptions, but they are very limited and specific.” …

“We think companies that engage in this activity have to let citizens know that they are going to be photographing the streets of their city, when this will happen, why and how they can have their image removed if they don’t want it in a database.”

There’s more, but you should go read it yourself.

“Captured on Camera” is a joint product of the OPC and the Privacy Commissioners of Quebec, Alberta and British Columbia.

How does society reconcile the technological benefits and privacy impacts of new technology? Deep packet inspection is just one seemingly neutral technological application that can have a significant impact on privacy rights and other basic civil liberties, especially as market forces, the enthusiasm of technologists and the influence of national security
interests grow stronger.

We have produced a web site (http://dpi.priv.gc.ca) meant to serve as a resource on deep packet inspection. It grew out of a desire at the Office of the Privacy Commissioner of Canada to understand more about a technology that has application in network traffic management, behavioural advertising, and law enforcement.

In the summer and fall of 2008, we contacted leading academics and professionals working in telecommunications, law, privacy, civil liberties and computer science to ask if they would contribute a short essay to a project we were planning – a project that would help Canadians understand the impact of just one component of the technology that underlies our networked society.

The resulting project site presents the work of these academics, lawyers, researchers, activists and industry professionals. We value the time they invested in preparing their essays, and we are happy to present their work in a format that will, hopefully, encourage further discussion around deep packet inspection and similar technologies.

You will notice that this web site was developed with sharing in mind. There are opportunities for you to leave your comments about each essay – either through a written comment or by voting on the essay. We have built in links to some of the more popular content sharing services, in case you think some or all of the essays should be brought to the attention of friends, colleagues, legislators or others.

Or, alternatively, please feel free to send me your comments.

What would you think if you wrote a letter and it could be opened up by a postal or a courier service before it reaches its destination?  What would you think if that happened to your online communication?  It’s not necessarily a hypothetical question.

Stemming from a request to the CRTC from the Canadian Association of Internet Service Providers (CAIP) to stop Bell from throttling/shaping their wholesale internet service, the CRTC reached a decision on November 20, 2008.  Though CAIP’s application was denied, the CRTC noted that a number of parties raised concerns related to Internet traffic management practices that were beyond the scope of that particular procedure.

As a result, the CRTC announced that it would be holding public consultations to review the Internet management practices of Internet service providers.

In a previous blog posting we discussed the CRTC decision and this new public consultation – which calls for written submission (due by February 23, 2009) and a public consultation (planned for July 2009).

One issue that has been the focus of much debate is the use of deep packet inspection (DPI) to shape/control traffic.  So, what is the privacy issue? Well, there is the potential for DPI technology to peek into an individual’s entire on-line activity, which may include sensitive personal information.  When DPI is used, it is also seemingly “invisible” to individual users. It is important that we are made aware of DPI’s potential use to manage our activities on the internet.

Last year, the US Federal Communications Commission (FCC) ruled on a complaint about internet service provider Comcast Corporation’s network management practices – which included using DPI and false reset packets to manage traffic generated by peer-to peer (P2P) applications.

The FCC found that Comcast’s level of disclosure to its customers was inadequate, and that individuals would not have been able to reasonably recognize that P2P applications were being discriminated against.
Comcast’s “…practices are not minimally intrusive…but rather are invasive and have significant effects.”

The FCC also noted that Comcast was using DPI to monitor its customers and route electronic communications based on the contents of the communication and not the address.

For the CRTC consultations, a number of interested stakeholders are providing their opinions on Internet traffic management and other related matters.

As we’ve already noted, the OPC is one of those interested parties. We have provided a written submission (.pdf), contributing to the overall discussion of privacy, which can be found on the CRTC’s website.

We hope that if you do have a chance, you are able to look at the submissions from all the parties.  If you would like to share your views on the submissions, we look forward to hearing your thoughts – this consultation is an excellent opportunity to promote and encourage discussion on the privacy issues related to Internet traffic management practices.