You Might be Interested In

Canadians are heavy users of social networks and other communications technologies, but many are not taking basic steps to protect their personal information, a comprehensive new survey has found.

The telephone survey of 2,000 randomly selected adults, commissioned by the Office of the Privacy Commissioner of Canada (OPC) and published August 25, 2011, found that three-quarters (74 percent) of respondents own at least one mobile communications device, such as a cell phone, smart phone or tablet.

However, only four in 10 use password locks for the devices, or adjust their settings to limit the sharing of personal information that may be stored on the devices.

The 2011 Canadians and Privacy Survey also found that one-third of Canadians use public Wi-Fi sites, such as those located at coffee shops and airports, where online communication may not always be protected by encryption. Of those, fully 85 percent admitted to some concern about possible risks to the security of their personal information.

The poll, conducted in late February and early March by Harris/Decima, also found that just over half (51 percent) of respondents use social networking sites such as Facebook, MySpace or LinkedIn. Fortunately, four in five said they take advantage of privacy settings that allow them to control access to their online content. Even so, 45 percent of all respondents who use social networking sites acknowledged that they are concerned about the associated risks to their privacy.

While the survey found that younger Canadians aged 18 to 34 are the most enthusiastic users of technology, they are also appear to be the most likely to use available mechanisms to protect their privacy.

The OPC commissioned the poll in order to gauge public understanding and awareness of privacy issues, particularly in the Office’s four priority issues: information technology, public safety, identity integrity and protection, and genetic technology. Similar surveys were conducted in 2005, 2006, 2007 and 2009.

The complete survey, which has a margin of error of +/- 2.2 percent, 19 times out of 20, can be found on our website. http://www.priv.gc.ca/information/survey/2011/por_2011_01_e.cfm

Do youth care about privacy? We will explore this question on September 8, 2011, when our Office holds its next Insights on Privacy armchair discussion.  We have invited two experts on young people’s use of social media, Kate Raynes-Goldie (@oceanpark) and Matthew Johnson (@MFJ72) to talk about what privacy means to youth and how we can help youth preserve their privacy by promoting digital literacy skills.

Kate Raynes-Goldie is completing her PhD in the Department of Internet Studies at Curtin University of Technology. Her current research explores Facebook privacy issues by combining a study of the ideologies that drive the site’s privacy architecture with a nuanced look at user understandings and practices. Kate is also a Research Associate at Ryerson University’s EDGE Lab, where she is researching privacy, autonomy and social media for children.  She is the founder of PrivacyCampTO, Canada’s first privacy unconference. 

As Director of Education with Media Awareness Network, Matthew Johnson creates resources for educators, parents and community groups. He is the designer of MNet’s comprehensive digital literacy tutorials Passport to the Internet (Grades 4-8) and MyWorld (Grades 9-12). Matthew also writes the Talk Media blog, one of the most popular sections of the MNet Web site.  He has given presentations and interviews to parents, school, community and industry groups on topics such as the effect of media violence on children, video game addiction, alcohol advertising, children’s use of new media and the moral dimensions of computer games.

This event is the fifth in a series hosted by the OPC to shed light on experts doing new and thought-provoking work in the field of privacy.

To participate:

We are inviting full participation in this discussion. For those of you who attend the session in person, we will be asking for questions from the audience as well as inviting you to tweet the content using the #privtalks hashtag.

If you are unable to attend the session in person, and would like the speakers to address a particular aspect of this topic, please send your question to knowledge.savoir@priv.gc.ca by September 2^nd and we will try to incorporate it in the issues we cover.

The video of this event will be made available after the presentation, as we’ve done for previous Speakers Series events.

Space is limited and is available on a first-come, first-served basis. Please RSVP before September 6^th, 2011. Simultaneous interpretation for both official languages will be available.

When: 2:00-4:00 p.m. Thursday, September 8, 2011
Where: Minto Suites Hotel, 185 Lyon Street North, 2^nd Floor, Salon Vanier/Stanley

RSVP: knowledge.savoir@priv.gc.ca

One of the themes to emerge from our 2010 Consumer Privacy Consultations was the blurring of the divide between our public and private lives online. As we note in our consultation report:

with the prevalence of mobile technology and increasing popularity of social networking, the traditional notion of public and private spaces is changing. Social networking provides individuals with the mechanisms to make their private lives more public, and this is contributing to shifting expectations of privacy. In turn, some social networking operators point to this shift to justify further openness and sharing. The use of mobile phones and the increasing availability of location-based applications further bring the public eye into the private realm.

Our Office is striving to better understand the dynamics of information sharing in digital environments and what private and public really mean to the average person. Last February, as part of our Insights on Privacy speaker series, Christena Nippert-Eng and Alessandro Acquisti spoke about what motivates us to reveal or conceal details of our personal lives, and how we protect the private lives of others around us.

More recently, we conducted a poll of a thousand Canadians to gauge their attitudes about the types of information they consider private online and off.  Half of respondents admitted to sharing more information about themselves today, both online and offline, than they did five years ago. The poll also showed that the majority of those surveyed limits access to their personal information online, and either asks for permission or refrains from sharing the personal information of others. However, a similar majority of respondents posts their real names and personal details online and has not asked others to refrain from posting their information.  We will be using the survey results to narrow our focus as we pursue further study in this area.

An increasing number of researchers and other thought leaders have started engaging in meaningful dialogue about the shifting concepts of public and private space and the resulting impacts on information sharing. For example, the Berkman Centre for Internet and Society at Harvard University recently held a symposium on Designing Privacy and Public Space in the Connected World, to discuss, in part, how “design is also an agent of change. New media are our new public forums and the design of their interfaces affects what people reveal, wittingly or not.  Design is essential in making legible the line between private and public, and in showing people the significance of the information they are revealing.” Design was also the focus of our April speaker series event where Adam Greenfield and Aza Raskin discussed opportunities for privacy in the design of intimate devices, like smart phones, that we have integrated into our daily lives.

Hopefully, as we explore what drives people to online disclosure, we will be able to come up with ways to ensure that privacy can in fact exist online.

We have been following recent cases where online social networks have been accused of leaking personal information to third parties. The leakage is caused by the networks’ use of referrer headers (information about where on the web a user is coming from) that can include the username, allowing automatic linking to profile information if it is available.

New research from AT&T and Worcester Polytechnic shows that it is not just online social networks that are leaking information. In fact, more than half of the popular web sites examined in this study are also leaking personal information. The research was presented at the Web 2.0 Security and Privacy 2011 Workshop and the paper is available.

The major finding of the research is that 56% of the 120 popular web sites examined leak personal information to third parties in a variety of ways. This includes cookies, referrer headers, GET parameters, etc. The authors also show how identifying information can be used to link users across different sites.

The report is notable because it goes beyond online social networks to look at the practices of a variety of web sites that simply require people to create accounts. Leakage of private information, some of it identifying and/or sensitive, seems to be a common issue.

The authors also argue that the source of the problems is often the practices of the first parties, either through neglect or deliberate practices, and yet the current focus has been on third-parties. They show that the tools currently being debated, developed deployed, such as do-not-track headers in web browsers, will do little to solve the problem.

We continue to be interested in the privacy practices of web sites and online services, and we are monitoring the development of new web privacy practices and tools.

Last month, our Office was invited to participate in a youth privacy conference hosted by the American Library Association (ALA). The ALA’s Office for Intellectual Freedom has been focused on the issue of libraries and privacy awareness for the last three years, thanks to a grant from the Open Society Institute.  They plan to focus their efforts in 2011 on developing strategies for how best to deliver the privacy message to young people and see libraries as ideal places for youth to learn about privacy. They brought together privacy advocates, policy experts, librarians, educators, and our Office to pick our brains on how to best achieve this.

Their keynote speaker was Cory Doctorow of BoingBoing, who gave a very engaging talk via Skype where he advocated for network education – an approach we’ve discussed in this blog before.

He argues for the development of critical thinking skills, and defines the goal of youth privacy initiatives as  “A future where ‘why do you need to know this?’ is the default position when someone asks our kids to disclose information.”

He gave a similar talk at TEDx Observer recently on privacy and kids – worth watching:

On April 20^th, 2011, our Office is holding the third Insights on Privacy armchair discussion. We heard in February about what motivates us to reveal or conceal details of our personal lives, and how we protect the private lives of others around us.

To complement this talk, we’ve invited tech innovators Adam Greenfield (@agpublic) and Aza Raskin (@azaaza) to explore opportunities for privacy in the design of intimate devices, like smart phones, that we share our lives with every day, to the sensor-rich landscape that’s upon us. We’ll discuss opportunities for companies to empower individuals with greater choice and control over how their data are used and for greater collaboration within and across industry sectors.

In his 2006 book Everyware, Adam Greenfield argued that we were headed for a world in which keeping the boundaries between different roles in our lives was going to prove untenable. That notion is coming to pass with the current debate over the public/private divide and the blurring of our various roles and reputations online. Adam was Nokia‘s head of design direction for user interface and services from 2008 to 2010 and Lead Information Architect at Razorfish Tokyo. His current projects through Urbanscale focus on improving how users experience technology, such as stored-value cards for public transit and many other “smart-city” initiatives.

Aza Raskin’s passion for improving the way we experience technology recently had him heading up user experience for Mozilla, developer of the popular Firefox browser, where he rethought and simplified conventional approaches to privacy policies. Raskin left Mozilla in late 2010 to launch the start-up Massive Health, with the goal of helping people improve control of their health through innovatively designed technology and the ways we interact with it.

The video of this event will be made available after the event, as we did for the December 10, 2010 event with Jesse Hirsh and Chris Soghoian and for the February 28, 2011 event with Christena Nippert-Eng and Alessandro Acquisti.

Space is limited and is available on a first-come, first-served basis. Please RSVP before April 15, 2011. Simultaneous interpretation for both official languages will be available.

When: 2:00-4:00 p.m. Wednesday, April 20, 2011
Where: Minto Suites Hotel, 185 Lyon Street North, 2^nd Floor, Salon Vanier/Stanley

RSVP: knowledge.savoir@priv.gc.ca

Last month, we held our second Insights on Privacy armchair event, with Alessandro Acquisti and Christena Nippert-Eng as our guests. Much of the discussion revolved around the challenges of negotiating privacy in an online environment, and we heard many interesting observations about how human nature gets in the way of good online privacy decisions. Dr. Acquisti’s research shows that the more in control people feel over their personal information, the more sensitive information they tend to disclose. Granular controls in privacy settings give people a sense of power over their information that may be more illusion than reality. When deciding how much information to reveal, people also become confused in online environments because they cannot rely on the physical cues that guide them in their off-line interactions. Without physically seeing our audience, it’s easy to misjudge or disregard those who can see us.

What can be done to bring more reality to our online experience? With technology companies pushing disclosure, innovative solutions need to be developed to help individuals better adapt to the online world. Perhaps we should be presented with personalized visual cues, like a picture of a disapproving grandmother, to make us think twice before posting. According to Dr. Nippert-Eng, personalization is important because the reactions of those we know are much more influential than those of strangers. Dr. Acquisti believes, like many privacy advocates, that more privacy protections need to be built into technology, like seatbelts for the internet. This would go far in addressing the problem of perceived control over information, and make individuals less susceptible to making mistakes with their privacy.

As Dr. Nippert-Eng describes in her book “Islands of Privacy: Selective Concealment and Disclosure in Everyday Life”, we make dozens of privacy decisions on a daily basis. It would be nice if online that process became a little bit easier.

The next event in the Insights on Privacy series will take place on April 20^th with Aza Raskin and Adam Greenfield , who will talk about privacy, design and innovation. Stay tuned to our blog for details.

There have been recent reports about security vulnerabilities arising from the reuse of passwords on different web sites. What about the reuse of usernames? Can identities established on multiple web sites be linked together based on the usernames, and what are the implications for privacy?

A recent research paper from INRIA in France described an experiment that looked at over 10 million usernames from popular services such as Google and eBay. In some of the tests, Google profiles that listed multiple accounts on different web services were used to establish “ground truth” about linked usernames.

The first finding was that the usernames chosen by people on the various websites tend to be very unique, with a probability of duplication being approximately one in one billion. This was true for a variety of web services, including a corporate network, Finnish web forums, and MySpace.

Second, the researchers found that when people used different usernames for different services, many of the usernames were constructed by making very small changes to existing usernames (e.g., sarah, sarah2).

Third, the study demonstrated that more than 50% of the usernames created for different services could be linked to one another because the username was identical, or very similar, and unique from other usernames.

The results are important for privacy protection. Although you may limit the amount of personal information you reveal when using a particular service, if your profile can be linked to other services than a detailed personal profile can be constructed from the various bits of partial information. This could lead to embarrassment if a supposedly anonymous profile is linked to a real-world identity. Spammers and fraudsters could also gather information from multiple services to target their messages or launch phishing and social engineering attacks.

In a demonstration of the risks involved, a quick examination of people using anonymous file sharing services (private BitTorrent trackers) found that 13 out of the 20 usernames examined could be linked to other web services (e.g., YouTube, eBay) and 4 usernames could be linked to real-world identities.

The lesson is similar to the warning about passwords – make sure that you choose a truly unique username (and password) for each service that you do not want linked together.

There truly is an app for everything.

Recently, the digital world has been aflutter with news of the first-ever app approved by the Catholic Church – Confession, an app that helps Catholics prepare for the sacrament of confession by guiding the user through “a personalized examination of conscience”:

“To help those that are feeling guilty ready themselves for the sacrament of confession, the app provides a checklist of the Ten Commandments — along with mini-questions based on each — to help in compiling an inventory of malfeasance. The app even lets one add in non-traditional transgressions not already listed.”

One of the selling points of the app appears to be the password-protection feature, enabling you to lock out anyone who may try to find out about your sinnin’ ways. But what seems to be missing is what Little iApps, the developer of Confession, will do with the data they collect. According to reports, the app asks users to also provide information on their age, sex and marital status – paired with detailed information on the user’s transgressions, that’s a potentially detailed profile that would be quite attractive to marketers and others.

Details on the collection and use of the user-provided data wasn’t available on Little iApps’ site…so if the developer is collecting and using information without the user knowing, does that mean they’ve broken one of the commandments themselves – “Thou shalt not steal”?

On February 28, 2011, our Office is holding its second Insights on Privacy armchair discussion. We’ve invited behavioural economist Alessandro Acquisti and sociologist Christena Nippert-Eng to talk about what motivates us to reveal or conceal details of our personal lives, and how we protect the private lives of others around us.

In the context of their fields of privacy expertise, we will discuss how we represent ourselves both online and off and the implications of changing perceptions of public and private spaces. The discussion will extend to the challenges of maintaining a professional and personal presence online.

The Insights on Privacy Speakers’ Series is a series of armchair discussions hosted by the Office of the Privacy Commissioner to shed light on new and provocative voices doing interesting work in the field of privacy.

Alessandro Acquisti is an Associate Professor of Information Technology and Public Policy at the Heinz College, Carnegie Mellon University. He is the co-director of the CMU Center for Behavioral Decision Research (CBDR), a member of Carnegie Mellon Cylab, and a fellow of the Ponemon Institute. His work investigates the economic and social impact of information technology, and in particular the economics and behavioural economics of privacy and information security, as well as privacy in online social networks.  He is co-editor the book Digital Privacy: Theory, Technologies, and Practices (2007), an analysis of state-of-the-art technologies, best practices, and research results, as well as legal, regulatory, and ethical issues.

Christena Nippert-Eng is Associate Professor of Sociology in the College of Science and Letters at the Illinois Institute of Technology. Her most recent book, Islands of Privacy: Selective Concealment and Disclosure in Everyday Life (2010) is an exploration of the ways we think about privacy on a daily basis – how we try to achieve it for ourselves and enable it for others. In addition to her work as the National Chair of the Communication and Information Technologies Section of the American Sociological Association (2010-2011), Dr. Nippert-Eng conducts industrial research on people’s behaviour and relationships with objects and spaces, including information and communication technologies. She is currently at work on a second book on privacy and socialization.

To participate:

We are inviting full participation in this discussion. For those of you who attend the session in person, we will be inviting questions from the audience as well as inviting you to tweet the content using the #privtalks hashtag.

If you are unable to attend the session in person, and would like the speakers to address a particular aspect of this topic, please send your question to knowledge.savoir@priv.gc.ca by February 24th and we will try to incorporate it in the issues we cover.

We will also be offering the audience members the opportunity to complete a voluntary survey to provide us with their views on some of the key questions in the discussion.

The video of this event will be made available after the event, as we did for the December 10, 2010 event with Jesse Hirsh and Chris Soghoian.

Space is limited and is available on a first-come, first-served basis. Please RSVP before February 25, 2011. Simultaneous interpretation for both official languages will be available.

When: 2:00-4:00 p.m. Monday, February 28, 2011
Where: Minto Suites Hotel, 185 Lyon Street North, 2^nd Floor, Salon Vanier/Stanley

RSVP: knowledge.savoir@priv.gc.ca