You Might be Interested In

Have you ever looked yourself up online and wondered how companies you have never heard of know your name? Where did they get your information and what are they using it for?

Data brokers were the subject of a recent article in The Wall Street Journal’s “What they Know” series on online privacy. Data brokers collect personal information from various sources such as public registries, telephone listings, product registration cards, and, notably, online social network sites and blogs.  The information is then compiled into profiles and sold – to marketing companies, to individuals through “people finder” websites, to fundraisers.

In the past, data brokers relied primarily on organizations like retailers, subscription services, payment processing companies and charitable organizations to share their customer information by renting or selling customer lists. The lists would typically include names and contact information together with attributes like income, age group, number of children, purchase history, and interests. Data brokers would combine these lists with information from other sources, like survey and census data, to generate specialized lists they would then sell to marketers.

Now that we spend more and more time in a digital world, data brokers are able to tap into a wealth of rich new data sources.  Vast amounts of customer information is being stored online. Public records, like court decisions, no longer live in musty filing cabinets but can be accessed by anyone anywhere with the click of a mouse.  Our actions online – where we go, what we do – are tracked and recorded.

And then there is the information that we voluntarily share on social networking sites, blogs, chats and other social media services. Data brokers say this information has been made public and therefore should be free for the taking. Privacy advocates argue that combining and repurposing data exposes individuals in ways they may not have anticipated or consented to. Why do Canadians chose to reveal personal information online? Privacy by obscurity is a theme we at OPC often hear when we ask that question. “I’m not a celebrity so why would anyone be interested in what I post?” Data brokers are interested because collecting and selling your information is how they generate revenue.

The implications of having so much of our personal information out in the ether are only beginning to be understood. Industry practices are not transparent and the average person knows little about companies that routinely harvest online information.  We have seen reports of information gathered from blogs and chats being used to help determine creditworthiness. But would we even know if that happened to us? And would we know how to stop it?

Many of these companies are based in the U.S., where consumers have to navigate a patchwork of laws and regulations that for some will mean being able to opt out of tracking or having information removed from brokers’ databases.  Here in Canada, we are more fortunate.  Canadian private sector privacy law gives individuals the right to see what information data brokers have about them, ask them to correct inaccurate information, and request that the information be deleted.  The only exception is contact information that appears in a public directory such as a telephone book.  American companies which operate in Canada are also subject to our privacy law. If, after contacting a data broker, you are not satisfied with the response, you can file a complaint with us.

You can also try to limit what information you willingly give away.  Be more selective when posting online, restrict your privacy settings, and think twice about filling out that customer satisfaction survey or warranty card. Stay vigilant and let us know if you come across practices that cause you concern.

With new technologies emerging all the time, it can be hard to stay in the loop in terms of privacy. Many applications and websites have privacy settings, but using them might not always be straightforward or obvious (or even seem to matter), especially to youth. That’s why the Office of the Privacy Commissioner of Canada is proud to be a sponsor of the Youth Privacy Online Conference in Toronto, held on Wednesday, December 1^st.

Social networking websites, as well as a variety of interactive applications on the internet, are a facet of daily life for today’s youth. Along with these new technologies comes the risk that many people using and interacting with the platforms do not understand how to ensure the safety of their personal information, or even of their person. This can result in such things such as identity theft, luring, and loss of employment, among a range of other consequences.  

The conference will feature speakers from Canada, the US, and the UK. It will be a forum for discussion, debate and inquiry that will focus on different approaches to protecting children’s privacy online. With the amount of time they spend on the web, youth privacy is a very prevalent subject in the media. This conference will be useful for people working with youth and give them a general idea of how to protect their privacy.

Click here for more information.

By now, many of you have heard of the information that is “leaking” from Facebook applications, and how this wide-ranging problem might affect your personal privacy.

On Monday, the Wall Street Journal continued its online privacy series by reporting that many popular Facebook applications leak personal information – in the form of Facebook user IDs – to online advertisers.  A Facebook user ID is a unique number issued to every user of the site, and is part of a person’s public profile: you cannot restrict access to your user ID simply by modifying your account’s privacy settings.

When you visit a web page, browsers typically report the URL of the page you were viewing before you clicked over to the current page: this is known as the “referrer” URL.  A Facebook app is often loaded on the same web page as third-party ads. When these ads are fetched (to be loaded onto the page), the application tells the advertising network the URL of the current page that is loading their ad. In the case of many Facebook apps, this URL contains the unique user ID of the person who loaded the page. This ID can then be used to identify that specific user – it is linked to public profile information like their full name.  The URL (with the ID) is sent even if the user does not click on any ads.

This is not the first time it has been the subject of discussion. It was raised in a research paper in August 2009 and – in a similar context – described in an earlier WSJ article about Facebook ads. A lawsuit has been filed in California that alleges that Facebook has shared personal data with advertisers.

Current debate around the privacy implications of referrer information has also included criticism of the statements made in the WSJ article. Some commentators found the article alarmist, and others pointed out that these issues are not specific to Facebook, but are a wider web privacy concern. Indeed, the broader privacy implications of referrer data have also been recently raised as part of a complaint to the Federal Trade Commission about Google’s use of referrer headers.

It is important to note that using referrer data is, by itself, a legitimate practice. The web standards that underpin how information and instructions are communicated across the internet allow browsers to send the referrer field as an optional part of a request to a web server. However, there is flexibility as to exactly what information is included in the referrer header, and also whether users allow their browsers to send referrer data in the first place. Harlan Yu outlined a number of solutions in a timely blog post; these include omitting IDs from the web request, using placeholder IDs instead of real Facebook IDs, and improving browsers to give people better control over the transmission of referrer data.

One prominent member of the web community co-wrote an Internet standard document that pointed out privacy concerns of referrer data:

Note: Because the source of a link may be private information or may reveal an otherwise private information source, it is strongly recommended that the user be able to select whether or not the Referer field is sent. For example, a browser client could have a toggle switch for browsing openly/anonymously, which would respectively enable/disable the sending of Referer…information.

The co-author? Tim-Berners Lee (considered the father of the web), in 1996. The privacy debate continues…

Understanding how we construct and manage our online reputations is crucial in our understanding of how people determine what to make public and what to keep private in online environments. The interview below, with Firefox’s Creative Director Aza Raskin, has some interesting observations on what the construction of identity and memories could look like in the future. Also, around 4:35, he talks about the work Mozilla has been doing to create a set of privacy icons in the style of Creative Commons licences to help people understand how their data is being collected and used.

We’re launching our 2010 My Privacy & Me Video Contest for 12-18-year-olds – and the first-place winners will win an iPad!

It’s the same thing this year – but a little different, too! Again, we’re asking them to create their own public service announcements about privacy. But this year, we’d like the videos to fall into one of four categories: Surveillance; Reputation Management; Targeted Advertising; or Online Scams. You can find all contest details here.

This year, teams can consist of one to three people. First-place winners in each category will win an iPad. Second-place winners will win a $200 gift card; and third-place winners will win a $100 gift card. We’ve recognized top-participating schools and teachers in the past, and we have something in store for them in 2010! The deadline is December 10, 2010.

For inspiration, sit down with your young ones and watch the 2009 winning videos. Then, have them start exercising their video-making muscles – we can’t wait to see what they’ve got!

On June 21, 2010, The Office of the Privacy Commissioner hosted its third Consumer Privacy Consultation event of the year. Located in Calgary, this consultation event focused primarily on the privacy implications of cloud computing.  Featuring a wide variety of industry experts and engaging panelists, the event was highly successful.

One of the factors contributing to the success of the event was the extraordinary online engagement of citizens both at the event and elsewhere. Using Twitter, interested participants could ask questions, share knowledge and engage with the experts. Hundreds of messages were exchanged over Twitter throughout the day, resulting in a fascinating back-channel to supplement the live interactions taking place at the consultation event itself.

Did you miss the event? You can still check out the Twitter chatter for the event below:

Calgary Consumer Privacy Consultation

Do you know how your location information is used?  A recent survey commissioned by security company, Webroot, asked 1,645 social network users in the U.S. and UK who own location-enabled mobile devices about their use of location-based tools and services.  The survey found that 39 percent of respondents reported using geo-location on their mobile devices and more than half (55 percent) of those users are worried about their loss of privacy. 

A few notable concerns over security and privacy: 49 percent of women (versus 32 percent of men) were highly concerned about letting a would-be stalker know where they are and nearly half (45 percent) are very concerned about letting potential burglars know when they’re away from home (a very real risk outlined nicely by Pleaserobme.com)

The growing popularity of geo-location tools and services (including offerings by industry giants such as Twitter, Apple, Facebook and Google) means that location information is being collected on a colossal scale and the real and potential uses for this information are just starting to work themselves out – from iPhone photos tagged with GPS coordinates to location-based gaming platforms such as Scvngr that enable mobile users to create their own location-based games.

This increase in the collection and use of location information can also pose unique risks for users.  The survey summary notes that a surprising number of respondents engaged in behaviors such as sharing location information with people other than friends that could put them, and their private information, at risk.  A blogger recently wrote about her experience with location sharing gone wrong and Foursquare was recently blasted for unintentional data leakage via their popular location-based service. 

As we note in our recent submission to Industry Canada’s Digital Economy Consultation, good privacy practices can support innovation by reinforcing confidence in users that they have the right to control their personal information and that the technology they use is secure.  With location information, the usual privacy concerns abound and with each cool, new service that hits the market. How to communicate these risks to consumers is something that occupies a great deal of our time.  Dealing with the privacy concerns of location information during the design phase for new services would help businesses avoid expensive (both financial and reputational) after-the-fact privacy fixes and might even provide those privacy-friendly businesses with a significant competitive advantage

We’ve just sent in our submission to the Digital Economy Consultation, available online here.

In our submission, we argue that privacy isn’t an impediment to innovation. Rather, we believe privacy can support innovation by reinforcing confidence in users that they have the right to control their personal information and that the technology they use is secure. Too often privacy is left out of the design stage, and fixes after the fact can be expensive. We recommend that privacy become an integral part of the business models that rely on technology. We want to see a privacy culture that complements Canada’s digital advantage and, in our submission, we put forward a number of recommendations on how the federal government can help build one.

First of all we recommend strengthening privacy protections within the federal government. We’ve written previously about the need to reform the Privacy Act, but we think the federal government can go even further in being a model user of technology – for example, we’d like to see the federal government make Privacy Impact Assessment (PIA) analysis a requirement as part of preparing Memoranda to Cabinet for program approvals. We’d also welcome the federal government’s use of state-of-the-art authentication and protection technologies. Other countries are already exploring this, including the United States, where they are looking at how open-source products and standards can be used to provide identity verification.

The consultation on the digital economy includes a discussion on the importance of digital skills. We increasingly view privacy literacy and online reputation management as part of a suite of digital citizenship skills necessary for success in the digital economy. To this end, we recommend making privacy literacy an integral component of digital citizenship and would like to see the federal government fund research to support digital citizenship programs.

We also recommend providing tools to help small and medium-sized enterprises (SMEs) – and in particular SMEs that are technology innovators – better understand privacy so that privacy is considered at the outset of the design stage, and built into the end product.

Finally, we’d like the federal government to fund “privacy positive” research and development – for instance, network and security technologies that incorporate privacy protections.

With only a handful of days left, we encourage you to read our submission, and the submissions and ideas of others and offer your comments.

Two years ago, we launched our youthprivacy.ca website to engage people on the issues around young people and digital privacy.

When we launched youthprivacy.ca, Twitter had about 500,000 users, Google was rumoured to be entering the mobile phone market, and the idea of managing your digital footprint was just gaining some steam.

To say a lot has changed over the last 24 months would be an understatement.

We want to redesign the site to better present existing and new content, and highlight resources and work being done elsewhere on the topic. We also want the process of rebuilding this website to be open and transparent. We feel that there is a much larger community of public servants and private citizens with the experience, the expertise and the skill sets to make this a useful and highly collaborative exercise.

After all, why build communities of practice if we only continue to build projects within silos and concealed behind departmental garden walls?

We are inviting input from people with interest and expertise from both within government (specifically #w2p and #ux communities of practice, and those with experience reaching out to young people and engaging in public education and social marketing) and external to government (non-profit sector, educators and librarians, young people themselves).

Much of the process will be run on GCpedia to facilitate contribution among Government of Canada employees. For folks external to government without access to GCpedia, we’ll provide some updates on this page – and if you have ideas on how we can open up collaboration to the outside community, let us know.

Check out the wiki page on GCpedia or this page for additional information, and let us know if you interested in pitching in. And I’ll leave you with this thought:

“It’s always easier to tame a wild idea than to invigorate a limp one.”

A few dedicated OPC staffers spend much of their time visiting schools and talking to young people about why privacy is important.  If you believe a popular line of thinking, privacy may seem to be a lost cause in the age of online social networking and “anything goes” disclosure. We who talk to youth on a regular basis, however, are always pleasantly surprised that a generation that is growing up online shows such interest and enthusiasm about protecting their information.  It’s nice when research findings reflect our day-to-day observations that many young people are in fact proactive about protecting their online privacy.

The Pew Research Center’s Internet and American Life Project recently published a report entitled “Reputation, Management, and Social Media” in which it found that “younger users are far more active and deliberate curators of their online profiles when compared with older users.” This infographic shows other interesting report findings about how people interact and conduct themselves online.

Much of the debate around online privacy seems to revolve around binary choices: if you post information online then you can’t expect it to be private; if you join a social networking site then you must want to share your information with everyone.  But the reality is much more nuanced. As danah boyd and others have argued, people want to share information with people they themselves have chosen, via privacy settings. PEW found that 71% of social networking users ages 18-29 have changed the privacy settings on their profiles to limit what they share with others online, and 58% keep some people from seeing certain updates. Contrary to what some tech moguls might want you to believe, online privacy among young people is alive and well.