
Archive for the ‘Private Organizations’ Category

25 Mar 2008

Top Ten Lists


Day to day, our actions are being captured, and increasingly, it’s being done by surveillance cameras. This technology – like RFID tags – is being used by more organizations every day to improve security and deter thieves. And while that’s a perfectly legitimate reason to employ cameras, organizations should also be ensuring their surveillance activities minimize the impact on people’s privacy.

With that in mind, we released new video surveillance guidelines earlier this month, setting out how organizations should evaluate the use of video surveillance and how to respect privacy rights and comply with the law.

And if our guidelines can be considered the Top Ten list on what to do when considering video surveillance, think of this video as the Top Ten list on what not to do.



5 Mar 2008

RFID in the workplace


While there are certainly some novel uses for RFID technology out there (like studying the secret life of bees), RFID systems are increasingly being used for the more practical purposes of improving productivity and enhancing security.

The increasing appetite among companies to use this technology to track their employees is a worrisome trend for the Office of the Privacy Commissioner. While we certainly recognize the business benefits of RFID systems, we believe they can also be used as surveillance tools, which raises important privacy concerns for employees.

Our office has just released a discussion paper outlining the steps organizations could consider, and questions that could be asked, before proceeding with RFID applications in the workplace. The paper includes some broad questions on the use of RFID technology, to which we invite stakeholders to submit their responses. We hope this paper will spark discussion on a growing trend with some serious implications.


29 Feb 2008

Watching you watching TV


We know you didn’t watch the Oscars last weekend. Neither did we. And according to the latest figures from the Nielsen Company, neither did many viewers. Nielsen has been tracking the habits of TV viewers for decades now, and their research figures prominently in the business decisions made by television and advertising industry heads.

Nielsen is now looking to expand its influence, hoping to eavesdrop on other activities – like web surfing, cell phone usage, and purchasing habits. They concede it’s a tough sell though – while many Nielsen families view their influence as tastemakers as a “point of pride”, they bristle at the idea of having many of their day-to-day activities tracked.

Still, Nielsen plans to go ahead with a number of pilot projects aimed at providing their clients with ever-more detailed information about their customers – from how often people look at TV screens in malls and stores to how much perspiration people produce when watching TV at home.


28 Jan 2008

A correction – but still a concern


Today, we issued a news release celebrating Data Privacy Day, an initiative of the International Association of Privacy Professionals. In that release we made the assertion that  “We have seen a proliferation of identity theft and spam as well as a tripling of reported data breaches around the world last year” – based on an analysis of data breaches first reported in USA Today, and similar reporting by the Associated Press.

“Dissent,” who blogs at pogowasright, contacted me to question that analysis. Dissent’s dissection of the claim that breaches have tripled can be found here and here. His/her email suggested that maybe we were thinking of the records revealed as a result of breaches?

I think we can all agree it is hard to track whether a data breach has occurred, unless it is then reported in the media. Dissent’s analysis seems to make sense.

At the Office of the Privacy Commissioner, however, we are certain that there were a number of remarkable data breaches in 2007 – in Canada and abroad.

Whether we are talking about breaches themselves or the records they revealed, there were millions of personal records exposed because of poor record handling, inadequate security, lax staff procedures and disregard for privacy agreements.

And that has to change.

But we still appreciate Dissent for paying close attention. We need more like him/her.


31 Dec 2007

A new year’s errand list


As we close out 2007, we’d like to sound a note of caution for privacy rights in Canada. We are lucky to have a variety of protections for personal information and data at the territorial, provincial and federal levels. Nevertheless, the Commissioner took a moment last week to highlight some of the steps that need to be taken by individuals, corporations and the government in the face of continuing challenges:

“Heightened national security concerns, the growing business appetite for personal information and technological advances are all potent – and growing – threats to privacy rights,” said Commissioner Stoddart. “The coming year will be another challenging one for privacy in Canada.”

What challenges, you may ask? Privacy International, a London-based non-governmental organization, issued their annual report on privacy protection world-wide. Canada was one of three countries recognized as a world-leader, but we were criticized on several fronts:

  • Federal commission is widely recognised as lacking in powers such as order-making powers, and ability to regulate trans-border data flows
  • Variety of provincial privacy commissioners have made privacy-enhancing decisions and taken cases through the courts over the past year (particularly Ontario)
  • Court orders required for interception and there is no reasonable alternative method of investigation
  • Video surveillance is spreading despite guidelines from privacy commissioners
  • Highly controversial no-fly list, lacking legal mandate
  • Continues to threaten new policy on online surveillance
  • Increased calls for biometric documents to cater for U.S. pressure, while plans are still unclear for biometric passports

23 Dec 2007

Assessing commercial activity on children’s favourite websites


In Britain, the National Consumer Council and Childnet have released the results of an extensive series of surveys and interviews with children, youth and their parents. Their work sheds some light into these groups’ activities online, including participation on youth-oriented websites, how they react to advertising aimed at children and youth, and their attitudes towards privacy.

Here are some of the findings from fair game? Assessing commercial activity on children’s favourite websites and online environments.

  • Nearly all (92 per cent) of the sites popular with children have a clearly-labelled privacy policy. But a quarter of third-party advertisers do not have a privacy policy on the websites that their adverts link to.
  • None of the children and only a few of the parents in our research had read a privacy policy. Both children and their parents found the small-print off-putting and lacking in relevance.
  • Few websites have privacy policies that children can understand, even if they try to read them; we found only eight policies on the websites popular with children likely to be understood by a 9-13-year-old.
  • Five advertisers encouraged children to give away their friends’ details or send the information to a friend in return for free offers.

‘Is that the box down the bottom? Ticks. It’s whether they keep your information to their company or share it. When you sign up for anything it’s right down at the bottom and if you don’t tick it you automatically get everything’. ‘(It’s there) ‘cos they have to. By law. It’s just blurb isn’t it? It’s all there. You haven’t got time to read it’.

Mothers of 7-11-year-olds


11 Dec 2007

A debate between security and privacy rights


Earlier this fall, we discussed the challenge delivered by Secretary Chertoff at the 29th International Conference: he argued that privacy rights must be balanced off against a country’s security needs.

In November, several prominent security and privacy advocates participated in a debate at the University of Virginia’s Miller Center of Public Affairs. The resolution?

“In the war against terrorism, and with advances in technology, Americans need to lower their expectations of privacy.”

Participating were Marc Rotenberg, Lord Alderdice, Douglas Kmiec, and K.A. Taipale.

Videos of their statements and rebuttals are available on YouTube and on the Miller Center website.

Here’s an excerpt from opening remarks by Lord Alderdice, the former speaker of the Northern Ireland Assembly:

“These are not just questions of law, politics, and the constitution; they are also very human questions. Invasion of one’s personal space creates feelings. Likewise, terrorism creates feelings. Sometimes these feelings are so powerful that we respond emotionally rather than reflectively and thoughtfully. When governments react emotionally, they very often make mistakes and the laws created are frequently counterproductive.”


7 Dec 2007

Not all data breaches are caused by fraud


This week, we’ve been speaking to the media* about an incident at the Passport Office: a person using their online application form found that they could access others’ personal documents by changing one variable in the URL displayed in their browser. The Globe and Mail and Slashdot report that this was likely the result of an error in the code behind the web page – or an omission in the code.

We’re still looking into the incident, but thought it was valuable to point out that not all data breaches are caused by fraud or theft. In some cases, personal information is left exposed because employees and organizations have left their data management systems unsecured.

They may not have updated their systems to the latest encryption standard, they may not require their employees to think up robust passwords, or they may have made a decision to wait for a more stable version of the software.

In the end, however, these organizations and their employees are making decisions about the security of their clients’, customers’ and colleagues’ personal information.

And sometimes that personal information leaks out.

At that point, a software or hardware issue becomes a matter of personal concern. The appropriate reaction from an organization is contrition and an expressed dedication to resolve the breach quickly and fully.

Oh, and a commitment to reforming the personal or organizational habits that led to the lax security in the first place.

*As you may have noticed, “we” generally refers to Colin McKay, the Director of Communications. Other employees have blogged, and we expect more of their work in coming weeks.
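
The kind of flaw described in this post, sketched as an added example (not code from the Passport Office site or from this blog): a record lookup that trusts the identifier in the URL, beside one that checks ownership on the server and records refusals. The store, account names and function names are hypothetical.

```python
# Added illustration; every name and record here is hypothetical.
import logging

log = logging.getLogger("app.authz")

# Constructed sample store: application id -> owner account and document name.
APPLICATIONS = {
    1001: {"owner": "alice", "document": "alice-application.pdf"},
    1002: {"owner": "bob", "document": "bob-application.pdf"},
}
DENIED = []  # (user, requested id) pairs, kept for review and alerting


class Forbidden(Exception):
    """The session user is not allowed to read the requested record."""


def fetch_unchecked(session_user, app_id):
    """Flawed pattern: the id from the URL alone selects the record."""
    record = APPLICATIONS[int(app_id)]
    return record["document"]  # session_user is never consulted


def fetch_checked(session_user, app_id):
    """Corrected pattern: ownership is verified on the server for every request."""
    try:
        record = APPLICATIONS.get(int(app_id))
    except (TypeError, ValueError):
        record = None
    if record is None or record["owner"] != session_user:
        # Same answer for "missing" and "not yours", so ids cannot be probed.
        DENIED.append((session_user, str(app_id)))
        log.warning("denied: user=%s id=%r", session_user, app_id)
        raise Forbidden("no such application for this account")
    return record["document"]
```

A run of refusals from one account across many identifiers is the pattern worth alerting on in the `DENIED` record.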