MyDemocracy website not designed in a privacy sensitive way
Complaint under the Privacy Act (the Act)
Summary of Investigation
- The Office of the Privacy Commissioner of Canada (the “OPC”) received a complaint under the Privacy Act (the “Act”) against the Privy Council Office (“PCO”) in relation to the MyDemocracy.ca website (the “website”). The complainant alleged that, although the website indicated responses would be anonymous, the website used “Facebook Connect” tracking. As a result, the complainant raised concerns that the government may have been using tracking measures while at the same time publicly telling citizens that their responses were anonymous.
- We issued a Preliminary Report of Findings (“Preliminary Report”) to PCO on May 10, 2017, in order to provide PCO with our understanding of the facts and to set out our preliminary views in relation to this complaint. Our Preliminary Report also offered four recommendations to PCO with a view to promoting good privacy governance in any future initiatives. In its response to our Preliminary Report, PCO challenged some of the concerns raised by our Office; however, it submitted that the issues we identified serve as a valuable reminder that the Government needs to understand online tools to ensure that the safeguarding of individuals’ privacy remains a key priority.
- The OPC recognizes that the MyDemocracy initiative was designed to not only provide the Government with public opinion research, but also to engage as many Canadians as possible in a conversation about democracy through an innovative, online platform. However, despite this laudable objective, we are not satisfied that the MyDemocracy website was designed in a privacy sensitive way.
- Our review confirmed that the website design allowed for third party involvement that, in some cases, resulted in the disclosure of personal information to Facebook as soon as the MyDemocracy home page was loaded – before a user specifically opted to initiate or complete a social sharing action. While our investigation found no evidence that PCO was using measures to identify individual participants in the survey or to track individual responses to the survey questions, we remain concerned that IP addresses and other web browsing information was being shared with Facebook as an unfortunate result of the website’s design, thereby increasing the risk that users’ interaction with the website could not be truly anonymous. We are not satisfied that PCO obtained consent for the sharing of this personal information with Facebook. Consequently, we are not satisfied that PCO has met the disclosure provisions of section 8 of the Act, and we find this complaint to be well-founded.
- To this end, we reiterate our recommendations to PCO with a view to ensuring that privacy protection is a core consideration in the initial development and administration of any future similar initiatives.
- We take this opportunity to highlight PCO’s cooperation during our investigation of this complaint. We are pleased to note PCO’s commitment to protecting the privacy of Canadians and to ensuring that policies continue to adapt to the rapidly changing technological environment and support the Government’s efforts to engage Canadians in innovative ways.
- The rationale for our finding is presented below.
Background
- MyDemocracy.caFootnote 1 was a website that invited Canadians to “have your say about democracy.” According to the website, the purpose was “to create an innovative civic education and engagement application that will allow Canadians to learn more about their democratic values.” As part of the initiative, participants were asked to provide their opinions on a range of issues related to electoral reform. Participants then received feedback that would allow them to learn how their democratic values compared to other Canadians.
- After answering a series of questions, the participants’ results were displayed in the form of a voter group profile. Based on the responses, MyDemocracy associated participants to one of five results groups or “Archetypes”Footnote 2 (Guardians, Challengers, Pragmatists, Cooperators or Innovators) and compared the results with other Canadians. The website also encouraged participants to share their results with their friends and contacts using social media. In particular, the site contained links for Facebook and Twitter to facilitate social sharing (i.e., sharing buttons). It also contained links to other related websites that users could visit after they received their results.
- Participants could also voluntarily provide certain demographic information, including gender, year of birth, highest level of education, occupational area, combined household income before taxes, first language, identification with visible minority groups, and postal code. If participants chose not to submit the demographic information, they could still participate in the survey; however, their data could not be weightedFootnote 3 to make a more accurate inference about the Canadian population. The final MyDemocracy report included both the weighted and unweighted data.
- Participation in the MyDemocracy initiative was available until January 15, 2017. The initiative has now concluded and the findings are available online.Footnote 4
- In December 2016, media reports raised a number of concerns over the nature of the MyDemocracy website. This motivated our Office to conduct some preliminary technical analysis and to engage in consultations with PCO in relation to the website. As a result, our Office highlighted several concerns to PCO and made some suggestions to assist PCO in improving the measures in place to protect personal information. We identified the following main areas of concern:
- The demographic information collected goes beyond the required data elements listed in the Standards for the Conduct of Government of Canada Online Public Opinion ResearchFootnote 5 without apparent justification. We also highlighted that while the Privacy Notice outlined the purposes for the collection of demographic data, additional notification at the point of collection would be preferable.
- Visiting the website resulted in requests to the Google Analytics service. This means that the website facilitated the sharing of certain information with Google Analytics when an individual visited the website. We noted that PCO should review its use of Google Analytics to ensure that it is within the parameters outlined in the Treasury Board of Canada Secretariat’s (“TBS”) Standard on Privacy and Web AnalyticsFootnote 6.
- Requests were made to Facebook servers as soon as the MyDemocracy home page was loaded, even though there was no social sharing capability offered to participants until after the questions were answered and the results displayed. We noted that the website facilitated the sharing of certain information with Facebook when an individual visited the website, even before participants in the survey chose to use any social sharing buttons.
- We also found that information about some individual users was disclosed to Facebook via cookies. In particular, if a Facebook user was simultaneously logged into the Facebook service, their browser held Facebook cookies that contained a variety of information about them, including a value that uniquely identified the individual to Facebook (i.e. Facebook ID).
- Once a participant completed the survey, their individual results were displayed using a special web address (the results page URL). This URL contained a string of unique characters so that, if the URL was visited again, it would display the participant’s individual results.Footnote 7 We also noted that, when a participant shared their results with Facebook, the unique results URL and the type of voter that the participant was most aligned with (e.g., Pragmatist) were automatically made available to Facebook.
- PCO responded in a letter received on December 23, 2016, in which it provided our Office with additional information on the issues raised, and advised us of the measures it proposed to take to address some of our concerns.
- In the interim, the present complaint was received by our Office on December 8, 2016. PCO subsequently provided submissions in response to the complaint in a letter received on January 18, 2017. Following our review of PCO’s representations, our Office issued a Preliminary Report to PCO on May 10, 2017, and received its response on June 9, 2017.
- The present Report of Findings (the “Report”) serves to summarize the facts and the representations received, and presents the findings of our investigation. The OPC’s investigation and Report focus on PCO’s obligations under the Act as the government institution responsible for the MyDemocracy initiative. This Report does not otherwise examine the practices of Vox Pop Labs (the “Contractor”), who designed and operated the website on PCO’s behalf, or draw any conclusions whatsoever about the Contractor’s legal obligations. Further, this Report does not examine the practices of or draw any conclusions about the activities or obligations of third parties, such as Facebook.
Definitions and Key Concepts
- The following definitions will apply for the purposes of this Report:
- “Browser characteristics” or “browser information”: information related to the make and version of the browser a user uses to navigate the Internet (e.g., Internet Explorer, Firefox, Safari and Google Chrome). This information can include the type of browser and version, as well as browser settings such as language and fonts used.
- “Component”: the contributions from third parties to a website are usually in the form of components, which are small, discrete digital objects delivered to a user’s browser (e.g., images, fonts, advertisements, software libraries).
- “Cookies”: when you visit a website, not only are you offered information or services, but your computer may also be offered a “cookie.” A cookie is a small file that is passed from a website to your computer. The cookie is used to save information about the interaction between you and the site, such as login credentials, preferences, and any work in progress. The cookie file is automatically stored by your browser (e.g., Internet Explorer or Firefox) on the local hard drive, and it can later be retrieved by the website.
- “Facebook Connect”: an extension of the Facebook platform. It allows website developers to help their users to login to various services using their Facebook credentials and/or share with their friends. The MyDemocracy website installed the Facebook Connect service as a component on their website and then used the social sharing features of the service (i.e. a Facebook “share” button).
- “Facebook ID”: a string of numbers that connects a user to their Facebook account. A Facebook ID can be used to see a user’s Facebook profile and any public information, and also allows applications to personalize a user’s experience on Facebook by connecting with their Facebook account.
- “GET”: an HTTP request method to retrieve a particular file or page. The request sent from a browser usually contains a set of extra information including the requestor’s IP address and browser characteristics. This is often referred to as metadata.
- “Google Analytics”: a free Web analytics service that provides statistics and basic analytical tools for search engine optimization (“SEO”) and marketing purposes. Our technical analysis of the MyDemocracy website revealed that the Google Analytics service was also being used.
- “IP Address”: an Internet Protocol (IP) address is a unique string of numbers separated by periods that identifies each computer using the Internet Protocol to communicate over a network.
- “JavaScript”: JavaScript is a programming language commonly used in web development as a means to add dynamic and interactive elements to websites.
- “Link”: a link is a connection from a word, picture, or information object to another. By clicking on a link, you can move to a new web page, or a completely different website.
- “Referer”: metadata that is included in many requests to indicate which web page the user came from. If a referer header is included in a request to a third party, it can reveal the first party web page that contained the third party component.
- “Third Parties”: a third party is another organization that participates in, or facilitates, or adds content to the website. Such third parties commonly include web utility providers, social networks, etc.
- “URL”: a Uniform Resource Locator (URL) is the global address of documents and other resources on the Web. For example, the OPC’s website address – http://www.priv.gc.ca – is a URL.
PCO’s Representations
- According to PCO, the Government of Canada initiated a national dialogue on electoral reform by creating an innovative civic education and engagement application that would allow Canadians to learn more about their democratic values. PCO commissioned the Contractor to create an online platform designed to engage as many Canadians as possible in the conversation about strengthening democracy, and which would provide the Government with statistically valid public opinion research data. PCO submitted that empirically-driven archetypes were created that would encourage social media diffusion and conversation – a key strategy to drive participation and reach less-engaged audiences.
- PCO submitted that the importance of protecting personal information was considered throughout the development of the website. PCO asserted that a number of steps were taken prior to implementation to ensure that potential privacy risks were identified and mitigated before launch, and that the selection of demographic information for the initiative aligned with the Standards for the Conduct of Government of Canada Online Public Opinion Research. PCO stated that the initiative relied on having sufficient demographic data on participants to weight responses against existing population-level data, such as the Census or the General Social Survey. PCO reviewed each question and submitted that all demographic information requested as part of the initiative was required to perform statistical analysis. PCO also stressed that participants were advised on the website that responding to the demographic questions was optional, and that participants would still be presented with their full results should they decide not to complete the demographic questions.
- PCO submitted that it did not directly collect or receive any information from participants in the MyDemocracy initiative and that all data collection, administration, and analysis for the initiative were undertaken by the Contractor. Further, the demographic information that the Contractor collected was only disclosed to PCO in an aggregate, anonymized form as part of the final report on the initiative results. PCO submitted that demographics at this level of abstraction cannot be associated to an identifiable individual.
- PCO submitted that all responses to the survey questions remained anonymous. The application did not collect a participant’s name or similarly identifying information. It also submitted that at no point was a participant’s responses rendered identifiable to a third party, including as a result of the integration of the Facebook Connect functionality or use of Google Analytics as part of the MyDemocracy initiative.
- According to PCO, the website collected the transaction records that all websites have access to – for example, the IP address and browser information. PCO submitted that the web transaction data does not constitute identifiable information about an individual, that the Contractor had no means of linking IP addresses to identifiable individuals, and PCO at no time received information about individual IP addresses. PCO explained that once this data was used to validate unique responses, it was purged from the dataset. With respect to third parties, PCO submitted that they only received common web transaction data, such as the user's IP address, browser information, and the site URLs that the user viewed within the application.
- To address some of the early concerns raised by our Office, PCO asserted the following:
- PCO amended the Profile module of the website to provide additional information so that participants could make an informed choice on whether to answer the demographic questions. With this change, PCO explained that the purpose for the collection of the demographic data was available in the Frequently Asked Questions (“FAQs”) section, in the Privacy Policy, and on the actual page of the website where the information was collected.
- PCO submitted that the use of Google Analytics for MyDemocracy.ca is consistent with the applicable standards on privacy and web analytics, and is standard across Government of Canada websites. Google Analytics only collects the user's IP address, browser information (e.g., type of browser, language of use, etc.), and site URLs that the user has visited. No other information is shared via this service, and at no time would Google receive a participant's responses to any of the survey questions.
- To enable Facebook sharing, PCO submitted that the JavaScript library provided by Facebook must load in the header of the website to enable the feature that lets users share their results. Notwithstanding that users move through different modules when completing the MyDemocracy survey, the website was built as a single-page application and the header of the application is therefore on the landing page. PCO stated that, while this process does allow Facebook to identify if one of its users is visiting the MyDemocracy website, this is clearly explained in Facebook’s Data Policy.Footnote 8
- According to PCO, the original coding architecture of the website is the industry standard. However, to address our concerns, the Contractor made changes to the website to only activate the Facebook JavaScript once a user clicked the Facebook share button in the results module. In other words, the Facebook Connect JavaScript was loaded into the user’s browser when they first visited the site, but it was no longer activated prior to a user taking an action to share their results on Facebook. With this change to the website, PCO submitted that, whether someone is simultaneously logged in to Facebook or not, the only information that Facebook could have collected is a user's IP address and browser information, which PCO contended cannot be linked back to a specific individual. PCO stated that it would not have been possible to address the ability of Facebook to collect IP address and browser activity of users unless the Facebook sharing functionality was eliminated altogether. To do this would have likely decreased the reach of social media diffusion as a method of engagement, as a participant’s ability to share their results on social media was an integral part of the application.
- PCO reported that it also amended the Privacy Policy of the website to enhance clarity on the presence of third party components.
- PCO reiterated that third parties do not receive any information from users as a result of using MyDemocracy.ca other than the user's IP address, browser information, and site URLs that the user has viewed within the application. At no time would individual responses to survey questions be shared with third parties.
- PCO reported that amendments were also made to the contract between PCO and the Contractor to better reflect the intention of the parties that PCO would only receive aggregate information and the resulting analysis, and would not receive non-aggregated information at any point in the process.
- According to PCO, the complainant's suggestion that the use of the Facebook Connect functionality undermines the anonymity of a participant's responses to MyDemocracy.ca is not substantiated. PCO submitted that at no point were a participant's responses to the MyDemocracy questions rendered identifiable to the Contractor, the Government, to Facebook, or any other third party as a result of the integration of the Facebook Connect functionality, and participants' Facebook IDs are not collected by MyDemocracy.ca. Thus, there is no link established between Facebook Connect and MyDemocracy.ca that would permit an individual's responses to be identified through this mechanism.
- PCO is of the view that there was no breach of its obligations under the Act. However, it worked with the Contractor to introduce special measures to address the concerns of our Office in relation to third party sharing.
Preliminary Report of Findings
- Our Office issued a Preliminary Report to PCO in May 2017 in order to set out our preliminary views and recommendations. Our preliminary conclusions were based on our technical review of the website, including the links and components to facilitate social sharing, as well as PCO’s submissions to our Office and the changes PCO implemented to address some of our concerns.
- Based on the website’s original design, we found that certain information was shared with Facebook when any individual visited the MyDemocracy website. In particular, we found that the user’s IP address, browser characteristics and MyDemocracy URL was shared with Facebook as soon as the MyDemocracy home page was loaded. We also found that the unique results URL that was shown at the end of the survey and the participant’s results group (archetype) were also shared with Facebook before a user specifically opted to complete a social sharing action. In addition, our analysis revealed that for those individuals who visited the website and who were simultaneously logged into Facebook, identifying information such as a Facebook user ID was also shared in cookies, thereby linking all of the above information to an identifiable Facebook user.
- We found no evidence that PCO was using IP addresses or other data elements noted above to identify specific individuals; however, we were of the view that for those users who were logged into their Facebook account when visiting the website, the information shared with Facebook clearly constituted the personal information of the Facebook logged-in user as this could have been linked back to and identified the user via the Facebook ID.
- Furthermore, we indicated our preliminary view that even for users who were not logged-in to Facebook, there was a serious possibility that these individuals could have been identified using the information shared with Facebook, such as their IP address, particularly when combined with other information such as browser characteristics and site URLs the user had viewed, and thus, this constituted personal information. Further, we noted that as a matter of government policy, IP addresses and other information about web browsing behaviour are considered to be personal information.
- Our review confirmed that the sharing of this information would have taken place automatically upon visiting the homepage of the website, including IP address, browser characteristics, and the MyDemocracy URL, before an individual even had a chance to learn about the website’s practices and make an informed choice about whether or not to interact with the website. We highlighted to PCO that our technical analysis revealed that a different design of the website could have avoided the premature sharing of information with Facebook. We also noted that PCO chose to integrate the Twitter sharing functionality in a more privacy sensitive way.
- We acknowledged that PCO made changes to the website to address some of our early concerns. In particular, PCO engineered and implemented a custom approach to activate the Facebook Connect JavaScript only after a user clicked the Facebook share button in the results module. While this addressed some of our concerns, we found that there continued to be information shared with Facebook before a user initiated a social sharing action.
- We also acknowledged that PCO amended the Privacy Policy of the website to enhance clarity on the presence of third party components; however, we were not satisfied that this notice, even as amended, would have been sufficient to obtain meaningful consent from individuals to disclose this information. Of particular concern was the timing of the disclosure – i.e., upon loading the homepage of the website, before an individual had a chance to learn about the website’s practices.
- While not the main focus of the complaint and investigation, our review confirmed that some information was also being shared with Google as a result of the integration of the Google Analytics service. In so doing, Google also received the network characteristics, including IP address, as well as the MyDemocracy URL. We raised concerns to PCO that it was not clear that the requirements of the TBS Standard on Privacy and Web Analytics was followed in the development of the MyDemocracy website.
- Our Office also highlighted to PCO that it did not conduct a Privacy Impact Assessment (PIA) in relation to the MyDemocracy initiative, as required by the TBS Directive on Privacy Impact AssessmentFootnote 9. Given the nature of the MyDemocracy initiative and the personal information collected, PCO fell short of our expectations in this regard by failing to evaluate the effects of the initiative on individuals’ privacy.
- While the MyDemocracy initiative had concluded, we nevertheless took the opportunity to offer several recommendations to PCO with a view to promoting good privacy governance in any future initiatives. We recommended that:
- consideration be given to ensure that the necessary privacy assessments are conducted to determine whether a new or modified program or activity will have an impact on privacy and warrant the conduct of a PIA, in line with the TBS Directive on Privacy Impact Assessment;
- steps be taken to ensure that the use of third party components do not cause privacy risks to users, and (unless an appropriate exception to consent applies) any sharing of personal information only occurs with consent. For example, only after a user has deliberately initiated a social sharing action;
- at or before the time of collection, individuals are informed of all purposes for which their personal information will be used and/or disclosed. The Privacy Policy of a website must reflect the website’s privacy management practices regarding the collection, use and disclosure of personal information, and this information must be presented in a clear, concise and easy-to-find manner on the website (e.g., at key decision points);
- consideration be given to ensure that the appropriate requirements are met for the use of Web Analytics, in line with the TBS Standard on Privacy and Web Analytics.
- We also shared our views with PCO that the the demographic information that was collected for the purposes of the MyDemocracy initiative may in fact constitute personal information under the Act. To this end, we strongly urged PCO in any future initiatives to ensure that the collection of this information is not only directly related to its operating program or activity in accordance with Section 4 of the Act, but is also demonstrably necessary, in line with the TBS Directive on Privacy Practices.Footnote 10
- In response to our Preliminary Report and recommendations, PCO made the following comments:
- PCO reiterated that the inclusion of third party services in MyDemocracy.ca, such as Facebook Connect or Google Analytics, at no point jeopardized the anonymity of user responses, as users' responses were never shared with any third party and never associated with an identifiable individual. The Government of Canada did not, at any time, use "tracking measures" of the complainant's responses or those of any of the other 360,000 participants.
- PCO noted that to the extent that the results URL containing one of the five generic archetypes was at times shared, it was not "automatically" shared.
- PCO reiterated that a custom implementation of Facebook Connect was implemented which resulted in the unique results URL only being shared when Facebook users specifically opted to share their results by clicking the Facebook share button on the results page. Users' responses themselves were never disclosed to Facebook nor were they ever at risk of being disclosed.
- PCO submitted that the metadata transmitted to Facebook as a result of the integration of the sharing functionality into the MyDemocracy website are visible through routing networks, Internet Service Providers (ISP), etc. during the lifecycle of a request. This information cannot be hidden during transport. Its transmission is inherent to the fundamental architecture of the Internet. This information is also visible to Facebook's content delivery network (CDN) when loading their JavaScript files. However, this information does not contain Facebook session cookies and other personally identifying data.
- With respect to the different implementation of the Facebook and Twitter functionalities we referenced in our Preliminary Report, PCO submitted that Facebook has different limitations on sharing implementation. Namely, that Facebook requires the use of a JavaScript library while Twitter allows sharing via a URL, and while Facebook previously allowed sharing via URLs, PCO stated that that functionality was removed.
- PCO stated that to obtain a Facebook account, individuals must agree to Facebook's Terms of Service. In doing so, users agree that Facebook not only collects their browser data while they are logged in, but that Facebook will also be able to access data saved in browsers while not logged in. If a Facebook user does not wish to share his or her Internet activity and personal information with Facebook, they have a variety of options, such as using private browsing modes, accessing websites from a computer (and IP address) that they never use to log in to Facebook, clearing their browsing data before logging in to Facebook, or deleting their Facebook account.
- PCO stated that the Contractor had no mechanism to link the hundreds of thousands of IP addresses to individuals who visited the site. Consequently, PCO submitted that it is not clear that the information that was shared this way did result in a serious possibility that an individual could be identified, thus not meeting the threshold of "information about an identifiable individual" as prescribed by Section 3 of the Act.
- PCO submitted that it did not complete a PIA because the Government of Canada was not itself collecting any personal information, nor was a new social media account being established for the purposes of the MyDemocracy.ca initiative. In retrospect, PCO stated that it is unfortunate that one was not undertaken in the case of MyDemocracy.ca, as it may have revealed ways of further enhancing some design elements and would have been a best practice to conduct one. Going forward, PCO stated that it will be sure to undertake PIAs on the design and privacy implications of a new project.
- PCO explained that the MyDemocracy website was hosted on a third party web site (i.e. the Contractor’s), and not on the Government of Canada web site, which partially explains why a separate contract for the use of analytics was not put in place.
- PCO reiterated that the demographic data collected complied with the Standard for the Conduct of Government of Canada Public Opinion Research Online Surveys. It will continue to be judicious in determining what demographic data to collect in any future initiative of this nature.
Analysis
- In issuing our finding, we considered sections 3 and 8 of the Act.
- Section 3 of the Act defines personal information as information about an identifiable individual that is recorded in any form including, without restricting the generality of the foregoing: information relating to race, national or ethnic origin, colour, religion, age, marital status, education, medical, criminal or employment history, financial transactions, identifying numbers, fingerprints, blood type, personal opinions, etc.
- Information is considered identifiable when “there is a serious possibility that an individual could be identified through the use of that information, alone or in combination with other information”.Footnote 11
- Under section 8 of the Act, personal information under the control of a government institution shall not, without the consent of the individual to whom it relates, be disclosed by the institution except in accordance with one of the categories of permitted disclosures outlined in subsection 8(2).
- The following paragraphs outline our final analysis and conclusions in relation to this complaint investigation.
- Our investigation confirmed the following:
- The MyDemocracy website facilitated the sharing of information with Facebook when an individual visited the site due to a GET request (this request was used to load Facebook JavaScript components), including IP address, browser characteristics, and the MyDemocracy URL. This information was transmitted on the homepage of the website, before participants in the survey chose to use any social sharing buttons.
- Once a participant completed the survey, their individual results were displayed using a special web address (the results page URL). This URL was based on a random string of characters assigned to a participant’s unique set of aggregated results. When a social sharing action was started, our technical analysis confirmed that the unique results page URL was shared with Facebook through a referer header, even if participants did not complete the social sharing action. In other words, when a user clicked on the Facebook share button, the website launched a window to authenticate the user. At this point, before the user even logged into Facebook, the IP address, browser characteristics, and unique results URL were shared with Facebook.
- When a participant completed a social sharing action with Facebook, the unique results URL, as well as the type of voter that the participant was most aligned with (archetype), were also made available to Facebook through a referer header and cookie.
- For individual users that were simultaneously logged into the Facebook service, we found that information was also disclosed to Facebook via cookies. In particular, the individual’s browser held Facebook cookies that contained a variety of information about them, including a value that uniquely identified the individual to Facebook (i.e. Facebook ID). However, we note that the Contractor implemented a custom modification to the website during the investigation. As a result, cookie information for logged in Facebook users (and accordingly, the Facebook ID) was no longer transmitted until such time as the user decided to share their results.
- The website facilitated the sharing of information with Google Analytics when an individual visited the site due to a GET request, including IP addresses, browser characteristics, and the MyDemocracy URL.
- Our investigation found no evidence that PCO was using IP addresses or other data elements noted above to identify individual participants in the survey, or to track individual responses to the survey questions. We also found no evidence that individual responses to the MyDemocracy survey questions were disclosed to third parties.
- Notwithstanding the above, we are not satisfied that the MyDemocracy website was designed in a privacy sensitive way.
- According to PCO, the website was constructed as a single-page application, and Facebook Connect was initialized on the first page visited and not multiple times as the user was routed between the various endpoints in the application. PCO submitted that its original design of the website to load and activate the Facebook JavaScript library on the homepage is standard across all websites. It was also suggested that this design allowed for improved useability, given the time it takes to load the Facebook library.
- While the chosen design approach allows for all necessary components to be loaded as a single page, it did not preclude loading components, such as Facebook Connect, later in a user’s interaction with the website. In our view, PCO could have chosen an alternative design that only loaded the Facebook components when they were needed – i.e., when a user initiated a social sharing action after they completed the survey – by choosing to load components dynamically or to use static web pages.
- To eliminate the disclosure of the unique results URL when initiating a social sharing action, PCO could have also created a different referral page for the sharing activity. That is, if PCO wished to maintain the functionality of creating a unique results page for each participant in the survey, it could have designed the site to take participants to a generic results page (e.g., one for all participants assigned a certain results archetype) before initiating the sharing actions.
- Another alternative design would have been to have users visit a static greeting page that did not contain the third party components. This greeting page could have provided notice about the involvement of any third parties and sought consent from users before the third parties began receiving any data.
- In our view, an alternative design would not have decreased useability in this case. Our technical analysis revealed that the Facebook library can be loaded in approximately 300 to 400 milliseconds – the time it takes for the blink of an eye.
- We also refer to PCO’s statement that Facebook has different limitations than Twitter in that it requires the use of a JavaScript library, while Twitter allows sharing via a URL. PCO stated that the functionality for Facebook sharing via URLs was removed; however, we note that Facebook still allows sharing via a URL, as described in their documentation for developers.Footnote 12 Sharing via a URL works without JavaScript, which has the additional benefits of increasing load times and decreasing data transfers (by eliminating reliance on the relevant JavaScript libraries)Footnote 13.
- This leads us to our conclusions regarding the specific information that was shared. While there are clear examples of what constitutes personal information under the Act, information that at first glance does not appear to be about any particular individual can, when combined with other information and in certain contexts, be personal information, and can sometimes provide a fairly accurate picture of one’s personal activities, views, opinions, and lifestyle.
- An IP address can, in combination with other information, be used to build comprehensive profiles associated with an identifiable individual, and can be quite revealing about an individual’s Internet-based activities, as our research has shownFootnote 14. This was also recognized in a Resolution on Web Tracking and privacy at the International Conference of Data Protection and Privacy CommissionersFootnote 15, and has been recognized on a policy level within the Government of Canada.Footnote 16
- The addition of browser characteristics can make record linking more accurate since the set of characteristics can be quite unique.Footnote 17 One analysis of the common browser characteristics found in web logs showed that only 1 in 1,500 people shared the same characteristics.Footnote 18 The combination of IP address and browser characteristics can be quite powerful for matching different web activities. A recent research report found that this combined information could be used to recognize repeat visitors to a site with probabilities ranging from 75-90%.Footnote 19
- As highlighted in our Preliminary Report, it is PCO in this case, and not the third parties, that controls the online disclosure of personal information. Although third-party websites such as Facebook receive the information, the first-party services are in control of what components are included in their web pages and, subsequently, what information is collected from users, how it is used, and how it is disclosed.Footnote 20
- We considered PCO’s submissions that there was no way for the Contractor to link the hundreds of thousands of IP addresses to individual users – and therefore, not clear that the information that was shared this way did result in a serious possibility that an individual could be identified. PCO also submitted that the Government of Canada did not, at any time, use “tracking measures” of the complainant's responses or those of any of the other 360,000 participants.
- We acknowledge that our investigation did not uncover evidence that PCO had the ability to or was using IP addresses or other data elements noted above to identify specific individuals in the MyDemocracy survey. We also found no evidence that PCO was using measures to track individuals to link them to or reveal their survey responses. However, we are of the view that PCO needs to be mindful of the potential for the third parties it facilitates the sharing of information with to do so.
- To be clear, we do not have any evidence that Facebook was using measures to identify participants in the survey using the information it would have received from the website, nor have we consulted Facebook on this issue. In this regard, Facebook is not the subject of our investigation and we did not examine its practices.
- However, we found that the website design facilitated the transmission of IP addresses and the other data elements noted in this report which, in some cases, would have clearly constituted an individual’s personal information (i.e., in the case of logged-in Facebook users visiting the website, as this information could have been linked back to and identified the user via the Facebook ID). In other cases (i.e., logged-out and non-Facebook users), we are of the view that there would at least have been a risk that individuals could have been identified using this information.
- In this regard, we are of the view that advances in technology and data analytics have created risks that information obtained from individuals as they interact with various websites over time can be used to link individuals to their online activities. Further, as noted earlier, as a matter of government policy, IP addresses and other information about web browsing behaviour are considered to be personal information.
- Accordingly, as a best practice and to ensure compliance with the Act in cases where there is a serious possibility that individuals can be identified using IP addresses and other web browsing information, we would expect PCO to ensure the protection of this information in accordance with the Act, including ensuring consent is obtained for disclosures of such information unless an appropriate exception to consent applies. In our view, none of the exceptions to consent provided for under subsection 8(2) of the Act have been made out in the circumstances.
- We note that PCO referred to Facebook’s Terms of Service and the options available to Facebook account holders should they not wish to share their Internet activity and personal information with Facebook. PCO submitted that, under these terms, users have agreed to Facebook’s collection of their browser data and users have a variety of options to avoid sharing this information, such as using private browsing modes, accessing websites from a computer (and IP address) that they never use to log in to Facebook, clearing their browsing data before logging in to Facebook, or deleting their Facebook account.
- While we take no position on the adequacy of Facebook’s Terms of Service, in our view, the Terms of Service between Facebook and its account holders does not relieve PCO of its privacy obligations in the circumstances. In particular, we note that the website was a government initiative seeking citizen engagement under a central theme of anonymity. In this context, we are not convinced that website users would necessarily have expected the website’s integration of a third party component in this way.
- We acknowledge that PCO took steps to amend its Privacy Policy to enhance clarity on the presence of third party components. While this was a step in the right direction, we are not satisfied that the Policy, even as amended, would have been sufficient to obtain meaningful consent from individuals to disclose the information in question. Of particular concern to our Office is the timing of the disclosure – sharing of this information would have taken place upon visiting the homepage of the website, before an individual had a chance to learn about the website’s practices and make an informed choice about whether or not to interact with the website.
- The right information must be brought to an individual’s attention at the right time, and in a format that allows individuals to exercise meaningful control over their personal information. This is particularly key when promises, assurances, or claims of anonymity are made. In our view, individuals have a right to have a higher expectation of Government and that privacy protection will be a core consideration in the initial development and administration of these types of initiatives in order to protect the personal information of those individuals that may participate.
- We also note in this case that PCO could have chosen an alternative design that would have avoided this premature disclosure of information by only loading third party components when they were needed (i.e. when a user initiated a social sharing action), or sharing via URLs. As noted earlier, to eliminate the disclosure of the unique results URL when initiating a social sharing action, PCO could have simply created a different referral page for the sharing activity. That is, if PCO wished to maintain the functionality of creating a unique results page for each participant in the survey, it could have designed the site to take participants to a generic results page (e.g., one for all participants assigned a certain results archetype) before initiating the sharing actions.
Findings
- The OPC acknowledges that the Government of Canada must keep pace with and embrace modern technologies and the communication tools offered online. The Internet can provide innovative ways to strengthen, transform and improve the delivery of Government services and programs. Social media is one such tool that provides for increased connectivity and the opportunity to leverage social interaction as a means to engage with Canadians.
- We agree with PCO that innovation is inherently about learning and continuous improvement, and we also recognize that privacy must not be an impediment to innovation. However, the consequences of poor privacy insight can have an adverse impact on Canadians’ trust, particularly when promises of anonymity are made. The MyDemocracy initiative was an innovative platform to seek the opinions and views of Canadians; however, PCO should have been more prudent in assessing the initiative to ensure that privacy risks were identified and mitigated before the website was launched.
- Our investigation determined that the design of the MyDemocracy website included third party involvement that resulted in the disclosure of IP addresses and other browser characteristics to Facebook when the home page was loaded, even though there was no social sharing capability offered to participants until after the survey was completed. We concluded that in some cases this information could have been linked to specific individuals and thus would have constituted a disclosure of their personal information. We are not satisfied that PCO had consent for these disclosures.
- Accordingly, it is our view that PCO did not meet the requirements of section 8 of the Act, and we consider this complaint to be well-founded.
- We acknowledge that PCO made certain changes to address this issue, and also that our investigation found no evidence that PCO was using measures to identify specific individuals who visited the website, or measures to track individual responses to the survey questions; however, we remain concerned that IP addresses and other web browsing information was being shared with Facebook as an unfortunate result of the website’s design, thereby increasing the risk that website users’ interaction with the website could not be truly anonymous. In our view, a different website design would have been more appropriate to address the privacy risks noted in this Report.
Recommendations
- In concluding our investigation, we take this opportunity to reiterate the recommendations we made to PCO in our Preliminary Report. We hope that these factors provide some assistance to PCO and the Government of Canada in general in promoting good privacy governance in any future initiatives:
- Ensure that the necessary privacy assessments are conducted to determine whether a new or modified program or activity will have an impact on privacy and warrant the conduct of a PIA, in line with the TBS Directive on Privacy Impact Assessment;
- Take steps to ensure that the use of third party components do not cause privacy risks to users, and (unless an appropriate exception to consent applies) any sharing of personal information only occurs with consent – for example, only after a user has deliberately initiated a social sharing action;
- At or before the time of collection, ensure that individuals are informed of all purposes for which their personal information will be used and/or disclosed, and that this information is presented at key decision points;
- The Privacy Policy of a website should reflect the website’s privacy management practices regarding the collection, use and disclosure of personal information;
- Ensure that the appropriate requirements are met for the use of Web Analytics, in line with the TBS Standard on Privacy and Web Analytics, which aims to facilitate the use of web analytics in accordance with sound privacy practices that safeguard the privacy of visitors to Government of Canada websites.
- We agree with PCO that the Government needs to keep pace with the evolving landscape by offering services, providing information, and engaging with Canadians online. We are pleased to note that PCO recognized that the issues we identified serve as a valuable reminder about the need to understand online tools so that the safeguarding of individuals’ privacy remains a key priority. We are also pleased to note that, going forward, PCO has committed to undertaking PIAs on the design and privacy implications of new projects.
Annex
Definitions of the MyDemocracy.ca Archetypes:
1. Guardian – my democracy is “decisive and accountable”
Guardians tend to favour decisive governments that can take swift action and offer a clear line of accountability to voters. While they expect Members of Parliament to faithfully represent their constituents, they also believe, more than other groups, that party loyalty should be respected. They tend to believe that larger parties can govern and represent Canadians in a more efficient and effective way. Guardians are more likely to believe that there is an equal chance for candidates of all backgrounds to be elected, and are less likely to feel special measures are needed to increase the diversity of Members of Parliament. Guardians tend to strongly believe election ballots should be easy for voters to use and to understand. Guardians are less likely to see voter turnout as an area of concern and prioritize security of the vote more than other groups. More than other archetypes, they consider it important that people are free to choose to vote rather than being required to do so. Guardians are also the least likely to support moving from paper ballots to online voting.
2. Challenger – my democracy is “responsive and transparent”
Challengers typically believe that, above all, democracy should be responsive to citizens. They tend to be more skeptical of government and thus open to ideas that could enhance accountability of governments and give voters more control. They generally prefer governments that are decisive and are less likely to prioritize compromise with other parties. They usually expect parties to take responsibility for their decisions and for voters to have more ways to influence politics. To that end, Challengers are generally interested in voters having more options or additional ways to express their choices on the ballot during an election. Challengers are less likely than most to believe that special measures are needed to increase diversity in Parliament and are more likely to see voting as a personal choice than a duty of citizenship. They are split on the question of whether Canadians should have the option to vote online.
3. Pragmatist – my democracy is “balanced and straight forward”
Pragmatists generally want governments to strike a balance between decisive action and compromise. They tend to prefer a clear line of accountability to voters, but not at the expense of collaboration between parties. Pragmatists are split about whether special measures are needed to help increase the diversity of representation in Parliament. Pragmatists typically prefer that election ballots are easy to use and to understand. Pragmatists generally view voting as a democratic duty rather than a personal choice and are slightly more inclined to support mandatory voting. They are among the least likely archetypes to support online voting.
4. Cooperator – my democracy is “accessible and collaborative”
Cooperators are generally more open to modernizing our democracy. They tend to favour more cooperation in politics and the way that Parliament works. They typically prefer governments that build consensus and seek compromise with other parties. Cooperators are, as a whole, the most interested of any archetype in taking action to increase the diversity of representation in Parliament. They are more likely to want Members of Parliament to better reflect Canada’s diverse population. They tend to be very supportive of measures aimed at increasing the number of women and candidates from visible minority groups elected to Parliament. Cooperators also tend to support a greater diversity of ideas and political viewpoints represented in Parliament. Cooperators generally believe election ballots should be easy for voters to use and to understand, and that accessibility is more important for voters than having new ways to express their preferences on the ballot. Cooperators tend to be concerned about voter turnout. While they are open to online voting as a means to increase electoral participation, they are only somewhat in favour of the idea of mandatory voting.
5. Innovator – my democracy is “diverse and inclusive”
Innovators are generally among the most open to new ideas to improve the way Parliament works. Innovators tend to favour cooperation over competition when it comes to politics and to prefer governments that seek compromise with other parties. They typically support the idea of parties working together and sharing responsibility for decisions. Innovators are commonly interested in new ways to increase diversity of Parliament. They tend to prefer that Members of Parliament, as a whole, better reflect Canada’s diverse population, which includes having more women and candidates from visible minority groups elected. Of all the groups, Innovators are most likely to welcome having a greater diversity of ideas and political viewpoints expressed and represented in Parliament. They also tend to believe that voters should have more options or additional ways to express their choices on the ballot during an election. Innovators are generally quite concerned about voter turnout in Canada. They are the most open to the possibility of online voting as a means to increase electoral participation. Innovators are also the most likely to support the idea of mandatory voting as they tend to see voting as a democratic duty.
- Date modified: