Privacy Protection in the Era of ‘Big Data’ and of the Omnipresence of Computing Power: Predictive Analytics, Social Networks and Mobile Devices
Remarks at the Rendez-vous de la sécurité de l’information 2013
May 9, 2013
Address by Patricia Kosseim and Kate Wilson
Office of the Privacy Commissioner of Canada
(Check against delivery)
I am very pleased to be in your company this morning on the occasion of the seventh Rendez-vous de la sécurité de l’information, particularly here in Montreal, my home town, which brings back so many happy memories. I would like to thank the ASIMM for having invited me to speak to you today.
I am accompanied today by Kate Wilson, who is a lawyer at the Office of the Privacy Commissioner (OPC). We would be very pleased to answer your questions following my presentation.
The importance of privacy protection
I would like to begin my presentation with the following question: Does privacy protection necessarily run counter to progress and innovation?
Professor Julie Cohen examines this question in an article that will soon appear in the Harvard Law Review. Cohen suggests that privacy, contrary to its often negative reputation, rather than promoting the status quo, is a dynamic force that is essential to the development of individuals and to an innovative society.
The business perspective
Businesses seem to increasingly recognize the fundamental importance of privacy protection. A survey conducted among Canadian businesses in 2012 for the OPC seems to confirm this trend:
- Close to half the businesses (49%) indicated that protection of personal information was an important objective for them.
- 39% of these businesses believe that protection of personal information is a competitive advantage.
The perspective of Canadians
And what do Canadians think? Of course, the question is of interest to the OPC, so, last fall we conducted a survey among consumers. The findings are revealing:
- Two-thirds of Canadians are worried about privacy protection, and one quarter (25%) of them said that they were extremely worried.
- Seven out of 10 respondents feel that there is less protection of their personal information in their daily lives than there was 10 years ago.
- 71% of respondents feel that protection of Canadians’ personal information will be one of the most important issues that Canada will have to face in the next 10 years.
- Yet, only 13% are confident that businesses take the protection of their personal information seriously; the percentage increases to 21% with respect to confidence in governmental institutions.
Three significant trends
With this backdrop in mind, I would like to give you an overview of the recent work of the OPC. I would like to discuss three often interrelated trends, which are the result of technological and socio-cultural change and which have a tremendous impact on privacy protection:
a) The first is the arrival of the era of big data: the increasingly common capacities to retrieve, analyze, combine, share and interpret quantities of data that would have been unimaginable in the past.
b) The second is the role of social networking in both the personal and professional spheres.
c) The third is the omnipresence in our daily lives of computing power, often found in smaller and smaller portable devices.
The range of the OPC’s activities that I will present to you reflects the diversity of our mandate and of the projects that we initiate in support of privacy protection, including investigations, research and increasing public awareness – all this at the federal level, of course.
1) Big data and predictive analytics
For several years now, the OPC has taken an interest in the impact of big data on privacy protection.
Have you ever considered the magnitude of the phenomenon of big data? As authors Cukier and Schoenberger describe in an article that was recently published in Foreign Affairs:
In the third century BC, the Library of Alexandria was believed to house the sum of human knowledge. Today, there is enough information in the world to give every person alive 320 times [what] historians think was stored in Alexandria’s entire collection – an estimated 1,200 exabytes’ worth. If all this information were placed on CDs and they were stacked up, the CDs would form five separate piles that would all reach to the moon.
What is increasingly interesting, from the perspective of users of big data, is no longer the creation of a fact-based profile of what is, but to predict, based on the data, what might be – that is what the phenomenon of predictive analytics is about.
In 2012, we initiated an in-depth research project on predictive analytics, on some of its applications and on its possible consequences for privacy protection.
Predictive analytics, which it is important to distinguish from the simple process of “data mining,” entails a higher level of complexity; instead of simply noting the trends revealed by our behaviours, it tries to predict our intentions and our future behaviours.
As one of our researchers has so ably conveyed:
Big Data and intelligent predictive analytics could, on the one hand, help advance research, stimulate innovation and generate new approaches to a better understanding of the world and make important and socially valuable decisions in fields such as public health, development and economic forecasting. On the other hand, advanced analytics prompts increased data collection, sharing and linkages, and could also prove to be invasive, intrusive and discriminatory…
Predictive analytics also poses a very unique challenge: that of transparency. Most individuals are completely unaware of the existence of predictive analytics activities since they take place behind the scenes. The analytical process and the results obtained can be qualified as “opaque.”
Predictive analytics also forces us to review our understanding of certain fundamental privacy-related concepts, such as “personal information” and the “purpose” of data collection and use. How do we determine the precise moment when disparate pieces of data become personal information? How can the purpose of data collection be communicated in advance when it may not even be clear to the organization engaging in collection?
It is obvious that predictive analytics could have dramatic impacts in a number of areas; sustained, context-sensitive follow-up will be necessary in order to ensure that it is carried out in a manner that respects the privacy of the individuals concerned.
a) Online behavioural advertising
We recently looked at a phenomenon that increasingly relies on predictive analytics: that of online behavioural advertising.
Given the major growth of online tracking and targeting of individuals’ activities, in December 2011, the OPC issued guidelines on privacy protection specifically focussing on behavioural advertising.
Online tracking and targeting of individuals are increasingly of interest to the marketing sector, particularly in view of the continuous improvement in the capacity to process incredible amounts of data in order to identify habits, create detailed personal profiles of users and, with this information, predict behaviour.
When we issued these guidelines, our intention was to underscore a few “basic rules”:
- While an examination of the issue must be done on a case-by-case basis, online behavioural advertising will generally involve the use of “personal information”; it is reasonable to consider that there will often be a serious possibility that the disparate pieces of data gathered could be linked to a specific individual.
- While advertising may help subsidize the delivery of free online content, it is nevertheless essential that online advertising practices respect the fundamental principle of consent.
- Implied consent may be valid insofar as there is compliance with certain conditions, such as informing individuals of the purposes of the practice in a clear and understandable manner; at or before collection; allowing them an opportunity to easily opt-out of the practice; ensuring that the opt-out is immediate and persistent; ensuring that the information collected and used is limited to non-sensitive information to the extent practicable; and that it is destroyed or rendered anonymous as soon as possible.
- We have also indicated that an organization should not use technologies that are likely to interfere with a user’s ability to make a choice, such as so-called zombie cookies or super cookies.
- Lastly, as a best practice, given the challenge of obtaining meaningful consent from children, we have recommended that all online tracking and targeting of children be avoided.
Online behavioural advertising can therefore be considered a “reasonable” activity under the Personal Information Protection and Electronic Documents Act (PIPEDA), provided that it is carried out within these parameters.
2) Social networking: the impact of this cultural shift on individuals
The second phenomenon that I would like to talk about this morning is social networking. I know that Ms Boyle will give you a presentation this morning on the use of social networks in the workplace, but I would just like to point out to you two recent examples of the OPC’s work in this area.
a) The Nexopia investigation
In March 2012, the OPC completed an in-depth investigation of a complaint regarding the privacy practices and policies of Nexopia, a youth-oriented social networking site.
The investigation – which was initiated following a complaint filed by the Public Interest Advocacy Centre – was conducted under PIPEDA. It found that Nexopia was contravening several aspects of PIPEDA, which led to the formulation of 24 recommendations. The recommendations focussed on various aspects of the social network, including default privacy settings, the validity of consent upon registration and the sharing of personal information with third parties.
The Commissioner was satisfied with the organization’s response to most recommendations, but four of them, related to the retention of personal information, had still not been resolved by the end of the investigation.
Following the release of the Report of Findings, the Commissioner filed an application in the Federal Court seeking an order requiring Nexopia to stop retaining personal information indefinitely by adopting a delete function. Subsequent to the filing of the application, Nexopia underwent a change in ownership. Nexopia's new owner committed to addressing all of the recommendations set out in the Report of Findings by April 30, 2013. The Commissioner accordingly suspended the Federal Court application. As agreed, at the end of last month, Nexopia provided us with a description of the measures taken to follow up on the recommendations; we are now in the process of reviewing them.
b) LinkedIn and password theft
In June 2012, social networking was once again in the headlines when the LinkedIn professional network became prey to a cyberattack involving almost 6.5 million user passwords. These passwords were subsequently posted online.
Over the days and weeks that followed the cyberattack, LinkedIn co-operated with the Office of the Privacy Commissioner, as well as with its counterparts in British Columbia, Alberta and Quebec, in order to try to understand what may have happened to allow such a theft, but also to determine what cybersecurity measures the company would have to take to prevent the recurrence of an incident of this nature.
The incident was a reminder that cybersecurity constitutes an obligation of means, but not of results. We must expect that there will be other cyberattacks and even accept the fact that some are likely to succeed. What matters for organizations is that they establish and maintain a culture of cybersecurity, a culture that translates into continuous efforts in terms of prevention and rapid response in case of a successful attack.
3) Mobile Apps: the daily impacts of the omnipresence of computing power
The third trend I’d like to speak to you about is ubiquitous mobile computing in today’s society. Indeed, we are never far from some form of computing power. Not only do we see the enormous impact of mobile devices on the rhythm of our daily lives, we also note that the diverse devices we rely on are themselves increasingly networked in order to facilitate the exchange and analysis of large volumes of data collected about us.
a) Mobile Apps: Guidelines “Seizing Opportunity: Good Privacy Practices for Developing Mobile Apps”
While the smart phone era brings unparalleled consumer connectivity and convenience, it also holds the potential for comprehensive surveillance of individuals.
Conveying meaningful information about privacy choices is also particularly challenging in the mobile space with a small screen and intermittent user attention.
In addition, the speed of the mobile application development cycle, the complexity of the mobile app ecosystem involving many players and the potential to reach hundreds of thousands of users within a very short period of time make this trend particularly complex and multi-dimensional.
In recognition of these phenomena, the OPC collaborated with its counterparts in Alberta and B.C. to produce a guidance document on the development of mobile apps in a manner that respects privacy.
Allow me to relay the gist of our guidance, which is directed particularly to mobile app developers:
- Mobile app developers are accountable for their conduct and their code. Regardless of whether they are part of a large company or in business on their own, they are responsible for any personal information collected, used or disclosed by their mobile app.
- It is important to be open and transparent about their privacy practices. They should inform users of their privacy practices in clear and understandable language and be sure to place the information in a way that is easily accessible to users.
- Collect and keep only what the app needs to function, and secure it.
- Obtain meaningful consent despite the challenge of a smaller screen; some options include layering the information, providing a privacy dashboard or using infographics.
- Understand that the timing of user notice and consent is critical. Just-in-time notices using color or sound may be effective ways of getting users’ attention without causing notice fatigue.
I would invite you to consult not only our guidance document, available on our Web site, but also to download our own mobile app, launched in January 2013. Entitled “my PRIVACYapp,” the OPC app was designed to educate users on how to better protect personal information on their mobile devices. It is available for free download on Apple, Android or Blackberry devices.
b) Investigation into WhatsApp
On the compliance side, the OPC recently undertook an investigation in collaboration with its Dutch counterpart (the Dutch Data Protection Authority) concerning the treatment of personal information by WhatsApp Inc., a California-based mobile app developer known for its popular mobile messaging app.
The coordinated investigation was a global first, with two national data protection authorities conducting their work together to examine the privacy practices of a company with hundreds of millions of customers worldwide.
The investigation concluded that WhatsApp was in violation of both Dutch and Canadian privacy laws. Its practices violated certain internationally accepted privacy principles, mainly in relation to the retention, safeguard and disclosure of personal information. Our key findings were as follows:
Automatic upload and retention of all mobile contacts
To facilitate contact among its users, WhatsApp populates subscribers’ contact lists through the automatic uploading of the mobile phone numbers of individual users. However, even contact numbers of individuals who are not WhatsApp users are uploaded and retained on WhatsApp’s servers. Although the numbers are converted into hash values, we found that this hashing is still not sufficient to ensure practical anonymity.
At the time of the investigation, users on most operating systems had no alternative but to accept this automatic uploading and retention of all phone numbers in their address books as a condition of service. But, as a result of the investigation, WhatsApp indicated its intention to integrate functionality for all operating systems to allow users the option to manually upload and manage their own contact addresses, including “out of network” users.
Messages transmitted without encryption
At the time the investigation began, messages sent on WhatsApp were unencrypted, leaving them prone to interception, especially when sent via unprotected WiFi networks. In September 2012, in partial response to the investigation, WhatsApp introduced encryption to its messaging service.
Use of weak passwords for message exchanges
The investigation also revealed that WhatsApp was generating passwords for message exchanges based on device information, such as MAC addresses, that could be easily exposed. There was therefore a real risk that a third party could identify these passwords and then send and receive messages without the actual subscriber’s knowledge. The latest version of the app includes a strengthened level of password protection, using randomly generated keys for authentication.
While the OPC was pleased with WhatsApp’s responsiveness to the investigation, we will continue to monitor its progress in implementing our recommendations.
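The two findings above, hashed contact numbers that remain linkable to individuals and message-exchange passwords derived from device information, share one root cause: the pseudonym or credential is computed from a small, guessable input space, so anyone who can run the same computation can recover or reproduce it. The following Python is an added illustration written for this page, not code from WhatsApp, the OPC or the Dutch DPA; the phone-number range, the MAC address and the derivation functions are constructed stand-ins, and the actual schemes WhatsApp used are not described on the page. It contrasts an unkeyed hash with an HMAC under a server-held secret, and a device-derived password with a randomly generated authentication key.

```python
import hashlib
import hmac
import secrets

# Constructed sample: a short fictional range (11-digit numbers with a 555
# exchange) standing in for the roughly 10^10 ten-digit numbers a real
# enumeration would cover. Nothing here is a real subscriber number.
PREFIX = "1514555"
NUMBERS = [f"{PREFIX}{i:04d}" for i in range(10_000)]


def unkeyed_pseudonym(number: str) -> str:
    """Plain SHA-256 of the phone number: no secret, so anyone can recompute it."""
    return hashlib.sha256(number.encode()).hexdigest()


def keyed_pseudonym(number: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret held only by the service. Without the key,
    a third party cannot build the same table even over a tiny input space."""
    return hmac.new(key, number.encode(), hashlib.sha256).hexdigest()


def build_reverse_table(numbers, pseudonymise) -> dict:
    """Map pseudonym -> number for every candidate number. This is the reason an
    unkeyed hash of a low-entropy identifier is a pseudonym, not anonymisation:
    the table is feasible exactly when the input space is small and the mapping
    needs no secret."""
    return {pseudonymise(n): n for n in numbers}


def recover(table: dict, pseudonym: str):
    """Return the original number for a pseudonym if it appears in the table."""
    return table.get(pseudonym)


def enumeration_work(digits: int) -> int:
    """Hash evaluations needed to cover every number of the given length.
    Ten digits gives 10**10, well within reach of commodity hardware."""
    return 10 ** digits


def device_derived_password(mac_address: str) -> str:
    """Constructed stand-in for the weak pattern: a credential derived
    deterministically from device information. The page does not give
    WhatsApp's actual derivation; any fixed function of a guessable or
    exposed identifier has the same property of being reproducible."""
    return hashlib.sha256(mac_address.encode()).hexdigest()


def random_auth_key(nbytes: int = 32) -> bytes:
    """The remedy the page describes: a randomly generated key, produced from
    the OS CSPRNG and tied to nothing an observer could learn about the device."""
    return secrets.token_bytes(nbytes)


def demo() -> dict:
    """Run both comparisons and return the observations as plain values."""
    target = NUMBERS[42]
    unkeyed_table = build_reverse_table(NUMBERS, unkeyed_pseudonym)
    server_key = random_auth_key()
    keyed_value = keyed_pseudonym(target, server_key)
    mac = "00:11:22:33:44:55"  # constructed, not a real device
    return {
        "unkeyed_recovered": recover(unkeyed_table, unkeyed_pseudonym(target)),
        "keyed_recovered": recover(unkeyed_table, keyed_value),
        "work_for_ten_digits": enumeration_work(10),
        "device_password_reproducible": (
            device_derived_password(mac) == device_derived_password(mac)
        ),
        "random_keys_distinct": random_auth_key() != random_auth_key(),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The keyed variant only helps while the key stays on the server; if the same key is shipped inside the app it is no better than the unkeyed hash. Likewise, a device-derived password is not strengthened by choosing a stronger hash, because the weakness is the predictability of the input, which is why the page's remedy is randomly generated keys rather than a different derivation.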
From time to time, it is important to recognize the extent to which the changes we are experiencing are fundamental.
As the authors Cukier and Mayer-Schoenberger convey so compellingly:
Big data is poised to reshape the way we live, work and think. A worldview built on the importance of causation is being challenged by a preponderance of correlations. The possession of knowledge, which once meant an understanding of the past, is coming to mean an ability to predict the future. The challenges posed by big data will not be easy to resolve. Rather, they are simply the next step in the timeless debate over how to best understand the world.
If privacy is to play the role of innovation facilitator in the era of big data, we must also make sure that we bring innovative approaches to our work in protecting privacy.
Moreover, it is obvious that privacy cannot be protected after the fact; it is critical to think about it at the development stage of new projects and to make privacy protection an integral part of the development of any innovative process.
That being said, since innovation is fast-paced and generates changes the full impact of which are often difficult to predict, it is important to be transparent about the risks involved, to manage them effectively and to take responsibility for the outcomes that flow from our choices.
In conclusion, given the magnitude of the changes that we are facing, and in a spirit of innovation, allow me to answer your question succinctly: Should we dare to take risks? Yes, of course, but let us do it in an informed, transparent and responsible manner. We are counting on the members of your profession in the world of information security to support us along the way.