Emerging tech – potentially awesome and a privacy quagmire

I attended an event last night where Duncan Stewart of Deloitte talked about their TMT predictions for 2016.

It reinforced for me that the future of tech and what it will do for us is potentially awesome.  But also at the same time the amount of information that is being collected and stored about each of us is staggering.  That creates real privacy challenges, and real possibilities for abuse.  And because the information is there, there is a tendency for government and business alike to want to use it.

One scary aspect is that the more we get used to more information being collected about us, the more complacent we get.  Our personal freaky line – the line at which we stop using services because we are concerned about privacy issues – moves a little farther away.  That is in spite of the fact that the more information there is about us, the more ripe for abuse it is, and the more that we temper or alter our behaviour because we know we are being watched.

Think for a moment about all the information that is increasingly being collected about us.

  • Smartphones that know our every move and the most intimate and personal aspects of our lives.
  • Intelligent cars that know where we go and how we drive.
  • The internet of things where the stuff we own collects information about us.
  • Wearable tech that collects information about our fitness, and increasingly our health.
  • The trend for information and services to be performed in the cloud rather than locally, and stored in various motherships.
  • Big data that functions by saving as much information as possible.
  • Artificial intelligence and cognitive learning tools that can turn data into useful information and make inferences based on seemingly unconnected information.
  • Blockchain technology that has the potential to record surprising things about us.

On top of all this, it is becoming increasingly harder to understand when our info is staying on our device, when it goes somewhere else, how long it stays there, who has access to it, when it is encrypted, and who has access to the encryption keys.

It is in this context, and the fact that we just don’t have the time to spend to understand and make all the privacy choices that we need to make, that the Privacy Commissioner of Canada last week released a discussion paper titled Consent and privacy: A discussion paper exploring potential enhancements to consent under the Personal Information Protection and Electronic Documents Act

The introduction states in part:

PIPEDA is based on a technologically neutral framework of ten principles, including consent, that were conceived to be flexible enough to work in a variety of environments. However, there is concern that technology and business models have changed so significantly since PIPEDA was drafted as to affect personal information protections and to call into question the feasibility of obtaining meaningful consent.

Indeed, during the Office of the Privacy Commissioner’s (OPC’s) Privacy Priority Setting discussions in 2015, some stakeholders questioned the continued viability of the consent model in an ecosystem of vast, complex information flows and ubiquitous computing. PIPEDA predates technologies such as smart phones and cloud computing, as well as business models predicated on unlimited access to personal information and automated processes. Stakeholders echoed a larger global debate about the role of consent in privacy protection regimes that has gained momentum as advances in big data analytics and the increasing prominence of data collection through the Internet of Things start to pervade our everyday activities.

Cross-posted to Slaw

Enemy of the State – still topical

I recently watched the 1998 movie Enemy of the State .  It is a spy thriller about a lawyer being smeared by politicians because they believe he has information that can implicate them in criminal matters – the murder of a politician who was opposing a privacy bill that is really a bill empowering mass surveillance.  They use sophisticated, unsavoury, unethical, and illegal methods to watch him, discredit him, and retrieve the evidence.  No one is watching the watchers, who are out of control.

While like any disaster movie the plot is a bit over the top, it was fascinating to watch the movie again from a 2016 lens.  I challenge anyone to watch it and still say “I have nothing to hide” to dismiss privacy and surveillance concerns.

In a related sentiment, a recent study confirms that the knowledge that we may be watched puts a chilling effect on what we do.  This Techdirt article is a good summary of that study.


Cross posted to Slaw.

The Surveillance Society is already here

Canadians often look at intrusive, anti-privacy surveillance in other countries, and at things like the NSA and Patriot Act in the United States and think we are above that. But it is becoming apparent that Canada is just as bad. We need to do better than this and move the pendulum back towards individual rights and freedoms, and away from a surveillance society that does very little if anything to actually protect us.

For example, it recently came to light that the Communications Security Establishment, or CSE, Canada’s equivalent of the NSA, monitors and stores emails sent to Canadian government agencies.

This kind of surveillance is usually justified as being necessary to deal with terrorism and threats to national security, and its effects are downplayed by comments like its just metadata, or Canadians aren’t targeted. But there does not seem to be any evidence that all this surveillance and collection actually prevents anything bad from happening. Metadata is every bit as personal, private, and informative as the data itself. Who is targeted does not change the fact that personal information on citizens is being collected and retained, and that this information has the potential to be abused and used for undesirable purposes.

Mathew Ingram puts it well in an article in the Globe entitled We can’t accept Internet surveillance as the new normal.

The only good news is that the ongoing revelations about the nature and type of spying – largely because of Edward Snowden – are creating a growing public backlash, and tech companies are working to make it harder to intercept communications. Bill C-51, the anti-terrorism bill currently in the hearing stage is a case in point, which has attracted a huge amount of criticism – both over a lack of oversight, and as to the intrusiveness and potential abuse of authority that could result.

See, for example, this Huff Post article entitled Edward Snowden Warns Canadian To Be ‘Extraordinarily Cautious’ Over Anti-Terror Bill, and Michael Geist’s article entitled Why The Anti-Terrorism Bill is Really an Anti-Privacy Bill: Bill C-51′s Evisceration of Privacy Protection 

There is even a website dedicated to stopping the bill.

Cross-posted to Slaw.

Privacy Commissioner issues guidance on police body cameras

The federal Privacy Commissioner has just released a report giving guidance on the privacy implications of police wearing body-worn cameras, and what police need to do to comply with privacy laws.

It points out that the issues around body-worn cameras are more complex than on fixed cameras.

As is usually the case with privacy issues, it is about balance – in this case balancing the advantages of the cameras with privacy concerns.

The report has this to say about balance:

There are various reasons why a LEA might contemplate adopting BWCs. LEAs could view the use of BWCs as bringing about certain benefits to policing or other enforcement activities.  For example, in addition to being used to collect evidence, BWCs have been associated with a decrease in the number of public complaints against police officers as well as a decrease in the use of force by police officers.  At the same time, BWCs have significant privacy implications that need to be weighed against the anticipated benefits.  As the Supreme Court of Canada has noted, an individual does not automatically forfeit his or her privacy interests when in public, especially given technological developments that make it possible for personal information “to be recorded with ease, distributed to an almost infinite audience, and stored indefinitely”. And as the Supreme Court added more recently, the right to informational privacy includes anonymity which “permits individuals to act in public places but to preserve freedom from identification and surveillance.”

It goes on to talk about the tests to determine if the intrusion is justified, and what uses and safeguards are appropriate.

Its worth a read even if just for its general discussion around cameras and privacy.

Cross-posted to Slaw


Stores tracking our cell phones

Today’s Slaw post:

Some retailers are following customer movement in stores by tracking cell phone movement.  From a legal perspective it raises issues around privacy and perhaps wiretapping laws.  To a great extent whether or not such activities comply are dependent upon the subtleties of how it is being done, and how anonymously it is being done.

The other issue – as is often the case when dealing with privacy related issues – is the customer acceptance or “creepiness” factor.  Some people would welcome getting a coupon on their phone while wandering through a store.  But for others it feels like surveillance and tracking that is just plain creepy.

The New York Times has a good article exploring some of these issues entitled Attention, Shoppers: Store Is Tracking Your Cell.

From the article:

Nordstrom’s experiment is part of a movement by retailers to gather data about in-store shoppers’ behavior and moods, using video surveillance and signals from their cellphones and apps to learn information as varied as their sex, how many minutes they spend in the candy aisle and how long they look at merchandise before buying it.

All sorts of retailers — including national chains, like Family Dollar, Cabela’s and Mothercare, a British company, and specialty stores like Benetton and Warby Parker — are testing these technologies and using them to decide on matters like changing store layouts and offering customized coupons.

But while consumers seem to have no problem with cookies, profiles and other online tools that let e-commerce sites know who they are and how they shop, some bristle at the physical version, at a time when government surveillance — of telephone calls, Internet activity and Postal Service deliveries — is front and center because of the leaks by Edward J. Snowden.

Legislators have too many control issues

That’s the title of my Slaw post for today.  It reads as follows.

The trend to more invasive surveillance and control by North American governments (indeed, by many countries that we consider civilized democracies), or their granting of too much control to others is disturbing. Too many things are making creeping (and sometimes creepy) inroads into privacy rights, along with the usual specious “if you’ve got nothing to hide… ” argument. Too many things are tending towards shoot first, ask questions later. And governments are too eager to look to ISP’s and others who run the internet pipes to control what flows through.

Some examples:

The proposed US SOPA (Stop Online Piracy Act) that is being loudly opposed. It has been characterised as net censorship, an attempt to regulate the internet, and breaking the internet as we know it. It could result in entire web sites being taken down based merely on an allegation that one post or comment infringes copyright.

The proposed Canadian Lawful Access legislation that would allow much more invasive internet information to be given to authorities without warrants. This resulted in a lengthy letter by the Privacy Commissioner to the Ministers responsible.

The increasing use of license plate cameras by police, such as in the Washington DC area. In its simplest, most privacy friendly form, car mounted or fixed cameras read car license plates and flag any that are contained in a database of stolen or suspect vehicles. No record is kept of any plates other than those of interest. But it has come to light that some of the systems store the details of every single plate that they capture, and retain that for long periods of time.


Surveillance society requires debate

That’s the title of my Slaw post for today.  It reads as follows.

There has been a lot written lately about the disturbing trend towards becoming a surveillance society. And the equally disturbing trend for governments to try to interfere with various kinds of communications to squash activity. Mathew Ingram has a good article about that on gigaom.

There is a great hue and cry about this when it occurs in countries that we feel suppress their people – but we are also seeing the trend in North America and Britain – such as the recent British riots and San Fransico’s Bart transit system shutdown of cell service.

And yet at the same time, authorities get upset at and try to stop people from photographing them doing their jobs – sometimes to the extent of trying to charge them with crimes such as wiretapping.

Along with that is the photographer as terrorist / criminal attitude that is seen far too often. That has been mentioned on Slaw before here and here. The latest example of that is a post on Techdirt that says police in Long Beach California have a policy that they can detain someone taking photos with “no apparent esthetic value”.

There is of course always some reason given for doing these things – but we can’t just let it be justified by some claim that it is necessary to stop violence or catch criminals. We have to consider many factors, including practical matters such as whether the actions are even effective to accomplish the stated goal, and how disruptive they are to others. We also need to think about issues like security vs privacy, and liberty vs control.

We need to think about these issues on matters such as the proposed lawful access laws.


Laws requiring data retention ill-advised

I’m not a fan of laws that require entities such as ISP’s to retain data about its customers so law enforcement can get to it.  To me, that flies in the face of privacy principles that say one should only retain personal information (both quantity and duration) to the extent it is required to fulfil the purpose of the services being offered.

I’m not convinced that the benefit to law enforcement outweighs the negative aspects of this – which range from costs to the entity retaining, the risk of abuse, and the risk of exposing it.   It is hard enough to protect the information that entities need, let alone information they don’t need.  And the more information you have, the more you are a target for malfeasers trying to get at it.

Mike Masnick of Techdirt has a post worth reading on the subject.  He refers to a researcher and author who says that a current US bill, the “Protecting Children from Internet Pornographers Act”  should be called the  “Forcing Your Internet Provider to Spy On You Just In Case You’re a Criminal Act of 2011”.

Unfortunately, we are heading down the same path here in Canada with the proposed lawful access statute.

Bill c-52 Investigating and Preventing Criminal Electronic Communications

David Fraser has a post worth reading entitled Investigating and Preventing Criminal Electronic Communications Act bill one step closer to (warrantless) surveillance state.

The bill has been called “lawful access” , or “awful access” depending on your perspective.  It will give more power to government authorities to get information from telecommunications service providers without a warrant.

David uses the example of secret police in Belarus who used this kind of power to identify people at an anti-government demonstration.

As he puts it “If we’re shocked at what repressive regimes are doing to their citizens, we shouldn’t be giving our own governments tools to be repressive.”

Plethora of Pending IT Legislation

That’s the title of my Slaw post for today.  It reads as follows.

Those who practice in the IT area have a lot of potential new law to digest.  The Federal government has several bills in various stages that will affect many businesses and organizations, and all of us as consumers.  These bills have been mentioned on Slaw, but I thought it was worthwhile listing them all in one place. 

Bill C-28    Fighting Internet and Wireless Spam Act.  

This bill brings in several anti-spam measures.  While this is welcome by most people, the language has the possibility to affect how typical businesses communicate.  Things that we may not consider to be spam might get caught by the act.  Since the penalties are significant, we will have to take a close look at this before it is in force to understand what it means for a typical business or organization. 

Bill C-29     An Act to amend the Personal Information Protection and Electronic Documents Act

This would make several amendments to PIPEDA.  Most of the amendments were expected, and are welcome as they address issues that have arisen from the current legislation.  There are a couple of new parts that could use some clarity, though.  Language that attempts to clarify what “lawful authority” is that allows one to release information to law enforcement doesn’t really seem to clarify what the threshold of proof is, or what to ask for.  It also contains language that requires notification of breaches in certain circumstances to both the privacy commissioner and the affected individuals.  The language has threshold tests – which on the surface are not as clear as they might be.   If this language stays, it may take a privacy commissioner decision and/or court decision to clarify the threshold.  The best source for more information is David Fraser’s blog

Bill C-32     Copyright Modernization Act.

This is the latest of several attempts over the years to amend the Copyright Act.  Controversial elements include digital lock provisions that will allow publishers to trump user rights.  There has been a lot written about this, including a book entitled From “Radical Extremism” to “Balanced Copyright”: Canadian Copyright and the Digital Agenda written by several copyright experts. The best source for more information about the bill is Michael Geist’s blog.

Bill C-51     An Act to amend the Criminal Code, the Competition Act and the Mutual Legal Assistance in Criminal Matters Act aka Investigative Powers for the 21st Century Act. 

There also appears to be at least one companion bill, C-52.  This is the latest incarnation of what has been dubbed a “lawful access” bill.   The bill essentially tries to give law enforcement more access to electronic communications.    Critics refer to the bills as “awful access”, and point to the erosion of privacy and the costs ISP’s will need to spend.  They also question the practical effectiveness of the measures.   This bill is hot off the press, and I have not had time to look at it – but in general I fall into the “awful access” camp.  Expect more commentary on this from both Michael and David.