Philippa Lawson, Counsel
Public Interest Advocacy Centre
PIAC is a federally incorporated non-profit organization which provides legal advice, representation, and specialized research to groups and individuals who are voicing public concern on issues of broad national interest and matters involving public utilities and essential services. Since its inception in 1976, the Centre has developed a reputation for providing effective consumer advocacy in the regulation of telecommunications, cable TV, broadcasting, energy, and transportation, as well as in the field of privacy and consumer protection generally.
In addition to its wide clientele and partner organizations, PIAC has a membership of organizations covering over 2 million Canadians. PIAC’s member organizations include the Alberta Council on Aging, Canadian Pensioners Concerned, Consumers Fight Back Association, Manitoba Society of Seniors, Ontario Coalition of Senior Citizen Organizations, One Voice – The Canadian Seniors’ Network, PEI Council of the Disabled, and Rural Dignity of Canada. PIAC also has a donor list of approximately 900 individual Canadians.
PIAC has been involved in privacy issues since the early 1990’s, when new telecommunications services affecting personal privacy (e.g., Call Display) were first offered. Since then, PIAC has developed significant expertise in the field of privacy: publishing a legal text, overseeing a national opinion survey, participating in the development of our national standard on data protection, CAN/CSA-Q830, and working with government and stakeholders to develop effective data protection legislation in Canada. PIAC counsel is frequently quoted by the media on privacy issues.
My comments today are from the perspective of a consumer advocate, and are therefore focused on privacy concerns of individuals in their roles as consumers in the marketplace, and in particular, the electronic marketplace. That is not to say that there are not enormous privacy concerns with respect to data collection and use by governments, or by private parties engaged in research or other non-commercial activities. These are equally important issues that governments should be addressing.
When we shop in the real world, nobody is watching our every move, monitoring the stores we visit, what we buy, the clothes we try on, or the products we look at. But when we go online, this is exactly what is happening. Through the use of computer technologies, private companies are collecting detailed personal data about us, using it to target their advertising to us, and trading it in the marketplace. In fact, a huge industry in personal data collection has developed and is growing by leaps and bounds. Many websites depend on revenue from selling user data to third parties, or delivering specific demographics to advertisers. Ecommerce business models are often based on the collection and sharing of personal information. The more information they have about you, the more money they make. As one ecommerce CEO said, “if it’s a question of profit versus privacy, profits come first every time”.(1)
Consumer profiling is by no means unique to the online world: mail-order firms track consumer purchases in order to send catalogues specific to the consumer’s interest; supermarket chains offer club cards that keep detailed records of individual purchases, and magazines trade and sell subscription lists for profit. But Internet technology permits a whole new level of consumer surveillance that is not possible in the physical world. Websites can track not only every item you purchase, but also every site you visit, every page or product you look at. Combined with other, often publicly available data, Web-generated information creates an unprecedented level of detail regarding individual behaviour, tastes, habits, and interests – a profile like no other. Yet many – probably most – consumers are not aware of the extent to which they are being watched online.
Let me mention briefly some examples of the kind of systematic privacy invasions we are beginning to confront with the growth of ecommerce:
In addition to intentional information gathering, ecommerce has opened up new opportunities for unintentional leaks and outright theft of personal information. Once personal information is amassed in a computer database, a single security breach can release a huge amount of very sensitive information. Thieves can get access to credit card information; stalkers can find out where their victims reside; vandals can interfere with stored data. It is estimated that one-half to three-quarters of all commercial websites can be hacked. Some hacking experts claim to have found a way into every site they have examined, accessing sensitive customer data, and sometimes even executing financial transactions using someone else’s account.(4)
It’s therefore not surprising that hardly a week goes by without reports of security breaches at some major website – just last week, Microsoft had to shut down its Hotmail service for four hours while it fixed a problem that permitted attackers to penetrate user accounts via email.(5)
And then there are the investigative companies that specialize in collecting data on specific individuals and selling it to anyone who will pay the fee. If you are a frequent email user, you will likely have received at least one message claiming to “Find Anything About Anyone On The Net!” These companies are able to pull up addresses, phone numbers (even unlisted ones), physical descriptions, details of property ownership, past employment information, and social insurance numbers, for example. While this kind of service can be useful to creditors looking for evasive debtors, it can also be used by stalkers to locate their victims, as was the case in the death of a New Hampshire woman last fall.
Not surprisingly, all this collection and disclosure of personal information has resulted in a new wave of identity theft, as Internet sites offer easy access to financial and other personal information with little attempt to verify the customer’s legitimacy.(6) Once they’ve got your name and social insurance number, together with other personal information about you, imposters can open up charge accounts in your name and destroy your credit. It is estimated that 400,000 Americans will suffer identity theft this year, according to a report in PCWorld Magazine.(7)
In light of all of this, many just throw up their hands and say “there is no privacy on the Web – get used to it”. That’s certainly one way to look at it, but I would say that it is unnecessarily defeatist. It is possible, through a mix of legislated ground rules, voluntary codes of practice, and mass-marketed technological tools, to change the way that the Internet is evolving in respect of consumer privacy and to regain control over our personal information.
At the other end of the scale are programs like Zero-Knowledge Systems’ “Freedom”, which permits users to remain anonymous as they surf the Net or send email. But most of these programs cost money, and don’t yet protect the user once he or she wants to transact online (Zero-Knowledge is working on a system to do just that). Moreover, they put the onus on users to protect their personal information without giving them the legal rights to such protection.
Privacy-enhancing technologies are an important component of the solution to the problem of privacy and security on the Internet, but they cannot do the job themselves.
Industry self-regulation is another piece of the puzzle. Many businesses now recognize that protecting customer privacy and respecting the right of individuals to informational self-determination is good business practice in the long term, even when the immediate gains from unauthorized trading of personal information are large. Just this week, a number of the biggest American online providers together urged their compatriots to rein in data collection and trading practices, and to show government that they can and will self-regulate through effective codes of practice.
But voluntary privacy policies don’t seem to be working: a recent poll of web users found that only 38% think that most privacy policies are easy to understand.(8) Whether or not they are understandable, most voluntary privacy policies are incomplete, and come nowhere near meeting fair information standards, as set out in Canada’s new data protection legislation, for example. Moreover, many sites do not comply with their own policies: a recent study of health advice sites in the USA found that personal information was transferred to third parties in direct violation of stated privacy policies.(9) Efforts such as TRUSTe and BBBOnline’s Privacy seal in the USA have met with strong criticism by privacy advocates who point out that neither of these programs has yet withdrawn an endorsement from an approved site.
Legislation is clearly needed to back up self-regulatory efforts and to guide technological and market developments in the direction of socially desirable and acceptable information practices. This fact is gradually coming to be recognized in the US, as polls show an increasing public demand for law regulating how personal information can be collected and used on the Internet.(10) Just this past week, for example, the FTC published a rule requiring financial institutions (broadly defined) to notify customers about the collection of personal information and to offer choice as to how that data is subsequently shared. President Clinton recently announced proposals for legislated privacy protection aimed at giving consumers more control over their personal information. Canada is clearly ahead of its major trading partner in this respect, with the recent passage of Bill C-6 – a legislative initiative for which this government should be congratulated.
However, the passage of Bill C-6 is just the beginning. Rules are of little value unless they are enforced. Indeed, tolerance of non-compliance with legislation such as this can be damaging to the rule of law generally. It is essential therefore that government put its money where its mouth is, and back up the Protection of Personal Information Act with a strong compliance plan, including adequate resources to the Privacy Commissioner, who is now faced with the enormous task of educating industry and the public, helping and coercing businesses to comply, using his powers of publicity to obtain compliance, and taking cases to court where necessary.
Without sufficient resources to do this job effectively over the next few years, there is a serious risk that we will fall flat on our faces – that widespread violations of Bill C-6 will remain the norm, that businesses will see that they can get away with it, that consumers are no better off, and that the rule of law is irreparably damaged.
We have allowed technology and market forces to get ahead of our laws and social principles over the past several years. Business plans have been built up on the basis of unauthorized gathering and sharing of personal information. This makes it all the more difficult to implement fair information practices as set out in Bill C-6. There will be resistance, and there will always be those market players who try to get away with disrespect for the law – just as with misleading advertising, for example. If we are to create a culture of respect for privacy in the new wired world, the government must do more than just lay out the rules. It must take proactive steps to ensure that this legislation is honoured not only in the breach.
Bill C-6 gives complainants the right to sue for damages in Federal Court, where companies refuse to comply with the law. Instead of state prosecution, the regime shifts the burden of enforcement to citizens, who are now expected to take non-compliant companies to court. We are skeptical, to say the least, about the effectiveness of this approach. Nevertheless, if it is to be at all effective, complainants will need assistance. It will be the rare person who is able and willing to fund a lawsuit against a company for failure to comply with this Act. If the government is going to shift the burden in this manner, it should at the very least provide some kind of funding program, such as exists for Charter challenges under the Court Challenges Program, to permit individuals to exercise their rights under the new law.
With the growth of the Internet-based economy, national borders are increasingly meaningless. Privacy invasions cannot be stopped at the border. Canada cannot act alone in order to effectively protect its citizens from abusive practices. Not only is this a practical impossibility; it could raise trade barrier issues if countries do not move in tandem with each other. We should continue to work with our trading partners and multilaterally within international organizations to establish common standards of data protection world-wide.
The Canadian model, set out in the CSA International Privacy Code and Bill C-6, is a good basis on which to build international consensus. Canada should take advantage of its unique situation and move now to encourage the adoption of an international data protection standard based on its widely accepted model code and law. All that is needed is financial support to the Standards Council of Canada, in order for it to take on the job of developing international consensus around a data protection standard.
In this way, Canada would not only achieve a more level playing field for Canadian business and more meaningful protections for Canadian consumers – it would do so using the Canadian model as the basis for international agreement. Canada is uniquely poised to provide international leadership in this field. It would be a pity if we squandered this opportunity.
At the same time, we must recognize the fundamental nature of privacy as a human right – something that is essential to individual dignity and autonomy. Data protection standards for businesses should therefore flow from a recognition that individual privacy, at some point, should not be treated as a negotiable commodity in the marketplace. In this respect, we look forward to legislative initiatives aimed at establishing a general right to privacy.
We therefore recommend:
Simson Garfinkel, Database Nation, (O’Reilly, Jan. 2000) (www.databasenation.com)
Jeffrey Rosen, “The Eroded Self”, The New York Times Magazine, April 30, 2000.
“Privacy 2000: In Web We Trust?”, PCWorld Magazine, May 8, 2000.
1. Rick Jackson, CEO of Privada, quoted in “Privacy 2000: In Web We Trust?”, PCWorld Magazine, May 8, 2000.
2. Jim Hu, “Start-up’s tracking software sets off privacy alarm”, CNET News.com, May 1, 2000.
3. “Weblining”, Business Week Online, April 3, 2000.
4. “ECommerce’s Dirty Little Secret”, PCWorld Magazine, May 8, 2000.
5. “Hotmail down due to hole”, WIRED News, May 10, 2000.
6. “Identity Thieves Find Easy Pickings on Web”, SPB News, May 10, 2000.
7. “They Know Everything About You”, PCWorld Magazine, May 8, 2000.
8. Poll for May issue of Wired magazine, reported in “Our Not So Private Lives”, Inter@ctive Week (ZDNet), May 1, 2000.
9. “Policies are no Insurance”, PCWorld Magazine, May 8, 2000.
10. A Business Week poll conducted in March, 2000 showed 57% of Americans polled in favour of legislated privacy protections on the Net.