Privacy and Security on the Internet
Submission to the Senate Subcommittee on Communications

Philippa Lawson, Counsel
Public Interest Advocacy Centre
1204 – 1 Nicholas St., Ottawa, ON K1N 7B7
pippa@web.net
http://www.piac.ca

Background on PIAC

PIAC is a federally incorporated non-profit organization which provides legal advice, representation, and specialized research to groups and individuals who are voicing public concern on issues of broad national interest and matters involving public utilities and essential services. Since its inception in 1976, the Centre has developed a reputation for providing effective consumer advocacy in the regulation of telecommunications, cable TV, broadcasting, energy, and transportation, as well as in the field of privacy and consumer protection generally.
In addition to its wide clientele and partner organizations, PIAC has a membership of organizations covering over 2 million Canadians. PIAC’s member organizations include the Alberta Council on Aging, Canadian Pensioners Concerned, Consumers Fight Back Association, Manitoba Society of Seniors, Ontario Coalition of Senior Citizen Organizations, One Voice – The Canadian Seniors’ Network, PEI Council of the Disabled, and Rural Dignity of Canada. PIAC also has a donor list of approximately 900 individual Canadians.
PIAC has been involved in privacy issues since the early 1990s, when new telecommunications services affecting personal privacy (e.g., Call Display) were first offered. Since then, PIAC has developed significant expertise in the field of privacy: publishing a legal text, overseeing a national opinion survey, participating in the development of our national standard on data protection, CAN/CSA-Q830, and working with government and stakeholders to develop effective data protection legislation in Canada. PIAC counsel is frequently quoted by the media on privacy issues.

Consumer Privacy on the Internet

My comments today are from the perspective of a consumer advocate, and are therefore focused on privacy concerns of individuals in their roles as consumers in the marketplace, and in particular, the electronic marketplace. That is not to say that there are not enormous privacy concerns with respect to data collection and use by governments, or by private parties engaged in research or other non-commercial activities. These are equally important issues that governments should be addressing.
When we shop in the real world, nobody is watching our every move, monitoring the stores we visit, what we buy, the clothes we try on, or the products we look at. But when we go online, this is exactly what is happening. Through the use of computer technologies, private companies are collecting detailed personal data about us, using it to target their advertising to us, and trading it in the marketplace. In fact, a huge industry in personal data collection has developed and is growing by leaps and bounds. Many websites depend on revenue from selling user data to third parties, or delivering specific demographics to advertisers. Ecommerce business models are often based on the collection and sharing of personal information. The more information they have about you, the more money they make. As one ecommerce CEO said, “if it’s a question of profit versus privacy, profits come first every time”.(1)
Consumer profiling is by no means unique to the online world: mail-order firms track consumer purchases in order to send catalogues specific to the consumer’s interest; supermarket chains offer club cards that keep detailed records of individual purchases, and magazines trade and sell subscription lists for profit. But Internet technology permits a whole new level of consumer surveillance that is not possible in the physical world. Websites can track not only every item you purchase, but also every site you visit, every page or product you look at. Combined with other, often publicly available data, Web-generated information creates an unprecedented level of detail regarding individual behaviour, tastes, habits, and interests – a profile like no other. Yet many – probably most – consumers are not aware of the extent to which they are being watched online.
Let me mention briefly some examples of the kind of systematic privacy invasions we are beginning to confront with the growth of ecommerce:

  • “Cookies” are now considered an essential tool of ecommerce. They are files sent by a website to your computer when you visit that website. When you return to that website, the cookie tells the site who you are (a unique computer ID), what your expressed preferences are with respect to that site, and where you’ve been on the Net. Cookies can therefore eliminate the need to repeatedly fill out a registration form every time you visit a website, and help online service providers to customize their service offerings based on the consumer’s preferences. But they also permit online advertisers and websites to surreptitiously track individual web surfing behaviour.

This month’s Consumer Reports magazine focuses on the use of cookies in online marketing. The lead article warns: “Bit by bit and click by click, intimate details of your personal life are piling up in enormous commercial databases – often without your knowledge or consent.”

  • Doubleclick is an online advertiser that uses cookies to track the surfing habits of Internet users. You don’t even have to click on the banner ad to be monitored in this way; every time you visit a webpage with a Doubleclick banner ad on it, that information is passed back to Doubleclick, which now has a database of the surfing habits of over 100 million Internet users. Last fall, Doubleclick bought an offline market research firm by the name of Abacus Direct, with the intention of linking its non-personal clickstream data with personal names, email addresses, offline purchasing habits, and other personal information held by Abacus. A huge consumer backlash in the USA caused the company to suspend its plans, at least temporarily.
  • Two other high profile websites, RealNetworks and Alexa, a subsidiary of Amazon.com, also stand accused of linking personally identifiable information with users’ Web trails. While these companies deny the charges and have taken measures to block such data matching, it is clear that the only thing stopping them from the privacy invasions of which they are accused is public pressure.
  • FreeAtLast.com, a new ISP, recently announced plans to offer free Internet access to people who agree to install software that, like Doubleclick, tracks their online behaviour and then uses the information to send targeted advertisements to them. While the ISP assures critics that it will not connect individual names with clickstream data, it will have the capacity to do so.(2) This business model – offering free services in exchange for personal information – is becoming more and more common. It raises the question: do consumers appreciate the implications of this kind of exposure?
  • Along with the trend toward personalization and customization of products and services to individual consumers, companies are increasingly engaging in “weblining”, a practice similar to the practice of “redlining”, in which lenders and other businesses marked certain neighbourhoods off-limits. “Weblining” uses your online profile to determine your choices in products and services, and even the price at which they are offered to you. Geographic stereotypes are giving way to market segmentation based on all sorts of factors, including ethnicity, age, gender, and religion. The information-gathering capabilities of the Internet, together with the information-sorting capacity of computers, now permit companies to maintain the equivalent of profit and loss statements on every customer. Those judged of minimal value receive fewer offers, and fewer opportunities. The choices presented to you will be based on a computer program’s determination of what you would most like, which in turn is based on your data profile.(3)

Online Data Security

In addition to intentional information gathering, ecommerce has opened up new opportunities for unintentional leaks and outright theft of personal information. Once personal information is amassed in a computer database, a single security breach can release a huge amount of very sensitive information. Thieves can get access to credit card information; stalkers can find out where their victims reside; vandals can interfere with stored data. It is estimated that one half to three-quarters of all commercial websites can be hacked. Some hacking experts claim to have found a way in to every site they have examined, accessing sensitive customer data, and sometimes even executing financial transactions using someone else’s account.(4)
It’s therefore not surprising that hardly a week goes by without reports of security breaches at some major website – just last week, Microsoft had to shut down its Hotmail service for four hours while it fixed a problem that permitted attackers to penetrate user accounts via email.(5)

Online Investigative Services

And then there are the investigative companies that specialize in collecting data on specific individuals and selling it to anyone who will pay the fee. If you are a frequent email user, you will likely have received at least one message claiming to “Find Anything About Anyone On The Net!” These companies are able to pull up addresses, phone numbers (even unlisted ones), physical descriptions, details of property ownership, past employment information, and social insurance numbers, for example. While this kind of service can be useful to creditors looking for evasive debtors, it can also be used by stalkers to locate their victims, as was the case in the death of a New Hampshire woman last fall.

Identity Theft

Not surprisingly, all this collection and disclosure of personal information has resulted in a new wave of identity theft, as Internet sites offer easy access to financial and other personal information with little attempt to verify the customer’s legitimacy.(6) Once they’ve got your name and social insurance number, together with other personal information about you, imposters can open up charge accounts in your name and destroy your credit. It is estimated that 400,000 Americans will suffer identity theft this year, according to a report in PCWorld Magazine.(7)

Responses to the Privacy Problem

In light of all of this, many just throw up their hands and say “there is no privacy on the Web – get used to it”. That’s certainly one way to look at it, but I would say that it is unnecessarily defeatist. It is possible, through a mix of legislated ground rules, voluntary codes of practice, and mass-marketed technological tools, to change the way that the Internet is evolving in respect of consumer privacy and to regain control over our personal information.

Technological Fixes

Privacy-enhancing technologies and tools already exist to help consumers navigate the Internet without giving away more personal information than they wish to. Web browsers allow users to control the use of cookies on their computer – you can set your browser to warn you that a cookie is about to be deposited in your computer, at which point you can choose whether or not to accept it. Alternatively, you can set your browser to refuse all cookies, in which case you may not be able to access certain websites. According to a recent survey by Cyber Dialogue, an Internet customer relationship management company, over 46% of all Web browsers are set to accept all cookies indiscriminately, without any warning to the user. Most users simply don’t know how to adjust this feature, and even if they do, most users are unable to distinguish between good and bad cookies.
At the other end of the scale are programs like Zero-Knowledge Systems’ “Freedom”, which permits users to remain anonymous as they surf the Net or send email. But most of these programs cost money, and don’t yet protect the user once he or she wants to transact online (Zero-Knowledge is working on a system to do just that). Moreover, they put the onus on users to protect their personal information without giving them the legal rights to such protection.
Privacy-enhancing technologies are an important component of the solution to the problem of privacy and security on the Internet, but they cannot do the job themselves.

Voluntary Codes of Practice

Industry self-regulation is another piece of the puzzle. Many businesses now recognize that protecting customer privacy and respecting the right of individuals to informational self-determination is good business practice in the long term, even when the immediate gains from unauthorized trading of personal information are large. Just this week, a number of the biggest American online providers together urged their compatriots to rein in data collection and trading practices, and to show government that they can and will self-regulate through effective codes of practice.
But voluntary privacy policies don’t seem to be working: a recent poll of web users found that only 38% think that most privacy policies are easy to understand.(8) Whether or not they are understandable, most voluntary privacy policies are incomplete, and come nowhere near meeting fair information standards, as set out in Canada’s new data protection legislation, for example. Moreover, many sites do not comply with their own policies: a recent study of health advice sites in the USA found that personal information was transferred to third parties in direct violation of stated privacy policies.(9) Efforts such as TRUSTe and BBBOnline’s Privacy seal in the USA have met with strong criticism by privacy advocates who point out that neither of these programs has yet withdrawn an endorsement from an approved site.

Legislation

Legislation is clearly needed to back up self-regulatory efforts and to guide technological and market developments in the direction of socially desirable and acceptable information practices. This fact is gradually coming to be recognized in the US, as polls show an increasing public demand for law regulating how personal information can be collected and used on the Internet.(10) Just this past week, for example, the FTC published a rule requiring financial institutions (broadly defined) to notify customers about the collection of personal information and to offer choice as to how that data is subsequently shared. President Clinton recently announced proposals for legislated privacy protection aimed at giving consumers more control over their personal information. Canada is clearly ahead of its major trading partner in this respect, with the recent passage of Bill C-6 – a legislative initiative for which this government should be congratulated.

Implementation of Bill C-6

However, the passage of Bill C-6 is just the beginning. Rules are of little value unless they are enforced. Indeed, tolerance of non-compliance with legislation such as this can be damaging to the rule of law generally. It is essential therefore that government put its money where its mouth is, and back up the Protection of Personal Information Act with a strong compliance plan, including adequate resources to the Privacy Commissioner, who is now faced with the enormous task of educating industry and the public, helping and coercing businesses to comply, using his powers of publicity to obtain compliance, and taking cases to court where necessary.
Without sufficient resources to do this job effectively over the next few years, there is a serious risk that we will fall flat on our faces – that widespread violations of Bill C-6 will remain the norm, that businesses will see that they can get away with it, that consumers are no better off, and that the rule of law is irreparably damaged.
We have allowed technology and market forces to get ahead of our laws and social principles over the past several years. Business plans have been built up on the basis of unauthorized gathering and sharing of personal information. This makes it all the more difficult to implement fair information practices as set out in Bill C-6. There will be resistance, and there will always be those market players who try to get away with disrespect for the law – just as with misleading advertising, for example. If we are to create a culture of respect for privacy in the new wired world, the government must do more than just lay out the rules. It must take proactive steps to ensure that this legislation is honoured not only in the breach.
Bill C-6 gives complainants the right to sue for damages in Federal Court, where companies refuse to comply with the law. Instead of state prosecution, the regime shifts the burden of enforcement to citizens, who are now expected to take non-compliant companies to court. We are skeptical, to say the least, about the effectiveness of this approach. Nevertheless, if it is to be at all effective, complainants will need assistance. It will be the rare person who is able and willing to fund a lawsuit against a company for failure to comply with this Act. If the government is going to shift the burden in this manner, it should at the very least provide some kind of funding program, such as exists for Charter challenges under the Court Challenges Program, to permit individuals to exercise their rights under the new law.
Finally, we need to monitor the effectiveness of this new legislation in dealing with the privacy and security concerns of the new wired world. We should start thinking now about what kind of information we will need in order to conduct the five year review of the Protection of Personal Information Act, and we should start tracking that information as soon as the law is enacted. We will need to know if this law deals effectively with the various threats to privacy that continue to arise. Does it, for example, adequately rein in the use of cookies? (Cookies use computer identifiers, not personal identifiers.) Does it ensure that consumer consent to secondary uses of their personal information is adequately informed and truly voluntary? Do any of the exceptions, such as disclosure for the purpose of debt collection, open up huge, unintended loopholes? This is a first attempt at legislating a whole new area of marketplace activity; it is unlikely to be perfect. We should be prepared to improve it after a few years of experience.

The International Context

With the growth of the Internet-based economy, national borders are increasingly meaningless. Privacy invasions cannot be stopped at the border. Canada cannot act alone in order to effectively protect its citizens from abusive practices. Not only is this a practical impossibility; it could raise trade barrier issues if countries do not move in tandem with each other. We should continue to work with our trading partners and multilaterally within international organizations to establish common standards of data protection world-wide.
The Canadian model, set out in the CSA International Privacy Code and Bill C-6, is a good basis on which to build international consensus. Canada should take advantage of its unique situation and move now to encourage the adoption of an international data protection standard based on its widely accepted model code and law. All that is needed is financial support to the Standards Council of Canada, in order for it to take on the job of developing international consensus around a data protection standard.
In this way, Canada would not only achieve a more level playing field for Canadian business and more meaningful protections for Canadian consumers – it would do so using the Canadian model as the basis for international agreement. Canada is uniquely poised to provide international leadership in this field. It would be a pity if we squandered this opportunity.

Privacy as a Human Right

At the same time, we must recognize the fundamental nature of privacy as a human right – something that is essential to individual dignity and autonomy. Data protection standards for businesses should therefore flow from a recognition that individual privacy, at some point, should not be treated as a negotiable commodity in the marketplace. In this respect, we look forward to legislative initiatives aimed at establishing a general right to privacy.

Recommendations

We therefore recommend:

  • that the Privacy Commissioner be provided with sufficient financial resources to effectively publicize, educate, obtain compliance and pursue non-compliant actors under the new data protection legislation;
  • that the effectiveness of the new law be monitored closely over the next five years, with a view to its Parliamentary review at that time;
  • that a fund be established, possibly as a new component of the existing Court Challenges program, to assist individual complainants in exercising their rights and enforcing the law via court actions, where appropriate;
  • that Canada take a leading role in the development of international standards of data protection through ISO, the International Organization for Standardization; and
  • that a general right to individual privacy be established in law.

Recommended Reading

Simson Garfinkel, Database Nation, (O’Reilly, Jan. 2000) (www.databasenation.com)
Jeffrey Rosen, “The Eroded Self”, The New York Times Magazine, April 30, 2000.
“Privacy 2000: In Web We Trust?”, PCWorld Magazine, May 8, 2000.

1. Rick Jackson, CEO of Privada, quoted in “Privacy 2000: In Web We Trust?”, PCWorld Magazine, May 8, 2000.
2. Jim Hu, “Start-up’s tracking software sets off privacy alarm”, CNET News.com, May 1, 2000.
3. “Weblining”, Business Week Online, April 3, 2000.
4. “ECommerce’s Dirty Little Secret”, PCWorld Magazine, May 8, 2000.
5. “Hotmail down due to hole”, WIRED News, May 10, 2000.
6. “Identity Thieves Find Easy Pickings on Web”, SPB News, May 10, 2000.
7. “They Know Everything About You”, PCWorld Magazine, May 8, 2000.
8. Poll for May issue of Wired magazine, reported in “Our Not So Private Lives”, Inter@ctive Week (ZDNet), May 1, 2000.
9. “Policies are no Insurance”, PCWorld Magazine, May 8, 2000.
10. A Business Week poll conducted in March, 2000 showed 57% of Americans polled in favour of legislated privacy protections on the Net.