Appearance Before the Standing Committee on Industry

Re: Bill C-54, Personal Information Protection and Electronic Documents Act

Tuesday, February 9, 1999
Parliament Hill, Ottawa

Richard S. Rosenberg

Vice-President,
Electronic Frontier Canada

and Professor
Department of Computer Science
University of British Columbia
Vancouver, BC V6T 1Z4
e-mail address: rosen@cs.ubc.ca

Introduction

The organization that I represent today, Electronic Frontier Canada, has been in existence almost five years. On its Web page, the following statement of purpose appears: [1]

"Electronic Frontier Canada (EFC) was founded to ensure that the principles embodied in the Canadian Charter of Rights and Freedoms remain protected as new computing, communications, and information technologies are introduced into Canadian society."

EFC has often taken a position against government intervention in Internet activities. Probably most significant is the continued resistance it has offered against attempts by governments to regulate content on the Internet. In fact, we are probably best known for our unwavering support of freedom of expression. However, in the area of the protection of personal privacy, we believe that government must play a major role for reasons to be set forth. Privacy is of great benefit to individuals, but it is an intangible good. On the other hand, it is often in the best interests of commerce if information is collected, because such information allows companies to (i) determine the interests of consumers, (ii) determine the effectiveness of advertising, and (iii) tailor marketing campaigns to individual interests. These benefits have a tangible effect on increasing revenue; therefore, there will be a strong disincentive for the private sector to develop and implement privacy policies. The only exception is if privacy can be marketed as a motherhood issue, the way "green" products are currently handled. That is, a company can increase sales if it is seen as environmentally friendly. Similarly, at least in theory, one might choose Bank of Montreal over Scotiabank if it is known that Bank of Montreal has a superior privacy policy. But in practice, there is certainly considerable doubt that such a strategy would actually work. Thus, the Federal Government must take steps to protect its citizens because it is the right thing to do and because the economy will benefit as well from an increased trust in electronic commerce transactions.

Let me state at the outset, that we, Electronic Frontier Canada (EFC), approve Bill C-54, in principle. For my part, I have studied and written about privacy issues for more than fifteen years, with a focus on the United States, the European Union and, of course, Canada. My position is best captured by the following [2]:

"There is a battle being fought in the U.S., and elsewhere, with respect to the protection of privacy on the Internet. In response to public concern, various government bodies in the U.S., Canada, and Europe have explored approaches to the protection of personal privacy on the Internet, with differing results. At the same time, Internet consumer and civil liberties groups, and business and newly emerging industry groups, have proposed their solutions to the perceived problems. In this paper, we will articulate the various positions and attempt to identify and evaluate the dominant themes. In the end, we will propose an approach that requires government intervention, sometimes referred to as the European model. "

This brief will be directed only towards Part 1, the Protection of Personal Information in the Private Sector, of Bill C-54. In the area of the protection of personal privacy, there seems to be no alternative to a legislative approach, as already implemented in the European Union with the Privacy Directive that took effect on October 25, 1998. In the U.S., a comprehensive legislative approach has so far been rejected, although in the last Congress a bill was passed protecting the privacy of children [3] and in the current one, it is anticipated that medical records will receive some form of government protection. With the passage of Bill C-54, the Canadian Parliament can bring privacy protection to Canadians in some, not all, of their Internet activities.

I would like to briefly point out a few areas in which privacy protection must be improved. These suggestions should be seen in the context of an overall approval of Bill C-54 and in the recognition of the realities of Canadian political and economic life that seem to preclude a stronger legislative approach. In this context, the following issues are of concern. As a general principle of electronic commerce, the default situation should be that no information is collected unless permission is given. That is, it should be the responsibility of the agency or company that wishes to obtain personal information to first secure permission. This principle conforms to a general requirement of informed consent that must underlie all transactions in recognition of the long-accepted Fair Information Practices [Note 1.]. A considerable amount of information is regularly collected on the Internet, usually without the awareness of the online consumer. "Cookies," the ubiquitous means by which Web behaviour is captured, is the prime exemplar of this concern. If the default condition as proposed is accepted, then cookies and other similar means for gathering online information will not operate in the background, hidden from the average person.

It is also important that the online consumer be informed that the protections offered by this Bill only apply to interprovincial transactions and to those between Canada and other countries. In the latter case, of course, Canada has little if any control over how other countries deal with the personal information of Canadians. Given that so much information about Canadians is stored and processed on American computers, the Canadian government must do all it can to protect such information. Finally, a number of specific points in the Bill will be addressed.

Informed Consent

Those supporters of a self-regulatory approach to privacy protection point out that it is clearly in the self-interest of industry to protect the personal information of its customers. Simply put, they argue, it is good business to maintain a reputation for respecting consumer rights. In actual practice, however, the performance of industry leaves much to be desired. Consider the following from a press release of the U.S. Federal Trade Commission in June 1998 [4]:

Consumers have little privacy protection on the Internet, the Federal Trade Commission said today as it released its "Report to Congress on Privacy Online." The report, a comprehensive analysis of the effectiveness of self-regulation as a means of protecting consumer privacy on the World Wide Web, is the result of the Commission's three-year privacy initiative. It concludes that "industry's efforts to encourage voluntary adoption of the most basic fair information practices have fallen short of what is needed to protect consumers."

The Commission's survey of over 1,400 Web sites was broken down into six samples and also revealed that only 14 percent of the sample (674) reflecting all U.S. commercial web sites provide any notice of their information collection practices. Fewer still -- approximately two percent -- provide a comprehensive privacy policy.

Thus, I would argue strongly that when a person visits a Web site, no personal information be collected until a choice is presented and an affirmative action is taken. That is, the default condition should be that the company obtains no information until the user gives his or her permission. In this regard let me describe the operation of that ubiquitous Web activity, the depositing of cookies.

Cookies

The following description is taken from [2]:

"Cookies are probably the most widely used tool to gather information about visitors to Web sites. Although most Internet users are familiar with the term, both the uses and misuses of cookies are largely a mystery. Cookies (or persistent client side information) are pieces of text deposited by a Web server either on the user's hard drive or at the visited Web site. Their ostensible purpose is to provide the Web site with information about visitors to assist them more efficiently on subsequent visits. See [5] and [6] for more information. However, there are a number of privacy concerns; for one thing, the user may not wish to have this information collected and stored, and for another, he or she may be concerned about other uses to which the information may be put. It is possible to be informed by the browser that a request is being made for a cookie to be deposited, but only if an option on the browser is set in advance, a feature not generally advertised. Furthermore it may be virtually impossible to visit some sites if permission to deposit a cookie is not given."

It should be noted that in browsers such as Netscape's Communicator or Navigator and Microsoft's Internet Explorer, the default condition is that no notification is given to the user that cookies are being deposited. That is, for most users no information is supplied, when initiating browser activities, that cookies are being deposited. It is necessary that an informed user select the Preferences option under the Edit tab of the Netscape menu, for example, and then select the Advanced option and click on the appropriate cookies option. Unless one is a dedicated and well-informed Internet user, it is difficult to acquire the necessary knowledge. Furthermore, if the option to be informed about cookies is selected, it becomes extremely inconvenient to carry on browser activities because of the frequency with which requests are made. Thus even many informed users may reluctantly turn off the request condition, in order to facilitate ease of use. It is because of such applications of the technology, that provide optimal conditions for the gathering of information in a largely surreptitious manner, that I would argue for the default position given above. Bill C-54 as written assumes that businesses will operate in an open manner and provides no reason for changing such practices as have just been described.

The Occurrences of "Should" in Schedule 1

Bill C-54 states in Division 1, Paragraph 5. (2), "The word 'should', when used in Schedule 1, indicates a recommendation and does not impose an obligation."

Clauses 4.2.3 and 4.3.6

By my count, the word "should" appears eleven times in Schedule 1. Thus in all these contexts no obligation is imposed. Many of these occurrences seem to define a reasonable mode of operation but not all. For example, Clause 4.2.3 reads in part, "The identified purposes should be specified at or before the time of collection to the individual from whom the personal information is collected. . . " Note that 4.2 Principle 2 - Identifying Purposes reads "The purposes for which information is collected shall be identified by the organization at or before the time the information is collected." Based on the discussion presented above, I would argue that this occurrence of "should" must be replaced by "shall" if online consumers are to be protected. In addition, the default condition must obtain; otherwise much of the intended protection is illusory. This argument is also intended to apply to Clause 4.3.6, which reads in part, "An organization should generally seek express consent when the information is likely to be considered sensitive." Surely in such cases, the consumer can only be protected if organizations are required to seek informed consent, in the full meaning of this term as applied to electronic transactions. If a consumer is unaware that information is being collected, then no consent at all has been obtained. This situation would be a serious failing in implementing the intent of the Bill and I would argue that it be rectified.

Clause 4.3.7 (b)

Furthermore, Clause 4.3.7 (b) is a clear example of the wrong default condition, at odds with the arguments made here. It reads, "a checkoff box may be used to allow individuals to request that their names and addresses not be given to other organizations. Individuals who do not check the box are assumed to consent to the transfer of this information to third parties." I would argue that such an option must be made available to individuals. It cannot be the case that one should assume that permitting an organization to collect and use personal information implies the right of that organization to sell or transfer such information to third parties, unless explicit permission has been obtained. To do otherwise would be a clear violation of the third principle of Fair Information Practices, namely, "There must be a way for an individual to prevent information about him that was obtained for one purpose from being used or made available for other purposes without his consent." The way must be up front, clear, and explicit. This is one case where a certain degree of organizational inconvenience, irrelevant in the defense of the right to privacy, is necessary in order to provide effective privacy protection.

Clause 4.9.3

Clause 4.9.3 reads in part, "In providing an account of third parties to which it has disclosed personal information about an individual, an organization should attempt to be as specific as possible." This statement is just too weak in an age when vast amounts of information are collected, sold, and resold in a global traffic of personal information, for the benefit of direct marketing, credit, and retail industries. Informed consent as an overriding principle could limit the ceaseless flow of information that operates beyond the purview of the individual. If a company profits by the collection, processing, and sale of personal information it must be required to obtain permission from the customer. The default condition should not be that once collected transactional information is owned by the company that provides the product or service. The information is not a cost-free bonus. If the company wants to use it beyond the immediate purposes of the transaction it must obtain the unambiguous approval of the customer.

Clause 4.10.2

Let me turn to Clause 4.10.2 under Principle 10 - Challenging Compliance. This clause reads in part, "The complaint procedures should be easily accessible and simple to use." Why permit organizational discretion in this crucial situation? Principle 4 of the Fair Information Practices states that, "There must be a way for an individual to correct or amend a record of identifiable information about him." It is necessary that the complaint procedure must be "easily accessible and simple to use." Organizations should have no option. How difficult is it to have clear and straightforward procedures presented on a Web page linked in an obvious fashion to the organization's home page? Thus, while the Internet facilitates commercial transactions, it can also facilitate consumer privacy awareness in an effective manner with visually pleasing, informative information, including restrictions on the use of cookies and similar devices, consent boxes to tick off, and contact information for more details. None of these requirements is burdensome, compared to the effort necessary to establish a commercial Web presence.

Coverage of Bill C-54

I am aware that in effect the Bill depends on the Trade and Commerce powers of the Federal Government to achieve its intent. As such, intraprovincial activities are unregulated for three years after the legislation comes into effect. [Subsection 30. (2)] For this period, how will the consumer determine whether or not his or her privacy rights are being protected by Bill C-54? There are more difficulties in respect to jurisdiction. Given that so much personal information on Canadians flows to the U.S. where it is stored, processed, transferred and generally used beyond the jurisdiction of the Canadian Government, what real protection does the Bill offer? It will be necessary, at the least, for Canada to obtain the agreement of U.S. companies that do business in Canada, that personal information of Canadians that is transferred to the U.S. receive protection equivalent to that in force in Canada. I can imagine that Canada will be in a similar situation to the European Community when its Privacy Directive came into force last year. Whether the Bill should be amended to reflect these concerns, I do not know, but they should not be ignored, if the aim of the legislation is to offer Canadians meaningful and workable privacy protection. In fact, I would go further and urge Canada to take the lead in developing rules for the global movement of personal information.

I would also like to comment on subsection 24. (c), "The Commissioner shall encourage organizations to develop detailed policies and practices, including organizational codes of practice, to comply with sections 5 to 10 ..." Let me encourage Parliament to strengthen this statement. Based on the arguments made in this submission, it must follow that the protection of privacy intended to be in force by this Bill requires that companies publicly adhere to a common, well-understood and well-advertised code, that is CAN/CSA-Q830-96 (as modified by suggestions made herein). Why should it not be incumbent upon all companies that collect personal information to adopt this "Code for the Protection of Personal Information" publicly? Wouldn't it be more straightforward for all companies to be required to give notice that they have in place policies that adhere to the code, upon the legislation coming into effect than for them to come aboard gradually, or not at all?

Final Remarks

Although many examples could be offered to demonstrate that technological developments contribute to a relentless assault on personal privacy in the age of the Internet, only one recent event will be briefly described here because it is illustrative of several critical points. On January 22 of this year, Wired News, among many news agencies, reported the following [8]:

"Intel Thursday said that its next-generation processors include a feature that will identify online users as they traverse the Web.

Intel says its Processor Serial Number Control utility will protect e-commerce transactions. When the feature is activated, the computer's identifier can be matched against the sensitive information the user inputs, validating the exchange. Intel (INTC) also claims that the new utility will make pirating software more difficult.

Pirates are unimpressed. Privacy advocates are worried.

Their fear is that the feature can be used to identify users who visit sites without making a purchase, even when they haven't voluntarily given out their information."

There is more. On January 25, The New York Times reported a plan by privacy advocacy groups to call for a boycott of Intel products [9]:

"While Intel has touted the new technology, to be included in their upcoming Pentium III chips, as an advancement for secure electronic commerce, privacy advocates fear it will mark the end of anonymity on the Internet and allow companies to collect detailed profiles of consumers, which could then be resold.

The campaign against Intel, which is being organized by a group called Junkbusters and the Electronic Privacy Information Center, adopted a parody of the company's ubiquitous 'Intel Inside' logo, using the familiar Intel swirl with the words, 'Big Brother Inside.'"

And finally, the following day, Intel responded to privacy concerns [10]:

"Intel Corp. backed away on Monday from a plan to embed an identifying signature in its next generation of computer chips, bowing to protests that the technology would compromise the privacy of users.

On Monday, Intel said it would modify the identification system in the new chips so that it is automatically disabled unless the computer user voluntarily turns it on. The company said it would also offer free software to allow customers to turn off the feature permanently.

'We've always understood that there are security questions that get raised when someone is providing identification in a transaction,' Tom Waldrop, an Intel spokesman, said in explaining the reversal. 'Whether an individual is showing a driver's license or handing over a credit card number, it always raises a privacy question. We have done things to address that. You have to weigh the positive value of having more secured Internet transactions, more secure electronic commerce, against any privacy concerns.'"

Note that, although it protested, Intel agreed to set the default condition to off unless the owner decides that the security and anti-piracy benefits over-ride the loss in privacy. But in the end, it must be the consumer that takes a positive step to set a condition or to give permission for an action to be initiated. That Intel was so insensitive to the heightened concern about privacy issues that exists within the Internet community is somewhat surprising, but quite revealing and instructive. This story has one more interesting wrinkle that lends support to our case. In a recent article posted in the form of a FAQ (Frequently Asked Questions) on Zdnet, the author notes that [11],

"Contrary to what you might have heard or read, Intel's design for the Pentium III does not -- at least, as of this writing -- turn the serial number off by default. According to Intel, the serial number feature is active when the computer is powered up and must be turned off by software. (Once it's been turned off, it will not turn on again until power is removed and reapplied.)

What Intel is proposing is to provide a software utility that runs when the PC starts up -- say, from your CONFIG.SYS file if you're running Microsoft Windows -- that turns the serial number off unless you elect to leave it on. But there are problems with this scheme. If you aren't running the latest software, but instead upgrade your motherboard or move your hard disk to a new machine, the Intel utility won't be present on your system; the serial number feature will then stay on. If you're running an alternative operating system, such as Linux or NetWare, there might not be any built-in utility for it that disables the serial number."

The Intel case is not unique; it is an important example, however, of an endless stream of technological innovations that have societal implications, in this instance privacy. Only a vigilant community can recognize these threats and take actions to combat them. The burden on the individual is too great to act alone, to say nothing of being positioned to identify the assaults on privacy. Legislation such as Bill C-54 is desperately needed to safeguard all Canadian Internet users but only if that legislation incorporates effective and workable privacy defaults, that place the burden on companies to provide the facilities outlined above. A strengthened Bill C-54 would provide continuing protection against the threats of an ongoing stream of new and powerful devices and methods. Canadians deserve no less.

Notes

1. Fundamental Principles of Fair Information Practices [7]

There must be no personal-data record-keeping systems whose very existence is secret.

There must be a way for an individual to find out what information about him is in a record and how it is used.

There must be a way for an individual to prevent information about him that was obtained for one purpose from being used or made available for other purposes without his consent.

There must be a way for an individual to correct or amend a record of identifiable information about him.

Any organization creating, maintaining, using or disseminating records or identifiable personal data must assure the reliability of data for their intended use and must take precautions to prevent misuse of the data.

References

[1] Electronic Frontier Canada Web site: <http://efc.ca>.

[2] Richard S. Rosenberg, Privacy protection on the Internet: the marketplace versus the state. Wiring the World: The Impact of Information Technology on Society, IEEE Society on Social Implications of Technology, Indiana University South Bend, June 12-13, 1998, pp. 138-147.

[3] Children's Online Privacy Protection Act of 1998. Available at the Web page with URL: <http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=105_cong_bills&docid=f:s2326is.txt.pdf>

[4] "FTC Releases Report on Consumers' Online Privacy," June 4, 1998. Available at the Web page with URL: <http://www.ftc.gov/opa/9806/privacy2.htm>. The report itself, "Privacy Online: A Report to Congress," is available at the Web page with URL: <http://www.ftc.gov/reports/privacy3/priv-23a.pdf>.

[5] CIAC Information Bulletin, I-034: Internet Cookies, Computer Incident Advisory Capability, U.S. Department of Energy. Accessed from the Web page with URL: <http://ciac.llnl.gov/ciac/bulletins/i-034.shtml> on March 14, 1998.

[6] R. O'Harrow Jr., "Picking up on 'cookie' crumbs," Washington Post, March 9, 1998, p. F 25.

[7] Records, Computers, and the Rights of Citizens, U.S. Dept. of Health, Report to the Secretary's Advisory Committee on Automated Personal Data Systems (Washington, D.C., 1973), p. 41.

[8] Sprenger, Polly, "Pirates Sneer at Intel Chip," June 22, 1999. Wired News. Available at Web page with URL: <http://www.wired.com/news/print_version/technology/story/17478.html?wnpg=all>

[9] Clausing, Jeri, "Boycott of Intel Planned," January 25, 1999, The New York Times. Available at the Web page with URL: <http://www.nytimes.com/library/tech/99/01/cyber/articles/25privacy.html>.

[10] Clausing, Jeri, "Intel Alters Plan Said to Undermine PC Users' Privacy," January 26, 1999, The New York Times. Available at the Web page with URL: <http://www.nytimes.com/library/tech/99/01/cyber/articles/26internet.html>.

[11] Glass, Brett, "Serial Number Really on by Default," Zdnet, January 30, 1999. Available at the Web page with URL: <http://www.zdnet.com/zdhelp/static/p3/p3_3.html>.

Publications by Richard S. Rosenberg with Specific Reference to Privacy Issues:

Books:

The Social Impact of Computers, Second Edition. (San Diego, CA: Academic Press) 1997, 522 pp. (First Edition 1992.)

Computers and the Information Society (New York: John Wiley & Sons) 1986, 397 pp.

Papers:

Privacy protection on the Internet: the marketplace versus the state. Wiring the World: The Impact of Information Technology on Society, IEEE Society on Social Implications of Technology, Indiana University South Bend, June 12-13, 1998, pp. 138-147. Also available at the Web page with URL: <http://www.ntia.doc.gov/ntiahome/privacy/files/5com.txt>.

The workplace on the verge of the 21st century. ETHICOMP98, The Fourth International Conference on Ethical Issues of Information Technology, Erasmus University, The Netherlands, 25 to 27 March 1998.

The politics of privacy on the information highway. Global Networking '97 Joint Conference, Vol. II, pp. 174 - 183. June 15 -18, 1997, Calgary, Alberta.

The politics of privacy on the global information highway. Culture and Democracy Revisited in the Global Information Society, May 8 - 10, 1997, Corfu, a Working Conference organized by Working Group 9.2: Social Accountability of Computing, International Federation for Information Processing.

Other Activities:

Visiting Professor, Technical University of Darmstadt, May-June 1998. Gave four lectures on privacy issues at Darmstadt and at the University of Bonn.

Interview and participation in a piece for the CBC National Magazine on threats to personal privacy with Hana Gartner, May 18, 1998.

Invited by Industry Canada to participate in a workshop to review the White Paper, The Protection of Personal Information, January 1998. Ottawa, February 4 -5, 1998.

Invited participant to a U.S. NRC Workshop, What Everyone Should Know About Information Technology, Irvine, CA, January 14-15, 1998.