Re: Bill C-54, Personal Information Protection and Electronic Documents Act
Tuesday, February 9, 1999
Parliament Hill, Ottawa
Richard S. Rosenberg
Vice-President,
Electronic Frontier Canada
and Professor
Department of Computer Science
University of British Columbia
Vancouver, BC V6T 1Z4
Introduction
The organization that I represent today, Electronic Frontier Canada,
has been in existence almost five years. On its Web page, the
following statement of purpose appears: [1]
"Electronic Frontier Canada (EFC) was founded to ensure that
the principles embodied in the Canadian Charter of Rights and
Freedoms remain protected as new computing, communications, and
information technologies are introduced into Canadian society."
EFC has often taken a position against government intervention
in Internet activities. Probably most significant is the continued
resistance it has offered against attempts by governments to regulate
content on the Internet. In fact, we are probably best known for
our unwavering support of freedom of expression. However, in the
area of the protection of personal privacy, we believe that government
must play a major role for reasons to be set forth. Privacy is
of great benefit to individuals, but it is an intangible good.
On the other hand, it is often in the best interests of commerce
if information is collected, because such information allows companies
to (i) determine the interests of consumers, (ii) determine the
effectiveness of advertising, and (iii) tailor marketing campaigns
to individual interests. These benefits have a tangible effect
on increasing revenue; therefore, there will be a strong disincentive
for the private sector to develop and implement privacy policies.
The only exception is if privacy can be marketed as a motherhood
issue, the way "green" products are currently handled.
That is, a company can increase sales if it is seen as environmentally
friendly. Similarly, at least in theory, one might choose Bank
of Montreal over Scotiabank if it is known that Bank of Montreal
has a superior privacy policy. But in practice, there is certainly
considerable doubt that such a strategy would actually work. Thus,
the Federal Government must take steps to protect its citizens
because it is the right thing to do and because the economy will
benefit as well from an increased trust in electronic commerce
transactions.
Let me state at the outset, that we, Electronic Frontier Canada
(EFC), approve Bill C-54, in principle. For my part, I have studied
and written about privacy issues for more than fifteen years,
with a focus on the United States, the European Union and, of
course, Canada. My position is best captured by the following
[2]:
"There is a battle being fought in the U.S., and elsewhere,
with respect to the protection of privacy on the Internet. In
response to public concern, various government bodies in the U.S.,
Canada, and Europe have explored approaches to the protection
of personal privacy on the Internet, with differing results. At
the same time, Internet consumer and civil liberties groups, and
business and newly emerging industry groups, have proposed their
solutions to the perceived problems. In this paper, we will articulate
the various positions and attempt to identify and evaluate the
dominant themes. In the end, we will propose an approach that
requires government intervention, sometimes referred to as the
European model."
This brief will be directed only towards Part 1, the Protection
of Personal Information in the Private Sector, of Bill C-54. In
the area of the protection of personal privacy, there seems to
be no alternative to a legislative approach, as already implemented
in the European Union with the Privacy Directive that took effect
on October 25, 1998. In the U.S., a comprehensive legislative
approach has so far been rejected, although in the last Congress
a bill was passed protecting the privacy of children [3] and in
the current one, it is anticipated that medical records will receive
some form of government protection. With the passage of Bill C-54,
the Canadian Parliament can bring privacy protection to Canadians
in some, not all, of their Internet activities.
I would like to briefly point out a few areas in which privacy
protection must be improved. These suggestions should be seen
in the context of an overall approval of Bill C-54 and in the
recognition of the realities of Canadian political and economic
life that seem to preclude a stronger legislative approach. In
this context, the following issues are of concern. As a general
principle of electronic commerce, the default situation should
be that no information is collected unless permission is given.
That is, it should be the responsibility of the agency or company
that wishes to obtain personal information to first secure permission.
This principle conforms to a general requirement of informed consent
that must underlie all transactions in recognition of the long-accepted
Fair Information Practices [Note 1.]. A considerable amount of
information is regularly collected on the Internet, usually without
the awareness of the online consumer. "Cookies," the
ubiquitous means by which Web behaviour is captured, are the prime
exemplar of this concern. If the default condition as proposed
is accepted, then cookies and other similar means for gathering
online information will not operate in the background, hidden
from the average person.
It is also important that the online consumer be informed that
the protections offered by this Bill only apply to interprovincial
transactions and to those between Canada and other countries.
In the latter case, of course, Canada has little if any control
over how other countries deal with the personal information of
Canadians. Given that so much information about Canadians is stored
and processed on American computers, the Canadian government must
do all it can to protect such information. Finally, a number of
specific points in the Bill will be addressed.
Informed Consent
Those supporters of a self-regulatory approach to privacy protection
point out that it is clearly in the self-interest of industry
to protect the personal information of its customers. Simply put,
they argue, it is good business to maintain a reputation for respecting
consumer rights. In actual practice, however, the performance
of industry leaves much to be desired. Consider the following
from a press release of the U.S. Federal Trade Commission in June
1998 [4]:
Consumers have little privacy protection on the Internet, the Federal Trade Commission said today as it released its "Report to Congress on Privacy Online." The report, a comprehensive analysis of the effectiveness of self-regulation as a means of protecting consumer privacy on the World Wide Web, is the result of the Commission's three-year privacy initiative. It concludes that "industry's efforts to encourage voluntary adoption of the most basic fair information practices have fallen short of what is needed to protect consumers."
The Commission's survey of over 1,400 Web sites was broken down
into six samples and also revealed that only 14 percent of the
sample (674) reflecting all U.S. commercial web sites provide
any notice of their information collection practices. Fewer still
-- approximately two percent -- provide a comprehensive privacy
policy.
Thus, I would argue strongly that when a person visits a Web site,
no personal information be collected until a choice is presented
and an affirmative action is taken. That is, the default condition
should be that the company obtains no information until the user
gives his or her permission. In this regard let me describe the
operation of that ubiquitous Web activity, the depositing of cookies.
Cookies
The following description is taken from [2]:
"Cookies are probably the most widely used tool to gather
information about visitors to Web sites. Although most Internet
users are familiar with the term, both the uses and misuses of
cookies are largely a mystery. Cookies (or persistent client side
information) are pieces of text deposited by a Web server either
on the user's hard drive or at the visited Web site. Their ostensible
purpose is to provide the Web site with information about visitors
to assist them more efficiently on subsequent visits. See [5]
and [6] for more information. However, there are a number of privacy
concerns; for one thing, the user may not wish to have this information
collected and stored, and for another, he or she may be concerned
about other uses to which the information may be put. It is possible
to be informed by the browser that a request is being made for
a cookie to be deposited, but only if an option on the browser
is set in advance, a feature not generally advertised. Furthermore
it may be virtually impossible to visit some sites if permission
to deposit a cookie is not given."
It should be noted that in browsers such as Netscape's Communicator
or Navigator and Microsoft's Internet Explorer, the default condition
is that no notification is given to the user that cookies are
being deposited. That is, for most users no information is supplied,
when initiating browser activities, that cookies are being deposited.
It is necessary that an informed user select the Preferences option
under the Edit tab of the Netscape menu, for example, and then
select the Advanced option and click on the appropriate cookies
option. Unless one is a dedicated and well-informed Internet user,
it is difficult to acquire the necessary knowledge. Furthermore,
if the option to be informed about cookies is selected, it becomes
extremely inconvenient to carry on browser activities because
of the frequency with which requests are made. Thus even many
informed users may reluctantly turn off the request condition,
in order to facilitate ease of use. It is because of such applications
of the technology, that provide optimal conditions for the gathering
of information in a largely surreptitious manner, that I would
argue for the default position given above. Bill C-54 as written
assumes that businesses will operate in an open manner and provides
no reason for changing such practices as have just been described.
The Occurrences of "Should" in Schedule 1
Bill C-54 states in Division 1, Paragraph 5. (2), "The word
'should', when used in Schedule 1, indicates a recommendation
and does not impose an obligation."
Clauses 4.2.3 and 4.3.6
By my count, the word "should" appears eleven times
in Schedule 1. Thus in all these contexts no obligation is imposed.
Many of these occurrences seem to define a reasonable mode of
operation but not all. For example, Clause 4.2.3 reads in part,
"The identified purposes should be specified at or before
the time of collection to the individual from whom the personal
information is collected. . ." Note that 4.2 Principle 2
- Identifying Purposes reads "The purposes for which information
is collected shall be identified by the organization at or before
the time the information is collected." Based on the discussion
presented above, I would argue that this occurrence of "should"
must be replaced by "shall" if online consumers are
to be protected. In addition, the default condition must obtain;
otherwise much of the intended protection is illusory. This argument
is also intended to apply to Clause 4.3.6, which reads in part,
"An organization should generally seek express consent when
the information is likely to be considered sensitive." Surely
in such cases, the consumer can only be protected if organizations
are required to seek informed consent, in the full meaning of
this term as applied to electronic transactions. If a consumer
is unaware that information is being collected, then no consent
at all has been obtained. This situation would be a serious failing
in implementing the intent of the Bill and I would argue that
it be rectified.
Clause 4.3.7 (b)
Furthermore, Clause 4.3.7 (b) is a clear example of the wrong
default condition, at odds with the arguments made here. It reads,
"a checkoff box may be used to allow individuals to request
that their names and addresses not be given to other organizations.
Individuals who do not check the box are assumed to consent to
the transfer of this information to third parties." I would
argue that such an option must be made available to individuals.
It cannot be the case that one should assume that permitting an
organization to collect and use personal information implies the
right of that organization to sell or transfer such information
to third parties, unless explicit permission has been obtained.
To do otherwise would be a clear violation of the third principle
of Fair Information Practices, namely, "There must be a way
for an individual to prevent information about him that was obtained
for one purpose from being used or made available for other purposes
without his consent." The way must be up front, clear, and
explicit. This is one case where a certain degree of organizational
inconvenience, irrelevant in the defense of the right to privacy,
is necessary in order to provide effective privacy protection.
Clause 4.9.3
Clause 4.9.3 reads in part, "In providing an account of third
parties to which it has disclosed personal information about an
individual, an organization should attempt to be as specific as
possible." This statement is just too weak in an age when
vast amounts of information are collected, sold, and resold in
a global traffic of personal information, for the benefit of direct
marketing, credit, and retail industries. Informed consent as
an overriding principle could limit the ceaseless flow of information
that operates beyond the purview of the individual. If a company
profits by the collection, processing, and sale of personal information
it must be required to obtain permission from the customer. The
default condition should not be that, once collected, transactional
information is owned by the company that provides the product
or service. The information is not a cost-free bonus. If the company
wants to use it beyond the immediate purposes of the transaction
it must obtain the unambiguous approval of the customer.
Clause 4.10.2
Let me turn to Clause 4.10.2 under Principle 10 - Challenging
Compliance. This clause reads in part, "The complaint procedures
should be easily accessible and simple to use." Why permit
organizational discretion in this crucial situation? Principle
4 of the Fair Information Practices states that, "There must
be a way for an individual to correct or amend a record of identifiable
information about him." It is necessary that the complaint
procedure must be "easily accessible and simple to use."
Organizations should have no option. How difficult is it to have
clear and straightforward procedures presented on a Web page linked
in an obvious fashion to the organization's home page? Thus, while
the Internet facilitates commercial transactions, it can also
facilitate consumer privacy awareness in an effective manner with
visually pleasing, informative information, including restrictions
on the use of cookies and similar devices, consent boxes to tick
off, and contact information for more details. None of these requirements
is burdensome, compared to the effort necessary to establish a
commercial Web presence.
Coverage of Bill C-54
I am aware that in effect the Bill depends on the Trade and Commerce
powers of the Federal Government to achieve its intent. As such,
intraprovincial activities are unregulated for three years after
the legislation comes into effect. [Subsection 30. (2)] For this
period, how will the consumer determine whether or not his or
her privacy rights are being protected by Bill C-54? There are
more difficulties in respect to jurisdiction. Given that so much
personal information on Canadians flows to the U.S. where it is
stored, processed, transferred and generally used beyond the jurisdiction
of the Canadian Government, what real protection does the Bill
offer? It will be necessary, at the least, for Canada to obtain
the agreement of U.S. companies that do business in Canada, that
personal information of Canadians that is transferred to the U.S.
receive protection equivalent to that in force in Canada. I can
imagine that Canada will be in a similar situation to the European
Community when its Privacy Directive came into force last year.
Whether the Bill should be amended to reflect these concerns,
I do not know, but they should not be ignored, if the aim of the
legislation is to offer Canadians meaningful and workable privacy
protection. In fact, I would go further and urge Canada to take
the lead in developing rules for the global movement of personal
information.
I would also like to comment on subsection 24. (c), "The
Commissioner shall encourage organizations to develop detailed
policies and practices, including organizational codes of practice,
to comply with sections 5 to 10 ..." Let me encourage Parliament
to strengthen this statement. Based on the arguments made in this
submission, it must follow that the protection of privacy intended
to be in force by this Bill requires that companies publicly adhere
to a common, well-understood and well-advertised code, that is
CAN/CSA-Q830-96 (as modified by suggestions made herein). Why
should it not be incumbent upon all companies that collect personal
information to adopt this "Code for the Protection of Personal
Information" publicly? Wouldn't it be more straightforward
for all companies to be required to give notice that they have
in place policies that adhere to the code, upon the legislation
coming into effect than for them to come aboard gradually, or
not at all?
Final Remarks
Although many examples could be offered to demonstrate that technological developments contribute to a relentless assault on personal privacy in the age of the Internet, only one recent event will be briefly described here because it is illustrative of several critical points. On January 22 of this year, Wired News, among many news agencies, reported the following [8]:
"Intel Thursday said that its next-generation processors include a feature that will identify online users as they traverse the Web.
Intel says its Processor Serial Number Control utility will protect e-commerce transactions. When the feature is activated, the computer's identifier can be matched against the sensitive information the user inputs, validating the exchange. Intel (INTC) also claims that the new utility will make pirating software more difficult.
Pirates are unimpressed. Privacy advocates are worried.
Their fear is that the feature can be used to identify users who
visit sites without making a purchase, even when they haven't
voluntarily given out their information."
There is more. On January 25, The New York Times reported a plan
by privacy advocacy groups to call for a boycott of Intel products
[9]:
"While Intel has touted the new technology, to be included in their upcoming Pentium III chips, as an advancement for secure electronic commerce, privacy advocates fear it will mark the end of anonymity on the Internet and allow companies to collect detailed profiles of consumers, which could then be resold.
The campaign against Intel, which is being organized by a group
called Junkbusters and the Electronic Privacy Information Center,
adopted a parody of the company's ubiquitous 'Intel Inside' logo,
using the familiar Intel swirl with the words, 'Big Brother Inside.'"
And finally, the following day, Intel responded to privacy concerns
[10]:
"Intel Corp. backed away on Monday from a plan to embed an identifying signature in its next generation of computer chips, bowing to protests that the technology would compromise the privacy of users.
On Monday, Intel said it would modify the identification system in the new chips so that it is automatically disabled unless the computer user voluntarily turns it on. The company said it would also offer free software to allow customers to turn off the feature permanently.
'We've always understood that there are security questions that
get raised when someone is providing identification in a transaction,'
Tom Waldrop, an Intel spokesman, said in explaining the reversal.
'Whether an individual is showing a driver's license or handing
over a credit card number, it always raises a privacy question.
We have done things to address that. You have to weigh the positive
value of having more secured Internet transactions, more secure
electronic commerce, against any privacy concerns.'"
Note that, although it protested, Intel agreed to set the default
condition to off unless the owner decides that the security and
anti-piracy benefits override the loss in privacy. But in the
end, it must be the consumer that takes a positive step to set
a condition or to give permission for an action to be initiated.
That Intel was so insensitive to the heightened concern about
privacy issues that exists within the Internet community is somewhat
surprising, but quite revealing and instructive. This story has
one more interesting wrinkle that lends support to our case. In
a recent article posted in the form of a FAQ (Frequently Asked
Questions) on Zdnet, the author notes that [11],
"Contrary to what you might have heard or read, Intel's design for the Pentium III does not -- at least, as of this writing -- turn the serial number off by default. According to Intel, the serial number feature is active when the computer is powered up and must be turned off by software. (Once it's been turned off, it will not turn on again until power is removed and reapplied.)
What Intel is proposing is to provide a software utility that
runs when the PC starts up -- say, from your CONFIG.SYS file if
you're running Microsoft Windows -- that turns the serial number
off unless you elect to leave it on. But there are problems with
this scheme. If you aren't running the latest software, but instead
upgrade your motherboard or move your hard disk to a new machine,
the Intel utility won't be present on your system; the serial
number feature will then stay on. If you're running an alternative
operating system, such as Linux or NetWare, there might not be
any built-in utility for it that disables the serial number."
The Intel case is not unique; it is an important example, however,
of an endless stream of technological innovations that have societal
implications, in this instance privacy. Only a vigilant community
can recognize these threats and take actions to combat them. The
burden on the individual is too great to act alone, to say nothing
of being positioned to identify the assaults on privacy. Legislation
such as Bill C-54 is desperately needed to safeguard all Canadian
Internet users but only if that legislation incorporates effective
and workable privacy defaults, that place the burden on companies
to provide the facilities outlined above. A strengthened Bill
C-54 would provide continuing protection against the threats of
an ongoing stream of new and powerful devices and methods. Canadians
deserve no less.
Notes
1. Fundamental Principles of Fair Information Practices [7]
There must be no personal-data record-keeping systems whose very existence is secret.
There must be a way for an individual to find out what information about him is in a record and how it is used.
There must be a way for an individual to prevent information about him that was obtained for one purpose from being used or made available for other purposes without his consent.
There must be a way for an individual to correct or amend a record of identifiable information about him.
Any organization creating, maintaining, using or disseminating
records or identifiable personal data must assure the reliability
of data for their intended use and must take precautions to prevent
misuse of the data.
References
[1] Electronic Frontier Canada Web site: <http://efc.ca>.
[2] Richard S. Rosenberg, Privacy protection on the Internet: the marketplace versus the state. Wiring the World: The Impact of Information Technology on Society, IEEE Society on Social Implications of Technology, Indiana University South Bend, June 12-13, 1998, pp. 138-147.
[3] Children's Online Privacy Protection Act of 1998
Available at the Web page with URL: <http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=105_cong_bills&docid=f:s2326is.txt.pdf>
[4] "FTC Releases Report on Consumers' Online Privacy," June 4, 1998. Available at the Web page with URL: <http://www.ftc.gov/opa/9806/privacy2.htm>. The report itself, "Privacy Online: A Report to Congress," is available at the Web page with URL: <http://www.ftc.gov/reports/privacy3/priv-23a.pdf>.
[5] CIAC Information Bulletin, I-034: Internet Cookies, Computer Incident Advisory Capability, U.S. Department of Energy. Accessed from the Web page with URL: <http://ciac.llnl.gov/ciac/bulletins/i-034.shtml> on March 14, 1998.
[6] R. O'Harrow Jr., "Picking up on 'cookie' crumbs," Washington Post, March 9, 1998, p. F 25.
[7] Records, Computers, and the Rights of Citizens, U.S. Dept. of Health, Report to the Secretary's Advisory Committee on Automated Personal Data Systems (Washington, D.C., 1973), p. 41.
[8] Sprenger, Polly, "Pirates Sneer at Intel Chip," June 22, 1999. Wired News. Available at Web page with URL: <http://www.wired.com/news/print_version/technology/story/17478.html?wnpg=all>
[9] Clausing, Jeri, "Boycott of Intel Planned," January 25, 1999, The New York Times. Available at the Web page with URL: <http://www.nytimes.com/library/tech/99/01/cyber/articles/25privacy.html>.
[10] Clausing, Jeri, "Intel Alters Plan Said to Undermine PC Users' Privacy," January 26, 1999, The New York Times. Available at the Web page with URL: <http://www.nytimes.com/library/tech/99/01/cyber/articles/26internet.html>.
[11] Glass, Brett, "Serial Number Really on by Default,"
Zdnet, January 30, 1999. Available at the Web page with URL: <http://www.zdnet.com/zdhelp/static/p3/p3_3.html>.
Publications by Richard S. Rosenberg with Specific Reference to Privacy Issues:
Books:
The Social Impact of Computers, Second Edition. (San Diego, CA: Academic Press) 1997, 522 pp. (First Edition 1992.)
Computers and the Information Society (New York: John Wiley
& Sons) 1986, 397 pp.
Papers:
Privacy protection on the Internet: the marketplace versus the state. Wiring the World: The Impact of Information Technology on Society, IEEE Society on Social Implications of Technology, Indiana University South Bend, June 12-13, 1998, pp. 138-147. Also available at the Web page with URL: <http://www.ntia.doc.gov/ntiahome/privacy/files/5com.txt>.
The workplace on the verge of the 21st century. ETHICOMP98, The Fourth International Conference on Ethical Issues of Information Technology, Erasmus University, The Netherlands, 25 to 27 March 1998.
The politics of privacy on the information highway. Global Networking '97 Joint Conference, Vol. II, pp. 174 - 183. June 15 -18, 1997, Calgary, Alberta.
The politics of privacy on the global information highway. Culture
and Democracy Revisited in the Global Information Society, May
8 - 10, 1997, Corfu, a Working Conference organized by Working
Group 9.2: Social Accountability of Computing, International
Federation for Information Processing.
Other Activities:
Visiting Professor, Technical University of Darmstadt, May-June 1998. Gave four lectures on privacy issues at Darmstadt and at the University of Bonn.
Interview and participation in a piece for the CBC National Magazine on threats to personal privacy with Hana Gartner, May 18, 1998.
Invited by Industry Canada to participate in a workshop to review the White Paper, The Protection of Personal Information, January 1998. Ottawa, February 4 -5, 1998.
Invited participant to a U.S. NRC Workshop, What Everyone Should
Know About Information Technology, Irvine, CA, January 14-15,
1998.