The Globe & Mail
Thursday, March 4, 1999

Privacy czar raps absence of on-line protection

Commissioner says electronic commerce will stagnate
until regulations establish trust on the Internet

by Tyler Hamilton

TORONTO -- Ann Cavoukian, privacy commissioner for Ontario, says the real boom in electronic commerce expected by consumers and businesses simply won't happen until an environment of trust is established on the Internet.

That message has been echoed by the U.S. Commerce Department, which warned recently that the potential for E-commerce will be held back unless privacy concerns are made a top priority.

The problem, says Ms. Cavoukian, is that the hype associated with on-line commerce is pushing businesses to quickly jump onto the Internet and consider privacy issues an afterthought.

Even when privacy is top of mind, mistakes can still happen. That was the case in January when a person visiting the popular Air Miles Web site discovered that thousands of confidential customer files had been left accessible for all browsing eyes to view.

The company that runs the Air Miles site quickly fixed the problem, but in the process, many of its customers began to question whether the guarantees of privacy attached to their data could be trusted in the future. The Air Miles breach is one of many examples of supposedly private information left vulnerable on the Internet.

Ms. Cavoukian discusses the impact of the Air Miles story, the growing problem of identity theft, why consumers feel compelled to give false information over the Internet, and what people can expect from the passage of Bill C-54, legislation to make private-sector organizations more responsible for the privacy of consumers.

Do you believe that the Air Miles breach was a necessary reminder of how vulnerable some of these sites can be?

Absolutely. You need examples like this, instances where security is clearly breached, to remind companies that you need to devote the resources and money to basic security protection. It has traditionally been very low on the totem pole of priorities for company spending. I think increasingly, more money is being devoted to it, but not enough. Hopefully, this will be a wake-up call.

Many people downplayed the Air Miles breach because it didn't contain credit card numbers and other more sensitive information. Was it that serious?

Privacy is very subjective. To some people, certain information will be extremely valuable and to others, it won't mean anything, and that's the whole notion of personal choice.

But these pieces of information -- a name, address, a number of other identifiers -- can be used to acquire other pieces of information, such as credit cards. It just opens the door to obtaining jobs, loans, mortgages, et cetera. It is extremely valuable information. Not so much the fact of what it reveals in and of itself, but the fact it can be used as a tool to acquire other pieces of personal information. That's what identity thieves relish. It's like a gold mine to them.

Is identity theft -- collecting information on people so you can assume their identity, perhaps to carry out illegal activities -- a big problem?

It's an enormous problem. Identity theft is an epidemic in the United States. It's the leading form of consumer fraud, and we have no reason to believe that this isn't going to be growing.

You say you're skeptical of the present-day hype associated with how well E-commerce is doing -- that the only money being made is from gambling, pornography, music and software sites. When do you think E-commerce will substantially expand beyond those areas?

In the context of consumer-to-business commerce, I don't think you're going to have a huge increment in the line of success until you have some consumer confidence built in.

In every privacy survey, people talk about the absence of trust. That is still the prevailing issue and people don't have confidence in the Web sites they're visiting or that their personal information is going to be protected. In fact, a number of people who I know, when they go to Web sites they'll give a maiden name or something and then within weeks they're inundated with E-mails and various [junk mail].

So clearly, there are abuses in terms of the uses of your information that you're not aware of. I think that has to shift before you see a dramatic increase in consumer-to-business E-commerce.

Are people being encouraged to give false information over the Internet because of this privacy concern?

It looks like the trend now is that a number of people on the Web are giving out false information in response to demographic data asked of them when they go to a Web site.

Why are they doing this? They want to advance to the next screen and obtain the information they went there for, and they're prevented from doing that unless they give some information.

Now if I was that company, what would I want? I sure as hell wouldn't want someone lying to me, falsifying information, and then I, the business, operating on the basis of that information in terms of developing my marketing strategy.

To me, there is far less value, in fact there's harm, in false information. What that would suggest is as a business you should be encouraged to have very transparent practices and openness in policies.

Many people are resigned to the fact they no longer have control over their privacy. Do you believe people still have control?

Of course. I don't subscribe to that defeatist mentality in terms of privacy. All you have to do in Canada is look at the public sector -- you have enormous privacy rights in terms of all levels of government. And in terms of the private sector, with the passage of Bill C-54 federally that will extend to the provinces.

But even beyond the legislation, all the companies that have adopted the CSA (Canadian Standards Association) code . . . they have all chosen on a voluntary basis to adopt privacy practices for their businesses.

But is enforcement of these codes of conduct lacking?

The enforcement issue is very important. But the other thing that's important is [right now] you have no way of ensuring a level playing field, that all organizations will abide by a policy you have in place.

The Canadian Direct Marketing Association, for example, has a wonderful policy -- but they only represent 80 per cent of direct marketers. So how do you make sure that everybody follows it? If you don't have a law in place, you can't mandate that you must follow this practice.

What happens when these companies go bankrupt and decide to shop around customer information?

My guess is, if we had Bill C-54 and if you were regulated by it, you would not be at liberty to just sell that information without consent. That would extend beyond bankruptcy. But right now? Without any regulation, it's an open playing field.

You mentioned that privacy management as a profession is a new industry that will continue to grow, along with the momentum in E-commerce. Can you explain?

I see the development of intelligent software agents. These agents could be a real threat to privacy because they could disclose a great deal of personal information about you to a number of other sites or agents. Or, they could be extremely protective of privacy -- they could operate under a pseudonym representing you, they could be your shield beyond which your personal information is protected. I think there will be different privacy enhancing technologies that will provide some notion of privacy management in terms of managing your information.

Copyright © 1999 by The Globe & Mail. All Rights Reserved. Reprinted with permission.