The Globe & Mail
Monday, May 4, 1998
pages B1,B5

Ottawa targets Big Brother

Planned privacy legislation seen as unenforceable

by Geoffrey Rowan, growan@globeandmail.ca

There are no secrets in the 20th century and there's no place to hide, which makes Ottawa's plan to craft a privacy law by 2000 roughly akin to taming a sandstorm.

Your E-mail can be scanned surreptitiously, at home or at work. Your every commercial move, every item in your shopping cart, every credit card purchase, and bank machine transaction is recorded, compared, and massaged to reveal details about your buying patterns.

As the world becomes more wired, and personal information is increasingly captured, categorized, sifted, and sold, many governments are looking at the rights of individuals and the question of who owns personal information and how it should be used.

In survey after survey, most people say they value privacy and feel they are legally entitled to it, but nowhere, except in Quebec, is personal privacy enshrined in law.

"The trouble with privacy is that its protection is not exactly based on the Charter of Rights", said Richard Rosenberg, vice-president of Electronic Frontier Canada and associate professor in the computer science department of the University of British Columbia.

"Even in the United States, privacy isn't in the Constitution or in the Bill of Rights."

European nations have passed, or are considering, a range of privacy legislation. In the United States, the Clinton administration has told industry to come up with its own guidelines for handling personal information or else government will step in and legislate.

In Canada, the federal government said in September, 1996, that it will adopt privacy legislation that covers the private sector by 2000.

Last December, it offered a glimpse at what might be in such a law and began asking for public input on the issue. The challenge of crafting such a law is clear from the initial reaction to the government's proposals.

Privacy is like motherhood. Everybody supports it, but few want to go through the delivery process.

Because Canada's law hasn't been written yet, nobody knows how onerous that process will be, but Ottawa has given some hints.

It is considering requiring companies to:

Enforcement of the law would likely be complaint driven, although even that assumes a huge infrastructure to have any meaningful effect. And even with a staff of investigators technically skilled enough to search electronic data bases for violations and abuses, anyone with criminal intent could easily encrypt their data using unbreakable codes, or could simply store it in computers outside of the country.

Many individuals, including civil libertarians and business people, who don't want another layer of bureaucracy or don't see the point in creating unenforceable legislation, don't want to see a law passed.

"Because of the initiatives we have undertaken, we don't feel the banking industry needs any more regulation", said Linda Routledge, director of consumer personal affairs for the Canadian Bankers Association.

"The federally regulated institutions are doing fairly well. ... They are some of the better players in the marketplace. The attention should be directed at some of the people who are more abusers of privacy."

She wouldn't single out any specific abusers, but pointed in general at bank competitors, such as U.S. financial institutions, which make unauthorized use of information about their customers.

The Internet world views the proposed law with mixed feelings.

The Internet is so important to business that it will behave responsibly to respect individual privacy, said IBM spokesman John Warner. "Our sense is the private sector may not need any help from government in order to solve these problems."

Some technology companies feel that government involvement could create a bunch of new problems for the industry.

If the development of legislation "goes in the wrong direction and people who aren't fully informed of the technical limitations are pushing things in the wrong direction, it could really make it difficult operationally", said Ron Close, president of the Internet service provider Netcom Canada.

So far, it is not heading in the wrong direction, Mr. Close said. But if ISPs are required to police their customers or develop and maintain an onerous bureaucracy, it will affect their ability to perform, he said.

Electronic Frontier Canada, a Waterloo, Ont.-based group that generally pushes for hands-off policies toward electronic commerce, is officially in favour of privacy guidelines and perhaps even legislation that spells out how private companies should deal with the collection and dissemination of personal information, president David Jones said.

But Mr. Rosenberg, EFC's vice-president and the one in charge of tracking the legislative effort for the organization, thinks what Ottawa has proposed is "skimpy" and sees a conflict between the two governmental parents of the initiative.

Industry Canada's mandate is to promote commerce and the Justice Department's job is to protect the rights of Canadians -- and he includes privacy as one of those rights.

The loss of individual privacy in a highly technological society is real and can range from the nuisance of junk E-mail to catastrophically bad credit ratings or even blackmail, if you've rented a movie, sent an E-mail, or visited a Web site that you'd rather the world didn't know about.

In one apocryphal story making the rounds on the Internet, a clergyman in the United States committed suicide when his Internet service provider blackmailed him with proof that he had downloaded pornography, said author Dan Brown, who began researching the privacy issue for his novel, Digital Fortress.

He said he believes the suicide story, although he hasn't been able to confirm it, because it came from "a trusted agent from the U.S. Commission on Secrecy", and because it makes sense.

"The people running these small Internet services are just regular people who are trying to make a buck, and they've got access to all this information about us."

Mr. Brown said he's certain the U.S. government is monitoring the E-mail of its citizens because he saw the results of one such investigation.

He was an English teacher at the Boston-area prep school Phillips Exeter Academy in 1995 when Secret Service agents arrived on campus one day looking for a student.

It turned out that the student, in an E-mail conversation with a friend, wrote that he thought an idea of President Bill Clinton's was stupid and that the president should be shot.

The idle threat was uncovered by software that "sniffs" or searches data either as it flows over the Internet or when it is stored on a server computer, looking for keywords that indicate a threat to the president.

Another story making the rounds on the Internet involves a Utah clergyman, who sent an E-mail to his sister in Boston, in which he told her about a group of teen-agers who baked him some brownies. According to the story, which FBI officials in three cities said they could not confirm, a typo transformed the words "baked brownies" into "naked brownies".

As the tale goes, FBI officials monitoring Web traffic for signs of child pornography saw the note and investigated, only to find out that it came from a church where regular meetings of the Cub Scouts and Brownies were held.

"It is so plausible", Mr. Brown said. "It's very similar to what happened at Phillips Exeter. Key words were scanned using a ferret or a sniffer."

You should have no doubts, Mr. Brown said. If you live in a modern society, you are being watched.

Copyright © 1998 by The Globe & Mail. All Rights Reserved. Reprinted with permission.