Today’s Slaw post

Big data is a hot trending tech issue. Wikipedia defines big data as “a term applied to data sets whose size is beyond the ability of commonly used software tools to capture, manage, and process the data within a tolerable elapsed time. Big data sizes are a constantly moving target currently ranging from a few dozen terabytes to many petabytes of data in a single data set.”

The initial issue with big data is the ability to actually work with massive data sets – how to store, search, and manipulate it. But the tools to do that are becoming more sophisticated, and attention is turning to how to take advantage of big data. This McKinsey report entitled Big data: The next frontier for innovation, competition, and productivity is a good summary of the possibilities. There is potential for increased profit margins for retailers, reduced costs for healthcare, product improvements and more.

This all sounds good. Consider for a moment though that big data means massive databases that include huge amounts of customer information. And the information that governments have on us is massive as well. It will be tempting to amass as much data (including personal information) as possible, as the more data is there, the more information that can be learned from it. That flies in the face of privacy principles that say one should only collect the smallest amount of personal information you need for the immediate purpose, and should not keep it for longer than you need it for that purpose.

It is possible to anonymize personal information to avoid the issue, but that is done on a sliding scale – a little anonymization makes it easy to recombine it with other information and figure out who the individuals are – a lot of anonymization makes the data less valuable.

Big data uses that determine generic things like trends and product features are one thing – but it can also be used for targeting individuals for things like advertising and medical treatment. Individuals may welcome or be horrified by that, depending on the use and personal viewpoints.

Another concern is the creeping (and creepy) trend towards industry and government big brother type uses.

It has been pointed out that big data needs to be complemented by “big judgment” . As this Harvard Business Review article entitled Good Data Won’t Guarantee Good Decisions points out, “At this very moment, there’s an odds-on chance that someone in your organization is making a poor decision on the basis of information that was enormously expensive to collect.” That sentiment may very well apply to poor decisions on the privacy aspects of big data as well.

For the London Free Press – April 16, 2012 – Read this on Canoe

INFORMATION CAN BE USED IN NUMEROUS UNDESIRABLE WAYS

Social media and smartphone apps have made it easier than ever to communicate personal information to friends and family. News, photos and your location can be shared within seconds. But this also means this information is accessible to strangers like never before.

This can occur in more ways than a simple Google search or scan of a Facebook profile. The (now disabled) app Girls Around Me recently stirred up considerable controversy. The app used GPS data to find a user’s location, then displayed information about people who had been in the area and checked in on foursquare, such as their interests, friends, and photos. This happened without the knowledge of those people.

As outrageous as this seems, the personal information disclosed through the app is all information the individuals themselves have posted on Facebook and foursquare and designated as public. If it’s OK to access it through Facebook or foursquare, why are we so upset about accessing it through an app like Girls Around Me?

Context is the distinguishing factor. On Facebook or foursquare, most strangers who view information are somehow connected through six degrees of separation. The information is there, but not easily or readily accessible on a single-purpose consolidated basis.

On the other hand, Girls Around Me marketed itself as a tool for men “looking for love or just after a one-night stand,” a sort of dating site lacking the consent or even the knowledge of the participants.

Although the information was made publicly available by the individuals in question, they never intended for it to be gathered and used in such a way. There is an element of surprise and shock at this use of public information. The fact this is even possible makes people feel vulnerable — and while this may be legal, it seems very wrong. Social norms dictate if you are having a conversation in public, those who can hear but aren’t involved will not join in, but will pretend they cannot hear you. By taking public, yet personal, information and broadcasting it through an app, Girls Around Me flies in the face of the idea of “practical obscurity.”

foursquare has denied the app access to its data, making Girls Around Me effectively useless and Apple has also pulled it from the App Store. However, the privacy concerns remain. It is likely other apps and services will access similar information in the future and use it in unforeseen ways. The lesson here is that in the digital age, public information is extremely accessible and can be used in many unforeseen and undesirable ways.

If you are making an app that uses publicly available personal information, you can’t just think you can use that information as you please. Consent to use personal information is contextual — the legal concept is informed consent. And never underestimate the creepiness factor and the wrath of surprised or outraged individuals.

That can shut down a service faster than any privacy commissioner.

Today’s Slaw post:

The issue of corporate or government employers asking for social media login ID’s and passwords for job seekers has reared its head again. See this CBC article entitled U.S. job seekers get asked for Facebook passwords. And see this article I wrote a year ago on the subject. This is wrong on so many levels that it is hard to believe anyone would ask for that.

It is not unusual for employers to look at what job applicants are posting on publicly accessible areas of facebook and twitter. We can debate what influence that should have on the hiring decision, and whether the use of certain information found there might violate hiring laws.

But no one should ever be asked to give up a logon ID or password to anything to get a job. It is the equivalent of asking to tap a job seeker’s phone and listen to all their calls, or to plant a GPS enabled audio and video recording device on the person as they carry out their lives.

And since the employer has access to the person’s social media accounts, it allows the prospective employer to impersonate the individual if they chose to do so, and to obtain other personal information that would enable identity theft. I’m surprised employers would put themselves in a position where they could be accused of doing that.

It violates privacy rights, and the terms of use of most sites. One of the scary aspects is that it demonstrates that the employer does not understand the basic concepts of privacy, security, confidentiality, and breaching terms of use. If they can’t get these basic issues right in the employee context, it doesn’t give much comfort that they understand or properly deal with these issues regarding the information of their customers or constituents in general.

In many cases job seekers will hand over the passwords becasue they are desperate to get a job – even though they know they are being asked to do something wrong. Not exactly a good way to start off an employment relationship.

For the London Free Press – March 5, 2012 – Read this on Canoe

The Ontario Court of Appeal just released its decision in Jones v Tsige, recognizing for the first time there is a tort of invasion of privacy in Ontario.

The gist of the facts in Jones was a bank employee looked up banking information about another bank employee who was in a common-law relationship with the defendant’s former husband. She looked at the information at least 170 times over four years, but didn’t publish, distribute or record it.

That was clearly contrary to bank policy and privacy legislation, and she was disciplined for it by the bank when it came to light.

The issue in this case was whether the victim could sue for damages. The Court of Appeal decided she could, awarding $10,000 in damages.

Until this decision, it was generally felt one couldn’t sue or collect damages for breach of privacy in Ontario.

Previous Ontario trial-level decisions concerning the existence of a tort of invasion of privacy were at best conflicting with the historic, if not conventional, view the tort of invasion of privacy did not exist.

The Jones decision stated that:

It is appropriate for this court to confirm the existence of a right of action for intrusion upon seclusion. Recognition of such a cause of action would amount to an incremental step that is consistent with the role of this court to develop the common law in a manner consistent with the changing needs of society.

“Intrusion upon seclusion” happens when one intentionally intrudes, physically or otherwise, upon the seclusion of another or his private affairs or concerns, in a situation where the invasion would be highly offensive to a reasonable person.

Leading up to this decision, a number of judges at the trial level had refused to strike out claims made under the tort of invasion of privacy at the pleadings stage, as they were unsure if the tort existed.

That’s the title of my Slaw post for today.  It reads as follows.

With Parliament back in session, we are seeing more attention on the proposed “lawful access” legislation. There is good reason for that. Many of us believe the proposed legislation is an affront to privacy, and gives law enforcement overly intrusive rights without court supervision that will in practice be no more than expensive, invasive, privacy offensive security theatre.

In this CBC interview, Ann Cavoukian, the Ontario Privacy Commissioner, does an excellent job of explaining the issue. Well worth investing 7 minutes to watch.

For more details see the Privacy Commissioner’s website.

That’s the title of my Slaw post for today.  It reads as follows.

Getting the privacy balance right is not easy, from both theoretical and practical perspectives. As examples, here are some recent developments that go both ways.

Pro Privacy

• Proposed Bill C-12 amendments to PIPEDA that would mandate privacy breach notification in certain circumstances.
• The Ontario Court of Appeal decision in Jones v Tsige that created a tort of breach of privacy, or “intrusion upon seclusion” for intentional, offensive privacy invasions.
• The US Supreme court decision in US v Jones that decided police need to get a warrant before attaching a GPS tracking device to a vehicle.

Anti Privacy

• Proposed Bill C-12 amendments to PIPEDA that encourage private entities to give personal information to law enforcement without warrants.
• Proposed “Lawful Access” legislation that allows police to obtain a significant amount of information about our mobile phone and internet accounts without a warrant, and would require ISP’s to retain certain information about us.
• The Supreme Court of Canada’s refusal to hear the appeal of the Leon’s case where the Alberta Court of Appeal said that license plates are not personal information.

For the London Free Press – January 23, 2012 – Read this on Canoe

The Office of the Privacy Commissioner of Canada (OPC) recently tabled its Annual Report on the Privacy Act. The airport scanner issue receiving much of the press, however there are a number of other noteworthy items in the report. The Privacy Act is the legislation that applies to the Canadian federal government.

Regarding airport scanners, the major concern is whether the Canadian Air Transport Security Authority (CATSA) and the airport screeners it hires under contract are respecting the privacy rights of travellers. While some elements of good privacy management were found, an audit performed earlier in the year identified a number of areas for concern. Of particular note was the security over the images produced by the full-body scanners. Despite being strictly prohibited, a cellphone and closed-circuit television camera were found in the room where officers were viewing the images. These issues were discovered during the audit and were addressed by CATSA.

CATSA has also suggested a plan to observe passengers in the airport pre-boarding areas for suspicious behaviour. OPC expressed a number of concerns including the potential for inappropriate risk profiling based on characteristics such as race, ethnicity, age or gender.

The report also looked at various forms of biometric information such as fingerprints and facial images. Although the collection of biometric information can lead to highly reliable identification systems — certainly more reliable than paper systems — the collection and use of this information has also raised significant privacy concerns. While biometric information has the potential to bolster identification systems, it can also lead to privacy concerns regarding covert collection of data, cross-matching and unwanted secondary disclosure. To aid organizations looking to utilize biometric information, the OPC has prepared a primer that helps to identify the pros and cons of biometric data systems.

Also addressed in the report was a complaint made by an individual who was asked by Canada Post to provide identification in order to terminate the rental of a postal box. After review, OPC found that Canada Post has a statutory obligation to provide a secure postal service and that the collection of personal information was consistent with that mandate. The purpose of the data collection was to ensure that postal boxes were not being used or closed fraudulently and further to aid in the investigation of illegal goods shipments. OPC determined that the collection of data for these purposes was reasonable and that the complaint made was not well founded.

Privacy issues are often a balancing act between too much and too little. OPC’s annual report looks to identify areas of concern and make recommendations as to how to strike an appropriate balance. Governments require personal information to properly exercise their functions, however the question quickly becomes “how much collection and use is too much?” A complete copy of OPC’s Annual Report to Parliament is on OPC’s website at www.priv.gc.ca.

The Ontario Court of Appeal just released its decision in Jones v Tsige saying that there is a tort of invasion of privacy in Ontario.  Until this decision, it was generally felt that this right did not exist in Ontario.  The court also refers to the tort as intrusion upon seclusion.

The gist of the case is that a bank employee looked up banking information on someone she knew (another bank employee who was in a common-law relationship with the victim’s former husband) - at least 174 times over a 4 year period.  That was clearly contrary to bank policy and privacy legislation, and she was disciplined for it by the bank when it came to light.

The issue in this case was whether the victim could sue for damages for it.  The Court of Appeal decided she could, and awarded $10,000 in damages.

To be actionable:

• the defendant’s conduct must be intentional, including recklessness;
• the defendant must have invaded, without lawful justification, the plaintiff’s private affairs or concerns;
• a reasonable person would regard the invasion as highly offensive causing distress, humiliation or anguish.

It does not apply to intrusions into every private or personal matter. The decision says that it is only intrusions into matters such as:

• financial or health records
• sexual practices and orientation
• employment
• diary or private correspondence

For a more detailed analysis, see these posts by Omar Ha-Redeye on Slaw and David Fraser

That’s the title of my Slaw post for today.  It reads as follows.

Ann Cavoukian – the Ontario Privacy Commissioner – has written an excellent op-ed in the Financial Post entitled Beware of ‘Surveillance by Design’.

It starts off with:

I feel the need to raise a growing concern regarding the lack of understanding of a key privacy issue – the ease of data linkages in an ever-increasing online world.

In this day and age of 24/7 online expanded connectivity and immediate access to digitized information, new analytic tools and algorithms now make it possible, not only to link a number with a name, but also to combine information from multiple sources, ultimately creating an accurate profile of a personally identifiable individual.

The Commissioner weighs in on the controversial Alberta Leon’s case that decided license plates are not personal information – which differs from other provinces.

She also expresses her concerns about the pending federal “lawful access” laws, saying that:

In my view, this represents a looming system of “surveillance by design,” that should concern us all in a free and democratic society.