Embedding privacy measures into emerging technologies such as biometrics, radio-frequency identification (RFID) and CCTV surveillance cameras might be the only solution if Canadians want to avoid 1984, according to Ontario Privacy Commissioner Ann Cavoukian.
At a presentation to University of Waterloo faculty and students this week, Cavoukian unveiled a plan that called for more “positive-sum, privacy-enhancing” solutions in potentially intrusive tracking, verification and surveillance technologies. She said that unlike the prevailing view to this point, which says that the more security you embed into a technology, the less privacy you will have, Canada needs to develop “transformative technologies” that address both concerns.
“The beauty of these transformative technologies will be that it can literally transform what is normally considered a privacy-invasive technology – such as a video surveillance camera – into a privacy protected technology,” Cavoukian said. One such example, she said, could be found in the Toronto Transit Commission’s (TTC) new CCTV image encryption pilot project. Using a visual coding process designed by two University of Toronto professors, both the shape and texture of people being filmed on the transit systems’ video cameras will be fully encrypted and invisible to TTC staff.
“Ninety-nine per cent of the time, you don’t need to have surveillance footage of people that are walking through the subway stations,” Cavoukian said. “But let’s say there was an incident one night and the police needed to get the footage for an investigation. In that scenario they would need two signatures – including one from the police chief – to sign off on the decryption key and view the video.”
Another technological trend that has come under fire in recent years for its potential privacy challenges is the use of RFID tracking devices. Cavoukian said using a “clipped tag” RFID, developed by IBM Corp., allows for the tracking chips to be turned off when they are no longer being used.
“Why should the chips be on all the time?” she asked. “The potential for data leakage and information being transmitted through the airways is always possible with RFID, so we want companies to look at turning them off and protecting privacy.”
But while all of these privacy-enhanced measures would seem to be a no-brainer on paper, the fact remains that little motivation exists for companies to invest in them. David Fewer, staff counsel with the University of Ottawa’s Canadian Internet Policy and Public Interest (CIPPIC), said that while he was encouraged by the Privacy Commissioner’s announcements, a lot of work still needs to be done to get the private sector on-board.
“The public sector clearly has privacy obligations, but in a perfect world, I’d like to see the private sector leading the way and corporations competing on privacy,” Fewer said.
The roadblock to that, he said, is that privacy enhancing technologies are often viewed as a cost by major corporations. Fewer added that it will likely be the role of statutes such as PIPEDA (Personal Information Protection and Electronic Documents Act) and other Ontario privacy laws to push companies toward investing in these privacy-enhancing technologies.
“As of now, industries will only be forced to do it when faced with an obligation to do so by regulators or when they make some kind of mistake in the marketplace and are forced to implement these technologies by some kind of legal action,” Fewer said.”
A related area of interest to Fewer and CIPPIC digital rights management (DRM) is the potentially intrusive role of digital rights management (DRM) technologies – an access control tool used by publishers or copyright holders, designed to securely manage the use of digital information and combat piracy.
In a 2007 study, CIPPIC found that DRM technology was often being used to collect, use and disclose consumers’ personal information for secondary purposes, without giving the user adequate notice or the opportunity to opt-out of collection. The report investigated DRM systems used in 16 different digital products and services including Apple’s iTunes Music Store, Microsoft’s Office Visio, and Symantec’s Norton SystemWorks 2006.
“In the Canadian marketplace we found that there is simply widespread non-compliance of PIPEDA,” Fewer said. CIPPIC also found it particularly troubling that companies using DRM to deliver products and content failed to document in their privacy policies the DRM-related collection of personal information.
“If there’s personal information collection use or disclosure going on, there has to be consent and the form of consent has to be appropriate to the circumstances,” Fewer added.