In preparation for the next review of Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), the Office of the Privacy Commissioner of Canada (OPC) has been hosting a series of one-day panel discussions in cities across Canada.
Following discussions in Montreal and Toronto on topics such as online tracking, profiling and targeting, the 2010 Consumer Privacy Consultations recently stopped in Calgary to discuss the privacy implications of cloud computing.
Elizabeth Denham, assistant privacy commissioner of Canada, said the OPC intentionally chose to discuss complex issues on technologies that will have an impact on privacy regulation now and in years to come. The goal is to listen to the audience, she said, in her opening remarks at the Calgary event.
The OPC is asking whether PIPEDA is the right framework and model or if new technologies are stretching Canadian law, said Denham. The OPC needs to think about what is happening to people’s privacy in the cloud and how they can gain control over their personal data, she said.
The most critical privacy implications for everyday Canadians – and where the OPC should focus its efforts – were raised in a four-member panel discussion moderated by Shane Schick, editor-in-chief of IT World Canada Inc.
Brad Templeton, director of San Francisco-based privacy rights organization the Electronic Frontier Foundation, said the biggest threat is that Canada “only has limited authority over most of the companies providing these services.”
Privacy issues related to the cloud will become an international problem that is not within the scope of Canadian law, he said, and there is nothing stopping companies from moving to jurisdictions that provide them with legislative advantages.
Daniel Koffler, chief technology officer at Montreal-based Syntenic Inc., said his key concern is the “real lack of strategic discussion” in Canada.
“In the U.S., they not only have the largest cloud providers and social networking sites, but they are developing a national cloud strategy … we don’t see similar trends here,” he said.
There is strategic value in having “pure bred Canadian cloud providers” that fall into Canadian jurisdiction, which would also provide an option that Canadian government and military can use, said Koffler.
Doug Jones, cloud computing unit executive at IBM Canada Ltd., said he is concerned that users are unable to make informed choices about what to use cloud computing for. “Right now, I think it’s difficult for end users to research all those vendors and make a choice,” he said.
The solution to this problem, according to Jones, is education.
Koffler suggested there be consequences for companies that fail to adhere to their privacy policies. “If a Web server is making an assertion about privacy, there should be some way of verifying that and consequences if you don’t follow,” he said.
Templeton disagreed, pointing out that privacy policies often include a reference that allows the company to change their privacy policy at any time. “I don’t think we have success from privacy policies at all,” he said.
He suggested the OPC continue its education programs and recommend to Canadian parliament that the law is clear about protecting data that is moved to a third party.
Jones said PIPEDA has been technology-neutral for many years. He suggested keeping regulation in place and keeping it technology-neutral.
Declan McCullagh, senior correspondent for the CBS News Web site, said his current concern is location privacy and issues related to data collected through transceivers in handheld devices and laptops that track end users’ locations, which is recorded and stored by cellular providers.
McCullagh also thinks companies “aren’t doing enough” data mining and suggested they “should be doing more.” Data mining is just another phrase for analyzing, he said.
End users shouldn’t be surprised when companies share their information on social networking sites, according to McCullagh, because the point of a social network is to be social and share information.
Highlighting a recent Pew Research Center survey on Reputation Management and Social Media, McCullagh said almost 40 per cent of users with online profiles have disabled their privacy settings and suggested that people are becoming exhibitionists.
Templeton disagreed with McCullagh and flipped the Pew survey stats. According to Pew’s summary report, “65 per cent of adult social networking users have changed the privacy settings on their profile to limit what they share with others online.”
Templeton warned that running a police state is not a question of implementation, but a question of policy. He also expressed concern over the inability of individual users to negotiate privacy policies, as negotiations typically take place between parties of equal power, he said.
There is also strong market pressure to become less private and advancements in data mining, voice recognition and face recognition technologies will lead to “time traveling robots” in the future, he said.
The fundamental theorem of privacy is that “no one cares about privacy until there is an invasion,” said Templeton. He suggested the solution is to not use the current cloud architecture, but to engineer a new one.
Koffler injected “a word of caution” to regulatory issues. Social network reach is a form of capital that enterprises and individuals can cash in on and Canadians need to make sure that regulations don’t impede on this, he said.
If multiple privacy commissioners made different requests from Facebook, for example, and this resulted in different versions of Facebook depending on the jurisdiction individuals are located in, this could end up hurting small businesses by restricting their default reach, he said.
The issues that arise from cloud computing haven’t changed – it’s the scale that is different, said Jones. “It’s not a new technology. It’s a way of consuming IT differently,” he said. And the reason cloud computing has changed so rapidly is due to end user adoption, he said.