Online privacy: Q + A with Jennifer Stoddart
Anthony Reinhart
October 13, 2011
Communitech

She launched the world’s first investigation into Facebook’s privacy settings, took Google to task for its Street View and Buzz programs, and in the process, gave Canada a strong and credible voice in online privacy.

Jennifer Stoddart, Canada’s Privacy Commissioner, is now well-known among regulators around the world who face the same challenge she does: keeping personal information safe from, and the public wise to, a mounting array of increasingly sophisticated threats. Many of these threats lurk behind some of our most beloved – and in the digital media industry, most lucrative – activities: social networking, online shopping, web surfing, mobile computing.

As part of an ongoing series of interviews with online privacy experts, Communitech asked Stoddart what concerns her most in the realm of online privacy today, and about the role Canada’s tech community might play in alleviating those concerns.

Q – What proportion of your work is devoted to online privacy versus other types of privacy concerns?

A – Even if I put all the accountants in the office to work on it, I couldn’t give you an exact figure, but it’s clear that since the advent of social networks and even before, we’ve been moving to a greater preoccupation with online issues. In fact, if you’ve been following the changes in PIPEDA [Personal Information Protection and Electronic Documents Act], I got a very important amendment this spring; important to me because it will allow us to shift our resources increasingly to technology driven issues, because this is what affects most Canadians.

Q – What trends are causing you greatest concern right now in the realm of internet and technology-related privacy?

A – I’ll talk about two. One is, as I once said, perhaps irreverently, that companies kind of innovate first and send the lawyers in to mop up afterwards.
That is still a trend, but I prefer to think about it now as a question of, what are the incentives so that privacy and personal information protections are built into the product or service right at the beginning? It’s clear to my mind that we don’t have enough incentives; that if there’s a problem, we’ll fix them later, and we have to change that structural paradigm. We have to change the rules by which companies innovate to say, “Innovate for privacy, and if you don’t, either in terms of reputational harm or in terms of monetary penalties, it won’t be worth your while.” My office is giving a lot of attention to that coming up to the PIPEDA review. Every five years there’s a review of the private sector law, so you’ll be hearing more about that from us in the coming months.

I think the second issue is the whole issue of security. We don’t have a specific mandate over security, but as you know, Canada’s laws on privacy say that you have to keep the data secure to keep it private. I was shocked last spring at the string of data breaches, and in fact, I took advantage of being at the Canada 3.0 conference in Stratford to say that I thought there should be significant monetary penalties for data breaches. I stayed by that position. There was some legislation reintroduced this fall, but it doesn’t yet provide for monetary penalties. That’s fine if it goes ahead; I think something is certainly better than the status quo, but I think we really have to look at rejigging the incentive system. I read that my British colleague is talking about jail time in terms of information violations. Now, this may be in a particular UK context, but things are very serious and so some of the regulators are looking at much more serious consequences for violations of privacy laws.

Q – In the face of all the advancements we’re seeing – and some may call them regressions, depending on where they’re coming from – how do you counter the increasingly popular argument that privacy is dead, or that we’re entering an era of democratization of surveillance? How do you bear up against the relentless expansion of these capabilities?

A – That’s a question I often ask myself: As the landscape changes, what is the role of a privacy commissioner, and what could I be usefully doing? First of all, there’s a question of the value of privacy. From a value that we took for granted a generation ago, this value has become very high on people’s lists of things that they cherish. The poll that we did this year shows how important privacy is for Canadians, and in spite of what we often read, it’s extremely important for younger generations. They have a very clear notion of what’s private to them and what’s not private, and as we found in this poll, they’re a lot better at protecting their privacy than the older generation.

Yes, the reality is changing; yes, there are more possibilities for surveillance, but there is also a huge coalescing of reaction against surveillance that we didn’t see even 40 or 50 years ago. We’re asking for more transparent government; we’re asking that police forces, domestic surveillance organizations, be accountable in a public way the way we didn’t a long time ago. We’re increasingly seeing large social networking giants bowing to public pressure and public reaction in terms of bringing out a product that does not seek people’s consent or makes their personal information known in a way that they’re not aware of.
Given the kind of technology that we’re dealing with, and given the advantages this technology brings – I mean, we’re largely in love with the technology because it allows us to do fun and often very useful things; it brings interest and information and pleasure to our experience as humans – I think that, by and large, we’re dealing with this in a fairly healthy way here in Canada.

Q – Which companies are setting a good example in proactively protecting people’s privacy?

A – That’s kind of a loaded question for a privacy commissioner because we’re supposed to be fair and objective. There are different cases and exceptions, but I would say that, in adapting to this new law over the last 15 years or so, Canadian banks have generally done a good job. That doesn’t mean I don’t have issues with them now, or ongoing issues, or that we don’t have quite heated discussions sometimes, but I think banks were traditionally in the business of protecting personal information, so this came fairly naturally to them.

The other company I have mentioned is a global company, it’s based out of the United States, and that’s Hewlett-Packard. One of the reasons I’m impressed by the work of Hewlett-Packard is that it has deliberately chosen Canadian privacy standards, of the kind that are embodied in PIPEDA, to try and organize its own internal use of personal information. As far as I know, it’s the only global company that has said specifically that they have done this. They have tried to take that as the very high but practical standard for implementation of global business, and said “If we can meet this, we can meet requirements probably anywhere in the world.” So they seem to me to be a good example.

Q – When you raise privacy concerns with people in the tech sector, are they generally receptive? Hostile? Surprised that people would have a problem with what they’re doing?

A – There’s a variety of reactions.
It depends if you’re meeting folks in Canada, where there’s a different regulatory environment, or in Europe, which shares the same privacy standards, or in the United States, where private-sector privacy is still being articulated by the Federal Trade Commission. In the beginning, I think there was, quite frankly, a problem taking us seriously. I don’t think we have that problem now; I think most companies certainly know who we are and respect the message that we’re sending out. First we used to get brushed off, but we were persistent, and I’d say now we’re taken seriously and we get serious answers.

Q – Recently, Google executive chairman Eric Schmidt admitted that the real-name registration requirement for Google+ users will help the company build new products. Perhaps that’s no surprise, but what does it say that he would come out and admit this, and what do you make of those who know this and yet still register for something like Google+?

A – I didn’t see that particular comment of Mr. Schmidt’s, but I’m not surprised. There are huge debates going on about anonymity, who’s online under their real name, their blogging name, a pseudonym, who should be able to know their real name, whether you have a right to anonymity. All of this is part of the debate on what shape the internet should take and how it should be directly or indirectly regulated, but there’s also the reality that I think you alluded to, that the internet is made profitable by electronic commerce, and more recently, by the commodification of personal information. Increasingly, the commodification of personal information has become the most lucrative activity on the internet.

Q – In your perfect world, what would people who work in Canada’s tech sector be doing to strengthen online privacy and awareness of its importance?

A – I’m happy that you’re asking that question. I’ve long wondered if there’s not a niche market for products that allow the user greater control over their personal information.
And it would seem to me that if we’re developing products for a niche market that probably would emerge globally, that Canadians, with their relatively strong privacy legislation and their cultural sense of privacy, would be in a great position to develop this. So I would encourage all the inventors and the innovators in your region to think about that; to cater to a privacy-conscious market.

Q – Do you use any social media?

A – No I don’t, not at this job.

Q – Why do you use a BlackBerry?

A – I’m not sure my office would let me use any other kind of phone; we’re very conscious of not only privacy but security here at my office, obviously. This is a government-issued BlackBerry, and this is what’s recommended formally by all the specialists in the Canadian government, and there are reasons for that, particularly because of its encryption capabilities, remote wiping and so on. So, as long as I’m with this office, I will be using that kind of technology.

Q – Is there anything else you’d like to say to Waterloo Region’s tech community?

A – Well, you may know this, but Mr. Mark McArdle has just joined our advisory committee and our technologists are talking to him. So we’re very interested in getting more of a direct working link with the kind of knowledge that exists in the Waterloo tech community, and how it can be brought to bear on privacy challenges.

Second in an ongoing series.