Privacy takes a holiday

Maybe the task of protecting one’s on-line privacy should be considered as paramount to the public as is the issue of protecting one’s own Constitutional rights: if you won’t do it for yourself, no one will do it for you.

On-line privacy has become a thorny issue of late, particularly when major newspapers stir up the masses by railing against measures taken by private enterprise to protect themselves from criminal activity. Take the recent incident involving Ontario’s casinos. When it came to the forefront of public knowledge that patrons entering a casino are subjected to a computerized face-recognition program which scans images taken from video cameras inside the establishment the media blow-up that ensued probably caused more panic amongst gaming enthusiasts than was warranted. The same major newspapers didn’t seem to flinch last August when casinos in British Columbia acknowledged they installed biometric software known as the Computerized Arrest and Booking System (CABS) for the same purpose. CABS is commonly used by the Royal Canadian Mounted Police for identifying arrested individuals who don’t want to cooperate with them. And need it be mentioned that automatic teller machines (ATMs) have had video cameras for over a decade?

Be that as it may, the personal computer has indeed become far too personal. It’s common knowledge private businesses collect data on individuals who grace their Web sites, and many have come under fire by privacy rights groups for doing so.

“Privacy issues will be the defining issue in this decade,” said George Radwanski, Canada’s Privacy Commissioner in Ottawa. “It used to be that privacy was protected by default. Now, literally by the click of a keyboard, an organization can compile an extensive set of information about you. [Society] has to go to considerable trouble to protect that privacy.”

Ottawa’s introduction of the Personal Information Protection and Electronic Documents (PIPED) Act on Jan. 1 is designed to show some guidance in the face of the new economy with regards to the collection, storage and transmission of personal information by organizations involved in commercial activities.

For now, the law applies to personal information on clients and employees in the federally-regulated private sector, such as airlines, banking, broadcasting, inter-provincial transportation and telecommunications. The law will also apply to all organizations that disclose personal information for consideration outside a province or the country. Come Jan. 1, 2002, the PIPED Act will also apply to personal health information.

Professor and chair Nigel Horspool at the University of Victoria’s computer science department said Ottawa’s attempt to curtail on-line privacy invasion is well intended but will have little impact.

“The real problem with regards to the accumulation of private information is it will continue…[the Act] will be ineffective,” he said. “I’d be very worried if sales people knew about me. I’d be a sitting duck.”

Meanwhile in the U.S., legislation that’s intended to offer American Internet users privacy protection was introduced in the House of Representatives in late January. Three different bills have been proposed. Two deal with cookies and one addresses commercial data mining practices. Each requires a Web site to notify surfers if personal information is being collected and explain how data and profiles will be used. However, it does not restrict what the site can do with accumulated user profiles.

“There are lots of ways to regulate privacy; one way is social pressure,” remarked Richard Smith, chief technology officer at the Privacy Foundation at the University of Denver in Colorado. “Other privacy industry people I’ve spoken to have talked of the new Canadian law (PIPED Act) very positively. In the U.S. there are a few different bills proposed and each varies in quality. The scuttlebutt coming out of Washington is that one of them will be passed before the end of the year; whether it proves to be good or bad remains to be seen.”

The Privacy Foundation – a non-profit and non-partisan organization dedicated to research on privacy issues – listed commercial data mining as one of the top privacy invasion-related issues of 2000.

The Foundation cited, for changing its privacy policy last September to warn its estimated 20 million customers data will be considered a marketable asset if the company ever sells off operations, and, for putting their customer database on the auction block following bankruptcy, as two examples of questionable business practises. The Foundation also identified workplace surveillance as a rising threat to individual security.

“It’s partially due to the addictive nature of the Internet; employees may spend too much time on sports Web pages or porn sites,” Smith said. “Legally, yes (companies have a right to monitor its staff), but there’s a balance that’s needed here. People already mix their personal lives with their working lives, companies don’t need to monitor individuals in such a Draconian way. It’s like killing a fly with a sledgehammer.”

IDC Canada research director Kevin Restivo in Toronto made little effort to disguise his thoughts on corporate monitoring at the office. “Surveillance in the workplace harkens back to a darker era,” he said. “Why would anyone want to work for a corporation that employs these methods?”

Which raised a valid point from a recruitment perspective: should companies be required by law to reveal to a potential hire that they will be monitored while they settle into their new surroundings?

“Companies need to make clear right from the get-go if they’re monitoring their employees, why they do it, and for what purpose,” Smith stated. “There are some companies out there that offer their staff portals to do personal stuff.”

Smith added he expected companies – particularly those in high-tech sectors – will tout spy-free workplaces as a future fringe benefit.

Watching The Watchers

Conspiracy theorists might find it tough to swallow any federal government’s jibe on privacy legislation and regulations that are designed to protect an individual’s privacy. One needs only to read the glut of stories circulating about government agencies that are allegedly caught infringing on the very privacy they’ve sworn to ensure.

Consider, for instance, the multinational eavesdropping system Echelon or the Americans’ Federal Bureau of Investigations’ contentious Carnivore e-mail monitoring software. In fact, Echelon – a system which monitors global telecommunications traffic – is so secretive that few countries have acknowledged its existence despite their alleged involvement with it. IDG News Service reported on Jan. 22 that a public hearing in the Dutch Parliament will be conducted on Echelon after Holland acknowledged the existence of the system, and following similar hearings in France and Belgium. According to the report, Canada’s government is among those that are privy to Echelon.

“Echelon is supposedly run by the NSA (National Security Agency) in the U.S. If you think of the CIA as spies on the ground, the NSA are more military and they listen in on telecommunications,” Smith explained. “The system allows them to listen in on satellite traffic. The NSA has an annual US$20 million budget, so they can do pretty sophisticated things. Countries like France are upset about the existence of [Echelon] because we’re supposed to be friends and the director of the NSA admitted its results are sometimes used for commercial purposes. I believe Canada too is apart of this.”

And lest we forget, Canadians were the unknowing victims of a secret database compiled by the Human Resources and Development Canada branch of the federal government – the Longitudinal Labour Force File – which contained personal details about every Canadian.

“I don’t have a problem with the government having information about me, I have nothing to hide,” Horspool said. “My thought on [Ottawa’s compiling of information on Canadians] is it’s valid only if we have a democratic government that we feel can be trusted.”

Asked for her view on the now-defunct HRDC database, Lawson said it’s just one of many issues highlighted each year that points to the need for reform of the Privacy Act – the law which governs the use of confidential information within the public sector.

“I don’t take the view of the National Post and others that suggests the government wants to do anything with private information,” she remarked. “Actually, the government has been restricting itself for a long time, but the problem is with the rise of new technologies and communications. The Act is out of date.

Rise Of The CPO

Another IT industry first: the Chief Privacy Officer (CPO) has become a standard executive position of large corporations within the last three years.

The post – a position recently-mandated by PIPED – entails coordinating a company’s strategic, legal and technical teams to protect consumers and/or enforce the enterprise’s privacy policies.

“I think it’s important from both an employee’s and a consumer’s perspective that one person is designated as responsible for privacy-related issues,” Lawson said.

Smith shares Lawson’s view on the inclusion of a CPO in the corporate boardroom, but he cautioned against the likelihood of abuse.

“There is the potential of political abuse if the boss doesn’t like you. The problem is data compiled through the CPO about an employee’s Web surfing travels can become a big concern.”

The Privacy Foundation has formed a team of business, law and technical researchers to study workplace surveillance issues and intends to release its findings in the first quarter of 2001.

Smith added two-thirds of major American firms conduct some type of in-house electronic surveillance and that 27 per cent of all firms surveyed by an American Management Association study said they monitor e-mail.