Monday, June 14, 2021

Ontario privacy boss slams geo-location as privacy risk

TORONTO—Ontario privacy commissioner Ann Cavoukian announced the release of a white paper on privacy of geo-location services in a keynote at the SC Congress Data Security Conference and Expo at the Metro Toronto Convention Centre on Tuesday.

The paper, Wi-Fi Positioning Systems: Beware of Unintended Consequences, was prepared in consultation with former Microsoft Corp. chief architect of identity Kim Cameron.

“There are very good uses for geo-location data,” Cavoukian said. But the persistence of a mobile device’s media access controller (MAC) address ties location information to the user. Unintended uses of the data must be part of any privacy risk analysis, Cavoukian said.

Recently, a media storm erupted over the storage of location data on Apple Inc.’s iPhone. The phones keep a history of a user’s location data. While CEO Steve Jobs did a good job of allaying user fears by insisting that Apple does not and will not collect user data, Cavoukian said, it was a reactive response.

In the days following the news, Cavoukian said, colleagues on social network LinkedIn issued a bounty on Apple’s privacy officer, since no one could find out who Apple’s privacy point person was.

“There was actually a reward for anyone who could find Apple’s privacy officer,” she said.

Four principles should be applied when collecting geo-location data, she said: Transparency, giving users clear notification at the outset that the data is being collected; requiring the user’s consent for data being collected by making the data collection opt-in, rather than opt out, by default; anonymized data; and minimizing the data collected.

“That will enable you to avoid the enormous duty of care” that goes with collecting user data, she said.

Cavoukian’s keynote, which opened the conference, hammered home her now-familiar Privacy by Design (PbD) principle, attacking what she calls the “zero-sum” thinking that pits privacy against security.

“You have to deliver privacy as a core functionality,” she said. Privacy must be part of the standards creation process, not applied afterward. At that point, she said, “you’ve already lost the battle.”

Rather than focus on what embedding privacy costs an organization, focus on what it saves a corporation. There’s not only the fallout from a breach—in penalties, brand damage and lawsuits—but also the fact that, according to Doug Westlund, CEO of N-Dimension Solutions Inc., a Richmond Hill, Ont., smart grid security solutions vendor, it costs three to five times more to build privacy into an existing after a breach than it does to build it into the system up front.

PbD was adopted as a standard at an international conference of privacy commissioners in October 2010, and its seven principles have been translated into 21 languages.

But, Cavoukian acknowledges, PbD’s principles are more easily applied to new systems than existing ones.

“Privacy by Design is ideal for an emerging system,” she said. But organizations with huge legacy systems face a more daunting challenge.

At the next international privacy commissioners’ conference this October in Mexico City, Cavoukian will host a workshop, sponsored by American Express Inc. and Ernst & Young, on translating PbD’s seven core principles for application to legacy systems. Privacy by Redesign, as she’s dubbed it, will aim to refresh legacy systems to prevent data leakage, she said.

Would you recommend this article?

0
0

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication. Click this link to send me a note →

Jim Love, Chief Content Officer, IT World Canada
Dave Webb
Dave Webb
Dave Webb is a freelance editor and writer. A veteran journalist of more than 20 years' experience (15 of them in technology), he has held senior editorial positions with a number of technology publications. He was honoured with an Andersen Consulting Award for Excellence in Business Journalism in 2000, and several Canadian Online Publishing Awards as part of the ComputerWorld Canada team.

Related Tech News