You Want Total Privacy Online? – Do Nothing!

By: Lee Rickwood

January 28, 2010

Privacy by Design embodies the notion of making privacy a default, like embedding privacy tools and technologies directly into a product or device or service itself so that the protection is there from the get-go.

But, to Dr. Ann Cavoukian, Ontario’s Privacy Commissioner, Privacy by Design (PbD) is more than an esoteric concept – it is a firm and actionable methodology.

“Embedding privacy into technology in a proactive way, before the fact, moves you beyond compliance,” Cavoukian states.

“Complying is after the fact; PbD is preventing privacy abuses beforehand. Privacy as a default is going to be the strongest protection you can have,” she said in a phone interview.

Our discussion took place on the day before one of the Commissioner’s big highlight events – the second annual Privacy by Design Challenge.

Today’s (January 28) event in Toronto coincides with International Data Privacy Day (did you know there was one?).

The PbD gathering will focus on the implementation of privacy into new technologies, business practices, and networked infrastructures. In particular, image encryption technology that makes privacy the default for video surveillance will be showcased this time around.

But while enthusiastically anticipating the event, the Commissioner also shared her thoughts on current consumer technology, and how such common gadgets as a USB memory stick can be used to both protect, and inadvertently damage, personal data privacy.

She recalled the recent story about a Durham Region (Ontario) health care facility, from which some 84,000 patient files were compromised when a staffer took home a memory stick – and lost it in transit!

The files were not encrypted, and the data was certainly valuable – to more folks than the patients themselves, unfortunately!

Apparently, a new staff member just was not aware of the procedure for data protection and encryption that, in fact, the Commissioner had mandated more than two years earlier.

“We previously had issued a warning to Sick Kid’s Hospital, that all data must be locked down if it is to be transported by mobile device,” Cavoukian explained. “That order extends to all health care providers in the province.”

(As an aside, one of my many USB sticks has privacy by design – there is a six-digit code I have to enter before the thing boots up! Then, if I desire, I have another layer of protection by encrypting the data itself.)

Corsair's Flash Padlock

As required by the regs, the Durham health care provider has to notify its patients – all 84,000 of them – about the data breach. Not surprisingly, people freaked out – and many called or wrote to the Commissioner to find out what could be done.

Well, the data’s gone – but the aggrieved parties have some tremendous tools for claiming and obtaining compensation, she said.

“In the case of identity theft, you can seek damages, both in terms of the actual harm suffered as a victim of theft, but also you can seek damages for mental anguish or psychological harm.”

Armed with evidence of identity theft (like a letter from the breaching party), and an Order like the Commissioner’s (basically already determining guilt due to its issuance, subject to appeal), one can proceed by showing the actual harm that was done.

However, as Cavoukian cautioned, “In case of ID theft, most cases don’t even surface before a year has elapsed. Don’t think ‘all is well’ because nothing has happened.”

Yikes! Nothing is not good in this case.

But doing nothing is in fact one of the Commissioner’s working metaphors for data safety.

“It is the ‘No Action’ mode. If I do nothing, will I have the data privacy and personal information security that I want? If the answer is ‘Yes’, you have privacy by design,” she explains.

In the Durham example, would PbD have prevented the data loss? Perhaps.

If the real workplace default was ‘no data copy without encryption’, well, that might have worked. If, by design, all memory sticks were locked by a password, well, that might have helped, too.

When doing nothing – that is, when using the default settings – can ensure privacy, well, that will be a major accomplishment.

But, as the Commissioner enjoined, good design must be accompanied by good training.

Employees, certainly, must be trained to respect data and regard its security as a top priority at all times. Employees on the frontline and employees at the top of the corporate pyramid.

Consumers, too, need training or heightened awareness of data privacy and security issues. We have to use the tools that are provided, but even if such tools are in place, we must think before we post…or copy…or hit send.

The Commissioner is sympathetic to the potential dilemma, though: “Consumers should not have to think about data privacy at every step they take. They can’t be expected to, what with technology turning on a dime.

That’s why it should be the default.

“We know that, whatever the default is, it rules! More than 80 per cent of settings are based on default. And we want privacy to prevail.”

But consumers can always ask the critical question, the Commissioner added, of any service provider, be it public or private sector: ‘How are you safeguarding my information? You have just collected valuable data …how are you protecting it?’

“If there’s no answer, well, you know there is a problem. Go up the line. Ask the managers. Just by posing the question, you can alert people to think about the rules, and to act upon them,” Cavoukian advises.

And you can let them know you are watching them, and their privacy practices. (Oh, surveillance – we’ll talk about that issue in another blog post.)

submitted by Lee Rickwood

# # #

For now, what’s your tech?

Your privacy routine? Using technical tools, like encryption and solid passwords? Using attitudinal tools, like pointed questions and informed choices? Or, is it typing in ‘password’ in all cases?


3 comments

  1. lee says:

    i agree the Day needs more publicity…

    ironically, the news this time around was more data breaches – stolen laptops with unencrypted data still couldn’t get most mainstream media to mention the Day, or the many activities connected with it.

  2. Buddy says:

    Great article! Very informative. Thanks for including the follow-up. Privacy SHOULD be a default. Oh, and I’ve never heard of International Data Privacy Day — definitely could use more publicity.

  3. Lee Rickwood says:

    A short follow-up on International Data Privacy Day and the Privacy by Design Challenge:

    Ironically (sadly, foolishly, illegally?) on the Day came a couple more Canadian stories about the loss of data and control over personal information.

    The confidentiality of some 8,000 more names and associated personal information files was ‘lost’ when laptops were stolen from an agency office – data not encrypted! And yet again, Canada’s federal privacy commission is looking at Facebook, and its security tools (or lack thereof) for really protecting the personal info it gathers.

    Having previously promised to address such issues, the Commissioner’s office is now responding to still more complaints, and planning to hold public hearings about recent developments on the social networking site.

    So, it was both a bit inspiring and disconcerting to attend the provincial privacy commissioner’s event.

    She spoke with passion (her word) about online security and the protection of personal privacy, saying they were “[I]ntegrally tied to freedom and democracy. We shouldn’t trade one for the other, and I am asking you to join me in saying no…. NO! to the trade of personal freedom or privacy for security. I reject the zero sum game, and I ask you to join me. We can have one with the other,” she said in her opening remarks, standing in front of a big slide reading: Privacy = Freedom.

    It’s very much like the line from Old Ben (not Kenobi, Franklin): “They that give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety.”

    She introduced a special guest, the Premier, who briefly addressed the crowd of privacy and data professionals – he gave support to her and her office’s initiatives, sure, but he put out what I saw as a rather misplaced reference to the excellence the province shows in its privacy initiatives, mentioning the health care industry as an example.

    I’m thinking maybe he should read whatsyourtech – or any other reports about a long list of data breaches and losses connected to that ministry and the many hospitals, offices and agencies in the province.

    But, as was planned for the Toronto event, a parade of Canadian technologists, researchers, not-for-profit representatives and the like shared news of their recent developments, aimed at integrating privacy into new products and services by design, ahead of the fact and not afterward.

    There’s lots of reference material on the PbD site, but I’ll be looking to report in particular on developments in video surveillance, driven by a Toronto tech start-up company that hopes to instill much more personal identity protection into the world’s mushrooming number of video surveillance cameras and networks – both public and private.

    Good luck – but until then – ha ha, don’t look up!
