Mass identity theft at Desjardins and Equifax. Large-scale manipulation of the electoral process. The outrageous commodification of personal information. We are entering a new form of cyber capitalism. In this Wild West, worried citizens are right to want the sheriff back in town.
People have never been as worried as they now are about protecting personal information. And with reason. Thanks to the Cambridge Analytica scandal—named after the political consulting firm that used personal information of 87 million Facebook users, including 600,000 Canadians—we now know large-scale attempts to manipulate data took place both during the American presidential elections of 2016, and the Brexit vote the same year.
Such scandals are proliferating in cyberspace. In June 2019, hackers stole the personal information of credit union Desjardins Group’s 4.2 million clients. In another case involving the credit card company Capital One, 106 million clients, including 6 million Canadians, had their personal information stolen. These spectacular cases are just the tip of the iceberg of the problem of personal information manipulation in the shadowy world of cyberspace.
The U.S. government forced Equifax to pay $700 million in damages and announced a $5 billion fine for Facebook’s mismanagement of the Cambridge Analytica scandal. Companies in Europe have been required to pay billions of euros in fines, representing as much as 4% of their revenues. Meanwhile, in Canada, the Office of the Privacy Commissioner (OPC) has no power to take punitive action. In April 2019, the OPC criticized Facebook for failing to cooperate with Canadian authorities, but all it can really do is take the American multinational to court in the hopes a judge will find it guilty and impose a penalty. And that would take a year or two at the earliest.
With such concerns in mind, the federal government is planning a reform aimed at strengthening laws to protect privacy and personal information in Canada. Howard Deane, a certified professional accountant and author of numerous studies for the Consumers’ Council of Canada (see Studies), says that not too long ago, most people thought of privacy as a secondary concern. It has now become a central preoccupation for consumers, who fear being targeted by manipulation and identity theft.
“The whole privacy issue has become a rat’s nest. The global economy is organized around harvesting personal information. It’s incredibly valuable to businesses and they use it without scruples. Consumers don’t understand what’s going on and the government has been slow to act.”
Howard Deane, Chartered Professional Accountant and author of several studies by the Consumer Council of Canada
Times have certainly changed. Google and Facebook are now two of the richest and most influential businesses on the planet. Thanks to innovations such as Internet cookies and connected objects and ambitious projects to collect public data, like Google Street View, personal information has become the basic resource in the brand new surveillance economy. Every question entered into a search engine, or addressed to a voice assistant, every emoji or trip that uses geo-location is immediately transformed into behavioural data. This data is then analyzed using algorithms in order to arrive at ever more precise predictions about how we will act in the future.
“We have entered into a new era of capitalism that is evolving without regulation of any kind. Data is the imperative for capitalism now. Companies have to capture as much as possible and individual consent just gets in their way.”
John Lawford, Executive Director and General Counsel of the Public Interest Advocacy Centre (PIAC) in Ottawa, referring to the title of a new book that is causing a stir, The Age of Surveillance Capitalism (see sidebar)
According to Alexandre Plourde, a lawyer and analyst at Option consommateurs, the fact that privacy issues were long considered insignificant, even esoteric, is a big part of the problem. “Personal information is no longer an “insignificant” issue when the secret service has to get involved! Nor is it strictly limited to consumer issues. The harm in using it is not just economic. It’s actually affecting us as voters, as taxpayers, even as citizens.”
LAWS THAT NEED TO BE REVISED
Most Canadian provinces have laws that protect privacy and personal information and access to information in the public sector, but only three have one for the private sector. The federal government has two laws. The first, the Privacy Act, applies strictly to federal institutions: it was passed in 1983, in an age when fax machines were avant-garde technology. In 2001, a new law was passed that applies to the private sector: the Personal Information Protection and Electronic Documents Act (PIPEDA). But even that comparatively short time ago, Google was only a small, money-losing project and the future founder of Facebook, Mark Zuckerberg, was just finishing high school.
At the outset, PIPEDA was not intended to be a law, but rather a sort of code of honour, negotiated between various organizations and companies such as the Public Interest Advocacy Centre (PIAC), Bell Canada, the Royal Bank and the Canadian Marketing Association, that they could abide by. It wasn’t until the end of the negotiations that the Canadian government realized it should be creating a law. Alexandre Plourde says the law itself is not the problem.
“If a company is collecting personal information about its customers and communicating that information to others, it should inform these customers about what it is doing. The confidentiality policy should explain this transparently, and be written in clear language. Companies should use the information they collect in a responsible manner and only use what’s necessary for their own needs. The information should be accurate, the companies should protect it, and customers should be allowed to access their personal information.”
Alexandre Plourde, lawyer and analyst at Option consommateurs
It worked pretty well in the first years, John Lawford explains, as long as companies continued to work according to the logic that they were accumulating data to help sell their products or services. “Things started to fall apart after that because the companies the OPC had to deal with were seeing the value of personal information increase, and they became businesses whose core activity was selling personal information, rather than businesses that sold personal information on the side.”
But two problems cropped up with PIPEDA right after it was passed. First, the law was already out of step with technological developments. And more importantly, it had no teeth. When the federal government passed the legislation, it didn’t give itself any power to clamp down on companies that took the collection of personal information lightly. In certain cases, the law provides so little power of enforcement that Canadians actually get more protection—by default—from foreign laws. “The American law for protecting minors under 13 years of age is stricter. American companies apply their own law in Canada, since Canada is generally viewed as an extension of the American market,” says John Lawford, who has filed numerous complaints about Canadian companies refusing to respect the basic principles of Canadian information protection legislation.
Meanwhile, public authorities in Canada are just waking up to the problem. In 2018, the Canadian government started requiring companies to divulge all cases of personal information theft to the OPC. “Twenty years ago, the police didn’t get involved in cybercrime. They were completely hands off when it came to this issue,” says Alexandre Plourde. “First they started taking action against online sexual offences, then against the Dark Web. That was when the authorities realized they would have to start protecting privacy online.”
Since 2018, the federal government has been carrying out large-scale consultations aimed at reforming PIPEDA. While the government hasn’t yet proposed any concrete measures to increase privacy protection, it has stated clearly that serious action must be taken to restore public confidence. The OPC is more explicit than the government about what has to be done: it says it needs to be able to penalize companies and impose sanctions. It also says it needs the power to investigate companies without waiting for a complaint to be filed. In response, the federal government increased the OPC’s budget by 15%. This is considerably less than the 50% increase the OPC asked for, but more than what other institutions received. “When Daniel Therrien, a discreet civil servant, was named Commissioner by Stephen Harper, I was afraid he would be complacent,” Lawford says. “But he turned out to be very good. He believes strongly in reinforcing the notion of consent.”
WHAT ARE WE CONSENTING TO ANYWAY?
The idea of consent is at the core of any discussion about privacy and protection of personal information. Each year, consumers “accept” dozens of confidentiality policies, user policies, and contractual terms and conditions for everything from browsers, hardware, software, and apps, but also for contests and sales contracts for automobiles and home appliances. On top of that, retailers ask customers for their telephone numbers and email addresses so that they can send them their receipt or get them to fill out a survey. But their real objective is to compile as much information on each consumer as possible. Harvesting customer information has become a never-ending cycle. Two researchers at Carnegie Mellon University, Lorrie Faith Cranor and Aleecia McDonald, calculated that we would need to spend 76 days a year – ten whole weeks – to actually read and understand all the policies we agree to.
Businesses treat the consent obtained through such policies as if it gives them the “right” to use the customer’s personal data however they want, even to modify those very agreements without notification. These are exactly the tactics the OPC reproached Facebook for in April 2019: allowing third parties unauthorized access to the personal information of millions of users, even that of “friends of friends”; not providing adequate monitoring; and failing in their responsibility to protect personal information. They did this without obtaining valid consent or providing adequate monitoring to protect users against unauthorized access, while failing in their responsibility to protect the personal information of Canadians.
In 2018, the OPC issued a new directive specifying the conditions under which consent could be considered valid, particularly in the case of minors.
User agreements are presented as 25-page-long confidentiality agreements and no one reads them. “It’s illogical to say that a non-negotiable confidentiality agreement with no opt-out clause is the same thing as giving consent to the unfettered use of one’s personal information.”
In John Lawford’s view, businesses are taking advantage of the reform to weaken the notion of consent, in particular by not requiring consent in certain specific circumstances. These “circumstances,” however, are not stipulated in the discussion paper produced by Innovation, Science and Economic Development Canada, the agency responsible for the PIPEDA and its reform, potentially leaving them open to interpretation. “Self-determination is at the core of the PIPEDA. The basic principle is that individuals should have control over their information at all times and shouldn’t have to play the game by Google’s rules,” says Lawford.
The Internet of Things is also posing some new, unforeseen problems. “If there are 8 connected objects in a room with 100 people moving around in it, how do you obtain consent for each person, for each object?” Alexandre Plourde asks. “I’m not comfortable with the idea of waiving consent in certain situations. It’s a blank check for businesses to collect information. Where are the protections? It would be different if the public powers could truly monitor what’s going on.”
The rise of artificial intelligence is also creating new challenges. Algorithms could soon be making decisions about individuals’ insurability and creditworthiness by cross-referencing databases with information acquired through “consent” that is anything but informed. How will people know what information is being used? How will they be able to get information erased that is incorrect, out of date or irrelevant?
Howard Deane believes consumers need to push back. “But they should start by being consistent,” he says. “There’s a lot of carelessness and negligence out there. It seems everyone wants to protect their personal information on principle, but when strangers ask if they can use it, sometimes consumers give their consent and sometimes they don’t. Whenever such requests are presented as a condition of sale, no one asks for an explanation, far less for a justification.”
When the public and politicians demand more accountability about the use of personal information, companies refuse based on three stock arguments.
The first is depersonalization: they say the information collected is, de facto, anonymous, because the names have been removed from it. “It’s an old ploy,” says Alexandre Plourde. “Removing a name from personal information doesn’t make it anonymous. If there’s a birthdate, an IP address and a postal code, it’s pretty easy to find someone’s name.”
The second argument the companies give for collecting data is that the service is “free.” If a service is provided free of charge, isn’t it only natural that the company would ask for something in return? This “something” most often turns out to be your personal data. The Supreme Court of Canada has recognized the economic nature of this “exchange.” But the corollary should be compliance with the highest standards of consent, not the opposite.
“It’s too complicated,” is the third excuse businesses give to avoid being held accountable for the personal information they collect. Businesses say that complicated consent rules are “unproductive” or “unmanageable.” That argument makes Howard Deane laugh. Deane, who worked for the consulting firm KPMG for 30 years, has been on both sides of the fence. Companies like Google and Facebook have become masters in the art of managing unimaginably complex algorithms that use enormous quantities of information to predict behaviour with an astounding degree of accuracy, he says. Then they turn around and argue that managing a consent form with ten questions about how users can authorize the use of their personal information is “too complicated.” “The people who run these companies are sharp, they’re bright, they’re not careless or thoughtless. I’ve come to the conclusion that if it’s not being done, it’s because they don’t want to do it.”
THERE’S A NEW SHERIFF IN TOWN
Alexandre Plourde believes Canada needs to waste no time getting up to speed when it comes to laws protecting personal information. “The European Union is already acting. It has replaced its old guidelines on the protection of personal information with more restrictive, general regulations that apply to all its members. The EU has reinforced the principle of consent and introduced the “right to forget” and the right for minors to have personal information erased. The regulations are very strict. Facebook and Google could be faced with billions of euros in penalties.”
There are many possible ways of solving these problems, a number of which could be implemented immediately without changing any laws. The first would be just to “send for the sheriff” to enforce the existing laws. That would simply require giving more power to existing regulatory organizations such as the OPC, which have little, if any, at the moment. In the United States and Europe, companies are being fined sums in the hundreds of millions, even billions of dollars.
“When companies are threatened with the risk of substantial fines, most of them suddenly find a solution.”
To make the sheriff’s job easier, legislators also need to do their job and improve regulations in the digital universe by adopting stricter standards for managing personal information. At the moment, cyberspace is governed in large degree by anarchy.
For instance, consumers’ rights organizations have started demanding that all inessential information gathering online should become optional and voluntary (opt-in). Right now, the opposite is the norm: consumers only have the possibility of opting out, if in fact that possibility is offered.
Consent should also be obtained through the use of forms that are written in clear language. “There should be a summary of salient points throughout the document. There should also be a table of contents,” specifies Howard Deane, who maintains that presentation is important. “The terms and agreements should appear in the same format as the marketing material. It’s fine for companies to present a consent contract in small characters as long as they put the advertising in small characters too!”
Howard Deane believes artificial intelligence can work to consumers’ advantage. He suggests creating a “privacy calculator” app that consumers could use to manage the level of privacy in the different agreement forms they encounter. “The app could tell you if you are consenting to something you normally would have refused. Since credit cards are used for all transactions, credit companies could offer the app as part of their service package.”
John Lawford believes the new privacy standards should include time limits. There’s no justification, he says, for companies hanging on to information about someone who hasn’t been a client for the last 20 years. Instead, there should be a policy of default removal. “It’s the new economic frontier. How do we put people back into the system?”
Pierre Trudel, a professor in the Faculty of Law at the Université de Montréal, proposes another approach: to treat personal data as an essential “resource” (in the same way as natural resources, such as water and air). In the Québec daily Le Devoir, he writes: “Digital society requires a legal framework that guarantees integrity and trust within connected worlds. (…) To ensure balance, a legal framework is needed that will protect data and ensure that the value it generates is shared equitably. It’s not enough to sing the usual refrain about the importance of privacy.”
Alexandre Plourde sees other advantages in this – for one, the State would be able to share information that could spur research that contributes to the common good. “At the moment, the collection of information is monopolized by private enterprise. It’s being used strictly for commercial purposes. That information could contribute to public well-being instead. The State should grant researchers the right to use information in the interests of improving the health system, education, transport or the environment. In short, the information could be used not to monitor everyone, but to create a better world.”
THE BOOK EVERYONE IS READING
We’ve entered a new era of capitalism. That’s the idea behind The Age of Surveillance Capitalism (Public Affairs, 2019). In this 691-page tome, Harvard University professor Shoshana Zuboff explains in fine detail how individual behaviour is now being digitally harnessed to exploit and ultimately control us. It’s not a new form of classic capitalism, the author says, but a new method of social control. “A global architecture of behaviour modification threatens human nature in the twenty-first century just as industrial capitalism disfigured the natural world in the twentieth,” she writes.
Calling on citizens and legislators to resist, the author argues there’s nothing inevitable about what’s unfolding. Companies might argue they have “no choice,” that they are following the “dictates of technology,” but in fact, business leaders have simply come up with a libertarian justification for orchestrating people’s behaviour without any accountability. An essential read.
STUDIES
- Improving Online Agreement: It’s not Rocket Science, Howard Deane, Consumers Council of Canada, 2015
- Dynamic Pricing – Can consumers achieve the benefits they expect?, Howard Deane, Consumers Council of Canada, 2017
- Proposals to modernize the Personal Information Protection and Electronic Documents Act, Government of Canada, 2019
- The Privacy Box: Enabling Consumer Choice and Meaningful Consent in Online Privacy, Alysia Lau, Public Interest Advocacy Centre (PIAC), 2017
- Paying for oblivion: legal and commercial aspects of the right to be forgotten in Canada, Alexandre Plourde, Option consommateurs, 2016
- How Free is “Free?”: Setting limits on the collection of personal information for online behavioural advertising, Alexandre Plourde, Option consommateurs, 2015