The world is abuzz with privacy news this month. So much so that I spent a morning last week being interviewed by every CBC Radio station in British Columbia. What’s up with that? You got me, they like their privacy in BC I guess. But I’m even making it into the francophone media! So let’s dive in with all the privacy news du jour.
Facebook – Cambridge Analytica
This is what all the kids are talking about. In case you have been living under a rock, there has been a data scandal! Or a data breach! Or something. Let’s do some FAQs:
What the F happened?
There was this academic named Aleksandr Kogan, and he created one of those quizzes on Facebook like “Which Spice Girl Are You?” that people like to do. About 300,000 Facebook users did the quiz. When they did, they did in fact agree to turn over some personal information. The problem is, the quiz also collected information about the 300,000’s friends, so the quiz collected information on about 50 million Facebook users. The data ended up in the hands of Cambridge Analytica, who used it (allegedly) to elect Donald Trump President of the United States.
Whoa, what’s up with the friends’ data thing? That doesn’t sound cool.
I agree! But back in 2014 when the quiz ran, this was perfectly fine by Facebook’s rules. That specific rule has since been changed.
Was this a “data breach”?
That is a tough question to answer. I personally say no, others say yes. In my mind, a data breach is when data is “stolen”, or a when a hole in security allows someone to get data they otherwise would not have access to, or the data is unintentionally released as a result of the security flaw. This was not those things.
On the other hand, you could say that because the data ended up where it wasn’t supposed to (in the hands of Cambridge Analytica), without authorization, it is in fact a breach. That’s what The Guardian called it, and they broke the story!
So what was it, according to you?
It’s a thing. A Data Thing. (TM Allen Mendelsohn)
Did the Data Thing violate the law?
Well probably! Data protection laws (like Canada’s PIPEDA) work on the principle of enlightened consent, meaning if you are giving up your personal information to a private company, you have to agree to it, and have to know what they will do with it and why they want it. It’s unlikely that people would have agreed to turn over their information if they knew that it would be used to elect Donald Trump! Though Kogan disagrees:
“We made clear the app was for commercial use – we never mentioned academic research nor the University of Cambridge,” Kogan wrote. “We clearly stated that the users were granting us the right to use the data in broad scope, including selling and licensing the data. These changes were all made on the Facebook app platform and thus they had full ability to review the nature of the app and raise issues. Facebook at no point raised any concerns at all about any of these changes.”
So what is your opinion on all this?
To quote myself from a bunch of media appearances, “I am not fucking surprised at all” (though I am pretty sure I didn’t swear on the CBC). Facebook’s entire business model is based on collecting data from its users. There is a quote in online circles that people have been repeating a lot in the last week – “When something online is free, you’re not the customer, you’re the product.” That’s Facebook (and a crapload of other companies) in a nutshell – they can give you a valuable free service because your data is more valuable to them than your money. That massive misuse of Facebook user data hasn’t happened (or been revealed!) before is the surprise.
At the very least, this Data Thing has made the general public much more cognizant of their online privacy and data, which is always a good thing. And the Office of the Privacy Commissioner has launched an investigation, so, uh, that will do nothing.
Is there other bad news about Facebook on the privacy front this month?
Glad you asked.
Facebook scraping call and text message data from Android phones
A few days ago, Ars Technica put together a report with the headline “Facebook scraped call, text message data for years from Android phones”. WHOA if true! (It’s true). It started when a guy in New Zealand downloaded an archive of his data from Facebook, and found that Facebook “had about two years’ worth of phone call metadata from his Android phone, including names, phone numbers, and the length of each call made or received.” Oof. Ars Technica confirmed it through the reporter’s own data.
So what’s the deal? Well it is pretty simple! When you downloaded Facebook Messenger or Facebook Lite onto your Android phone, you were asked for permission for Facebook to access your Android’s phone contacts. That permission is useful, in that it helps Facebook find friends for you. In a certain version of Android, that permission was “bundled” with permission to access call and text logs. So two for one! A later version of Android split those permissions, but many Android users don’t update to newer versions. Looks like Facebook was collecting this data all the way up to October 2017. Yikes! Let’s just ask one question here:
Should we blame Facebook here?
Well yes and no. It was in fact Google, who makes Android, who bundled those permissions. Facebook just did what probably many many other app developers did and collected some information. But at the same time, they love that information! Remember, it’s money to them. So, uh, lots of blame to go around.
A Random Privacy Story – From me!
Here’s a funny (not funny haha, but funny OMFG) story. Literally while I was writing this blog post, I received an email from Pages Jaunes (Yellow Pages) with the headline (I’m translating) “Need a Dentist? Yellow Pages can help!” About an hour ago I had Googled Montreal Dentists (for my own oral hygiene reasons) and ended up on yellowpages.ca. Coincidence? I THINK FUCKING NOT.
Gmail and Google are free services. I am the product.
Finally – Big News out of the House of Commons! Canadian Privacy Law to be fixed forever
This probably deserves its own post, but I am busy media whoring. Remember about 10 paragraphs ago when I said the Office of the Privacy Commissioner’s investigation of Facebook will do nothing? It’s because PIPEDA, our federal privacy / data protection law is a worthless piece of junk. Well, maybe I am being a bit harsh. It’s just worthless. The reason is because while it has some lovely principles, it has no teeth, no real way to enforce it. Massive data breach by a private company affecting millions of Canadians? The Privacy Commissioner gets to write a strongly-worded letter, and only if people ask him to. Well that is about to change! Maybe!
At the end of February, the Standing Committee on Access to Information, Privacy and Ethics, which goes by “ETHI” because Access to Information and Privacy are not as important as Ethics I guess, released a report. Yay, a report! The report is entitled Towards Privacy by Design: Review of the Personal Information Protection and Electronic Documents Act (that’s the PDF, here is some badly-organized and formatted HTML), and it is a doozy! Basically 100 pages of why PIPEDA sucks. At least the government recognizes it. The whole thing is worth a read, as they say on the internet.
So as they explain how PIPEDA sucks, and what a bunch of Committee witnesses said about an issue, they make 19 important recommendations. I am not reviewing all of them, because yegads, but let’s comment on a few of the bigger ones.
Recommendation 2: opt-in consent by default
Well duh, of course that should be a thing. Since the whole regime is based on consent (and will stay that way, that was Recommendation 1) you best believe this should be an opt-in world.
3: That the Government of Canada consider implementing measures to improve algorithmic transparency.
I don’t know what this means. I’ll get back to you.
Ok I’m back. It means that if companies like, I don’t know, Facebook, use fancy computer algorithms to display content to you, they should be open or “transparent” about how those algorithms work. Good luck with that.
Let’s put a few of the next recommendations together, and I’ve bolded the key bits:
11 That the Government of Canada consider including in PIPEPDA a framework for a right to erasure based on the model developed by the European Union that would, at a minimum, include a right for young people to have information posted online either by themselves or through an organization taken down.
12 That the Government of Canada consider including a framework for the right to de-indexing in PIPEPDA and that this right be expressly recognized in the case of personal information posted online by individuals when they were minors.
14 That PIPEPDA be amended to make privacy by design a central principle and to include the seven foundational principles of this concept, where possible.
Welcome to Europe everyone! What does this have to do with Europe? Allow me to explain. On May 25 2018, the GDPR, the General Data Protection Regulation, will go into effect in Europe. It will be the strongest data protection / privacy law in the history of the universe. The GDPR will apply to Canadian companies if they collect data from Europeans, take more of a look into GDPR and the legal sides to it by searching into law firms that handle GDPR compliance issues such as Sidley Austin or others. Canada wants to fix PIPEDA to make it more in line with the GDPR, as those bolded phrases are GDPR concepts. Why? Let’s look at a couple of other recommendations:
17 That the Government of Canada work with its European Union counterparts to determine what would constitute adequacy status for PIPEDA in the context of the new GDPR.
18 on legislative amendments required to maintain the adequacy status:
a) That the Government of Canada determine what, if any, changes to PIPEDA will be required in order to maintain its adequacy status under the GDPR.; and
b) That, if it is determined that the changes required to maintain adequacy status are not in the Canadian interest, the Government of Canada create mechanisms to allow for the seamless transfer of data between Canada and the European Union.
So what’s this adequacy status thing you keep bolding? Stop asking questions! OK I’ll explain because it’s important. Under the old European Data Directive that the GDPR is replacing, it was determined by Europe that Canada had “an adequate level of protection” because of PIPEDA, and so it was cool if you transferred personal data to Canada. These “adequacy decisions” were very rare and valuable – the USA didn’t even have one! (Well they sort of do but it’s complicated). The problem is that with the GDPR, every expert (like me I guess?) predicts that Canada will lose its adequacy status because the GDPR is much tougher than the old European data law and PIPEDA is worthless, as I’ve already mentioned. So the Committee recognizes this and realizes we have to fix PIPEDA to make sure we can keep our adequacy status so we can continue to freely do business (at least from the data side) with Europe. Which brings us to our final 2 recommendations:
15 That PIPEDA be amended to give the Privacy Commissioner enforcement powers, including the power to make orders and impose fines for non-compliance.
16 That PIPEDA be amended to give the Privacy Commissioner broad audit powers, including the ability to choose which complaints to investigate.
These powers have been way too long coming. And will further make our law more like the GDPR. So get to work, Parliament! Business privacy is very important, no business wants their data breached and put out there for rival companies to use, this is why third party risk management is important to ensure that any business is done securely and safely between the parties.