Leakage! Errrr, web leakage!

Shred baby, shred!Is your privacy online being shredded to bits? The Office of the Privacy Commissioner sure thinks so! This week, they released the results of a study they did of 25 major Canadian websites, which showed that 11 of them were engaging in “web leakage”. So which companies are leaking your personal information? Let’s find out!

Ha! Fooled you. I wish I could tell you the websites, but the Office of the Privacy Commissioner (OPC) won’t release them. What a tease.

Let’s take a step back here and I’ll explain what’s going on. So the OPC found that internationally there was a considerable amount of web leakage. They decided that maybe it was going on in Canada too, so over the past summer they decided to investigate by researching 25 websites. The OPC describes web leakage as something way less sexy than it could be:

“Web leakage” involves the disclosure of a website user’s personal information to third-party sites – without proper knowledge or consent.

Well that sounds bad. And it is! But maybe not to the extent that the OPC says, but I’ll get to that in a minute. Here’s why web leakage is bad, according to the OPC:

  • Why is web leakage a privacy concern?

A tenet of good privacy is to allow individuals to make informed choices about whether to share – or not share – their personal information.

It is a privacy concern if websites are disclosing personal information without making users aware of this practice and seeking their consent.

Ominous! So the OPC picked out 25 Canadian websites to check if there was leakage. Again, they won’t tell us which ones, but they say the sample:

represented a range of sectors, including media, shopping and travel services. All are sophisticated websites operated by large organizations which account for billions in combined annual revenues.

Let the guessing commence! I vote for Amazon.ca at the top of the list. Anyway, it is important to note a few things about the methodology of the study. First, the information was being passed on to third parties only when users signed up for something, so users had voluntarily disclosed that information. Second, the study did not identify whether the leakage was intentional or unintentional. These have important ramifications, and I’ll get to that in a minute too.

So who or what are these third parties that are receiving the personal information? Well the OPC won’t tell us that either! It’s almost like they are hiding information from us. They will tell us they generally fall into three categories – web analytics, companies that serve up online ads, and “e-flyer” companies that send out, well, e-flyers. Basically companies that are monetizing the internet without selling stuff.

Now, all of this is bad according to the OPC because it violates Canadian Privacy Law. They don’t say what law exactly, but I can tell you it’s PIPEDA, the Personal Information Protection and Electronic Documents Act. And what part of PIPEDA is violated? Well, all of it no doubt! PIPEDA’s Schedule 1 has a long list of nebulous “principles” which companies must adhere to, or they are breaking the law. In this case, I would say the OPC would say that these companies are violating Principle 4.3 the most:

The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information

Go back up and look at the OPC’s definition of web leakage. It says “knowledge and consent.” The definition fits the crime. QED.

All leakage is not the same

OK, it’s commentary time! First, we have to ask what information is being shared. Fortunately, the OPC provides a handy summary chart which outlines the info being shared. It includes names, usernames, email addresses, postal codes, and locations. There is no question that sharing of email addresses with third-parties is complete bullshit. If you are a website operator, you really should not be sharing that with any third party unless you got explicit permission to do so.

But location? Postal code? Releasing that data to third parties helps you. I get to see an ad for a restaurant in Montreal (where I live) instead of one in Calgary (where I don’t live). I get special offers for businesses that are near me. That’s the way the internet works, FFS! To group those companies who only leak this geo-data (and look at the summary table, there are several of those) with companies shipping off your email addresses is ridiculous, and undercuts the whole study imho.

And let’s go back to this breaking the law business. The OPC has completely ignored the role of Terms of Use and Privacy Policies of websites. You know what those are by now, the legal documents that govern the relationship between website operator and user. When you use a website, you are governed by those documents. And those documents will say if the information you supplied to the website may be transferred to third parties in certain circumstances. Here, read this from Amazon.ca:

Does Amazon.ca Share the Information It Receives?
Information about our customers is an important part of our business, and we’re not in the business of selling it to others. We share customer information only as described below(…)

Promotional Offers: Sometimes, we send offers to selected groups of Amazon.ca customers on behalf of other businesses. When we do this, we don’t give that business your name and address

But they do give them everything else, including your email address and location! By signing up for Amazon (remember, in all OPC case studies it was from users who had signed up), you have consented to this policy. Hell, you may have even clicked a little box that said so, so you gave explicit permission. And you are presumed to have read it (even though you probably didn’t), so you are presumed to know about it. Knowledge and consent! No PIPEDA violation now.

And not distinguishing between intentional and unintentional leakage? Well, I’ve got a real problem with that. I’ve even heard that many people use Amazon Web Services to store their data and to deliver content, as well as using it for other business operations too. And this data leakage can also happen to them, especially if their network isn’t secure. That’s why it’s a good job that places like Cobalt (https://blog.cobalt.io/what-you-need-to-know-about-aws-pentesting-d2aee7a279de) can conduct penetration testing to help make sure that all of their details, and their computer network, is as secure as possible. And when it comes to Amazon, this will be particularly important. There is a massive difference between selling off my email address and an automatic process that grabs my postal code so I can get a 2-for-1 beer coupon from Hurleys. The circumstances matter.

I don’t want it to appear as if I am defending the practice of web leakage. I am not; personal information should be sacrosanct. But without divulging the companies involved, without any sort of proper legal analysis, without determining the circumstances of the leakage, by just screaming out and fear-mongering for all to hear “YOUR PERSONAL INFORMATION IS BEING SHARED WITHOUT YOUR PERMISSION!1!!!11!!” without delving a little deeper, the OPC is undermining its own conclusions and doing everyone, consumers and companies alike, a disservice.




Leave a Reply

Your email address will not be published.