Dealings with Facebook better, says privacy commissionerShe has faced down Facebook and taken federal public servants to task for misusing their beloved BlackBerries. The spreading use of social media, smartphones and other second-generation web channels and tools has put Privacy Commissioner Jennifer Stoddart front and center in the discussion of online security in Canada.
Entering her eighth year as the country's privacy watchdog, her job has increasingly focused on issues related to technology. In her annual report to Parliament on activities related to the Privacy Act, Stoddart noted: “I am apprehensive about a future in which technological pressures and the imperatives of national security threaten to erode Canadians' hard-won rights to privacy.”
Following the release of her report, she agreed to an interview with SC Magazine Canada.
SC Magazine Canada: In your annual report, you write that the Privacy Act requires some “much-needed rejuvenation.” What would be at the top of your list in terms of online communications?
Privacy Commissioner Jennifer Stoddart: One thing is the importance of mandatory privacy impact assessments, or PIA within the federal government. If you didn't do a PIA in the paper world it might not have been quite so dire as it can be in the online world, so we're saying that they should be mandatory within government in the online world. There's also a huge anachronism in the Act, which was written in about 1982 or '83, in that it only applies to recorded information. Now, with advances in genetics, online technology, nanotechnology and so on, the concept of when things are recorded or not recorded is not as relevant as it used to be. The issue now is personal information per se, not whether it has been recorded. I am also concerned that the federal government doesn't keep any kind of tally that we can find related to the disclosure of personal information to foreign states. That would be very useful. It doesn't necessarily need to be public – it could be overseen by a special commissioner or something – but we don't have a clear compilation of how much of Canadian's personal information is in the hands of foreign governments.
SC: You also anticipate what's ahead for the Fighting Internet and Wireless Spam Act. What are your hopes for anti-spam legislation?
Stoddart: First of all, I hope that it gets through Parliament. The bill still hasn't passed both houses. I'm particularly concerned that it moves ahead because we're about five to six years behind most other countries in the G8 and other countries we work with or compare ourselves to. This is hugely important, and it's going to be a priority for my office. I've been told that the bill could be given royal assent by Christmas, which would be very good news indeed.
SC: One of the challenges you face appears to be informing Canadians of privacy issues they're not aware of, related to emerging technologies. Do you feel there needs to be more proactive outreach or education for consumers?
Stoddart: Absolutely. What we've been trying to do is leverage our education program to network with other community groups, school groups, teacher associations, consumer groups and so on, in order to get the messages across. Increasingly, we're trying to prepare either generic information or information that can be targeted to youth, seniors, or Canadians with disabilities, so that groups that are working with these different segments of the population could use the information to increase digital literacy and awareness.
SC: You're perhaps best known for your disputes with Facebook during the past 18 months. What is your office's relationship with Facebook now? Is there a collaborative approach, or does the company continue to go its own way as it develops new applications.
Stoddart: It's a bit of both. Facebook obviously has its own agenda. They're going to continue to innovate. We have our work to do and our legislative mandate. We keep getting complaints about Facebook. We have a couple of ongoing complaints that raise important questions, and we continue to pursue those. Facebook now has good legal representation here in Canada, which facilitates our dialogue and means that Facebook is taking privacy legislation in Canada more seriously than it initially seemed to do. So, I guess I'd say that our dealings with Facebook are certainly a lot easier for us, because they're now mediated by a Canadian lawyer. I think the dialogue has really improved, and Facebook realizes that it has to comply with the privacy legislation in the jurisdictions where it's offering its services.
SC: One of your major findings in 2010 was the misuse of PIN-to-PIN messaging on federal employees' BlackBerries. With social networking increasing within the federal government, is there a need for a more comprehensive approach to security training and risk assessment?Stoddart: I'm glad the Clerk of the Privy Council is embracing new technologies and encouraging civil servants to use them in a thoughtful way. I was disappointed that in our wireless audit we found that so many departments and agencies were deliberating flouting or ignoring the instructions that came down from the Communications Security Establishment Canada (CSEC) [Canada's national cryptologic agency]. I'm only a watchdog. I'm not responsible for issuing the policies or seeing that they're observed. But I think there was a clear warning message, and I would think that, within the federal government, things are going to be tightened up, because there's a certain amount of cyber terrorism that's going on. There are a lot of dangers to unsecured information, so I am concerned. But I'm confident that the federal government will get a tighter grip on this.
SC: Overall, looking at your office's workload and focus over the past year, the traditional notion of “privacy” seems to be increasingly replaced by “security.” Is your office adequately resourced for these new areas of focus, and is there a need for an information technology watchdog in addition to your role?
Stoddart: Obviously, the two concepts overlap and you can't have privacy if you're not secure or your personal integrity is not secured. I tend to see IT as an enabler, though. Like all tools, IT shapes the environment and the work processes that are involved in its use, so I don't see it as something that's different in terms of preserving privacy. Perhaps the government might want some IT adviser to make recommendations on the use of new technology. But the IT is so widespread that I think it would be better for individual departments and agencies to incorporate the knowledge of information technology and its impact on society into their work. In terms of our own resources, given the state of the Canadian economy and the larger global economic issues, I'd say we're adequately resourced for the moment. My challenge, and I've been communicating this to my staff, is to change our ways of doing business – particularly using information technologies – so that we don't either fall behind or need more resources. I'm trying to work within our existing framework and make use of other approaches. We may find other ways to work to stay within our budget and get the same, or hopefully better, results.