Information & Ethics Committee on Oct. 28th, 2010

Thank you very much. It's indeed a privilege to be here. We thank you for inviting us to appear before you as you conclude, I believe, your study on street-level imaging technology. We're here to assist you in any way we can.

I'm Patricia Kosseim, general counsel. As the chair already indicated, with me are Dan Caron and Dr. Andrew Patrick, from our IT advisory services. On behalf of the Privacy Commissioner, I would like to relay her regrets at not being able to be here in person, as she is currently out of the country.

I'm going to give a brief overview of some recent developments that have occurred in this area since you last heard from former assistant commissioner Elizabeth Denham, who appeared before this committee in October 2009.

Prior to Google Street View being launched in Canada last year on October 7, 2009, the Office of the Privacy Commissioner of Canada, along with our provincial counterparts from British Columbia, Alberta and Quebec, issued a Fact Sheet on street-level imaging entitled "Captured on Camera: street-level imaging technology, the Internet and you". The purpose of that sheet was to offer Canadians more information on the privacy implications of street-level imaging technologies.

We outlined our views to businesses rolling out such technologies. We asked them to take the following steps.

They had to be proactive and creative to ensure that Canadians know when they may be photographed.

These businesses should also employ proven and effective blurring technologies for faces and vehicle licence places.

Third, they must offer fast and responsible mechanisms to allow any images to be blocked or taken down upon request.

Lastly, they must have a good reason to keep original, unblurred images and they must also protect them with appropriate security measures.

Since our last appearance before this committee in October 2009, the Office of the Privacy Commissioner of Canada has continued to stress the importance of ensuring that privacy remains an utmost consideration in the development of new products and services. However, events of the last year show that organizations need to build greater personal information protections into their new products while they are being developed. The incident involving Google's collection of Wi-Fi payload data from its street-level imaging vehicles is an important lesson in that regard.

In May 2010, Google discovered that in an effort to collect information about Wi-Fi access points to enhance its location-based services, its Street View cars had inadvertently been collecting payload data from unsecured wireless networks. Essentially, payload data is information about the communications that run through these networks. Google promptly grounded its Street View cars, stopped the collection of Wi-Fi network data, and segregated and stored by country all of the data already collected.

Pursuant to the Personal Information and Protection of Electronic Documents Act--PIPEDA--as you know well, the commissioner may initiate a complaint in respect of an organization's personal information management practices if she believes there are reasonable grounds to investigate the matter. On June 1, 2010, our office sent a letter to Google stating that the commissioner in this case and as per her statutory discretion found reasonable grounds to investigate and had initiated three complaints against the company.

The complaints initiated by the commissioner were: first, that Google's collection, use, or disclosure of payload data was done without the prior knowledge and consent of the individuals affected; second, that Google's collection of payload data was done without prior identification of the purposes for which they were collecting this data; and third, that Google's collection of payload data was not limited to that which was necessary for the purposes identified.

In the course of our investigation, representatives from our office, including Dr. Patrick, went to the Google Mountain View facility on July 19, 2010, to review samples of the payload data collected by Google. Following the investigation, which included several exchanges between our office and Google, the commissioner issued her preliminary letter of findings on October 19, 2010.

As the commissioner stated in her recent appearance before you on October 19, her investigation found that Google had inappropriately collected personal information of Canadians from unsecured wireless networks. In some cases, that personal information was highly sensitive, including complete emails, user names and passwords, and even medical conditions of specified individuals. Unfortunately, this collection of data was due to an error that could have been easily avoided if Google's own procedures had been followed.

Essentially what happened here was that the engineer who developed the code to sample categories of publicly broadcast Wi-Fi data also included code allowing for the collection of payload data, thinking that this type of information might be useful to Google in the future. The engineer had identified what he believed to be "superficial" privacy concerns, but contrary to company procedure failed to bring these concerns forward to product counsel, whose responsibility at Google would have been to address and resolve these concerns prior to product development.

The investigation revealed that a number of privacy protection principles under PIPEDA had been violated, and accordingly, in her preliminary letter of findings, the commissioner recommended that Google re-examine and improve the privacy training it provides to all its employees, with the goal of increasing staff awareness and understanding of Google's obligations under privacy laws. She also recommended that Google ensure it has an overarching governance model in place that includes effective controls to ensure that all the necessary procedures to protect privacy have been duly followed prior to the launch of any product, as well as clearly designated and identified individuals actively involved in the process and ultimately accountable for compliance with Google's obligations under privacy laws. Finally, she recommended that Google delete the Canadian payload data it collected, to the extent that it is allowed to do so under Canadian and U.S. law. If the Canadian payload data cannot immediately be deleted for legal or other reasons, the data must be properly safeguarded, and access to it should be restricted.

At this time, the commissioner considers the matter to be still unresolved. The matter will be considered resolved only upon receiving, either by or before February 1, 2011, confirmation from the company that it has implemented the above recommendations, at which point the commissioner will then issue her final report and conclusions accordingly.

We look forward to Google's implementation of our recommendations and hope that they will from now on ensure both in procedure and in practice that effective measures for protecting personal information are built into their new technologies at the very early stages of product conception and development. Our office will continue to ensure that the protection of privacy remains a key consideration for organizations prior to launching the products or services, so that Canadians may benefit from creative and innovative products secure in the knowledge that their personal information is being protected and that their rights as consumers are fundamentally respected.

Thank you.

Thank you for that question.

Mr. Chair, I will address it in three subparts.

The first was a question as to whether or not we are confident that Google will be implementing the recommendations. We have not received any official response from Google. We have read the newspapers, as all of you have, in terms of the statements they have made to the press indicating that they have already undertaken major steps to remedy the problem, but we await Google's official response.

The reason the commissioner issued a preliminary letter of findings is that she doesn't want just undertakings: before concluding the matter and determining whether it is fully resolved or not, she wants proof and evidence that the recommendations have actually been implemented. She is waiting for actual implementation, and not just undertakings. That's the first question.

The second question was on whether we're worried about the data that has been improperly collected. I believe that in the course of the investigation, that was one of the elements that was investigated. The security measures that Google has taken to protect and segregate the data that were improperly collected have been found to be adequate. They have secured the data. They have limited the number of copies. They have secured the information in a secure location, and I think the investigation concluded at that point that it is sufficiently safeguarded pending and awaiting its ultimate destruction.

The third question was on more stringent actions being taken in Europe. I'll answer with respect to two things. The first is in respect of the improper collection of Wi-Fi data, which is the outstanding issue right now.

All data protection commissioners around the world, as you know, have different powers. Some have powers to impose and levy fines or impose criminal sanctions. They all have different powers. In terms of the different reactions, in large measure I would say they're not reflective of interpreting the situation at different levels of severity, but that they vary because of the different powers commissioners have under their respective jurisdictions.

Our commissioner has exercised all of her powers under PIPEDA in order to complete the investigation and in order to bring Google, through her ombudsman role, to implement its recommendations before she concludes the matter and further explores other avenues available to her under the act.

Those are my comments in terms of different reactions in Europe and elsewhere around the world to the Google Wi-Fi matter and the improper collection of payload data.

In respect of its street-level imaging technology and the deployment of that technology generally, I'd say there has been more coalescence and harmony around accepted practices. You're absolutely right to indicate that our best practices, issued in conjunction with our provincial counterparts, indicate that one best practice for the deployment of this technology is to notify neighbourhoods before you come through with your Google cars or any other cars. That notification can either be by way of a public means of announcement or by having cars properly labelled, etc. There are best practices that have been recommended and followed.

Well, it varies. Even in Europe, it varies from one jurisdiction to another. Her powers under PIPEDA do vary from those of commissioners who have powers to impose fines, for instance.

The model under PIPEDA has worked well to date. She has used all the powers available to her in this case and in others, and hopefully there will be a productive conclusion. Her powers--

It is less than in some other jurisdictions, yes.

Yes.

I'll answer the first question, with your permission, Mr. Chairman, and then I'll ask my colleague to answer the member's second question.

First, was it crazy to say there was a mistake? Yes. Should that mistake have been prevented? Yes. Had Google adopted procedures to ensure such a mistake would not occur? Yes. Were the procedures followed? No, and that's where the commissioner reacted more strongly, for Wi-Fi, as in the case of Google Buzz and Google Street View. The commissioner's key message was that, when these new technologies are developed, the procedures to ensure protection must be put in place and followed from the product design and development stage, not just when an error occurs. That's the key message. These measures must be immediately followed and there must be control mechanisms to ensure they are followed in every case.

Would it be preferable to harmonize reactions to the various technologies developed by Google? That is the wish of many commissioners around the world who have powers in the privacy field. They increasingly want to work together to face large global businesses like Google. Now, the possibility of doing so varies from one commissioner to the next since they don't all have the same powers regarding the exchange of information with their counterparts elsewhere in the world.

Consequently, with regard to Bill C-28 before you, the Fighting Internet and Wireless Spam Act, it would make a key amendment to the Personal Information Protection and Electronic Documents Act that would enable our commissioner to freely exchange the information that she receives in the context of her investigations with her counterparts elsewhere in the world so as to be able to react in a more concerted and harmonized manner and deal with large businesses such as Google.

With your permission, I'll ask Dr. Patrick to answer your next question.

Thank you for the question.

Commissioner Stoddart was not in attendance with me in California. It was myself and Dr. Whalen, who's also a technical analyst. What we saw there was what is described in the report and the statement that we've read. We saw examples--and we only looked for examples--of personal e-mails, personal communications, names, addresses, web traffic being requested and replied to, chat messages, those kinds of things. Our strategy was simply to get an idea of the extent of the data, the nature of the data, to see examples of personal information and then to stop. That's exactly what we did.

Yes, we did. We got a very good reception. We were able to witness how the data was being stored, how it was being encrypted. We got full technical support, which is what we were looking for. We were there to do a technical analysis. We got full support. We were given instructions on how the data is stored in Google's proprietary formats, how it can be read, how to search. We got very good cooperation.

It doesn't happen overnight. We know that there are a number of areas in which Google and many other companies are working. There's a real emphasis on personalized services, various kinds of services, services that you will carry in your pocket. So these are location-based services that will know where you are, what your interests are, and will provide recommendations. This is a big area where many companies are working.

We also know, for example, that Google is moving into the entertainment business and is launching a home television service. Again, this will have the possibility of being personalized towards your viewing habits and your desires. Both of those have potential for having privacy implications since both of those are things that we're carefully monitoring.

Thank you.

There's a variety of different dangers. There are obviously personal safety dangers. If people are able to use location technologies in order to track someone's physical whereabouts and they want to do that person harm, if the data is not properly controlled, then there's that danger. There's also an issue of more expanded commercial services, commercial use of the data. An example of this is whether the data about where you are could be used for more and more advertising.

No, we have no knowledge of any such collection nor of any intention to collect Wi-Fi radio signals or payload data. We have no knowledge of that.