Evidence of meeting #28 for Access to Information, Privacy and Ethics in the 40th Parliament, 3rd Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was know.

A recording is available from Parliament.

On the agenda

MPs speaking

Also speaking

Patricia Kosseim  General Counsel, Office of the Privacy Commissioner of Canada
Andrew Patrick  Information Technology Research Analyst, Office of the Privacy Commissioner of Canada
Daniel Caron  Legal Counsel, Legal Services, Policy and Parliamentary Affairs Branch, Office of the Privacy Commissioner of Canada

The Chair Liberal Shawn Murphy

I will now call the meeting to order and welcome everyone.

This meeting, colleagues, is a regular meeting of the Standing Committee on Access to Information, Privacy and Ethics. It's a continuation of our study on street imaging applications, in particular dealing with the situation concerning Google, Canpages, etc.

We were hoping to have officials from the Office of the Privacy Commissioner of Canada and officials from Google and Canpages here at the same time, but that didn't work out. The Google people are coming next Thursday. We will have Mr. Jacob Glick with us for the first hour next Thursday, November 4.

However, we're very pleased to have with us today, to deal with this particular issue, three officials from the Office of the Privacy Commissioner of Canada. The committee would like to welcome first Patricia Kosseim, general counsel. She's accompanied by Daniel Caron, legal counsel, legal services, policy and parliamentary affairs branch; and Andrew Patrick, information technology research analyst.

I believe Madame Kosseim will give the opening remarks for the office. I will now invite her to give her opening remarks.

Again, welcome.

Patricia Kosseim General Counsel, Office of the Privacy Commissioner of Canada

Thank you very much. It's indeed a privilege to be here. We thank you for inviting us to appear before you as you conclude, I believe, your study on street-level imaging technology. We're here to assist you in any way we can.

I'm Patricia Kosseim, general counsel. As the chair already indicated, with me are Dan Caron and Dr. Andrew Patrick, from our IT advisory services. On behalf of the Privacy Commissioner, I would like to relay her regrets at not being able to be here in person, as she is currently out of the country.

I'm going to give a brief overview of some recent developments that have occurred in this area since you last heard from former assistant commissioner Elizabeth Denham, who appeared before this committee in October 2009.

Prior to Google Street View being launched in Canada last year on October 7, 2009, the Office of the Privacy Commissioner of Canada, along with our provincial counterparts from British Columbia, Alberta and Quebec, issued a Fact Sheet on street-level imaging entitled "Captured on Camera: street-level imaging technology, the Internet and you". The purpose of that sheet was to offer Canadians more information on the privacy implications of street-level imaging technologies.

We outlined our views to businesses rolling out such technologies. We asked them to take the following steps.

They had to be proactive and creative to ensure that Canadians know when they may be photographed.

These businesses should also employ proven and effective blurring technologies for faces and vehicle licence places.

Third, they must offer fast and responsible mechanisms to allow any images to be blocked or taken down upon request.

Lastly, they must have a good reason to keep original, unblurred images and they must also protect them with appropriate security measures.

Since our last appearance before this committee in October 2009, the Office of the Privacy Commissioner of Canada has continued to stress the importance of ensuring that privacy remains an utmost consideration in the development of new products and services. However, events of the last year show that organizations need to build greater personal information protections into their new products while they are being developed. The incident involving Google's collection of Wi-Fi payload data from its street-level imaging vehicles is an important lesson in that regard.

In May 2010, Google discovered that in an effort to collect information about Wi-Fi access points to enhance its location-based services, its Street View cars had inadvertently been collecting payload data from unsecured wireless networks. Essentially, payload data is information about the communications that run through these networks. Google promptly grounded its Street View cars, stopped the collection of Wi-Fi network data, and segregated and stored by country all of the data already collected.

Pursuant to the Personal Information and Protection of Electronic Documents Act--PIPEDA--as you know well, the commissioner may initiate a complaint in respect of an organization's personal information management practices if she believes there are reasonable grounds to investigate the matter. On June 1, 2010, our office sent a letter to Google stating that the commissioner in this case and as per her statutory discretion found reasonable grounds to investigate and had initiated three complaints against the company.

The complaints initiated by the commissioner were: first, that Google's collection, use, or disclosure of payload data was done without the prior knowledge and consent of the individuals affected; second, that Google's collection of payload data was done without prior identification of the purposes for which they were collecting this data; and third, that Google's collection of payload data was not limited to that which was necessary for the purposes identified.

In the course of our investigation, representatives from our office, including Dr. Patrick, went to the Google Mountain View facility on July 19, 2010, to review samples of the payload data collected by Google. Following the investigation, which included several exchanges between our office and Google, the commissioner issued her preliminary letter of findings on October 19, 2010.

As the commissioner stated in her recent appearance before you on October 19, her investigation found that Google had inappropriately collected personal information of Canadians from unsecured wireless networks. In some cases, that personal information was highly sensitive, including complete emails, user names and passwords, and even medical conditions of specified individuals. Unfortunately, this collection of data was due to an error that could have been easily avoided if Google's own procedures had been followed.

Essentially what happened here was that the engineer who developed the code to sample categories of publicly broadcast Wi-Fi data also included code allowing for the collection of payload data, thinking that this type of information might be useful to Google in the future. The engineer had identified what he believed to be "superficial" privacy concerns, but contrary to company procedure failed to bring these concerns forward to product counsel, whose responsibility at Google would have been to address and resolve these concerns prior to product development.

The investigation revealed that a number of privacy protection principles under PIPEDA had been violated, and accordingly, in her preliminary letter of findings, the commissioner recommended that Google re-examine and improve the privacy training it provides to all its employees, with the goal of increasing staff awareness and understanding of Google's obligations under privacy laws. She also recommended that Google ensure it has an overarching governance model in place that includes effective controls to ensure that all the necessary procedures to protect privacy have been duly followed prior to the launch of any product, as well as clearly designated and identified individuals actively involved in the process and ultimately accountable for compliance with Google's obligations under privacy laws. Finally, she recommended that Google delete the Canadian payload data it collected, to the extent that it is allowed to do so under Canadian and U.S. law. If the Canadian payload data cannot immediately be deleted for legal or other reasons, the data must be properly safeguarded, and access to it should be restricted.

At this time, the commissioner considers the matter to be still unresolved. The matter will be considered resolved only upon receiving, either by or before February 1, 2011, confirmation from the company that it has implemented the above recommendations, at which point the commissioner will then issue her final report and conclusions accordingly.

We look forward to Google's implementation of our recommendations and hope that they will from now on ensure both in procedure and in practice that effective measures for protecting personal information are built into their new technologies at the very early stages of product conception and development. Our office will continue to ensure that the protection of privacy remains a key consideration for organizations prior to launching the products or services, so that Canadians may benefit from creative and innovative products secure in the knowledge that their personal information is being protected and that their rights as consumers are fundamentally respected.

Thank you.

The Chair Liberal Shawn Murphy

Thank you, Madame Kosseim.

We're now going to start the first round. That's seven minutes each. We're going to start with Madam Fry, seven minutes.

Hedy Fry Liberal Vancouver Centre, BC

Thank you very much. I understand what you've said, and I understand that you're waiting until January. In the meantime, am I understanding that Google has denied any doing of this intentionally? It was all sorry, we made a mistake, people weren't properly trained, etc.

In the meantime, do you feel comfortable that you can accept Google's word that they are going to comply at least with the intent if not with all of the things they said they would do? And there is a real concern that employees at Google, if they have access to this information, could personally use it in instances when they know some of the people and could go out there and either psychologically or whatever, blackmail, use this against a person they happen to know in personal conversations. Are you satisfied that this isn't happening? That's my first question.

Secondly, you know that in Europe they have taken far more stringent steps than I think the Privacy Commissioner is suggesting to Google here, which is kind of that Google get its act together, do what it's supposed to do. In Italy and in Europe, they don't seem to think so. What they're asking is that Google vans have stickers saying that they are collecting payload data and that they notify the communities through which they're going, three days before they go there, both in terms of some kind of communiqué, posters, or whatever, and on radio and in newspapers, so that people can shut down some of the things that they're doing at the same time. Because this is a real invasion of privacy. This could be serious in many instances. It could lead to all kinds of complications for people, not only in terms of embarrassment, but in terms of theft. People will know a lot of things about when people are home, where they're going for holidays, and could therefore know that their homes are ready for rifling. There could also be situations in which a person is having a simple conversation that is misinterpreted by someone to be criminal activity when it isn't.

So I think this is a huge issue and I would like to have your answer on these two questions. One, are you satisfied? Do you trust Google at this point in time? And, two,what about the European regulations?

3:40 p.m.

General Counsel, Office of the Privacy Commissioner of Canada

Patricia Kosseim

Thank you for that question.

Mr. Chair, I will address it in three subparts.

The first was a question as to whether or not we are confident that Google will be implementing the recommendations. We have not received any official response from Google. We have read the newspapers, as all of you have, in terms of the statements they have made to the press indicating that they have already undertaken major steps to remedy the problem, but we await Google's official response.

The reason the commissioner issued a preliminary letter of findings is that she doesn't want just undertakings: before concluding the matter and determining whether it is fully resolved or not, she wants proof and evidence that the recommendations have actually been implemented. She is waiting for actual implementation, and not just undertakings. That's the first question.

The second question was on whether we're worried about the data that has been improperly collected. I believe that in the course of the investigation, that was one of the elements that was investigated. The security measures that Google has taken to protect and segregate the data that were improperly collected have been found to be adequate. They have secured the data. They have limited the number of copies. They have secured the information in a secure location, and I think the investigation concluded at that point that it is sufficiently safeguarded pending and awaiting its ultimate destruction.

The third question was on more stringent actions being taken in Europe. I'll answer with respect to two things. The first is in respect of the improper collection of Wi-Fi data, which is the outstanding issue right now.

All data protection commissioners around the world, as you know, have different powers. Some have powers to impose and levy fines or impose criminal sanctions. They all have different powers. In terms of the different reactions, in large measure I would say they're not reflective of interpreting the situation at different levels of severity, but that they vary because of the different powers commissioners have under their respective jurisdictions.

Our commissioner has exercised all of her powers under PIPEDA in order to complete the investigation and in order to bring Google, through her ombudsman role, to implement its recommendations before she concludes the matter and further explores other avenues available to her under the act.

Those are my comments in terms of different reactions in Europe and elsewhere around the world to the Google Wi-Fi matter and the improper collection of payload data.

In respect of its street-level imaging technology and the deployment of that technology generally, I'd say there has been more coalescence and harmony around accepted practices. You're absolutely right to indicate that our best practices, issued in conjunction with our provincial counterparts, indicate that one best practice for the deployment of this technology is to notify neighbourhoods before you come through with your Google cars or any other cars. That notification can either be by way of a public means of announcement or by having cars properly labelled, etc. There are best practices that have been recommended and followed.

Hedy Fry Liberal Vancouver Centre, BC

Thank you.

I think it was indicated that I have one more minute.

Do you believe that the commissioner's power with regard to certain sanctions, whether fines or criminal sanctions, is the same as it is for commissioners in Europe? Is it less than in Europe?

3:45 p.m.

General Counsel, Office of the Privacy Commissioner of Canada

Patricia Kosseim

Well, it varies. Even in Europe, it varies from one jurisdiction to another. Her powers under PIPEDA do vary from those of commissioners who have powers to impose fines, for instance.

The model under PIPEDA has worked well to date. She has used all the powers available to her in this case and in others, and hopefully there will be a productive conclusion. Her powers--

Hedy Fry Liberal Vancouver Centre, BC

Is her power less than that found in many European jurisdictions?

3:45 p.m.

General Counsel, Office of the Privacy Commissioner of Canada

Patricia Kosseim

It is less than in some other jurisdictions, yes.

The Chair Liberal Shawn Murphy

Thank you very much, Madam Fry.

Go ahead, Madam Freeman, for seven minutes.

Carole Freeman Bloc Châteauguay—Saint-Constant, QC

I want to thank you for being here today, Ms. Kosseim, Mr. Caron and Mr. Patrick.

I'd like to talk about Google. I find it somewhat hard to accept what is going on with this international business. It's everywhere, it sets up everywhere, and I must say it acts somewhat cavalierly. I think that it's completely crazy to say that this was a mistake. When you have Google's powers, technology and structure, if you are a socially responsible business, you ensure that training is provided and that it is serious. Google gathers information on people's private lives in such a way... In fact, my personal information and yours are becoming products in the market.

This multinational is establishing itself in all countries. One commissioner protects personal information in Germany, another does the same thing in Australia, and there is one in Canada and another in Quebec. Can't you agree to try to standardize the requests made to Google? It seems to me that it's currently David vs. Goliath. Every time you make a move, Google develops a new technology, and there may be a mistake. That's my first question.

I would like to put the second to Mr. Patrick. Did he go with Ms. Stoddart to visit Google this summer? Did he make the trip?

3:50 p.m.

General Counsel, Office of the Privacy Commissioner of Canada

Carole Freeman Bloc Châteauguay—Saint-Constant, QC

I would have liked to know how that went and what he saw. What new technologies can we expect from Google or other companies that, once again, might not respect people's privacy? Can someone answer?

3:50 p.m.

General Counsel, Office of the Privacy Commissioner of Canada

Patricia Kosseim

I'll answer the first question, with your permission, Mr. Chairman, and then I'll ask my colleague to answer the member's second question.

First, was it crazy to say there was a mistake? Yes. Should that mistake have been prevented? Yes. Had Google adopted procedures to ensure such a mistake would not occur? Yes. Were the procedures followed? No, and that's where the commissioner reacted more strongly, for Wi-Fi, as in the case of Google Buzz and Google Street View. The commissioner's key message was that, when these new technologies are developed, the procedures to ensure protection must be put in place and followed from the product design and development stage, not just when an error occurs. That's the key message. These measures must be immediately followed and there must be control mechanisms to ensure they are followed in every case.

Would it be preferable to harmonize reactions to the various technologies developed by Google? That is the wish of many commissioners around the world who have powers in the privacy field. They increasingly want to work together to face large global businesses like Google. Now, the possibility of doing so varies from one commissioner to the next since they don't all have the same powers regarding the exchange of information with their counterparts elsewhere in the world.

Consequently, with regard to Bill C-28 before you, the Fighting Internet and Wireless Spam Act, it would make a key amendment to the Personal Information Protection and Electronic Documents Act that would enable our commissioner to freely exchange the information that she receives in the context of her investigations with her counterparts elsewhere in the world so as to be able to react in a more concerted and harmonized manner and deal with large businesses such as Google.

With your permission, I'll ask Dr. Patrick to answer your next question.

Dr. Andrew Patrick Information Technology Research Analyst, Office of the Privacy Commissioner of Canada

Thank you for the question.

Commissioner Stoddart was not in attendance with me in California. It was myself and Dr. Whalen, who's also a technical analyst. What we saw there was what is described in the report and the statement that we've read. We saw examples--and we only looked for examples--of personal e-mails, personal communications, names, addresses, web traffic being requested and replied to, chat messages, those kinds of things. Our strategy was simply to get an idea of the extent of the data, the nature of the data, to see examples of personal information and then to stop. That's exactly what we did.

Carole Freeman Bloc Châteauguay—Saint-Constant, QC

What kind of welcome did you get? Did you have access to everything you wanted?

3:50 p.m.

Information Technology Research Analyst, Office of the Privacy Commissioner of Canada

Dr. Andrew Patrick

Yes, we did. We got a very good reception. We were able to witness how the data was being stored, how it was being encrypted. We got full technical support, which is what we were looking for. We were there to do a technical analysis. We got full support. We were given instructions on how the data is stored in Google's proprietary formats, how it can be read, how to search. We got very good cooperation.

Carole Freeman Bloc Châteauguay—Saint-Constant, QC

From what you could see, what new technologies can we expect from Google? They aren't just created overnight.

3:50 p.m.

Information Technology Research Analyst, Office of the Privacy Commissioner of Canada

Dr. Andrew Patrick

It doesn't happen overnight. We know that there are a number of areas in which Google and many other companies are working. There's a real emphasis on personalized services, various kinds of services, services that you will carry in your pocket. So these are location-based services that will know where you are, what your interests are, and will provide recommendations. This is a big area where many companies are working.

We also know, for example, that Google is moving into the entertainment business and is launching a home television service. Again, this will have the possibility of being personalized towards your viewing habits and your desires. Both of those have potential for having privacy implications since both of those are things that we're carefully monitoring.

Carole Freeman Bloc Châteauguay—Saint-Constant, QC

Geolocation is already underway. It's possible to find people and that's already a problem.

Could you describe for us the potential privacy threats that the other technologies you've just described pose?

October 28th, 2010 / 3:55 p.m.

Information Technology Research Analyst, Office of the Privacy Commissioner of Canada

Dr. Andrew Patrick

Thank you.

There's a variety of different dangers. There are obviously personal safety dangers. If people are able to use location technologies in order to track someone's physical whereabouts and they want to do that person harm, if the data is not properly controlled, then there's that danger. There's also an issue of more expanded commercial services, commercial use of the data. An example of this is whether the data about where you are could be used for more and more advertising.

The Chair Liberal Shawn Murphy

Merci, Madame Freeman.

We're now going to move to Mr. Siksay, seven minutes.

Bill Siksay NDP Burnaby—Douglas, BC

Thank you, Chair.

Ms. Kosseim, Canpages also used similar technology, also had a process to do a similar thing in terms of street-level imaging. Do we know if they collected payload data as well in the course of doing their photography for their application?

3:55 p.m.

General Counsel, Office of the Privacy Commissioner of Canada

Patricia Kosseim

No, we have no knowledge of any such collection nor of any intention to collect Wi-Fi radio signals or payload data. We have no knowledge of that.

Bill Siksay NDP Burnaby—Douglas, BC

In your introduction today and in comments from folks, from the commissioner and others, it seems like what we thought Google was doing was a photographic process that was linked to some kind of cartographic process. Your description today of what we thought they were up seems to all pertain to photography. Did we know before May, when the Germans discovered the Wi-Fi, that they were looking for Wi-Fi access points? Did we know that was part of what they were doing before May 2010, or was the commissioner under the impression that it was a photographic process?