Information & Ethics Committee on June 7th, 2012

Evidence of meeting #44 for Access to Information, Privacy and Ethics in the 41st Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was data.

A recording is available from Parliament.

On the agenda

Privacy and social media

Committee Business

MPs speaking

Also speaking

Elizabeth Denham Commissioner, Office of the Information and Privacy Commissioner of British Columbia

Ann Cavoukian Commissioner, Office of the Information and Privacy Commissioner of Ontario

Clerk of the Committee Mr. Chad Mariage

12:35 p.m.

Commissioner, Office of the Information and Privacy Commissioner of Ontario

Dr. Ann Cavoukian

There are several things we can do. Obviously, raising awareness and education is our job, and we're getting the word out there strongly. You should know that internationally, word about privacy by design is growing. As I mentioned, in 2010 it was made an international standard. If you go to our website, www.privacybydesign.ca, there's a lot of information that we share regularly.

Most organizations do PIAs, privacy impact assessments, when a new technology or a new best practice or process is introduced. You can require, or certainly request, that in the PIA process, privacy by design is reflected. If I can again encourage you to go to our website, last year we had a PBD PIA. PBD is privacy by design. This PIA was specifically developed to reflect the requirements of privacy by design in the PIA. It's one of the essential tools in any practice. When you have a new technology or business practice, you do a PIA to identify the privacy risks and address them before the program or business practice becomes operational.

By requiring the seven foundational principles of privacy by design to be reflected in the PIA, and thereby reflected in the new program or business practice, you can be assured, at least, that the issues are being addressed. The kind of data minimization you were speaking to earlier that would speak to preventing unintentional access to the data used for other purposes, the harms that arise when data are used in ways that were never intended—all the problems we are so concerned about—can be addressed right from the beginning. That's the beauty of privacy by design. It tries to identify the privacy harms right at the initial stages, when the technology is emerging or the program is just being developed.

If you embed privacy protective features at the nascent stage, right at the beginning, it's much easier to minimize the harm and address it before the program is operational or the technology is fully operational. It makes a big difference. I would point you to the PIA process as an ideal place. Also, we have it on a CD. I can send it to anyone who's interested.

How do you do privacy by design? I was asked in 2010, when privacy by design was made an international standard, if my office could offer some assistance to other regulators around the world on how to do this privacy by design thing. How do you actually operationalize it?

We developed a curriculum that I think is very accessible. It walks you through the various steps of the principles and how you would do it. I make that available to anyone who's interested. We've shared it with many universities and Intel and other companies. All the tech companies have it. It basically walks you through how you do privacy by design.

Thank you.

12:40 p.m.

NDP

Charmaine Borg NDP Terrebonne—Blainville, QC

Thank you very much.

We would like to get a copy of that CD. That would be in the committee's interest.

You did not get a chance to explain how biometric encryption operates. Could you explain to us in detail how it works? How can we ensure that we are not collecting data on everyone who enters a building or browses a website?

12:40 p.m.

Commissioner, Office of the Information and Privacy Commissioner of Ontario

Dr. Ann Cavoukian

Okay, I'd love to do that. It's really quite simple, though it sounds very complex.

Imagine your pictures being taken or your fingerprints being taken. The normal process involved in facial recognition programs or biometric programs is, as I said, to capture what is called a biometric template, which is a digital representation of the essential features of your face or your finger. That template is what is captured in the database and that is what is used for purposes of comparison.

The problem is, as I said, if the police come knocking on the door with a court order. You have to give them access to the database. They will be able to match that template of your face, the digital representation of your face, with a face that they might have taken a picture of at a crime scene. They get a match, and boom, your information is used for another purpose that was never intended.

Au contraire, with biometric encryption, what does it do that's different? It uses the unique features of your face or your finger to encrypt or code some other data: a PIN number, an alphanumeric, something meaningless, a nonsense number—it doesn't matter. And that biometrically encrypted data, this other data, is what's kept in the database.

So there are two things. If the police come knocking on the door, what do they get? You have to open the database to them. First of all they get nothing, because without your actual face present, one can't decrypt or decode what is in the database. So first of all, they can't get access to it even though you're going to open the doors.

Okay. What if there's a brute force attack? This happens. There are great hackers out there. What if they break into the database? What do they get? They get nothing of value. They don't get your face or your finger. They get this other meaningless nonsense number that was encrypted using the unique features of your face or finger, so they get garbage. Be my guest; they're not going to get anything of value. The beauty of it is that, for the purpose for which it was intended, it works perfectly. And if you go to our website, you'll see that the University of Toronto worked with the OLG, the Ontario Lottery and Gaming Corporation, to perfect the system. They reached levels of not only privacy but security and accuracy that were unprecedented for biometrics.

The large company Morpho out of Paris, France, which is the leading biometric company in the world—they just bought Sagem, which used to be the leading company; it's now Morpho—is looking at biometric encryption to develop a prototype, a pilot that it's going to be working on in the fall on how we can incorporate biometric encryption into a hardware device or something. So people are looking at this around the world. It's in its infancy.

But the beauty of the OLG example is that I can guarantee to all the regular patrons of the casinos in Ontario that they don't have to worry about their facial images being captured when they go out for an evening's recreation. I can also assure the addicted gamblers who want to be kept out that there will be a much greater success of having their wishes abided by through this program.

The success rate, if you will—it's called the hit rate—of the program of self-excluded people has grown, tripled and quadrupled. Before, we had very little for identifying these poor individuals. Now the success rate is through the roof, and there are something like 15,000 addicted gamblers in the province who have signed up for this program. We can help them do what they want us to do and keep them out, while not impacting the privacy of anyone else. And we've also told these individuals that, while they will be kept out of this program, their information will not be used for any other purpose whatsoever—no secondary use, full stop.

12:45 p.m.

NDP

The Chair NDP Pierre-Luc Dusseault

Thank you. I'm going to have to stop you in order to give Mr. Calkins the last five minutes of speaking time.

12:45 p.m.

Conservative

Blaine Calkins Conservative Wetaskiwin, AB

Thank you very much, Chair. It's Blaine Calkins day at the committee today.

Ms. Cavoukian, I want to explore this digital template you talked about. It sounds to me as if it's actually part of the encryption key. Do I understand that correctly?

12:45 p.m.

Commissioner, Office of the Information and Privacy Commissioner of Ontario

Dr. Ann Cavoukian

Under biometric encryption, the encryption key would in fact be the facial image or the finger. The unique features of your biometric would become, in effect, the equivalent to an encryption key that would then encrypt some other data.

12:45 p.m.

Conservative

Blaine Calkins Conservative Wetaskiwin, AB

But that encryption key, in order to be decrypted by a friendly user, would have to be known, so the multiplier for that encryption key would be what? The algorithm would be—

12:45 p.m.

Commissioner, Office of the Information and Privacy Commissioner of Ontario

Dr. Ann Cavoukian

The decryption key resides on your face or finger. The biometric would be the decryption key.

That's why, if the police came knocking at the OLG, they could say, “You're welcome to the database.” They don't possess the decryption keys. The decryption keys reside on the facial images of the individuals participating in this program.

12:45 p.m.

Conservative

Blaine Calkins Conservative Wetaskiwin, AB

That's good. It brings a new meaning to the words “destroy the key”. I guess we're going to have to be a little careful there. It was very comforting to know that my facial image was of little or no value, but I know you didn't mean it that particular way. I'm just being silly, of course.

Thank you for that explanation. I understand it perfectly well. It's how I suspected it was going to work.

I want to talk about the deletion of information. I was an Oracle database administrator. Whether it's a relational database or whether it's an object-oriented database, whatever the case may be, the data is stored in various forms, depending on the system being used. Very often, in the design of user interfaces and so on, information is collected, or sometimes we ask for our information to be taken out of a database, and the difference between deactivation and deletion is quite significant because we can deactivate records. We can make it look as if somebody is no longer a customer, no longer a client, but we still retain all the data for past transactions in the database.

We may be required to keep that information for tax purposes, for various legal or statutory reasons. But at some point in some of these transactions, where people's privacy is given up for the use of free application software on a mobile application, that's a completely different transaction.

I'm wondering if you, Dr. Cavoukian, or you, Ms. Denham, can speak about what you do when a user or a citizen requests the deletion of information. What can be done to better protect those Canadians?

12:50 p.m.

Commissioner, Office of the Information and Privacy Commissioner of British Columbia

Elizabeth Denham

That's a very important question. A basic privacy principle is the right to be forgotten, so in our laws, organizations can only retain information as long as they need it for business purposes and then it should be destroyed.

I led the Facebook investigation in 2009 in the federal office, and this was a real sticking point in that investigation. We found quite a difference between deactivation of someone's account and deletion of the data. The recommendation coming out of the federal commissioner's office was to make it easy for people to delete their accounts, and be clear on the difference between deactivation, which is really putting the data offline, just in case the user changes her mind down the road and wants to be back on Facebook, versus deletion, which I believe takes about 30 days and then all the data is deleted.

We wanted the company to make it really easy for individuals to choose which option and to make sure it's done.

Getting back to order-making powers, the federal privacy commissioner is an ombudsman, and she can make recommendations. At the end of the day, my colleague Ann Cavoukian and I, with our order-making powers, can order a company to delete data, and it has to do so within 30 days. Under my law it's 30 days. That is a very powerful tool.

12:50 p.m.

Commissioner, Office of the Information and Privacy Commissioner of Ontario

Dr. Ann Cavoukian

Thank you, Commissioner Denham. Like you, we have order-making power, and we can order the cessation or the destruction of collections of personal information that have been collected contrary to the act.

I did that a few years ago with the Ottawa police, believe it or not. They had collected information that I ordered destroyed. I had the pleasure of meeting Vern White, who was then the police chief in Ottawa and is now Senator White.

So we do have, in terms of what comes under our jurisdiction, the ability to order the destruction of these collections. Then we can ask for third-party audits to ensure that the data has been destroyed, although I had no concerns with the Ottawa police doing so.

As Commissioner Denham mentioned, the right to be forgotten is extremely important. It features prominently in the new EU data protection regulation that has been drafted.

Also, it is becoming more and more important because of the limited control you have in online social media and other fora in terms of online access. Is it really being destroyed? Is it being deactivated? How long...? What assurances do you have?

I'm going to suggest to people that you have very few or virtually no assurances in terms of private sector information that exceeds, certainly, my jurisdiction, and that may exceed others' jurisdictions. Even our ability to audit is very difficult to do. It takes a lot of effort. What the FTC and other organizations are doing now is building in the need for independent third-party audit, so that if the destruction of records has been ordered or required, it can then be confirmed after the fact.

But I just want to point you to one thing, and I'll say this as my final comment. Over time, I think it's going to become increasingly more difficult if companies and governments don't follow privacy by design in terms of proactively offering privacy as the default feature. You're not going to be assured of privacy or a destruction of your records. It's going to be a free-for-all.

We've been working with the University of Toronto to develop a new concept called SmartData. If you go to our website, you'll see that we just had an international symposium on SmartData, which is the developing of virtual tools that will work for the data subject and will be your virtual agent online to protect your data and act on your behalf in a contextual way.

I'm not going to take any more of the committee's time, but I just wanted to point you to SmartData. You can go to it on our website or we can send you some information. Again, we're calling it the embodiment of privacy by design—to basically give consumers, the users, the tools that will enable them to also protect their own data.

Thank you.

12:55 p.m.

NDP

The Chair NDP Pierre-Luc Dusseault

Thank you. Thank you a second time for being available to make your presentations today.

I hope we will be able to access the document you mentioned, Ms. Cavoukian, and that we can forward it to every committee member through the clerk. Thank you for being here.

We will suspend proceedings for a few minutes and then, as you know, come back for the last five minutes to talk about committee business.

Thank you.

12:55 p.m.

NDP

The Chair NDP Pierre-Luc Dusseault

We will resume the meeting.

Mr. Andrews wanted to say a few words.

12:55 p.m.

Liberal

Scott Andrews Liberal Avalon, NL

Thank you, Mr. Chair.

As committee members know, I did apologize in camera at our last meeting, and I will do it in the public portion of the meeting. That's why I asked that we stay in public.

My apologies.

12:55 p.m.

NDP

The Chair NDP Pierre-Luc Dusseault

Mr. Andrews apologized here in public.

Is there something else on the committee's business agenda that we wanted to discuss?

I wanted to make a few announcements. In particular, I submitted the report of the Société du Vieux-Port de Montréal this morning. So it has been tabled in the House.

The correction that we wanted to make to the lobbying report has also been made. It has been accepted by the House by unanimous consent. That is what I wanted to tell you.

Did Ms. Borg want to add something?

12:55 p.m.

NDP

Charlie Angus NDP Timmins—James Bay, ON

I just wanted to follow up on the other day—

12:55 p.m.

NDP

Charmaine Borg NDP Terrebonne—Blainville, QC

Okay.

12:55 p.m.

NDP

Charlie Angus NDP Timmins—James Bay, ON

Sorry.

Because there were two incidents the other day, and I'm concerned about the protocol with media. Because what happened to Mr. Andrews could happen to anybody when you're not paying attention. You're focused, and if someone taps you on the shoulder and says, hey, what do you have...? I'm just concerned.

It might have been...you know, the media might not have been paying attention, but do we have a protocol in terms of the role, of the limits, of journalists who approach the table while we are doing our work?

Because I think we need to just make that a clear position—that while we are doing the work of the ethics committee, we should not have journalists coming up and tapping us on the shoulder while we're working. I think we need some kind of.... We don't need to make a big statement, but we have to have a clear working understanding about how we're going to work together.

12:55 p.m.

NDP

The Chair NDP Pierre-Luc Dusseault

The clerk tells me that certain existing rules are supposed to govern the work of journalists in committee meetings. I am going to hand the floor over to him.

12:55 p.m.

The Clerk of the Committee Mr. Chad Mariage

Thank you, Mr. Chair.

In February 2009, a memorandum of understanding between the parliamentary press gallery and the House of Commons was reached. It was based on an initial report and a trial run that was a result of a study done by the procedure and House affairs committee.

I can distribute that directive to members, if you're interested.

12:55 p.m.

NDP

The Chair NDP Pierre-Luc Dusseault

Mr. Harris, you have the floor.

12:55 p.m.

Conservative

Dick Harris Conservative Cariboo—Prince George, BC

Just as a point of clarification, I believe within the protocol it is not permissible for a reporter, a member of the press, to come and interrupt a member sitting in a committee meeting. Is that correct?

If that is the correct protocol, and it certainly must be understood by the reporters who work on the Hill day after day, then there was a breach of protocol by that reporter who did approach a member. Whether she caught him by surprise or not, she bears a lot of the responsibility.

This committee, if she's breached protocol, would be well in its right to issue a complaint via the Speaker, or directly against her, and remind her of the protocol and not to let it happen again.

12:55 p.m.

NDP

The Chair NDP Pierre-Luc Dusseault

Mr. Butt, do you wish to add something?

12:55 p.m.

Conservative

Brad Butt Conservative Mississauga—Streetsville, ON

That was basically my point. I think there is a rule right now about reporters approaching the committee table while committee's in session. It's absolutely prohibited. That's my understanding, and that's what it should be.

The reporter should have known the difference. I think she did catch Mr. Andrews off guard, and I think that was unfortunate. I think I would agree with Mr. Harris that the reporter bears very much the blame. She's not brand new around here. She's been around here quite awhile, so she clearly knows what the rules are.

I don't think there's any question that this is the rule. You do not approach the committee table while committee is in session—period.

1 p.m.

NDP

The Chair NDP Pierre-Luc Dusseault

I would like to add that we normally do not allow journalists to be around the table during a public meeting. Perhaps we could remind journalists of those rules through the president of the Parliamentary Press Gallery in the House of Commons. We could remind them of the rules, Mr. Andrews.