Information & Ethics Committee on June 7th, 2012

Okay, I'd love to do that. It's really quite simple, though it sounds very complex.

Imagine your pictures being taken or your fingerprints being taken. The normal process involved in facial recognition programs or biometric programs is, as I said, to capture what is called a biometric template, which is a digital representation of the essential features of your face or your finger. That template is what is captured in the database and that is what is used for purposes of comparison.

The problem is, as I said, if the police come knocking on the door with a court order. You have to give them access to the database. They will be able to match that template of your face, the digital representation of your face, with a face that they might have taken a picture of at a crime scene. They get a match, and boom, your information is used for another purpose that was never intended.

Au contraire, with biometric encryption, what does it do that's different? It uses the unique features of your face or your finger to encrypt or code some other data: a PIN number, an alphanumeric, something meaningless, a nonsense number—it doesn't matter. And that biometrically encrypted data, this other data, is what's kept in the database.

So there are two things. If the police come knocking on the door, what do they get? You have to open the database to them. First of all they get nothing, because without your actual face present, one can't decrypt or decode what is in the database. So first of all, they can't get access to it even though you're going to open the doors.

Okay. What if there's a brute force attack? This happens. There are great hackers out there. What if they break into the database? What do they get? They get nothing of value. They don't get your face or your finger. They get this other meaningless nonsense number that was encrypted using the unique features of your face or finger, so they get garbage. Be my guest; they're not going to get anything of value. The beauty of it is that, for the purpose for which it was intended, it works perfectly. And if you go to our website, you'll see that the University of Toronto worked with the OLG, the Ontario Lottery and Gaming Corporation, to perfect the system. They reached levels of not only privacy but security and accuracy that were unprecedented for biometrics.

The large company Morpho out of Paris, France, which is the leading biometric company in the world—they just bought Sagem, which used to be the leading company; it's now Morpho—is looking at biometric encryption to develop a prototype, a pilot that it's going to be working on in the fall on how we can incorporate biometric encryption into a hardware device or something. So people are looking at this around the world. It's in its infancy.

But the beauty of the OLG example is that I can guarantee to all the regular patrons of the casinos in Ontario that they don't have to worry about their facial images being captured when they go out for an evening's recreation. I can also assure the addicted gamblers who want to be kept out that there will be a much greater success of having their wishes abided by through this program.

The success rate, if you will—it's called the hit rate—of the program of self-excluded people has grown, tripled and quadrupled. Before, we had very little for identifying these poor individuals. Now the success rate is through the roof, and there are something like 15,000 addicted gamblers in the province who have signed up for this program. We can help them do what they want us to do and keep them out, while not impacting the privacy of anyone else. And we've also told these individuals that, while they will be kept out of this program, their information will not be used for any other purpose whatsoever—no secondary use, full stop.

Under biometric encryption, the encryption key would in fact be the facial image or the finger. The unique features of your biometric would become, in effect, the equivalent to an encryption key that would then encrypt some other data.

The decryption key resides on your face or finger. The biometric would be the decryption key.

That's why, if the police came knocking at the OLG, they could say, “You're welcome to the database.” They don't possess the decryption keys. The decryption keys reside on the facial images of the individuals participating in this program.

That's a very important question. A basic privacy principle is the right to be forgotten, so in our laws, organizations can only retain information as long as they need it for business purposes and then it should be destroyed.

I led the Facebook investigation in 2009 in the federal office, and this was a real sticking point in that investigation. We found quite a difference between deactivation of someone's account and deletion of the data. The recommendation coming out of the federal commissioner's office was to make it easy for people to delete their accounts, and be clear on the difference between deactivation, which is really putting the data offline, just in case the user changes her mind down the road and wants to be back on Facebook, versus deletion, which I believe takes about 30 days and then all the data is deleted.

We wanted the company to make it really easy for individuals to choose which option and to make sure it's done.

Getting back to order-making powers, the federal privacy commissioner is an ombudsman, and she can make recommendations. At the end of the day, my colleague Ann Cavoukian and I, with our order-making powers, can order a company to delete data, and it has to do so within 30 days. Under my law it's 30 days. That is a very powerful tool.

Thank you, Commissioner Denham. Like you, we have order-making power, and we can order the cessation or the destruction of collections of personal information that have been collected contrary to the act.

I did that a few years ago with the Ottawa police, believe it or not. They had collected information that I ordered destroyed. I had the pleasure of meeting Vern White, who was then the police chief in Ottawa and is now Senator White.

So we do have, in terms of what comes under our jurisdiction, the ability to order the destruction of these collections. Then we can ask for third-party audits to ensure that the data has been destroyed, although I had no concerns with the Ottawa police doing so.

As Commissioner Denham mentioned, the right to be forgotten is extremely important. It features prominently in the new EU data protection regulation that has been drafted.

Also, it is becoming more and more important because of the limited control you have in online social media and other fora in terms of online access. Is it really being destroyed? Is it being deactivated? How long...? What assurances do you have?

I'm going to suggest to people that you have very few or virtually no assurances in terms of private sector information that exceeds, certainly, my jurisdiction, and that may exceed others' jurisdictions. Even our ability to audit is very difficult to do. It takes a lot of effort. What the FTC and other organizations are doing now is building in the need for independent third-party audit, so that if the destruction of records has been ordered or required, it can then be confirmed after the fact.

But I just want to point you to one thing, and I'll say this as my final comment. Over time, I think it's going to become increasingly more difficult if companies and governments don't follow privacy by design in terms of proactively offering privacy as the default feature. You're not going to be assured of privacy or a destruction of your records. It's going to be a free-for-all.

We've been working with the University of Toronto to develop a new concept called SmartData. If you go to our website, you'll see that we just had an international symposium on SmartData, which is the developing of virtual tools that will work for the data subject and will be your virtual agent online to protect your data and act on your behalf in a contextual way.

I'm not going to take any more of the committee's time, but I just wanted to point you to SmartData. You can go to it on our website or we can send you some information. Again, we're calling it the embodiment of privacy by design—to basically give consumers, the users, the tools that will enable them to also protect their own data.

Thank you.

Thank you, Mr. Chair.

In February 2009, a memorandum of understanding between the parliamentary press gallery and the House of Commons was reached. It was based on an initial report and a trial run that was a result of a study done by the procedure and House affairs committee.

I can distribute that directive to members, if you're interested.