Information & Ethics Committee on Nov. 1st, 2012

Thank you very much.

Hello, I am Jane Tallim, co-executive director of MediaSmarts. With me is Matthew Johnson, who is our director of education and resident privacy expert. Thank you so much for inviting us here today.

We've been following the testimony to this committee with great interest and the many excellent recommendations that you've received so far. We've also noticed the number of expert witnesses who have stated that education, especially for children and youth, is an essential part of a comprehensive approach to addressing online privacy issues.

With this in mind, we would like to focus our remarks on how digital literacy, and in particular privacy education, can help young people develop good privacy habits for social media and other online activities.

Today's presentation is very timely because next week is Canada's annual Media Literacy Week. It's co-led by the Canadian Teachers' Federation and us. This year's theme is “Privacy Matters”. On Monday we'll be in Montreal hosting a youth panel exploring this topic to launch the week.

For those of you who aren't familiar with our organization, MediaSmarts is a national not-for-profit centre for digital and media literacy. We work to ensure that children and youth have the critical thinking skills to engage with media as active and informed digital citizens.

We were launched in 1995 as Media Awareness Network through a CRTC initiative on television violence. The commission's policy on this issue stated that although industry self-regulation and TV classification systems would play a role, public awareness and media literacy programs represented the primary solution to TV violence.

The same thinking applies today to online privacy. Given the inherent difficulties legislators face keeping up with constantly evolving platforms and applications, education plays a critical role in helping Canadians of all ages understand their rights and manage their privacy and personal data.

Digital literacy is the term we use to describe the range of skills needed by young people to make wise, informed, and ethical online decisions. Privacy management is one of these core skills.

Our digital literacy resources and programs are informed by our ongoing research project, Young Canadians in a Wired World. This is Canada's longest running and most comprehensive investigation of the behaviours, attitudes, and opinions of Canadian children and youth with respect to their use of the Internet.

One of our key areas of inquiry is young people's understanding and behaviours relating to online privacy, including the types of privacy invasions they encounter, and the role of adults in building awareness and influencing behaviours.

We recently launched phase three of the young Canadians project with funding from the Office of the Privacy Commissioner of Canada. Dr. Valerie Steeves of the University of Ottawa, who is our lead investigator, presented our qualitative findings to this committee in May, so you've already had a snapshot of how online surveillance has become a reality for today's youth.

Although young people find the constant surveillance annoying, persistent myths about stranger danger and Internet risks encourage them to buy into the idea that they need to be monitored to keep them safe online. The constant surveillance by parents, schools, and corporations, and young people's acceptance of it is cause for concern. Privacy is a fundamental human right, and continuous surveillance chips away at our private space. Moreover, this constant scrutiny undermines the mutual trust, confidence, and communication between adults and youth that is essential to giving young people the autonomy they need to develop digital life skills.

Finally, if youth grow up in an environment where surveillance at home and at school is normal and accepted, they are less likely to be aware of or to exercise their privacy rights regarding corporate surveillance.

We're going to be heading into classrooms across the country next February with our national survey to explore many of the privacy issues that emerged in the qualitative study. Specifically, we want to learn where the gaps are in digital literacy skills so we can address them in educational materials for classrooms and communities. For example, we'll be asking students if anyone has ever taught them how to read privacy policies or terms of use on websites.

Drawing from past young Canadians research findings, we have developed an extensive collection of resources on privacy management, ranging from games to teach good privacy habits to young children, to a comprehensive professional development workshop that trains teachers in how to address and improve the state of privacy as it pertains to the online activities of their students.

In our educational materials we focus on encouraging youth to make good choices about their own privacy, and also on teaching privacy ethics. Not only is it important to have our privacy respected and protected, we need to respect and protect the online privacy of others. This idea is most immediately relevant when it comes to social interactions online, but it has implications for corporate uses of privacy as well. One reason we place privacy education in the context of digital literacy is that, as other presenters have noted, privacy is not a stand-alone issue. It intersects with safety, cyber security. cyber bullying, authentication of information and digital citizenship.

An important part of digital citizenship is understanding and exercising your rights, both as a citizen and a consumer. To do that, youth need to know that their personal information has value and that they have legal and contractual recourse in protecting it.

Perceived importance of information privacy is a critical factor in determining how well young people manage their online privacy. With children going online at increasingly younger ages, this sense of that personal information is valuable and belongs to oneself is important to cultivate, even at the primary level. For example, we have a Privacy Pirates game on our website, which was funded by Google. It helps younger students start to understand this concept.

Support for the critical importance of privacy education for youth has precedent in Canada and internationally. In 2008, Canada's privacy commissioners and privacy oversight officials passed a resolution on children's online privacy, where they committed to improve the state of privacy as it pertains to the online activities of children and youth by implementing public education activities to increase their awareness of online privacy risks. Since that time, the Office of the Privacy Commissioner has produced several excellent educational resources and has funded organizations, including ours, to produce privacy education materials.

In February of this year, the OECD adopted a recommendation on enhanced children's online protection, recognizing that the protection of children online encompasses content risks, contact risks, consumer risks, and risks relating to information security and online privacy. The OECD recommends that national governments foster awareness raising and education as essential tools for empowering parents and children, and develop responses that include all stakeholders, and integrate a mix of public and private, voluntary and legal, awareness raising, educational, and technical measures.

Good comparative models for Canada are Britain and Australia. Both have strong digital literacy components in their national digital strategies. In Australia, the federal regulator, ACMA, produces many resources addressing children's online privacy concerns. In the U.K., they've coined the notion that Britons should bear a digital entitlement, which includes not only access but also the right to basic digital literacy skills, including privacy.

The notion of privacy education for all is essential to fostering informed citizens who recognize and challenge invasive practices online. As several witnesses have noted, when the public pushes, the industry tends to pull back.

It's a widely held belief that young people, whether they be Facebook addicts or aspiring YouTube celebrities, don't care about privacy. This isn't true. In fact, the way youth understand privacy may be more relevant than how most adults view it, because they see it not as a matter of deciding whether or not to share, but as having control over the things they want to share.

To support youth, we need to widen the current focus on privacy safety risks to include privacy rights, ethical use, recourse mechanisms, and the civic and democratic dimensions of privacy. Privacy education must be supported on a national level, both through the K to 12 curriculum in schools and public awareness campaigns to inform ail Canadians.

Thank you.

Thank you very much. I trust you can hear me okay.

I thank you for the opportunity to appear before your committee and to speak about this important issue.

I am a professor of political science at the University of Victoria and have been studying privacy protection issues for nearly 30 years in Canada and internationally. I've written or edited six books on the subject and numerous articles. I'm currently in receipt of a grant from the Social Sciences and Humanities Research Council to study privacy protection of social media. I'm also working on this same subject under a contributions grant from the Office of the Privacy Commissioner of Canada.

The privacy questions raised by social networking services are broad and dynamic, as you've no doubt discovered. Social networking challenges some of the traditional approaches and assumptions behind our privacy protection laws. As you've just heard, it requires extensive education.

The Privacy Commissioner of Canada has already outlined the privacy principles that should apply to social media. Her office has been at the forefront of global efforts to ensure that big data companies abide by established privacy rules and practices. But social media is not just out there, and it's not just about Facebook, it's also about our own organizations and our own practices.

Rather than discuss social networking in all its manifestations, I want to address an area of social networking and privacy that is far closer to your own experiences and lives as politicians. I want to raise a set of questions about how your own political parties use social networking services, and indeed, other sources of personal information to build databases about Canadian citizens.

I have just co-authored a report on privacy in Canada’s political parties for the Office of the Privacy Commissioner. This work was started back in 2011 and was published earlier this year. I'd like to take this opportunity to summarize the main findings, because I think this relates closely to the subjects of your inquiries.

Canada’s federal political parties can and do collect a large amount and variety of information on Canadian citizens: on voters, volunteers, donors, members, and supporters. A disparate and fluctuating number of employees and volunteers might also have access to these data, individuals who may have no privacy and security training. Increasingly, these data are communicated through highly mobile and dispersed electronic formats, and increasingly, they are captured through the observation of social networking activity.

Canadian parties now operate extensive voter management databases; they have been doing so for some time. There are the Conservatives' constituent information management system, CIMS, Liberalist, and NDP Vote. The foundation of these databases is the electoral list provided under the authority of the Elections Act by Elections Canada, but upon that framework, a large and increasing range of other data about voters is added and analyzed.

These data come from a variety of sources: telephone polling, traditional canvassing methods, petitions, letters, commercially available geo-demographic and marketing databases, and indeed, from social networking services. Overall, however, for a variety of reasons, the contents of those systems are shrouded in some secrecy.

As new technologies pioneered in U.S. elections increasingly play a role in modern campaigning, so the range and variety of personal data available to parties will increase, and so will the concerns about the protection of personal privacy.

Here are some examples: smart phone applications for political canvassers; targeted online advertisement software; targeted e-mail campaigns, which match IP addresses with other data sets showing party affiliation, donation history, and socio-economic characteristics; sophisticated market segmentation strategies aligning online and offline behaviour; extensive use of robocalling and robotexting; and, of course, the use of social networking and social media to plan campaigns, to target likely voters and donors, and to measure impact and engagement.

Social media not only provide a convenient method to target likely supporters, but also to capture increasingly refined information about the preferences and behaviours of voters, and their contacts and their friends. These developments have received much attention in the current U.S. election cycle. One of the most notable trends is the increasing use of customized and targeted political advertisements based on the digital trails individuals leave through their social networking activities. A recent report suggests there were no fewer than 76 different tracking programs that were observable on www.barackobama.com.

Surveillance during Canadian elections is less extensive and is less intrusive—well, so far. Nevertheless there have been a number of recent controversies that have raised concerns about the practices of political parties and have raised the profile of this issue.

The Privacy Commissioner has also received a number of complaints and inquiries about the activities of our political parties over the last several years, and they've also been raised to some extent in the provinces. However, she can do little to address these inquiries because, unlike in most other democratic countries, Canadian federal privacy protection law does not cover our political organizations.

Parties do not engage in much commercial activity and are therefore largely unregulated under the Personal Information Protection and Electronic Documents Act, PIPEDA, or substantially similar provincial laws. They're not government agencies and therefore are unregulated by the Privacy Act. The only federal law that really governs their privacy practices is the Canada Elections Act, but that legislation only applies to those voter registration data collected and shared with parties and candidates under the authority of that legislation.

Parties are also exempt from the new anti-spam legislation, Bill C-28, as well as from the do not call regulations administered through the CRTC. Thus, for the most part, individuals have no legal rights to learn what information is contained in party databases, to access and correct those data, to remove themselves from the systems, or to restrict the collection, use, and disclosure of their personal data. For the most part, parties have no legal obligations to keep that information secure, to only retain it for as long as necessary, and to control who might have access to it.

Virtually every other public or private organization in Canada must abide by these basic rules, so why should political parties be different? Of course, I concede that political parties play a critical role in our democracy. Parties need personal information to mobilize and to educate voters and for a variety of other reasons, and it has been claimed that these important functions outweigh the arguments for regulation and that therefore voluntary self-regulation will suffice, but as our report demonstrates, the current voluntary policies of our main federal political parties are incomplete, and they are inadequate.

From the point of view of an ordinary supporter or contributor, or potential voter who wishes to exercise control over his or her personal information, the existing voluntary privacy commitments of Canada’s main federal parties are often difficult to find, often inconsistent, and often somewhat vague.

No party is any better or worse than any other here—I'm not picking winners or losers—but there's little evidence, frankly, that any of your parties has given sustained consideration to privacy and to the risks associated with amassing vast amounts of personal data. For example, there's no link to privacy on the home pages of either the Liberals or the NDP, the last time I checked. There is a link on that of the Conservative Party, which is fairly prominent, but their policy is also somewhat incomplete, and it contains vague assertions and exemptions.

It would be my preference for Canadian federal political parties to be brought within the statutory requirements of PIPEDA and therefore under the authority of the Privacy Commissioner of Canada. I would urge the committee to consider that. However, in the meantime I think more can be done on a voluntary basis.

I think it would be a good idea—and I have read that some political parties have already done this, but it's not necessarily prominent—that all federal political parties declare that they voluntarily abide by the obligations in PIPEDA. It would be a good idea for them to revise their privacy policies and base them on the 10 privacy principles upon which PIPEDA is based, and to publish these more prominently. I think all parties should appoint a responsible official, the equivalent of a chief privacy officer, who would have overall responsibility for the collection, use, and dissemination of personally identifiable information. All political parties should adopt appropriate risk management strategies in case of data breaches. Data breaches are seen in many other areas of our life, in the public and the private sector. I think there should be training of staff and volunteers on privacy and security issues.

It may be that some of those activities are already occurring. I don't wish to be too critical, but my point is that it's not necessarily obvious, and therefore it's very difficult for individuals and ordinary voters and supporters, etc., to find out what their rights are.

These questions are not just about privacy. Lack of attention to the protection of personal information can erode the trust that Canadians have in the political parties and in our democratic system. In an age of social networking, being more proactive about privacy protection and providing those necessary assurances is also good organizational practice.

In summary, I applaud the committee’s attention to these challenging issues concerning social media and to the practices of big data companies such as Facebook and Google. There's been a great deal written about that subject, and I can certainly talk about those wider issues. At the same time, little attention has been given to the questions that I raise here, which I think are very much related to the topic of your inquiry and, of course, to your own individual work.

I would encourage you, therefore, to think about what I've said and to work within your own organizations to get your own houses in order and to encourage your respective parties to follow the same set of information privacy principles that apply to most other Canadian organizations.

I fear that controversies about parties and privacy protection of voters will only continue. The appropriate management of personal data in an era of extensive online social networking is not only in the interests of individual citizens, but also in the interests of your own parties and of the long-term health of our political system.

Thank you very much for your attention.

We are quite optimistic. We made a submission to the government consultations for the digital economy and are still quite hopeful that, as it has been in other countries, digital literacy will be a core pillar of any national strategy.

We were also very heartened in reading Janet Goulding's testimony, that she indicated the importance of digital literacy skills development throughout her testimony.

One of the challenges in Canada, though, is that education tends to fall provincially, and the federal agenda is a little different. We have all sorts of good work being done. For example, HRSDC focuses on work skills development. Really, we need some leadership in that public piece, that entitlement piece in the U.K. which I alluded to, as well as in ensuring that Canadian youth are also well equipped to be citizens in the digital world.

I'd like to add that you're absolutely right that simply providing tools to protect privacy is not enough.

We know this from a study that was done at Columbia University in the United States. It found that of the participants in the study, and these were students ages 18 to 25, 95%, or almost all of them, had changed their privacy settings on Facebook and felt confident that these settings reflected their desired privacy. However, when their profiles were studied, it was found that every single one of them had either shared things they did not intend to share, or in a lesser number of cases, had kept things private that they had desired to share.

Even though there is an awareness, and even if they have the tools, we know that the understanding of how to use those tools effectively does not come without education.

Traditionally, the most effective responses are comprehensive partnerships. In its recommendations as well, the OECD was stressing the importance of having community, education, government, and the private sector work together to create these comprehensive approaches.

It is currently being evaluated, but in the U.K. they created the concept, as I said, of a digital entitlement. With that they've prevented the siloing of digital literacy skills development among the general public and their being classified as just work skills development.

There are many programs that were initiated in the U.K. There is Go ON UK, which is a foundation now, which has all sorts of training and educational resources for the general public. They are also very interested in reaching more vulnerable sectors of the public. They've created something that is a national campaign, which anyone can access and use.

Legislation may well play a role. Certainly our position is that young people do need to understand what they're agreeing to. They need to understand when they use any service what information they are giving out, what information about their activities may be collected, and what will be done with that information by either the operator of the service or third parties to whom it may be sold. How this transparency comes about may well be from a combination of legislation, industry regulation, consumer action, which we have seen has been very effective. However, in whichever case it is, we do need the additional pillar of privacy education so that young people are able to understand that this information is available to them and to make use of it in an effective way.

With our young Canadians survey next year, we will be going into classrooms from grade 4 to grade 11. We will have a wide range of information. We do two versions of the survey: one for younger students in grades 4 to 6, and one for students in grades 4 to 11. Outcomes for various digital literacy skills, privacy included, are throughout the curriculum in Canada, but as you can imagine, it varies from province to province. That's one of the things we would really like to see leadership in. Some provinces do it better than others. Some provinces start with younger ages than others.

When she talked to you last spring, I think Professor Steeves mentioned that part of our qualitative phase of the young Canadians project was teacher interviews, which we did as well. The teachers had tremendous insight as well. Many of them really do want to start integrating technology into their classrooms in authentic ways so they can begin to develop these skills. Of course they also need training, support, and curriculum outcomes that give them some guidance as to what skills youth need.

I think there are pieces there. What's really needed perhaps is a comprehensive framework that looks at those core competencies that are needed relating to privacy education and other digital literacy skills so our teachers have some guidance and consistency in how they're taught.

To add to that, you had asked how it is we can teach privacy skills to different ages. I'll answer, just from our perspective, that all of our resources are created by educators as well as by people who are experts in digital literacy issues, including privacy.

That means everything we do is based in part on our understanding of pedagogy and cognitive development. We base it on what young people are able to understand at different ages. Also, it comes from our own research and awareness of research being done around the world, so that we're able to listen to young people and know what it is they're concerned about in terms of privacy and other issues at different ages. We use that as a beginning point to get them interested.

That's a big part of our research. Why we conduct our research is to understand that, as has been shown again and again in research around the world, young people do care about privacy. To be able to make them aware of the issues, we have to talk about it in a language that is relevant to them.

That's something that is germane, and I know you've heard a lot of testimony about how you almost have to be a legal professional to understand many of the privacy policies. There is best practice out there. Sara Grimes alluded to a few children's sites that do an exceptional job. I think that's part of it. I think it's about lauding the companies that are very respectful, that try to be transparent, that put things up very clearly and are easily understood, that only ask for the most necessary information.

It's a combination of educating parents and educating children as well, so that young people who are too young to really understand what the big picture is can have a trusted adult with them, to help them go through it and understand. We have no problems with children having fun online, and most do in commercial environments. They're being sold to one way or another. The important thing is for children to understand that these fun playgrounds are there because companies want to sell them things. They can still have fun, but it's about developing that understanding.

The federal role can provide leadership in supporting gatherings, events, facilitating opportunities for multiple stakeholders to come together and conceptualize what this framework might look like, what the needs are. What really is apparent in countries where they have digital literacy as a pillar in their national strategy is this notion that it's not just government led, it's not industry led, it's not just community led, that you really do have to bring multiple stakeholders together to work together.

Another point where it is relevant is that educating young people is only half the job. The other half is educating parents and grandparents and the general public. That's definitely a role the federal government can play.

Our own research showed that one of the reasons parents and young people both tended to accept the idea of surveillance—even though young people were doing a lot of things to escape surveillance, they accepted the idea that they would be subject to it—was they all subscribed to a number of inaccurate notions about online risks. There was still a sense, even though this has been thoroughly debunked by research, that anyone online is constantly subject to the risk of assault by online predators.

Parents told us they felt a pressure to spy on their kids. If young people are being spied on by their parents, if they grow up their whole lives being spied on by their parents, by their schools, they're going to accept this as normal and they're not going to question corporate or other forms of surveillance. They're going to come to believe that surveillance is normal, and rather than use above-ground tools, the tools that are effective, they're going to use a variety of other tools that are less effective—and we know a few of them from our research—to try to subvert this surveillance rather than control their information.

This is a question to be asking, yes.

One of the things that is currently occurring in the U.S. election cycle is the integration of different forms of data from different sources. The availability of personal data in the U.S. is far more extensive than it is here. The integration of marketing data, geo-demographic data, as well as the tracking of online behaviour, is becoming very extensive. It has allowed American political parties in a far more sophisticated way than before to segment the electorate, to divide up the electorate, and to target supporters and potential supporters according to increasingly precise demographic characteristics.

On the face of it, there's nothing in principle wrong with that, but the United States doesn't have any privacy protection rules anywhere near as strong as those in Canada. Yet in Canada, we have seen that political parties here have learned from time to time from their American counterparts.

I would raise the question about whether or not what has been going on in the U.S. might be seen here in the future and whether those kinds of practices are going to raise the concerns of Canadian citizens to the extent that it will be a far more high-profile issue than it is at the moment.

There's the lack of transparency. There's the use of tracking devices on websites, spyware that links personal characteristics and personal browsing behaviours to other features. Our privacy protection rules are based on a notion of transparency, consent, and notification when information is being captured about you.

As I've said, there are very few rules that apply in the U.S. Those kinds of practices challenge the basic notion that underpins the kind of privacy protection rules that underpin PIPEDA in Canada, and which suggest that when information is collected about you, you know who is collecting that information, what information it is, and the purposes for which it's going to be used. You have a right to see that information and to correct it if it's inaccurate. You have a right to control to whom that information is communicated.

Those fair information principles underpin our federal and provincial and public and private sector laws in Canada.

It is the lack of transparency, to answer your question more directly, that I think is the most troubling.

Yes, of course.

Political parties use social networking. Political parties use social media. Political parties use social media in order to communicate with potential voters, donors, etc., but through that communication they are able to capture vast amounts of information about the individuals.

To clarify, I am certainly willing to speak more generally about the issue of social media and privacy. I have done other work on this. However, when I decided what to speak about here, I thought it was an opportunity to raise this issue, as I had done a study for the Privacy Commissioner of Canada on that question, and the issue of social networking and social media features prominently in that analysis.

I understand what you're saying, and I'm willing to answer any question about this issue. I'm also willing to answer questions more broadly about the subject of your committee, about Facebook, about Google, and about the issues concerning the protection of privacy more generally.

You've touched both elements. As we said, a comprehensive approach has a public education direction as well as school-based education.

To deal for a moment with the public education agenda, Go ON UK is just one example of a program that's intended to educate the general population. There are all sorts of support mechanisms within it to facilitate the general public in various community hubs, etc.

Canada actually had an excellent network for this type of public education through the community access program, which was disbanded in April this year. It's a bit of a shame because we had an excellent infrastructure that was already very engaged in the community. You didn't have to push out too much; people knew they were there and could go for education, instruction, help. They were particularly good at reaching a more vulnerable population as well.

Having those hubs is very important to the public education agenda. Consistency and leadership within the schools is also important, making sure, for example, that this education starts in the early years. There are provinces that certainly have outcomes and expectations for privacy education in their curricula, but they don't start until secondary school, and we all know that kids are online far before they hit middle school.

Having that consistency, having a framework that is pedagogically sound and is evidence based would be very helpful, and then supporting it with the necessary training for our educators.

Yes.

Just to clarify, it's our research that is studying grades 4 to 11. There are a number of reasons for this. One is so that we can compare data with earlier surveys that covered that age range. But our resources cover the full K to 12 curriculum.

We've made an effort in the last few years to produce more digital literacy resources for younger children, because we know that young people are going online earlier and earlier. It's particularly true with the introduction of touch screen tablets, which are very kid-friendly. It's not at all unusual these days for parents to report that their kids are going online for the first time at the age of two.

We also know from our own research and research done around the world that the landscape online for young people is tremendously commercialized; that the majority of the sites most popular with young people are commercial sites. So it's really important that they develop these digital literacy skills as early as possible.

I will start with the obvious. Considerable funding has been dedicated in these countries to promoting a digital agenda that facilitates digital literacy skills development. It's largely to—

Oh, my gosh. In Australia, I believe it's hundreds of millions of dollars just for the digital literacy pillar. It's on top of their digital economy plan. You also have quality places created for children online as part of the strategy for children to learn and develop skills.

You were talking about really young children going online, and how on earth they can understand what they're being exposed to. That's where supporting parents and grandparents and adults who are in kids' lives becomes essential in helping people in the general public understand what constitutes a quality website for a child. We all understand that minimal information is needed for a child to participate in online environments. Therefore, understanding exactly what is needed in order to be able to say that a site is respectful of the children who are coming to it is part of that broader education piece, so that adults feel comfortable taking their children to these various web environments.

I'd like to add to that.

It's important to know as well that when young people go online, not only are they subject to the same privacy risks as adults, but they're actually subject to greater risks. We know from research done around the world that young people are tracked online more aggressively than adults.

For instance, a Wall Street Journal investigation found that on average, children's websites had 30% more tracking devices than adult websites. Similarly, a Federal Trade Commission study was done that looked at 400 mobile apps aimed at kids, and of course these, as we said, are on the devices most popular among younger children, things such as the iPhone or the iPad. They found that fewer than one in fifty actually said what personal information was being collected or how it was being used.

There is really aggressive tracking of kids. There is really aggressive commercial targeting of kids, more than adults are suffering. As you say, they have tremendous difficulties understanding what they are consenting to, if indeed it is possible for children to consent in those situations.

The Privacy Commissioner would be better positioned to specifically address whether she feels she has sufficient power to work with companies. Certainly having these standards, whether they are entrenched in legislation, or whether it is decided that these should be self-regulatory codes and guidelines, as has been done in other media, when these standards are put out, they do become the benchmark. They become the bar that companies are expected to reach one way or another.

I will add very briefly that whatever regulation or legislation takes place, it is really important that the education piece be there, to make sure young people are aware of the rights they have under legislation or regulation.

Research has shown that a large proportion of young people in the United States believes the law in that country protects their privacy more than it actually does. There is definitely an inaccurate sense among young people of how much they are protected.

We don't know whether that's true in Canada yet, but there's every reason to believe that it is.

Thank you for your question.

The project has centred at Queen's University and we're looking at various trends in surveillance that have occurred over the last 10 or 15 years or so. There are several things that we would point to.

First, there is the fact that surveillance has become more mobile. It's become more general. It's not just about who you are; it's about where you are.

Surveillance has become more embedded in material objects. We don't necessarily know that we're being watched. Surveillance is also something that is not just done between big organizations and individuals. It's also something that happens from peer to peer.

There are a variety of trends that are occurring, and social networking and social media are central to all of those trends. That's why I have difficulty saying that social media and social networking are things that are out there, things that big corporations do. They are deeply embedded in all of our organizations.

With respect to privacy, it is true that our privacy protection rules need to be considered and updated in relation to social media, and particularly with respect to this issue. Our laws, such as the Privacy Act and PIPEDA, were developed with the notion of a distinction in mind between an organization and a subject, or between a controller of data and an individual. Now that distinction has broken down as social media sites are producing and selling data that is actually generated by users. It's that notion of user-generated data that really does challenge some of the existing principles within our privacy protection laws.

I want to say something in response to the previous question about enforcement powers.

The Privacy Commissioner of Canada has ombudsman powers. I am in favour of broader enforcement powers. They're certainly necessary in the light of these rapid changes in technology. More enforcement powers would create a greater certainty for consumers and indeed for businesses.

It would establish a clearer jurisprudence where the rules and the investigation reports would have a clearer legal standing than they perhaps do at the moment. It's also a little odd that some of our provincial commissioners, such as in Quebec, British Columbia, and Alberta, do in fact have enforcement powers under their respective privacy laws, when the Privacy Commissioner does not.

It is a deep concern, as companies such as Facebook and Google are increasingly using facial recognition. The ability to identify somebody more precisely from simply taking a picture of them is something that should be of concern to all of us. It would encourage greater stalking, cyber-stalking and other stalking. More broadly, I think it raises another trend that I was alluding to, that the distinction between personal information and non-personal information is becoming increasingly difficult to identify.

We tend not to think about personal information anymore, or personally identifiable information, but whether it is personally identifiable information, and facial recognition, the ability to link up a face or an image to a real individual is an example of the increasing identifiability of all of us online.

Sure. I'll start, and then I know Matthew will have lots to say.

I think one of the issues you mentioned is that training is so germane. Professional development training is almost going the way of the dodo bird. I believe at the Ottawa Board of Education there are currently two professional development days a year, and there are teachers who are teaching many different subjects, as well.

I also think our faculties of education are struggling to keep up with the whole change in education at all the levels you alluded to. We need to better train our teachers to teach through technology and teach about technology.

Absolutely.

A study was done just last year with pre-service teachers, or teacher candidates, in Ontario. They said overwhelmingly that they did not feel they were being prepared to deal with the various digital issues they were going to face in the classroom. One of the ones they touched on was cyber-bullying, which is top of mind for many people. That too has a privacy dimension, because much of cyber-bullying does relate to unethical use of other people's privacy and personal information, their images, for instance, in many cases.

That's one of the reasons we have to address privacy. It's from a perspective of not only protecting your own personal information but also dealing with privacy in an ethical way. That relates to the corporate collection of privacy, because if we inculcate young people with the idea that privacy has an ethical dimension, they'll expect and indeed demand that their personal information be treated ethically by the spaces, the corporations, to whom they give it.

Certainly.

The education piece fits squarely into that. When you're looking at data retention, you're looking at corporate responsibility, being amenable to removing images and data at a certain point.

The education piece is really important, though, especially with youth. You could have a company that is very respectful of this, that doesn't retain profiles after a certain time period after they're closed. However, if a young person, or anyone, has been indiscreet in over-sharing photos, texts, or anything like that, these images and texts have a life of their own beyond the courtesy of the company where those were posted.

It's a double issue there. The education piece is central in just thinking about what you post online, especially for youth.

Thank you for your question.

I'll bring it even closer to home. An initiative in the United States is a digital literacy corps of young people who are trained to go out into the community and provide training to members of communities in various cities across the country.

Looking at these and other initiatives, we found it sad that we have an excellent system set up that is very well respected, that is doing good work, that is reaching those people who might be more difficult to reach, and that we denied it funding. It's sad because at the end of the day we're going to have to go back and reinvent the wheel, and we'll probably come up with another CAP system, when we actually have systems that are invested in communities and are well respected and are doing good work in communities.

Yes.

I will continue on with the trends. The collection of biometrics at the border is something which the Privacy Commissioner has expressed a great deal of concern about.

It depends a bit on what you mean by a biometric. That's a word that's not used consistently, but it speaks to my broader points. The nature of information is changing and the ability to monitor people is changing as a result of changes in the way we think about identifying people.

Perhaps I could add something historically to emphasize my point.

There was a time, maybe 30 or 40 years ago, when we knew when information was being captured about us because we filled out a form. We were asked for a certain amount of information and we filled our a census form or an application form, or something like that. Now, increasingly, we do not know when that is happening. Furthermore, we don't necessarily know the nature of the information itself. We don't know how we are being identified. One of the larger trends, in addition to those that I mentioned earlier, is that we don't know, as individuals, how organizations are actually identifying us. We don't know how that happens online, and we certainly don't know how it's happening with respect to biometrics. Yet our laws tend to be based on a fairly dated notion of what personal information is and is not, and it's creating challenges for the Privacy Commissioner here and for her colleagues internationally.

I hope that h as addressed part of your question, at any rate.