Thank you very much for inviting me to participate in what I think is an important initiative. The Privacy Act is out of date, and Canadians urgently need a new and strong law that speaks to the tremendous technological changes and political economic shifts that have occurred since the 1980s.
In general, I am in agreement with and grateful for the proposals made by the Privacy Commissioner. At the same time, I should make it clear that I am not a lawyer, and nor do I have any legal expertise. I speak as a university professor who has been engaged in the social sciences. I direct the Surveillance Studies Centre at Queen's University.
My last book was Surveillance after Snowden. The large-scale team project I direct at the moment is called Big Data Surveillance. The book that I'm currently working on is The Culture of Surveillance. I mention these simply to give you some sense of the angle from which I am coming and from which I speak, which is the broad context of this act rather than the details.
Let me start by pointing out that there's a publication our research team brought out a couple of years ago. It's called Transparent Lives: Surveillance in Canada. It's a highly accessible study of the trends in surveillance today. I commend it to the committee. You can get it from any good bookstore, or it is downloadable online.
It is also available in French, under the title Vivre à nu: La surveillance au Canada.
This book encapsulates the key issues about surveillance in the 21st century and gives a comprehensive background, for anyone who would like to see it, for the need for a changed privacy law.
The trends that it examines, and for which it offers Canadian examples, include the rapid pace of increasing surveillance, the role of security concerns in prompting surveillance, the blurring of public and private sectors—Snowden's disclosures make this very clear—the ambiguity of personal information, the growth of mobile and location-based surveillance, the embedding of surveillance in everyday environments—sometimes discussed as the Internet of Things—the growth of biometrics, and social surveillance on Facebook, Twitter, and other media.
The Privacy Act is premised on some rather fixed ideas about personal information in terms of who collects it and where, if at all, it travels. Today, fluidity rather than fixity is the order of the day. Words such as “databases” define the old document, and this suggests silos in contrast to the multiple conduits through which data flow today. Information was seen then as pertaining to those specific sites, and sharing information could only happen under certain circumstances.
There still, of course, need to be limits on this practice, as we've just heard, and it has to be acknowledged at the same time that information sharing today exists on a scale that wasn't dreamed of in the 1980s, a scale that would be very difficult to quantify, let alone control.
It also occurs across boundaries assumed by the distinction between government activities and commercial ones in the two main federal laws of 1982 and 2004. The easy traffic in each direction between these domains was never envisioned in the 1982 act, and this is a key issue to be confronted in any review.
At the same time, surveillance can and does happen without there being any obvious handles for identifying personal information. The very category of personal information is badly blurred today. Once you could have imagined that this category would cover such matters as name, address, telephone, and perhaps some official identifier such as the social insurance number. Today, license plates captured by highway cameras count, and although this is controversial, so do IP addresses on computers.
Moreover, one can be identified through facial recognition. The software, for example, that is routinely used by Facebook doesn't even require a Facebook account in order for it to function. Indeed, it's relatively straightforward to identify people with no obvious identifying information provided. A Montreal study recently showed that 98% could be positively identified with birthdate, gender, and postal code without names and addresses being known.
The post-Snowden debate over whether or not metadata around phone and Internet messages count as personal data is another example. This is supposedly contextual, sometimes dismissed misleadingly as phone book-like information rather than content, but metadata is frequently more revealing, not less.
The two items mentioned refer to socio-technical and political-economic changes that have occurred over the past 40 years, and I wish to turn to matters of research and education, on which the commissioner also speaks.
On the one hand, much more research is required to properly understand the momentous changes that have occurred since the 1980s. It must be stressed that these are both socio-technical and political-economic changes and cannot safely be reduced to technical and legal categories.
For a number of years the commissioner has overseen a very successful program of funded research under the contribution scheme, but given the magnitude of the issues and their centrality to matters from national security to domestic life, much more is needed if the law governing the uses of personal data is to be kept up to date in a way that genuinely addresses all whose lives are touched by surveillance of all kinds, which is everyone.
This research program could be expanded under the act as a background to the revision of the Privacy Act, but it could also be widened by requests for surveillance and privacy research by the Tri-Council or by the Royal Society of Canada for a dedicated report on surveillance and privacy law in Canada. I suggest that such study is needed before the law can be revised.
On the education front, it is clear that much has to be done here, and this too could be coordinated by the Privacy Commissioner with an expanded brief.
In the 1980s, computing still meant primarily what were called “mainframes”, and the era of personal computing—not to mention the popular diffusion of distributed systems, mobile devices, and the cloud—was yet to flower. In that decade, if you wished to connect with others, for example, or with what would emerge in the 1990s as the Internet, you had to use a cumbersome system of plugging your land-line phone handset into rubber sockets—I don't know if anybody remembers that; it was called an acoustic coupler—to create a very uncertain data link modem.
Today computer devices and networks have proliferated in ways that demand fresh approaches to what I think should be called “digital citizenship suitable for all ages”. All Canadians need to know their rights, understand the issues, and engage actively and in an informed way. This is not a minority option. This is not something on the side. This again could be initiated by the commissioner. It could accompany the new law and could refer to the work of many other agencies where such matters are central, and in my little brief I've put some references for you.
While I believe all the above are essential components of a revised privacy law, it seems to me that the nature of the debate also has to shift to consider carefully the underlying ethical direction that should be encouraged to enable the most just and fairest uses of digital media and personal information and to exploit the best purposes of the great potential of digital technologies.
The very notion of privacy, of course, has undergone considerable change since the 1980s. These are not minor or peripheral matters and cannot be addressed in merely technical or legal ways. It's not only that privacy in some narrow sense might be violated by the misuse of these powerful technologies, but rather that our opportunities to live as free and fulfilled human beings are enhanced or curtailed by surveillance, whether by government or corporation.
As Eric Stoddart argues, much monitoring and tracking today is the surveillance of others. We would do well to consider how surveillance could be harnessed for human flourishing, which would be surveillance for others.
Thank you very much.