Mark S. Fox is associate director at the University of Toronto’s School of Cities and a professor of industrial engineering and computer science.
In our electronic age, privacy has become a public concern of paramount importance. Much Canadian discussion has been engendered by Sidewalk Labs’ Quayside development in Toronto, but Canadians need to recognize that we live in what Nova Spivack has called a postprivacy world. Just as a vault is designed to make stealing our money difficult, but not impossible, for the most persistent thieves, measures such as privacy by design, computer security, and data trusts only make it difficult, but not impossible, to invade your privacy. This means we need to make sure that organizations that collect and aggregate our data – building remarkably detailed profiles of us – bear liability when the data they aggregate are leaked or stolen.
George Orwell wrote in 1984 of a “telescreen” in every home that monitored behaviour and could never be turned off. Today, we carry everywhere an object that can collect data beyond Orwell’s wildest imagination, and our greatest anxiety is that its battery might run out while we’re away from home. Though they may not be at the disposal of a totalitarian dictatorship, our smartphones produce data trails that can capture and communicate more information than we can imagine.
Our smartphones produce GPS data, which can be captured by many of our apps. We provide vast quantities of data voluntarily to sites such as Facebook, which can also monitor the websites and places we visit while we are signed in. Google does not provide us with free services, such as mail, maps, an Android smartphone operating system and search, out of the goodness of its heart. It does so to accumulate a vast “vault” of data about its users, which can be aggregated to generate comprehensive profiles of just about every internet user. These are sold to advertisers and others, and even if the data are anonymized, it is not difficult to reidentify their subjects.
For example, phone companies sell anonymized data about the movement of smartphones; namely which cell towers a smartphone is communicating with over time. Other companies purchase these data and are able to provide more precise information, e.g., within a few metres, about the location of the smartphone over time. By combining these data with street maps, home ownership, yellow pages, etc., it is not difficult to narrow the phone user down to a relatively small number of people – where they live, work and play.
There are several different types of data aggregators. Firstly, there are those who aggregate our data with our explicit consent. For example, we give consent to our financial services providers to share our data with credit agencies such as Equifax when we apply for loans, credit cards and other financial services. Other aggregators collect our data with less explicit consent, such as marketers who mine the digital traces we leave online. With smartphone tracking data, our “likes” on Facebook and our Google search histories, they may well know more about our interests and our daily movements than our own friends and family. Our consent is implied by our use of the services, but we are rarely given a clear idea of how our data are being used. Finally, some aggregators acquire our data entirely without our consent, stealing our identities through a combination of available and stolen data.
The 2017 breach of Equifax’s database justifiably alarmed millions of people whose entire financial history may have been exposed. The Equifax breach was investigated by the U.S. Senate and the Office of the Privacy Commissioner of Canada. Significant security and privacy issues were uncovered. Equifax eventually provided free credit monitoring and identity-theft insurance for U.S. social security number holders. But Canadians only received four years of free credit monitoring. Is this enough in a postprivacy world?
When automakers sell a car, they are liable when that product is defective. At minimum, they must recall the product and effect repairs to make the vehicle safe. Their liability goes considerably further, however – if people have been harmed by the defect, automakers must compensate the injured parties. Likewise, when our data are stolen, we should be compensated.
Recent privacy acts, such as the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), can impose fines on companies on a per-incident basis for data breaches of personal information. Both also give consumers the right to take action if their personal data have been breached – the CCPA allows damages between US$100 and US$750 per consumer per incident.
What should Canada do? Canada’s current Personal Information Protection and Electronic Documents Act relies largely on self-enforcement by companies, which are expected to act on complaints they receive from consumers. The Privacy Commissioner is not empowered to levy fines, and even if the Commissioner takes a company to court, the potential fines are minimal.
Canada needs updated federal legislation that explicitly makes aggregators meaningfully liable to the people whose personal data are breached. With legislated minimum damages multiplied by the thousands or millions of victims, it would be enough to make aggregators increase their systems’ security and think twice about what data they aggregate. Without aggregator liability, privacy regulations will simply lock the front door while leaving the back door wide open.