Protecting privacy

As Canada’s privacy commissioner, Daniel Therrien is responsible for protecting Canadians while respecting our individual rights.

Whether it is cyberbullies targeting school kids, big business luring consumers, or government and police forces spying on or profiling citizens, the threats to privacy are numerous. And today the analysis of "big data" accumulated through electronic devices and the web and the sprawl of social media are compounding those threats.

On the Wikipedia page about Quebec’s Minister of Health and Social Services, Gaétan Barrette, an anonymous poster replaced Barrette’s photo with a drawing in which his face resembled a potato. This prank, added to countless others, prompted the minister to lash out publicly against cyberbullying. "Social networks have allowed a culture of intimidation to develop that was not there before. It’s endless. We have to put an end to it," he said, as reported by Montreal daily La Presse.

While a politician can be expected to have a thick skin, it’s a different story with children and adolescents. In some cases the cyberbullying has been so severe that the outcomes were dire. Since 2012, three Quebec adolescents have committed or attempted suicide after being bullied at school and online.

The increasing threat to privacy that bullying and cyberbullying poses has pushed those acts to the fore- front of public awareness to the point that only four days after starting as Canada’s Privacy Commissioner, Daniel Therrien’s first official mandate was to deal with the issue. "Bill C-13, presently under study [which seeks to increase the federal government’s surveillance powers] proposes to make the intimidation of people through the Web a crime," Therrien says. "We approve this measure, because [cyberbullying] is a social evil."

In the new networked world in which many of us participate, threats to privacy abound. The two greatest, according to many experts, stem from big data and the Internet of things.

"Big data refers to taking vast amounts of information and linking it with other types of data, like that from credit cards, health insurance, Internet searches, shopping patterns and loyalty programs," says Kris Klein, partner at law firm nNovation LLP, in Ottawa.

Although in its infancy, the Internet of things has an even greater potential to create integrated profiles of people. "It is the project of having your thermometer, your car, your phone, your fridge, just about everything linked to the Internet and emitting information," says Micheal Vonn, policy director at the BC Civil Liberties Association in Vancouver. "It represents an unprecedented gathering of data about our daily lives."

As an example of what a statistical and mathematical analysis of big data can produce, take the 2012 Target case. According to The New York Times, a Minneapolis man confronted a Target store manager. "My daughter got this in the mail!" he raged, brandishing coupons in the manager’s face. "She’s still in high school, and you’re sending her coupons for baby clothes and cribs? Are you encouraging her to get pregnant?"

A few days later, the father called to apologize. It turns out his daughter was pregnant, and by sifting through masses of data Target discovered this well before the father did.

Many other attacks against privacy are much more vicious than Target’s marketing offensive — which is replicated by many other companies. They constitute the growing field of cyber criminality: hacking, identity theft, phishing and spam are among the most notorious. Some cybercrimes get more media attention, such as the recent iCloud photo hacking scandal that revealed pictures some celebrities would have preferred to keep private.

But such high-profile hacks are not the most pernicious. At the time all eyes were turned toward the iCloud penetration, a much more worrying invasion, which received little media attention, was being perpetrated against the IT infrastructure of the JPMorgan Chase bank.

Canada has had its share of high-profile cyber piracy acts, for example when hackers penetrated vulnerable systems at Canada Revenue Agency or breached student loan files at Human Resources and Skills Development Canada.

Yet, incentives to properly protect such information are not really in place, says Tamir Israel, staff lawyer at the University of Ottawa’s Samuelson-Glushko Canadian Internet Policy and Public Interest Clinic. "If you get hit through the web, for example, the cost of embarrassment is not commensurate with the cost of increasing your security budget."

The difference in penalties between the new antispam law and the previous federal privacy laws is astonishing, according to Tricia Kuhl, a partner at Blake Cassels & Graydon LLP in Montreal. While penalties for breaches to the antispam law can go up to $1 million for individuals and $10 million for corporations, they are in the range of $10,000 to $100,000 in the federal privacy legislation, she says.

Where incentives to invest in security do exist, as in the regulatory framework of banks, they often miss the target. A study by PricewaterhouseCoopers, The Global State of Internet Security, finds that in 2013, 44% of financial institutions’ security investment was driven by regulatory compliance, not by security threats as they emerged in an ever evolving cyber landscape.

To fight cybercrime, the federal Bill C-13, currently under study, proposes many levels of authority to access sensitive information.

"We oppose the expansion of gathering powers of police forces," Vonn says. "The current powers are sufficient." Her concerns are directly related to big data analytics and the tremendous powers of tracing and profiling they give. "Many people say that your licence plate number entails no privacy issue," she says. "But if you have a licence plate analysis algorithm to map everywhere your car has been, it’s not your plate that’s at issue here, but the fact that we can know all your whereabouts, for example that you’ve been to a specific political meeting at such a date and hour."

"Twenty years ago, police could not just confiscate the filing cabinets of an accounting firm," says Montreal lawyer Jean-Claude Hébert. "Police had to determine what they were looking for beforehand. Today, they leave with all the disk drives of a firm’s computers, which contain a lot more than filing cabinets."

The Communications Security Establishment of Canada, one of Canada’s key security and intelligence organizations, also is a cause of worry to many. "It has broad powers to gather from telecom networks a vast amount of information about Canadians, well beyond what is needed for its purpose of protecting national security," says Israel. "This agency collects everything and then tries to sort it out. We want to limit what it can do and force it to effect targeted searches that correspond to specific threats. You can’t turn everyone into a suspect."

A prevalent worry in civil rights defence groups is that, under the guise of protecting the public from cybercriminals and terrorists, government and corporations are paving the way to a future police state.

"There isn’t even a need for a regime change," Israel says. "A lot of harm is already happening." Currently, many Canadians suffer from unwarranted restrictions: their names are added in error to no-fly lists and it’s nearly impossible to have them erased, they can’t get jobs because police records keep on file charges that were subsequently unsubstantiated, and journalists worry about talking to anonymous sources for fear that the government will be able to trace them back. "There already is a chill on the democratic process," he says.

However, the greatest threat to privacy could be citizens themselves and the erosion of their own sense of privacy. The way many people reveal their private lives through social media suggests they see no problem in having corporations or governments stock up on every bit of information available.

That worries Jacques Dufresne, who, as creator of online Encyclopédie de L’Agora, knows the Internet well. "I’m very critical of the transparency that we see everywhere," he says. "We’re sliding very rapidly toward [Aldous] Huxley’s Brave New World."

Up to the late 1980s, Dufresne says, people saw in Huxley’s classic tale a list of things to avoid to escape dehumanization: sexuality without affectivity, the disappearance of the father, of the mother, of the nation, the rupture of the link to nature and to the past, the rejection of death, euthanasia and a notion of perfection modelled on that of machines. In a paradoxical and ominous twist of history, "far from being things to avoid, most of these tendencies are perceived today as signs of progress," he says.

Canada, which was at one time at the forefront of privacy protection, may now be losing its edge. "The right to privacy is highly threatened presently by certain laws and governmental practices," says Hébert.

Klein gives Canada a score of B-minus for its preservation of the right to privacy, a much lower grade than he would have given five or six years ago. Vonn also gives a grade of 70%, while Israel has a harsher evaluation: C. Barely passing grades.


Daniel Therrien is Canada’s Privacy Commissioner — he took office on June 5, 2014. The experience he brings to his responsibilities hinges on the role he played as co-leader of the negotiation team in the adoption of the privacy principles governing the sharing of information between Canada and the US under the Beyond the Border accord of 2011. Therrien is a consummate public servant who, after graduating in law from the University of Ottawa, has devoted his career to the federal government in many areas: correctional services, immigration, justice. The following is an edited and condensed interview with him in his office in Gatineau, Que.

What is the extent of your responsibility as Privacy Commissioner?
DT: I am responsible for upholding two laws: the Privacy Act, which covers the personal information-handling practices of the federal government; and the Personal Information Protection and Electronic Documents Act, usually referred to as PIPEDA, Canada’s private sector privacy law.

What powers are at your disposal?
DT: I can investigate complaints, conduct audits and pursue court action under the two federal laws. I also report publicly on the information-handling practices of public and private organizations. Finally, I can research, or support research, into privacy issues and promote public awareness of privacy issues.

Your reach will be increased with the adoption of Bill C-13. What are your considerations on it?

DT: This law seeks to give additional tools to police forces to investigate cybercrimes. Among these tools, some facilitate access to information held by telecommunications companies. I think the law goes too far in certain aspects and is likely to result in gathering data on individuals who have done nothing wrong. An IP address and websites, for example, can give a very precise idea of a person’s interests.

What do you think of C-13’s stipulation that "reasonable suspicion" be sufficient ground for judicial authorization to access certain sensitive data?

DT: We believe, as I said in my submission to the House of Commons, that suspicion is too low a threshold for such potentially revealing information in a digital era when every transaction, every message, every online search and every call or movement leaves a recorded trace.

Our proposition is that, before receiving information from telecom companies, police forces should have preliminary elements of proof. Also, those who receive this information should show transparency.

Transparency is a recurring theme, on your part, for government bodies as well as for private organizations.

DT: Indeed. Companies must also be transparent concerning what they want from the data they collect. They have the legal obligation to say for what purpose they do it.

What is the track record of companies on this point?
DT: It is mixed. In 2013 we verified more than 300 websites, along with 18 other countries, for a total of more than 2,000 sites visited. (It was part of the Office of the Privacy Commission’s first global privacy sweep. Sweepers raised one or more concerns related to the findability, contactability, readability and relevance of privacy-related information in 50% of cases. Many gave inadequate information, while 21% of websites swept had no privacy policy at all. For more details go to

Many critics consider that privacy in Canada is increasingly sacrificed to national security issues. What do you think?
DT: It’s not an either/or choice. The state has a duty of protection. But it must make sure that the measures it exercises don’t breach the rights of citizens. The means must be proportional to the threat involved.

Some consider that some organizations, notably the Communications Security Establishment of Canada, go too far.

DT: For the past two years, we have heard about practices by security organizations and police forces, carried out with the aim of protecting Canadians, that prompt us to ask questions concerning the respect of privacy rights.