Privacy by Default: A Privacy and Cyber-security imperative in the IoT and Big-Data Age

The rapid growth of big data technologies and Internet of Things (IoT) devices mandates the modernization of the Canadian privacy legislation, which establishes protection from both private companies and government agencies. The necessity of the upcoming reforms to the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA) and the Privacy Act was illustrated during the debate over Cyber Security on the first day of the  2017 Canadian Telecomm Summit (CTS17). The issue is twofold: data storage and usage by Internet giants and IoT manufacturers; and access and storage of individuals’ personal information by government agencies, notably law enforcement, on public security pretences.

Technology, though, is developing at such a pace that any proposed legislation, however foresightful, will soon be outdated. Thus, Privacy by Design (PbD), the concept proposed by Dr. Ann Cavoukian, Executive Director of the Privacy and Big Data Institute at Ryerson University (and former Information and Privacy Commissioner of Ontario), is an astute solution to privacy protection that does not rely exclusively on legislation. Dr. Cavoukian suggests that privacy be coded or embedded into the design of information technology, networked infrastructure, and business practices. This proactive and non-remedial approach is user-centered and promotes transparency, incorporating the objectives of legislative reform efforts.

 

PbD has already been adopted in foreign jurisdictions. For instance, the European Union (EU) is a pioneer in implementing an up-to-date privacy regime that takes the PbD concept into account. Article 25 of the EU General Data Protection Regulation 2016/679 (GDPR), effective May 25th, 2018 onwards, stipulates that data protection measures are designed into the development of business processes for products and services. Meanwhile, the State of California looks to be taking the lead in legislating on privacy for IoT devices. In particular, Senate Bill 327 will create a mandate under California law, pursuant to which all IoT devices will have built-in security features appropriate to the device, as well as the information collected.

 

Embedding security features into IoT devices also ensures protection from cyber attacks. Network-connected devices can be commandeered by hackers to bring down websites or networks. As panelist Gary Sockrider, Principal Security Technologist at Arbor Networks, mentioned, the technology to allow carriers to stop these attacks exists; what remains is to understand how it works.

 

From a maufacturing perspective, IoTs can be designed to ensure both security and privacy. However, as Stewart Cawthray, General Manager of Network Security for Rogers Communications’ Enterprise Business Unit, observed, embedding these features into IoT devices will probably increase their cost. Therefore, in an industry where competitors often strive to have more affordable products, IoT manufacturers need to identify specific commercial benefits for being the most secure in the market. Eventually, the ultimate choice should be given to customers, who will decide whether they want to invest more in devices with embedded security, or in less expensive ones with add-on (albeit compromisable) security features.

 

Yet, PbD alone is insufficient to promote privacy, absent a stricter regime on how (online) service providers obtain users’ meaningful consent. Most online agreements to-date include terms of service (ToS), which further permit service providers – along with the third parties they contract with – to keep, analyze and sell their users’ data. By incorporating click-to-agree clauses into ToS, users wishing to access the respective services are left with no choice but to agree to give away their privacy rights. The majority of users are not incentivized to read the terms they agree to, since they are not in a position to negotiate a new agreement. As Dr. Cavoukian posited, a drastic reform is required on this front: ToS should prevent service providers from using their customers’ personal data by default, unless opt-in consent has been obtained, also entailing specific conspicuous disclosures. For instance, Article 4(11) of the GDPR provides that ‘consent’ of the data subject comprises any freely given, specific, informed and unambiguous indication of the former’s wishes, by which they, through a statement or a clear affirmative action, demonstrate that they agree to the processing of their personal data.

 

Dr. Cavoukian also pointed to other risks from privacy and security breaches, related to remote home health care, closed-circuit television camera (CCTC) or surveillance cameras in mass transit systems, smart meters and the smart grid, near field communications, radio-frequency identification (RFIDs) and sensor technologies, big data and data analytics, and internet protocol address location (IP Geolocation). Interestingly, the latter is expected to be addressed by the United States (US) Supreme Court in Carpenter v. United States, notably vis-à-vis the warrantless access to information pertaining to individuals’ past locations based on cellphone use.

 

Recent Canadian jurisprudence, on the other side, has attempted to strike a balance among privacy rights, and the investigative power of law enforcement, with particular regard to telecoms’ compliance with formal search warrants and production orders. In R v TELUS Communications the Supreme Court of Canada (SCC) interpreted the meaning of the word “intercept”, as defined under Part VI of the Criminal Code, in a broad fashion. It did so to protect individual privacy interests in communications. In specific, assessing whether a general warrant power can authorize the prospective production of future text messages from a service provider’s computer, Abella J. maintained that Canadians have a reasonable expectation of privacy in their voice communications; these must not be intercepted without compliance with the due process provisions of part VI of the Criminal Code. Technical differences inherent in new technology should not determine the scope of protection afforded to private communications, which should be extended to traditional voice communications and text messaging alike.

 

Similarly, the Ontario Superior Court in R v Rogers Communications Partnership examined, inter alia, if there is a reasonable expectation of privacy in the records to be produced  in compliance with the police’s “tower dump” production orders to further an investigation into a string of jewelry store robberies; and if so, whether the telecoms have standing to assert it on behalf of their thousands of affected subscribers. While the Court answered both issues in the affirmative, it also formulated specific guidelines which respect the information needed to obtain production orders: a statement or explanation is required that demonstrates that the officer seeking the order is aware of the principles of incrementalism and minimal intrusion, and has tailored the requested order with that in mind; an explanation as to why all of the named locations or cell towers, and all requested dates and time parameters, are relevant to the investigation; an explanation as to why all types of records sought are relevant; any other details or parameters which might allow the target of the production order conduct a narrower search and produce fewer records; and a request for a report based on specified data instead of a request for the underlying data itself, are also required. The police should also include confirmation that the types and amounts of requested data can be meaningfully reviewed.

 

Ensuring privacy is more crucial than ever, especially in light of the accusations coming from the United Kingdom’s current Prime Minister, Theresa May, that internet companies are providing a “safe space” for extremism, and her proposal to “regulate cyberspace to prevent the spread of extremism“. However, neither regulating against extremism nor the familiar ‘nothing to hide’ argument are sufficient reasons to leave the door open for potential privacy breaches. Similarly, tech firms, privacy campaigners and academics point out that providing “back doors” underestimates the entire purpose of privacy, while allowing both law enforcement agencies and outlaws to open and bypass these safeguards.

 

In Canada,  the Anti-terrorism Act 2015 (former Bill C-51) was criticized for entailing numerous privacy implications, as it provided several federal government agencies with almost limitless powers to monitor and profile ordinary Canadians, with a view to identifying security threats.  Notably, in a 2016 decision the Federal Court ruled that retention of bulk metadata used by the  Canadian Security Intelligence Service’s data-analytics program violates federal laws, namely the 1984 CSIS Act. Thus, on the 20th of June 2017 the Government introduced Bill C-59: An Act respecting national security matters, which attempts to clarify, among other Bill C-51-related issues: what type of activities the Canadian Security Intelligence Service (CSIS) could employ in order to comply with the Charter, and the information sharing process between federal institutions for national security purposes under the SCISA. Bill C-59 aims at: strengthening national security agencies’ accountability through the creation of a new, comprehensive national review body, the National Security and Intelligence Review Agency (NSIRA); enhancing oversight through the creation of an Intelligence Commissioner; and increasing transparency through a commitment to share national security information with Canadians.

 

By way of conclusion, the imperative of increasing the privacy threshold both from a legislative and  industry practice standpoint is highlighted from the vast number of compromisable interconnected devices that have become an integral part of our everyday life. Additionally, storage of private information obtained via these devices by big data companies for either commercial or surveillance uses, makes it obvious that a proactive approach is required. This can be best achieved by embedding privacy and security not only into the design of information technology, but also to every networked infrastructure and business practice. Failure to do so is not limited to merely jeopardizing business reputation and risks from class action liability; non-compliance with international standards may as well hinder commercial relations, similarly to the effect of the US Safe Harbour agreement , which has been found invalid by EU courts.

 

Yonida Koukio is an IP and Business Law LL.M. Candidate at Osgoode and an IPilogue editor.

 

***

 The Canadian Telecom Summit brings together the leadership of Canada’s telecom, broadcast, and IT industries. For its 16th year, the CTS focussed on “Competition, Investment and Innovation: Driving Canada’s Digital Future” and featured keynote presentations and panel discussions on the range of issues facing industry and public policy makers in Canada. IP Osgoode and the IPilogue team members thank the CTS’ organizers (Mark Goldberg and Michael Sone) and Wind River for their generous support to allow us to attend.