The $4 trillion question
How can we protect online privacy without stifling innovation?
Adam Kardash, head of Osler’s privacy and data management practice group
Economists will tell you that trust is necessary for a stable economy. So what are we to make of growing concerns about what businesses do with the personal data of internet users?
Poll after poll shows that consumers simply don’t trust companies with their data and are losing faith in government’s ability to protect their personal information. Meanwhile, regulators around the world struggle to keep pace with technology and business models that are, by nature, anti-privacy; at the same time they worry that overly stringent rules could dampen growth in the digital economy which is expected to contribute an estimated $4-trillion to major economies.
“Today, the digital economy is the economy,” Navdeep Bains, Canada’s minister of innovation, science and economic development, said in a speech last year. In fact, mass data has become a valuable asset. Whether it’s vacuumed up by mobile or other internet devices, consumer data increasingly drives business decisions. Web-based giants like Google and Facebook are earning fat profits from targeted advertising.
No wonder lawmakers are caught in a dilemma. They know that cutting off access to data by introducing new laws, or even enforcing existing ones, could be viewed as catastrophic for the constellation of firms that depend on it.
And yet, in an age when consumers are growing wise and wary of being tracked for commercial purposes, it’s worth asking whether relentless data-mining and profiling is a desirable long-term business strategy.
“People are waking up to this. It’s going to restrict growth,” said Ann Cavoukian, former Information and Privacy Commissioner for Ontario and director of the Privacy and Big Data Institute at Ryerson University, referring to potential losses due to user mistrust. “Regulators should be out there, speaking to companies, talking about embedding privacy. At the moment, business views privacy as a negative, but in reality, privacy breeds innovation.”
The internet is ushering in major breakthroughs in communications, health, and even climate change, but it is also saturated with worrying trends in addition to commercial profiling.
Catastrophic security breaches like the 2013 hack of more than one billion Yahoo accounts and last October’s partial web shutdown have reinforced the reality that the online world is not always a safe place. Allegations that Russia interfered in last year’s U.S. election and had a role in spreading fake news has fuelled calls in Western democracies to better prepare for the increasing threat of cyber-assaults. And thanks to Edward Snowden’s revelations, people are genuinely afraid of government snooping, a fear that the Trump administration has done little to assuage. Critics are already up in arms about the now infamous executive order, arguing that it strips Canadians and other foreigners of the limited digital privacy protections they had enjoyed until now in the U.S. For now though, the order does not appear to grant further powers to U.S. law enforcement or intelligence to force businesses to disclose information about Canadians. At some point, policy makers may have to look into where the commercial mining of personal data intersects the political world.
“We are right at the point where enormous benefits are just around the corner. But widespread distrust will hurt the potential of new technologies reaching people,” said Timothy Libert, a doctoral candidate at the Annenberg School for Communication at the University of Pennsylvania and a research fellow at the Alexander von Humboldt Institute for Internet and Society in Berlin. He points to ad-blocking software designed to remove advertising content from websites as a reaction to a regulatory failure.
Virtual private network providers are also reporting an upsurge in downloads from consumers willing to take steps to protect their online privacy.
But while there are some controls, users lack easy-to-use and effective choices in terms of privacy. Governments and tech companies need to work much more closely to arrive at a place where privacy is real and accessible, and where the spirit of privacy laws is also followed.
“That Canadians would feel uninformed and not able to control their personal information given the speed and breadth of technological change and the resulting impact on their privacy rights is hardly surprising,” Canadian Privacy Commissioner Daniel Therrien said in his annual report to Parliament in September. “This suggests greater action is needed from regulators, legislators, the courts, business leaders and policymakers to protect citizens.”
At the moment, it’s unclear how much consumers understand about the true “costs” of using these services, the ultimate use of the information that is shared, and the profiling potential of these technologies. At the very least, better education and more transparency is needed, some say.
“Privacy preferences vary among individuals, over time, and between stated belief and actual practice,” Bryant Walker Smith, assistant professor of law at the University of South Carolina, said in an e-mail. “I would like a more candid conversation about data collection and especially use, particularly when that use may be adverse to the individual.”
“The regulator's role [should be] to inform consumers about the trade-offs, and make companies be more transparent about how data is being used,” said Niraj Dawar, a marketing professor at the Ivey Business School in Toronto. “Right now, there is no privacy, or very little. But consumers are willing to give up huge amounts of information in exchange for convenience.”
Willing perhaps. But there is ample evidence they are uncomfortable about doing so. Reports show users are troubled by social networks’ constant changes to privacy settings, stalking advertising and the extent to which they are monitored. According the Office of the Privacy Commissioner of Canada’s own data, 90 per cent of Canadians “are very concerned about their inability to protect their privacy.”
“People hate it; that we know. They’re creeped out by it,” said John Lawford, executive director of the Ottawa-based Public Interest Advocacy Centre (PIAC). “People are right to be concerned. Nobody knows how much information [companies] have collected, and will keep. Forever.”
Tracking your every move
In the old days, businesses would mainly advertise in newspapers, on television or through direct mail campaigns. It was an anonymous, scattergun approach; no one knew who would see the ad. The internet changed all that by customizing and personalizing advertisements –predicting what people want to buy. Though much of the data is used to create better services for users, and to offer benefits like discounts, tech companies are tracking everything users do online by providing services such as e-mail, search engines and social media.
“Facebook has a particularly comprehensive set of dossiers on its more than two-billion members,” investigative journalists at ProPublica wrote in a report in September. “Every time a Facebook member likes a post, tags a photo, updates their favorite movies in their profile, posts a comment about a politician, or changes their relationship status, Facebook logs it. When they browse the Web, Facebook collects information about pages they visit that contain Facebook sharing buttons. When they use Instagram or WhatsApp on their phone, which are both owned by Facebook, they contribute more data to Facebook’s dossier.”
Information is also collected, combined, used and sold by most retailers, data brokers, financial services and many other companies. Through various devices including Wi-Fi, Bluetooth and location services, companies can tell almost everything about individuals, even “interests” most people would rather not share. And thanks to machine learning, a subset of artificial intelligence, marketers can infer even more information by comparing it to previously determined patterns in a larger population. While some people like the “personalization” that this process enables, many do not like being profiled.
And that is influencing people’s behaviour. According to eMarketer, about a quarter of all U.S. internet users used ad-blocking technology to stop online ads in 2016. Ad-blockers, however, do not stop firms from gathering data, nor do “do not track” privacy settings, which observers say are routinely ignored.
Almost half of U.S. households questioned said they held back from financial transactions, buying goods or services, or using social networks because of concerns about privacy and security, according to a study conducted by the National Telecommunications & Information Administration.
Popular culture also reflects our unease. Before the emergence of the technology that is now capable of analyzing billions of pieces of data – and storing it very cheaply – people assumed that anonymity was a given. “On the Internet, no one knows you’re a dog,” ran a popular New Yorker cartoon in the early 1990s. Decades later, T-shirt slogans have turned darker: “If you are not paying for it, you're the product.” Within the space of two decades the internet has changed from a mostly entertainment and information space, to a giant market, where the commodity bought and sold is harvested personal information.
Often overlooked in the discussion is how little choice consumers have in deciding whether or not to engage with websites. “The internet is as important as water. It must be seen as such,” says PIAC’s Lawford. From buying a plane ticket to maintaining a professional profile, and even completing homework assignments, most adults and children in developed economies have to use the internet to function in the modern world.
The growing network of physical objects connected by IP addresses – known as the “Internet of Things” – is only reinforcing that trend.
“There’s no doubt that tracking is one of the main worries for consumers and it’s only going to get worse with the Internet of Things,” said David Martin Ruiz, senior legal officer at BEUC, the European Consumer Organisation. He was referring to a network of connected wireless devices inside baby monitors, fridges, thermostats, locks and many other household items.
Analysts predict the IoT will contribute an estimated $4-trillion to $11-trillion a year by 2025, making it particularly vulnerable to hacking and privacy breaches. “Smart” homeowners, in effect, would enable companies to have access to their every movement. For IoT to succeed on a mass scale, it requires complete confidence in the firms involved.
“Providing meaningful interfaces to end-users to genuinely put them in control of their personal data is one way of building such trust,” said Cigdem Sengul, a senior researcher at London-based Nominet who works on IoT privacy. “The key is to give people control over their data.”
In the future, companies may focus more on privacy-friendly products, but for the most part, tracking is “ubiquitous. It’s really the water you swim in,” said University of Pennsylvania’s Libert. “No matter what you do, no matter where you go” even on websites that have no overt commercial intent, “your data is being collected and shared by many companies,” Libert added. “The question is: How do we walk back from here?”
Canadian regulators say they are aware of these issues, though it’s not obvious what they intend to do about them, or how committed the government is to beefing up existing privacy laws. At the moment, the Office of the Privacy Commissioner, which is mainly “reactive,” does not have the power to levy fines or make new laws.
“In both the public and private sectors, it’s clear that we need to update the tools available to protect Canadians’ personal information,” Therrien added in his speech. “Not doing so, in my view, risks eroding the trust and confidence citizens have in federal institutions and in the digital economy.”
Even tech companies acknowledge the concerns. “Giving people control over what they share is at the core of everything we do,” Facebook responded in an e-mail when asked about profiling and the negative portrayal of web firms as data miners. “We do not share information that personally identifies you with advertising, measurement or analytics partners unless you give us permission.”
Still, it’s difficult to see how seriously tech firms will take people’s privacy given the profitability of exploiting personal information, and governments’ reluctance to put restrictions on a fast-growing, trillion-dollar industry. “I think the past decade has shown a consistent willingness of the large tech companies to push the envelope on privacy,” Michael Geist, a law professor at the University of Ottawa, said in an e-mail. “Laws can create some limits, but regulators are at a distinct disadvantage in resources and jurisdictional limitations.”
More than just consent
Given people’s unease, will it be more productive and lucrative for firms in the longer term to give users real control over their personal information – and for regulators to nudge them towards that goal?
“It’s possible that under the right conditions, people would be willing to share more if there is trust that companies won’t abuse the access,” said PIAC’s Lawford. “The problem is we are not having this conversation. We are having the consent conversation.”
In Canada, privacy law requires that any disclosure of personal financial information for uses not previously identified to the consumer requires the consumer's informed consent.
In the U.S., home to the world’s biggest web companies like Google and Facebook, advocates are calling for greater controls, but legislation remains a patchwork. “The U.S. approach is essentially that companies have to live by their privacy promises and [various regulators] will enforce those promises,” added Geist, who holds the Canada Research Chair in Internet and E-commerce Law. “In Canada, we go further. There are legislative limits about what companies can do and there is a system of enforcement on top of that.”
Meanwhile, European regulators are taking a more muscular approach: In 2018, the General Data Protection Regulation will become the gold standard that current Canadian rules may have trouble matching.
The new legislation is designed to give people greater control over their data while keeping the idea of proportionality, and increasing tech firms’ obligations towards users. It will also provide clarity to businesses, which will now have to work within one framework for all 28 EU countries. Under the new rules, consent must be freely given, specific and informed – and inactivity does not imply consent. Firms will have to notify users, in much plainer language, about how their personal information is being collected, stored and shared – and keep a record of that consent. Consent can be withdrawn and users have the right to be forgotten. Privacy by design and privacy by default – ideas pioneered by Dr. Cavoukian – will need to be considered at the initial design stages
of a project as well as throughout the life cycle of the relevant data-processing.
However, it’s still unclear how effective the new legislation will be. Question marks remain over how the new EU regulations will be interpreted and enforced.
It’s an issue that preoccupies Canadian regulators, and the OPC is studying possible changes – from enhancing consent to finding alternatives to the current consent authority. It’s also asking whether its own powers ought to be increased.
In 2016, the privacy watchdog released a discussion paper on consent, seeking comments from privacy stakeholders.
Predictably, consumer advocates and the tech industry differ on approaches to making laws more relevant, especially in an era where consent templates rival the word counts of major works of literature. Consumers called for more “informed” consent, including opt-in clauses. They also want the existing legislation to have more bite. The OPC noted that submissions from individuals tended to make the case for stronger enforcement and auditing powers for privacy commissioners.
“All the ingredients for informed and meaningful consent are present – they’re just not enforced,” Lawford said.
At the same time, submissions from the legal community generally supported the position that the Personal Information Protection and Electronic Documents Act, which sets the rules for handling personal information in the private sector, is adequate to address the challenges referred to in the discussion paper without amendment. Proponents of this position caution regulators not to muddy the waters for the tech industry, with some calling for a more flexible consent regime, along with increased corporate responsibility.
“Stifling innovation is the biggest risk,” said Adam Kardash, head of Osler’s privacy and data management practice group. “We already have a legislative framework and an enforcement authority, which seems like a system that should be kept in place. What could be useful is some surgical changes, including broadening the grounds on consent.”
It’s unclear where the Canadian government stands on the issue. In various speeches, Navdeep Bains has stressed the importance of creating an encouraging environment for entrepreneurs in Canada, which is trying to pivot from natural resources toward high-value-added tech industries.
Even so, privacy advocates on both sides of the Atlantic say current consent laws, even if flawed, are necessary, if only to keep up with European legislation. Indeed, the adequacy of Canada’s regulations under the 1995 Data Protection Directive for transfers from the EU to Canada of personal information subject to PIPEDA could otherwise be at risk with the new GDPR. Since 2001, Canadian businesses have relied on this determination for the legal transfer of personal data from Europe without the need to take additional measures.
“Canada’s regulations are now deemed adequate, but if you weaken that legislation, it could create problems,” said BEUC’s Ruiz Martin.
But the question all over the world remains: What do consumers want? Some say the only way privacy will be protected is if voters become more engaged. ”What could change things is people at the grass roots level demanding privacy,” Lawford said. “Otherwise, the government and regulators will simply choose to read the law in favour of tech companies that have
a much stronger voice."
It’s possible that technology may also solve the privacy issue, said Ivey’s Dawar. He says the combination of end-to-end encryption, with artificial technology as the connection to the various platforms, can ensure individuals’ privacy, offer greater functionality and provide data flow to corporations. In the future, users will likely be given the option to not be tracked, but to ensure better convenience most will likely opt to share information with AI components.
Says Dawar: “The boundaries of what we consider private will need to change.”
Agnese Smith is a regular contributor based in London, UK.