Anti-fraud capabilities are touted as a major component of the proposed BC Services Card. While the government is almost certainly overstating the issue of fraud, the political rhetoric around fraud doesn’t inherently mean that proposed anti-fraud mechanisms will be similarly overstated. Indeed, many of the Services Card’s suggested changes could be helpful in limiting the issuance of fraudulent identity documents; adding a card holder’s photo, an expiry date, and anti-counterfeiting technologies to new medical CareCards could be quite helpful in ascertaining, and addressing, fraud levels. Unfortunately, the biometric systems that will also be linked to the Services Cards are unlikely to significantly defray fraud.
In this post I continue my analysis of the BC Services Card, this time with a focus on the cards’ integration with biometric analysis technologies. I begin by giving a primer on the origins of biometric analysis for identity documents in BC, and then move to outline how the government asserts that the biometric analyses should work. I then explain why adopting biometric identifiers matters: why don’t they tend to work? what is at stake in their inclusion? I conclude by (re)suggesting some entirely reasonable security processes that might defray fraud without needing the cards’ proposed biometric properties.
For the past several years I’ve had the privilege of working with excellent colleagues, Rob Wipond and Kevin McArthur, in opposing how Automatic License Plate Recognition (ALPR) systems are deployed in BC. It’s been a long slog, and taken a long time, and led to an awful lot of writing, but after a favourable decision by the BC Privacy Commissioner about the technology (short: it’s permissible, in limited circumstances, so long as local police don’t upload innocent license plates snapped by the cameras, and confirm the validity of algorithmically identified guilty plates) it looked like the tides had turned.
And then we learned that the Commissioner’s decision wouldn’t necessarily apply to the RCMP. In response, Vincent Gogolek of the BC Freedom of Information and Privacy Association wrote piece about the limits of the BC Commissioner’s mandate, titled “It Takes Two To Kill Illegal Police Licence Surveillance.” His argument was that stopping the worst surveillance practices linked with ALPR would require ruling by the provincial and federal privacy commissioners. We also learned that some provincial police forces – which fell under the purview of the BC Commissioner – were refusing to comply with the Commissioner’s decision. This latter issue led Wipond to publishing an article titled “So it’s illegal surveillance, so what?”
For the past several months I’ve been conducting research with academics at the University of Victoria to understand the relationship(s) between social networking companies’ data access, retention, and disclosure policies. One element of of this research has involved testing whether these networks comply with the Personal Information Protection and Electronic Documents Act; do social networks provide subscribers access to their personal data when a subscriber asks? Another element has involved evaluating the privacy policies of major social networks: how do these companies understand access, retention, and disclosure of subscriber data? We’ve also been investigating how law enforcement agencies access, and use, data from social networking companies. This research has been supported by funding provided through the Office of the Privacy Commissioner of Canada’s contributions program. All our research has been conducted independently of the Office and none of our findings necessarily reflect the Commissioner’s positions.
Colin Bennett presented a draft of one of the academic papers emergent from this research, titled “Forgetting, Non-Forgetting and Quasi-Forgetting in Social Networking: Canadian Policy and Corporate Practices.” It was given at the 2013 Computers, Privacy and Data Protection Conference. Below is the abstract of the paper, as well as a link to the Social Science Research Network site that is hosting the paper.
In this paper we analyze some of the practical realities around deleting personal data on social networks with respect to the Canadian regime of privacy protection. We first discuss the extent to which the European right to be forgotten is, and is not, reflected in Canadian privacy law, in regulation, and in the decisions of the Office of the Privacy Commissioner of Canada. After outlining the limitations of Canadian law we turn to corporate organizational practices. Our analyses of social networking sites’ privacy policies reveal how poorly companies recognize the right to be forgotten in their existing privacy commitments and practices. Next, we turn to Law Enforcement Authorities (LEAs) and how their practices challenge the right because of LEAs’ own capture, processing, and retention of social networking information. We conclude by identifying lessons from the Canadian experience and raising them against the intense transatlantic struggle over the scope of the new Draft Regulation.
Download paper at SSRN (Download from alternate source)
Canadian news routinely highlights the ‘dangers’ that can be associated with social networking companies collecting and storing information about Canadian citizens. Stories and articles regularly discuss how hackers can misuse your personal information, how companies store ‘everything’ about you, and how collected data is disclosed to unscrupulous third parties. While many of these stories are accurate, insofar as they cover specific instances of harm and risky behaviour, they tend to lack an important next step; they rarely explain how Canadians can get educated on data collection, retention, and disclosure processes.
Let’s be honest: any next step has to be reasonable. Expecting Canadians to flee social media en masse and return to letter writing isn’t an acceptable (or, really, an appropriate) response. Similarly, saying “tighten your privacy controls” or “be careful what you post” are of modest value, at best; many Canadians are realizing that tightening their privacy controls does little when the companies can (and do) change their privacy settings without any notice. This post is inspired by a different next step. Rather than being inspired by fear emergent from ‘the sky is falling’ news stories, what if you were inspired by knowledge that you, yourself, gained? In what follows I walk you through how to compel social networking companies to disclose what information they have about you. In the process of filing these requests you’ll learn a lot more about being a member of these social networking services and, based on what you learn, can decide whether you want to change your involvement with particular social media companies.
I start by explaining why Canadians have a legal right to compel companies to disclose and make available the information that they retain about Canadian citizens. I then provide a template letter that you can send to social networking organizations with which you have a preexisting relationship. This template is, in effect, a tool that you can use to compel companies to disclose your personal information. After providing the template I explain the significance of some of the items contained in it. Next, I outline some of the difficulties or challenges you might have in requesting your personal information and a few ways to counteract those problems. Finally, I explain how you can complain if a company does not meet its legal obligation to provide you with a copy of your personal information. By the end of this post, you’ll have everything you need to request your personal information from the social networking services to which you subscribe. Continue reading