Just before Christmas, Swikar Oli published an article in the National Post that discussed how the Public Health Agency of Canada (PHAC) obtained aggregated and anonymized mobility data for 33 million Canadians. From the story, we learn that the contract was awarded in March to TELUS, and that PHAC used the mobility data to “understand possible links between movement of populations within Canada and spread of COVID-19.”
Around the same time as the article was published, PHAC posted a notice of tender to continue collecting aggregated and anonymized mobility data that is associated with Canadian cellular devices. The contract would remain in place for several years and be used to continue providing mobility-related intelligence to PHAC.
Separate from either of these means of collecting data, PHAC has been also purchasing mobility data “… from companies who specialize in producing anonymized and aggregated mobility data based on location-based services that are embedded into various third-party apps on personal devices.” There has, also, been little discussion of PHAC’s collection and use of data from these kinds of third-parties, which tend to be advertising and data surveillance companies that consumers have no idea are collecting, repackaging, and monetizing their personal information.
There are, at first glance, at least four major issues that arise out of how PHAC has obtained and can use the aggregated and anonymized information to which they have had, and plan to have, access.
First, I think that the repurposing of Canadian cellular networks for things like pandemic mobility tracking—without the knowledge of subscribers, though ostensibly with their consent vis-a-vis the largely unread Terms of Service—is a big deal. Such a use is, functionally, a repurposing of a mass communications system (that includes population surveillance/mobility surveillance for network maintenance/planning) for a health related purpose (i.e., health mobility surveillance). This constitutes a shift from one use of data that few subscribers would object to–using mobility information to improve and enhance cellular network quality– to one that is demonstrably more controversial. Put slightly differently, I would argue that TELUS and other Canadian telecommunications companies have qualitatively changed the nature of the data which has been collected as a result of repurposing it. Moreover, it’s important to recognize that this kind of mobility data could be used for a range of additional ends, inclusive of developing or monitoring government policies associated with migration policies, industrial policies, environmental policies, and so forth.
With regards to collecting geolocation information from application ‘vendors’ on Canadians’ mobile devices–such as from advertising companies that regularly operate without end-users’ awareness or meaningful consent–I think that PHAC is demonstrating moral turpitude in supporting this sector’s ‘pandemic pivot’. Moreover, the data that is provided to PHAC lacks demographic information and, as such, provides only crude assessments of population mobility (unless, of course, it can be or is combined with other datasets to increase the utility of the data in question. There is no indication that PHAC is doing so.). The efficacy of this information in assisting PHAC’s public health mandate remains unclear at time of writing.
Second, I think that how this mobility data was obtained by PHAC, and subsequently revealed to the public, showcases a significant failure of the existing privacy, transparency, and accountability laws in Canada. Once again, data which was provided to private companies (or quietly obtained by advertising or data brokerage vendors) has been disclosed or sold to government (in an anonymized/aggregated fashion) absent individuals’ obvious knowledge and meaningful consent, and then used by government largely without the knowledge of parliamentarians or citizens.
In April 2020 there was public discussion of the prospect of using cellular networks for different kinds of mobility surveillance. At the time, governments in Canada did not indicate that they were planning on tracking population mobility by way of Canada’s telecommunications networks. Obviously this position changed over the course of 2020, but it remains unclear what led to the change or why the new policy was never made public.
I have some sympathy for everyone in government, the private sector, and the public who were generally trying to do something (anything!) at the earliest point in the pandemic to mitigate its spread and understand the links between policies and limiting social contacts. However, for PHAC to have not raised the collection of mobility data with the public at all is deeply troubling. Further, the fact that PHAC wasn’t legally obligated to clearly and poignantly explain that it was obtaining telecommunications mobility data, nor data from data brokerage/advertising companies that have geolocation tracking permissions on Canadians’ mobile devices, arguably showcases that Canada’s laws do not, in fact, adequately require government to communicate how it collects and uses personal information, nor require private companies to similarly provide meaningful notification to their subscribers of the sales of their (aggregated and anonymized) personal information.
Third, I think that the disclosure of this kind of information from private companies underscores the need to reform the voluntary public transparency reports that some telecommunications companies release. When I last looked at these reports, none indicated that this kind of mass disclosure of their subscribers’ personal information (in an aggregated/anonymized format) was occurring. This kind of omission reveals that transparency reports have been overly focused on addressing a subset of disclosures to government (i.e., those principally linked to law enforcement and security agencies requests, and disclosures to first responders) and do not adequately account for the range or breadth of information that these companies directly or indirectly disclose to federal, provincial, or municipal agencies, and potentially to private parties as well.
When it comes to the data brokerage and advertising companies that operate silently on individuals’ mobile devices, the collection and subsequent sale of the data is done largely without the knowledge (and certainly without the meaningful consent) of users and this underscores that this market writ large is widely under regulated. Laws that prohibit the silent collection of geolocation information, and other sensitive data from mobile phones, is needed in order to bring some discipline to an incredibly opaque sector of the digital economy.
Fourth, the federal Privacy Act is a very leaky piece of legislation. Once an agency obtains information it is permitted to widely use it so long as subsequent uses conform with the agency’s mandate. The result is that collected data can continue to be used pretty freely. When it comes to PHAC’s call for tender, this is made explicit with language such as:
PHAC requires access to cell-tower/operator location data that is secure, processed, and timely in addition to being adequately vetted for security, legal, privacy and transparency considerations to assist in the response to the COVID-19 pandemic and for other public health applications. Aggregated indicators derived from cell-tower/operator location data provide insightful information and allow for meaningful analysis on the mobility (or movement) of populations in Canada. These analyses and findings provide situational awareness and help inform policy, public health messaging, evaluation of public health measures, and other aspects related to public health response, programming, planning and preparedness. (p. 22)
PHAC’s use of data coheres with the wider issues with the Privacy Act. As I have written previously with co-authors:
… the Privacy Act is less focused on a consent-driven regime. According to it, the majority of the government’s data handling is justified and permitted on the basis that the collection, use, or disclosure of personal information directly relates to a government institution’s operating program or is consistent with the program’s purpose. “Directly related to an operating activity” has been applied in contrasting ways. While the Treasury Board and Office of the Privacy Commissioner have previously assessed “directly related to an operating activity” through determining whether the collection, use, or disclosure is ‘demonstrably necessary,’ more recently, the Federal Court of Appeal has found that the Privacy Act imposes no necessity obligation on government institutions. Accordingly, consent largely plays a role where government agencies wish to act outside of their mandate or to repurpose data that was collected for a different purpose. (p. 34)
In response to the December 2021 revelations, Canadian Members of Parliament are now calling for an emergency probe into how PHAC obtained mobility data, used it, and plan to continue using it. While I hope that their investigation includes an analysis of the efficacy of the data that PHAC has obtained, I also hope that they extend their investigation to the underlying deficits in Canadian privacy, transparency, and accountability laws that enabled this quiet collection and use of normatively sensitive information.
There is an opportunity to educate the public about the pervasiveness of the mobile data economy and make meaningful progress towards reforming the actors that operate in this sector by way of updating Canadian privacy law. I can only hope that this opportunity to bring Canada’s laws into the digital era, and restore trust to Canadian citizens and consumers alike, is not lost.