Canadian news routinely highlights the ‘dangers’ that can be associated with social networking companies collecting and storing information about Canadian citizens. Stories and articles regularly discuss how hackers can misuse your personal information, how companies store ‘everything’ about you, and how collected data is disclosed to unscrupulous third parties. While many of these stories are accurate, insofar as they cover specific instances of harm and risky behaviour, they tend to lack an important next step; they rarely explain how Canadians can get educated on data collection, retention, and disclosure processes.
Let’s be honest: any next step has to be reasonable. Expecting Canadians to flee social media en masse and return to letter writing isn’t an acceptable (or, really, an appropriate) response. Similarly, saying “tighten your privacy controls” or “be careful what you post” are of modest value, at best; many Canadians are realizing that tightening their privacy controls does little when the companies can (and do) change their privacy settings without any notice. This post is inspired by a different next step. Rather than being inspired by fear emergent from ‘the sky is falling’ news stories, what if you were inspired by knowledge that you, yourself, gained? In what follows I walk you through how to compel social networking companies to disclose what information they have about you. In the process of filing these requests you’ll learn a lot more about being a member of these social networking services and, based on what you learn, can decide whether you want to change your involvement with particular social media companies.
I start by explaining why Canadians have a legal right to compel companies to disclose and make available the information that they retain about Canadian citizens. I then provide a template letter that you can send to social networking organizations with which you have a preexisting relationship. This template is, in effect, a tool that you can use to compel companies to disclose your personal information. After providing the template I explain the significance of some of the items contained in it. Next, I outline some of the difficulties or challenges you might have in requesting your personal information and a few ways to counteract those problems. Finally, I explain how you can complain if a company does not meet its legal obligation to provide you with a copy of your personal information. By the end of this post, you’ll have everything you need to request your personal information from the social networking services to which you subscribe.
Why Can You Request Access?
Per Canadian privacy law, all Canadians can request that companies explain and disclose the kinds of personal information that they retain about the requesting Canadian citizen. Section 4.9, Schedule 1 of Canada’s federal privacy legislation, the Personal Information Protection and Electronic Documents Act (PIPEDA), legitimizes such requests and compels organizations to respond to requests when those companies have significant connections with Canada. The Privacy Commissioner of Canada’s website, when discussing cloud-computing based services (e.g. social networking services like Facebook and Twitter), reads, “Where the Privacy Commissioner has jurisdiction over the subject matter of the complaint but the complaint deals with cloud computing infrastructure and thus is not obviously located in Canada, current jurisprudence is clear that the Privacy Commissioner may exert jurisdiction when assessment indicates that a real and substantial connection to Canada exists.” Engaging in commercial relationships with Canadians can be said to constitute such a connection.
Moreover, the question of whether the Commissioner has jurisdiction over foreign companies has been settled in Canadian case law. Major social networking services establish an economic and thus significant relationship with Canadian by providing services to Canadians. Consequently, Canadians can avail themselves of PIPEDA to compel these companies to disclose what information they have collected and retained about Canadian citizens, which includes everything from the photos you uploaded from summer trips, to private conversations you’ve had with other subscribers using the social networking service, to your phone numbers it has stored, to the metadata (e.g. GPS information) that the service has collected and stored.
A Template to Request Access
The following template can act as the first, though perhaps not final, component of your adventure to learn what personal information a social networking giant retains about you. The text is written with the assumption that you are using email to submit the request, though with minor modifications it could be used to file a request through other mediums; some services may force you to mail in a physical letter, and others might try and force you to use their own request tools. Feel free to modify the text of the template as you deem necessary. The template tells a company to disclose all the information they retain about you, including information that is often hidden when you update your status page or post a photo. Following the template is a brief discussion on the significance of some of the requested items.
Subject: Access Request
[Your mailing address]
[Mailing information for social networking company]
To: [Department of social networking company]
Re: [Your subscriber username]
I am requesting a copy of all records which contain my personal information from your organization. The following is a non-exclusive listing of all information that [name of organization] holds about me, including:
- All logs of IP addresses associated with my account (because these are bound to my password-authenticated account and are thus identifiable)
- Any records of contacts stored on mobile devices that may have been collected in the course of installing your organization’s mobile app or client, or obtained through other contact upload systems
- Any records of disclosures of personal information to other parties, including law enforcement (such records of disclosures themselves constitute personal information)
- Metadata that is associated with communications content that I have made available to, or produced via, your organization’s services (e.g. Geolocational information, date content was created, biographical information embedded with content but hidden from visualized display of content, deletion statuses associated with content that remains in your database(s))
- Information that, while no longer visualized from the front-end interface presented to end-users (often regarded as ‘deleted information’), remains in your backend databases
If your organization has other information in addition to these items, I formally request access to that as well.
You are obligated to provide copies at a free or minimal cost within thirty (30) days in receipt of this message. If you choose to deny this request, you must provide a valid reason for doing so under Canada’s PIPEDA. Ignoring a written request is the same as refusing access. See the guide from the Office of the Privacy Commissioner at: http://www.priv.gc.ca/information/guide_e.asp#014. The Commissioner is an independent oversight body that handles privacy complaints from the public.
Please let me know if your organization requires additional information from me before proceeding with my request.
Here is information that may help you identify my records:
Full Name: [Name]
Account Number: [Number]
Email Associated With Account: [Email address]
Explaining the Template
It may not be self-evident why all the items in the template are important or what they mean; what is the significance of the requested data? By the end of this section these kinds of questions will be covered.
- Name of department: if possible, you want to direct your request to the company’s privacy office/officer. Alternately, if the company has an executive office email account you could send the message there. Failing either of those, try the general contact email address, or (if it’s listed) print a copy of your request and physically mail it to the company.
- IP addresses: though IP addresses aren’t perfect online identifiers they are often persistently linked to specific routers. This is true even if you have a ‘dynamic’ broadband connection in Canada; quite often it can be weeks or months before a new IP address is assigned to any given router. In the case of businesses that have dedicated IP addresses it is possible to correlate (roughly!) the geographical regions you visit. Moreover, should the social networking company in question ever disclose the IP logs linked to your account to third-parties, those third-parties could figure out where you’ve physically been present (e.g. coffee shops, libraries, airports, or anywhere else with a wifi access point). Now, this kind of investigative work would require compelling the relevant ISPs linked with the IP address to reveal what modems were associated with what IP addresses, including when, and where, those routers are located. So while this isn’t the easiest way to figure out where you’ve been, it’s a tried-and-tested method that authorities, lawyers, and other third-parties around the world have used for years.
- Contact information: social networking companies have been using your contact books to find your friends on social networks that you’ve joined for a long time. On the one hand, this information could be used temporarily to see whether people you know are on the service and the contact book information could subsequently be purged. Alternately, this information could be retained indefinitely. It’s nice to know if, when you said “yes” to grant a company access to your contacts, the company took that to mean they could store that information forever, or if they only used it for the temporary (and reasonable) purpose for which you provided the information in the first place.
- Data disclosure: though it’s somewhat self-evident, you likely want to know if the social network in question has disclosed your information to another party. Given the prevalence of policing bodies’ access to citizens’ social networking information, it is revealing to discover that (a) the information was disclosed; (b) you were never contacted by authorities. While this could be evidence of an ongoing case against you, it might just as likely suggest that your data could end up as part of a fishing expedition and you just happened to get caught up in the net. Still, it’s not just the police that you might be mindful of: has your data been sold to marketers? political parties? other identity brokers? insurance companies? In essence, there are lots of groups that are interested in your data, but you’ll likely only discover if they’ve received it by asking your social networking company about data disclosures.
- Metadata: I’ll be honest, metadata is probably the part of your request that is most likely to appear Greek to you (assuming, of course, you don’t speak Greek!). Metadata is also one of the most important categories of data that you want companies to reveal to you. In essence, what you’re asking is this: how much information about you and your information is the company in question collecting? Does it capture browser fingerprints, which can identify your web browser with high degrees of accuracy? GPS information? Biometic data? Are there data records that are ‘written’ when you publish a comment that are invisible unless you dig below the surface? Quite often metadata will be used for internal or external analysis to discriminate against various ‘types’ of users, with the purposes and related discrimination manifesting a bit differently on each social network. If you get this kind of information you might contact your closest geek buddy, who can help you decode whatever information you get back. Importantly, before you can ascertain what kind(s) of service discrimination are possible, and perhaps occurring to you, you need to know all the data, and data about data, that the company is generating about you.
- Non-deleted deleted data: The final category refers to data that you have ‘deleted’ but that wasn’t actually deleted from the company’s servers. If you read through many of the privacy policies linked with major social networks you find that they rarely provide guarantees to delete your data, and that some go so far as to assert that they cannot, or will not, remove some of your data. In essence, some social networks will suppress data from public viewing while retaining that very same data for internal purposes. In filing your request, you might find that the network in question really just suppressed information that you’d thought had been permanently deleted.
If you’re lucky in filing one of these requests you could get a whole lot of information from the company you send a letter to. Alternately, you could get next to, or absolutely, nothing from the company in question. Either way, it’s not uncommon to encounter some stumbling blocks between you and the data that social networking companies retain. In the next section I discuss some of the stumbling blocks between you and the data social networking companies hold, and a few tips to help you overcome those blocks.
Is It As Easy as Just Asking?
In the best of cases you’ll deal with a company that has a privacy officer or department that is familiar with these kinds of requests. The same company, ideally, will already have policies in place to facilitate a smooth response to your request. Unfortunately you’re likely to discover more companies ignore you, or actively resist disclosing information, than companies who happily work with you to disclose your personal information. So when you have to push and shove to get your information, what can you do?
A Polite Reminder
Companies, like individuals, often forget about things. Bureaucracies are a mess, and things get lost in them, especially when they’re trying to deal with something they’ve never encountered before (e.g. your access request) that will cost them money to fulfil (it’s not unusual for smaller social networks to retain counsel to figure out what your request really even mean!). The first thing you can do is just send a polite note or reminder a few days after your first request if you haven’t heard anything back. Ideally this (re)initiates the company’s internal policy wheels, and your data might be on its way soon thereafter. However, if thirty days go by and you don’t hear anything back, send a polite note. If you still haven’t heard from them a few days after this reminder then you can complain to the federal privacy commission (more on that below).
What If the Company Says “No”?
When you’ve been told “No” you can submit a followup letter that looks like the one below. You’ll probably want to modify it a bit depending on your correspondence with the company/representative in question. Note that in the original template, above, you didn’t explain in depth that the company had a very clear legal obligation to provide you with your information. The template below, however, does lay out those requirements. I’ve assumed that you’re corresponding through email, but if you have to communicate through other means only minor changes should be required.
Subject: Access Request
[Individual’s mailing address]
Re: [Social networking service user name]
Thank you for your timely response.
In your email, dated [date], you state that [social networking company] will not provide information that was requested pursuant to Section 4.9 of Canada’s Personal Information Protection and Electronic Documents Act (“PIPEDA”) on the the following bases:
[Restate, in ordered number format, the reasons the company provided for not providing your information.]
[Social networking company]’s collection, use, and dissemination of my personal information for commercial purposes means that [social networking company]’s actions fall within the scope of PIPEDA. Canadian case law and the Office of the Privacy Commissioner of Canada have previously demonstrated that foreign companies have an obligation to comply with PIPEDA.
Specifically, the Commissioner’s website, when discussing cloud-computing based services, reads, “Where the Privacy Commissioner has jurisdiction over the subject matter of the complaint but the complaint deals with cloud computing infrastructure and thus is not obviously located in Canada, current jurisprudence is clear that the Privacy Commissioner may exert jurisdiction when assessment indicates that a real and substantial connection to Canada exists” (Source: http://www.priv.gc.ca/information/pub/cc_201003_e.asp#toc5). Engaging in commercial relationships with Canadians can be said to constitute such a connection. Moreover, the question of whether the Office has jurisdiction over foreign companies has been settled in Canadian case law (See: http://www.priv.gc.ca/information/pub/cc_201003_e.asp#toc3c).
Given that [social networking company] is engaged in commercial operations in Canada, vis a vis providing its service to Canadians, it can be said to possess a real and substantial connection to Canada. As a result, it is subject to Section 4.9 of PIPEDA, Schedule 1. In light of this, I would firmly reiterate my request that [social networking company] disclose personal data that it has collected about me, as outlined in my letter to [social networking company] in my previous letter dated [Date]. For convenience sake, I have attached this letter to this email in a .pdf format.
In a situation where the company still refuses to provide you with your personal information you can file a complaint with federal privacy commissioner. Such a complaint will (hopefully!) lead to you getting access to your personal information.
Complain to the Privacy Commissioner of Canada
The federal Office of the Privacy Commissioner of Canada (OPC) is a designated ombudsperson; the office effectively acts as the federal point-institution for all things privacy. If a company either refuses to disclose your information, or is providing information in a manner that you think is misleading or false (e.g. they say they’ve given you everything, but you have very good reason to believe that the company has/is collecting further information about you) then you have the option of complaining the OPC. In your written complaint you’ll want to explain everything that you’ve done to date: when you sent your first request, responses from the company (if there have been any), and why you have a problem with their (lack of) response. Note that the OPC does not accept complains by email so you’ll need to file by letter mail to the below address:
Office of the Privacy Commissioner of Canada
Place de Ville, Tower B
112 Kent Street, 3rd Floor
Ottawa, Ontario K1A 1H3
Telephone: 613-947-1698 or 1-800-282-1376
The OPC can act as a mediator between you and the social networking company, helping all parties involved to resolve the company’s failure to disclose your information. Alternately, they can investigate the company’s practices to see if they are actively flouting federal law. For the purpose of Canadian law, it doesn’t matter if the company is located in the United States, China, or Germany, though for practical (read: lack of resources) reasons the OPC may decline to pursue a full investigation. Ideally, however, getting the OPC involved will mean that the company will (eventually) disclose your personal information.
So, hopefully after submitting your request you’ll get a copy of the information that a company has collected about you. This should include information that you, yourself, have submitted to the company: all your Tweets, messages, check-ins, and other content that you generated in your name while using the service. With a stack of information in front of you that has been provided by social networking services, you can think about whether the companies are collecting a lot of data about you, and whether you’re comfortable with the companies collecting, retaining, and using that data.
To be clear, you might be entirely OK with the data being retained and collected. The usage of your data with or without your knowledge may not bother you either. But, without a doubt, you’ll have a better idea of what kinds of information the company in question holds about you. Maybe you’ll change your online habits, maybe you won’t, but your decision will be firmly rooted in your own experiences instead of from talking heads on TV, radio, in print who regularly are warning you about the dangers of social media.
Now, before you rush off to file your access request(s), there is one last concern that might come to light: the company in question might steadfastly refuse to communicate with either you or even the federal privacy commissioner’s office. The company might operate as an information black hole, where your personal information goes in and nothing (evident) comes out. If you encounter this kind of situation, while you won’t know what the company is collecting, you’ll at least be in a better position to evaluate whether you want to remain a subscriber of that company’s social network, or if you’d rather take your personal information elsewhere.