As mentioned previously, I’ve been conducting research with academics at the University of Victoria to understand the relationship(s) between social networking companies’ data access, retention, and disclosure policies for the past several months. One aspect of our work addresses the concept of jurisdiction: what systems of rules mediate or direct how social media companies collect, retain, use, and disclose subscribers’ personal information? To address this question we have taken up how major social networking companies comply, or not, with some of the most basic facets of Canadian privacy law: the right to request one’s own data from these companies. Our research has been supported by funding provided through the Office of the Privacy Commissioner of Canada’s contributions program. All our research has been conducted independently of the Office and none of our findings necessarily reflect the Commissioner’s positions. As part of our methodology, while we may report on our access requests being stymied, we are not filing complaints with the federal Commissioner’s office.
Colin Bennett first presented a version of this paper, titled “Real and Substantial Connections: Enforcing Canadian Privacy Laws Against American Social Networking Companies” at an Asian Privacy Scholars event and, based on comments and feedback, we have revised that work for a forthcoming conference presentation in Malta. Below is the abstract of the paper, as well as a link to the Social Science Research Network site that is hosting the paper.
Any organization that captures personal data in Canada for processing is deemed to have a “real and substantial connection” to Canada and fall within the jurisdiction of the Personal Information Protection and Electronic Documents Act (PIPEDA) and of the Office of the Privacy Commissioner of Canada. What has been the experience of enforcing Canadian privacy protection law on US-based social networking services? We analyze some of the high-profile enforcement actions by the Privacy Commissioner. We also test compliance through an analysis of the privacy policies of the top 23 SNSs operating in Canada with the use of access to personal information requests. Most of these companies have failed to implement some of the most elementary requirements of data protection law. We conclude that an institutionalization of non-compliance is widespread, explained by the countervailing conceptions of jurisdiction inherent in corporate policy and technical system design.
Download the paper at SSRN
Canadian news routinely highlights the ‘dangers’ that can be associated with social networking companies collecting and storing information about Canadian citizens. Stories and articles regularly discuss how hackers can misuse your personal information, how companies store ‘everything’ about you, and how collected data is disclosed to unscrupulous third parties. While many of these stories are accurate, insofar as they cover specific instances of harm and risky behaviour, they tend to lack an important next step; they rarely explain how Canadians can get educated on data collection, retention, and disclosure processes.
Let’s be honest: any next step has to be reasonable. Expecting Canadians to flee social media en masse and return to letter writing isn’t an acceptable (or, really, an appropriate) response. Similarly, saying “tighten your privacy controls” or “be careful what you post” are of modest value, at best; many Canadians are realizing that tightening their privacy controls does little when the companies can (and do) change their privacy settings without any notice. This post is inspired by a different next step. Rather than being inspired by fear emergent from ‘the sky is falling’ news stories, what if you were inspired by knowledge that you, yourself, gained? In what follows I walk you through how to compel social networking companies to disclose what information they have about you. In the process of filing these requests you’ll learn a lot more about being a member of these social networking services and, based on what you learn, can decide whether you want to change your involvement with particular social media companies.
I start by explaining why Canadians have a legal right to compel companies to disclose and make available the information that they retain about Canadian citizens. I then provide a template letter that you can send to social networking organizations with which you have a preexisting relationship. This template is, in effect, a tool that you can use to compel companies to disclose your personal information. After providing the template I explain the significance of some of the items contained in it. Next, I outline some of the difficulties or challenges you might have in requesting your personal information and a few ways to counteract those problems. Finally, I explain how you can complain if a company does not meet its legal obligation to provide you with a copy of your personal information. By the end of this post, you’ll have everything you need to request your personal information from the social networking services to which you subscribe.
Continue reading →
After disappearing for an extended period of time – to the point that the Globe and Mail reported that the legislation was dead – the federal government’s lawful access legislation is back on the agenda. In response to the Globe and Mail’s piece, the Public Safety Minister stated that the government was not shelving the legislation and, in response to the Minister’s statements, Open Media renewed the campaign against the bill. What remains to be seen is just how ‘lively’ this agenda item really is; it’s unclear whether the legislation remains on a back burner or if the government is truly taking it up.
While the politics of lawful access have been taken up by other parties, I’ve been poring over articles and ATIP requests related to existing and future policing powers in Canada. In this post I first (quickly) outline communications penetration in Canada, with a focus on how social media services are used. This will underscore just how widely Canadians use digitally-mediated communications systems and, by extension, how many Canadians may be affected by lawful access powers. I then draw from publicly accessible sources to outline how authorities presently monitor social media. Next, I turn to documents that have been released through federal access to information laws to explicate how the government envisions the ‘nuts and bolts’ of their lawful access legislation. This post concludes with a brief discussion of the kind of oversight that is most appropriate for the powers that the government is seeking.
Continue reading →
I don’t like violence, vandalism, or other actions that generally cause destruction. Certainly there are cases where violent social dissent is a sad but important final step to fulfil a much needed social change (e.g. overthrowing a ruinous dictator, tipping the scale to defend or secure essential civil rights) but riotous behaviour following a hockey game lacks any legitimating force. Unfortunately, in the aftermath of game seven between the Vancouver Canucks and Boston Bruins a riot erupted in downtown Vancouver that caused significant harm to individuals and damage to the urban environment.
The riot itself is a sad event. What is similarly depressing is the subsequent mob mentality that has been cheered on by the social media community. Shortly after the riot, prominent local bloggers including Rebecca Bollwitt linked to social media websites and encouraged readers/visitors to upload their recordings and identify those caught on camera. In effect, Canadians were, and still are, being encouraged by their peers and social media ‘experts’ to use social media to locally instantiate a human flesh search engine (I will note that Bollwitt herself has since struck through her earliest endorsement of mob-championing). Its manifestation is seemingly being perceived by many (most?) social media users as a victory of the citizenry and inhabitants of Vancouver over individuals alleged to have committed crimes.
Perhaps unsurprisingly, I have significant issues with this particular search engine. In this post, I’m going to first provide a brief recap of the recent events in Vancouver and then I’ll quickly explain the human flesh search engine (HFSE), both how it works and the harms it can cause. I’m going to conclude by doing two things: first, I’m going to suggest that Vancouver is presently driving a local HFSE and note the prospective harms that may befall those unfortunate enough to get caught within its maw. Second, I’m going to suggest why citizens are ill-suited to carry out investigations that depend on social media-based images and reports.
Continue reading →
If you spend much time working with computers then you’re likely familiar with metadata, or data about data. In the digital era metadata is relied upon for many of the tagging and categorization systems that are seen in popular web environments, such as Twitter, Digg, Delicious, Facebook, and so forth, and is more generally used to define, structure, and administrate data across all digital environments. I should state, upfront, that metadata is incredibly valuable: nothing that I’m going to write about should leave you with the suggestion that metadata should be removed from the digital landscape or could be removed. Instead I’m advocating for a responsible use of metadata.
In this post I will be drawing on a pair of examples to underscore just how much data is contained in popular metadata structures: the information divulged every time a person tweets on Twitter, and what your mobile phone operator may be giving up to third parties when you browse the web on your phone. In the latter case, especially, we see that metadata is not just important for routing data traffic but also responsible for disclosing a considerable amount of personal information. I’ll conclude by noting, once again, that our privacy regulators, commissioners, advocates, and researchers need additional funding if citizens are to have those parties regularly identify ‘bad’ metadata practices and seek rapid remedies before the data ends up being datamined for illicit or unjustifiable reasons.
Continue reading →
The Western world is pervaded by digital information, to the point where we might argue that most Western citizens operate in a bio-digital field that is constituted by the conditions of life and life’s (now intrinsic) relationships to digital code. While historically (if 30 years or so can withstand the definitional intonations of ‘historically’) such notions of code would dominantly pertain to government databanks and massive corporate uses of code and data, with the advent of the ‘social web’ and ease of mashups we are forced to engage with questions of how information, code, and privacy norms and regulations pertain to individuals’ usage of data sources. While in some instances we see penalties being handed down to individuals that publicly release sensitive information (such as Sweden’s Bodil Lindqvist, who was fined for posting personal data about fellow church parishioners without consent), what is the penalty when public information is situated outside of its original format and mashed-up with other data sources? What happens when we correlate data to ‘map’ it?
Let’s get into some ‘concrete’ examples to engage with this matter. First, I want to point to geo-locating trace route data, the information that identifies the origin of website visitors’ data traffic, to start thinking about mashups and privacy infringements. Second, I’ll briefly point to some of the challenges arising with the meta-coding of the world using Augmented Reality (AR) technologies. The overall aim is not to ‘resolve’ any privacy questions, but to try and reflect on differences between ‘specificity’ of geolocation technology, the implications of specificity, and the potential need to establish a new set of privacy norms given the bio-digital fields that we find ourselves immersed in.
Continue reading →