In the wake of a stunning data breach, the University of Victoria campus community could only hope that the institution would do everything it could to regain lost trust. One such opportunity arose this week, when controversial Google Streetview vehicles were scheduled to canvass the campus. Unfortunately the opportunity was squandered: it is largely by accident that the campus community has – or will – learn that Google is capturing images and wireless access point information.
In this short post I want to discuss how seriously the University failed to disclose Google’s surveillance of the campus. I begin by providing a quick overview of Streetview’s privacy controversies. I then describe the serious data breach that UVic suffered earlier this year, which has left the institution with a significant trust deficit. A discussion of the institution’s failure to disclose Google’s presence to the community, and of its attempts to chill speech around Google’s presence, follows. I conclude by suggesting how institutions can learn from UVic’s failures and disclose the presence of controversial, potentially privacy invasive, actors in order to rebuild trust where it is flagging.
Google Streetview and Privacy
Streetview has been a controversial product since its inception. There were serious concerns as it captured images of people in sensitive places or engaged in indiscreet actions. Initially the company offered only a cumbersome means for individuals to remove images from the Google Streetview database. This process has subsequently been replaced with an option to blur sensitive information. Various jurisdictions have challenged Google’s conceptual and legal argument that taking images of public spaces with a Streetview vehicle is equivalent to a tourist taking pictures in a public space.
In their early discussions of the Streetview product, the Privacy Commissioner of Canada had this to say:
We would again highlight the need for knowledge and consent – you must let citizens know that they are going to be photographed, when, why, and how they can have their image removed. We would also encourage you to be sensitive about the areas you choose. We note that in your company’s appearance before the ETHI Committee, you committed to contacting community organizations prior to the launch of StreetView in Canada to notify them of the blurring capability as well as the process for having images removed, in case they wish to explore that option. We appreciate your undertaking to do so.
Further, the Privacy Commissioners of Canada, Alberta, Quebec, and Ontario collaborated to produce a short letter to Canadians about Streetview-like systems. As noted by a member of their staff, the basic message from this letter was:
Under Canadian privacy law you should know when your picture is being taken for commercial reasons, and what your image will be used for. Your consent is also needed. There are exceptions, but they are very limited and specific.
We think companies that engage in this activity have to let citizens know that they are going to be photographing the streets of their city, when this will happen, why and how they can have their image removed if they don’t want it in a database.
While concerns remained amongst Canadians surrounding Streetview, the next major controversy arose when the public learned that Google was capturing unencrypted wireless access point data. Google initially stated that they had only collected SSID and MAC addresses from routers. As I’ve written before:
In layman’s terms, the SSID is the name of the wireless network that is usually given to the device during configuration processes following the installation of the device (e.g. Apartment 312, Pablo14, or any of the other names that are shown when you scan for wireless networks from your computer). The MAC address is a unique number that is associated with each piece of Internet networking equipment; your wireless card in your computer, your LAN card, your router, and your iPhone all have unique numbers.
Google correlated the SSID and MAC address with GPS information to geolocate the router. This information is used to speed up geolocational searches using Google products; it’s faster to query nearby wifi access points and then refine with GPS than to rely purely on GPS. Google initially collected this information regardless of whether an individual wanted their wireless access point information deposited in Google’s databases. This has changed, though the ‘solution’ is perhaps as inelegant as is humanly and technically possible.
The Privacy Commissioner of Canada, amongst others, saw the collection of the SSID and MAC data as a minor issue. The relative significance of this information varies depending on its usage: in a Black Hat conference talk, a researcher demonstrated how this information was instrumental in geolocating people who communicated with the researcher. In a research setting this is interesting; in an abduction or stalking situation it’s far more poignant.
What Privacy and Information Commissioners around the world were most concerned and upset by were subsequent revelations that Google’s Streetview vehicles were actually collecting data from the unsecured wireless networks that they drove past. While the company initially stated that this was an error – the result of old code accidentally being recycled – it turns out that the company knew it was collecting this data for three years before its actions came to the public eye. In her analysis, the Privacy Commissioner of Canada concluded that Google had collected the following types of information: complete email messages; user names and passwords; real names of individuals; residential and business addresses; phone numbers; medical conditions; potentially illegal actions (e.g. statements of speeding); and unencrypted cookies with personal information such as IP addresses, user names, and postal addresses.
Google has since assured the public that the offending code has been removed and that ‘accidentally’ collected data has been purged. They have not been particularly forthcoming in American investigations and, partially as a result, have experienced renewed international investigations of the product. Regardless of whether the company has incurred serious financial costs due to Streetview’s continued mishaps, the Streetview brand has been tarnished: Streetview vehicles almost inherently carry with them a degree of controversy.
University of Victoria and Community Trust
In early 2012, the University of Victoria suffered a serious data breach. From reading the report produced by the Office of the Information and Privacy Commissioner of British Columbia (OIPC), we learn that a series of failures occurred. Data was lost to unknown criminal third parties when an unencrypted storage device was stolen from the Administration Building. In the report (available as a PDF), we learn that:
Interviews with various University staff made it clear that senior staff in Financial Services had considered using encryption on the storage device and in fact had received advice from others that encryption should be used. Further, they agreed that encryption was an appropriate security measure. However, although there appears to have been an intention to encrypt the data, it was not carried out (Pp. 15-6).
Further, the Commissioner recognizes that physical security was lacking. First, she found that
the University placed the device in what was deemed to be a secure physical location. Of course, in the actual event, what was perceived to be a very secure location was not, because the safe was not properly fixed in place. The anchors were not appropriate to prevent the safe being dislodged, and the thieves were able to remove it (Pp. 13).
Second, she found that
the University staff did not make a decision to alarm the premises of Financial Services. Although we were informed that a break-in of the premises was considered an unlikely occurrence in the past, I believe that the amount of personal information housed in the Financial Services and Payroll areas should have led to the recognition of the need to alarm those areas. As well, since the other half of the building already had alarms in place, all areas of the building could have been easily alarmed (Pp. 14).
These physical security failures, accompanied by a failure to encrypt the data on the storage device, meant that almost 12,000 current and former employees of the University of Victoria had the following information compromised: names, social insurance numbers, and banking information. The loss of such information constitutes an incredibly serious data breach.
In short, UVic suffered an incredibly public loss of face. Ryan Berger, who sits on the Canadian Bar Association’s freedom of information and privacy section, recognized that the University had a large challenge in rebuilding its reputation. While being public about the data breach and – somewhat surprisingly to some – subsequently being recognized as a top employer in Canada might help, rebuilding trust would be an ongoing process.
Streetview Comes to Campus
Given the need to rebuild community trust, it’s disappointing to see the University of Victoria obfuscate the fact that a controversial service, one previously found to be privacy invasive, was authorized to work on campus without any apparent public consultation. The Privacy Commissioner of Canada strongly suggested that Google should contact community groups prior to deploying their cameras and, it seems, Google has done that: they apparently contacted the University, and the institution subsequently ‘notified’ the campus community. I would suggest, however, that the notice is as minimal as possible and is intentionally designed to hide Google’s presence from the wider community.
The University released the following information, though it was not distributed widely to the campus community and instead quietly added to a sub-section of their homepage:
Campus mapping project May 29-31
From May 29 to 31, a mapping project will be taking place on the UVic campus. Mapping technicians using a bicycle and trailer and a vehicle will be photographing the campus, including pedestrian pathways, campus trails and parking lots.
Any personally identifying information recorded (e.g. faces, license plate numbers) will be omitted from the finished product. If you have any concerns or require further information, please contact Robin Sutherland, Manager of Internet Strategies in UVic Communications at firstname.lastname@example.org or 250-721-6249.
From this message, I had no idea that it was Google Streetview that was on campus; I only learned about this when another message was forwarded to me from a colleague. The campus is not exclusively composed of academic buildings and administration wings: there are residential areas on campus that are filled with families who are using wireless access points. At no point in the ‘disclosure’ does the University provide information about how to opt-out of the collection of geolocated wifi information. Moreover, the notice cannot be understood to constitute meaningful consent to the Streetview vehicles’ operation, especially in the cases of students who live on campus and thus have higher expectations of privacy (on the basis of having personal, residential, wireless access points) than more transient non-residential students.
The University made this information available – at least by email – on May 29, the day that Google was coming to campus. In essence, it absolutely failed to give the campus community advance notice that a potentially privacy invasive service was going to be in proximity to the students, staff, and faculty present on campus. Further, the institution intentionally obfuscated the vendor involved – the title ‘Campus Mapping Project’, when devoid of a vendor name, is almost suggestive of a local campus mapping initiative – and it has not publicly provided useful opt-out information. Finally, only select communities were told by email that Google was collecting this information.
In case a reader comes to a conclusion that obfuscation was unintentional, I can assure you that the communications department was wary that the media would learn of Google’s presence on campus, especially in light of reporters speaking to academics about Google Streetview for unrelated reporting. In at least one case, an academic was warned to not mention the presence of the Streetview vehicles on campus to reporters, on the basis that the staff member feared that it would incite the media to look into the matter more closely. This is unfortunate, and speaks poorly – at least in some small part – of the University’s regard for academic freedoms and right to communicate openly with the public and the media.
Responsible Community Engagement
When an institution faces a serious trust deficit as a result of privacy violations or breaches, it is imperative that it proactively and transparently engage with its community before allowing systemic surveillance organizations into the institution. One scholar who has studied Google has written that,
… Google in general misunderstand[s] privacy. Privacy is not something that can be counted, divided, or “traded.” It is not a substance or collection of data points. It’s just a word that we clumsily use to stand in for a wide array of values and practices that influence how we manage our reputations in various contexts (S. Vaidhyanathan. (2011). The Googlization of Everything (And Why We Should Worry). Pp. 87).
Moreover, the privacy options provided by Google are largely ineffective because of the company’s predominantly liberal conception of privacy as an individual possession. Vaidhyanathan writes that “[c]elebrating freedom and user autonomy is one of the great rhetorical ploys of the global information economy … meaningful freedom implies real control over the conditions of one’s life. Merely setting up a menu with switches does not serve the interests of any but the most adept, engaged, and well-informed” (Pp. 89). Given Google’s general failure to ‘get’ privacy, combined with the controversial nature of its real-world mapping projects and poor conception of what ‘privacy’ means, an institution with a privacy-based trust deficit should move well beyond its minimal legal obligations when communicating with its community members.
Specifically, institutions with trust deficits should give individuals advance notice of systemic surveillance projects through a means that reaches – or can reasonably be expected to reach – most of those who could be affected. This could involve an institution-wide email message, as an example. Moreover, advance notice must constitute more than same-day notification: institutions should announce such initiatives weeks in advance. Such notice should not be a statement of fact but an invitation for discourse and an attempt to gather consent to the surveillance: the notice should direct individuals to forums where they can talk about the surveillance system and decide whether it should come to the institution. Edicts from on high should, at all costs, be avoided.
To be sure, the above proposals could delay some ‘campus mapping projects’ but, at the same time, could serve to rebuild a brand battered by privacy failures. I fail to see how an institution adopting UVic’s approach – intentional obfuscation, attempted suppression of academic freedoms, insufficient advice on opting out of geolocational data collection, and no effort to gather consent to the project – can do anything more than undermine the community’s trust in the institution they work with and work for.