I am taking the opportunity to post on the blog a response from Ken Anderson, Assistant Commissioner, Privacy, Office of the Information & Privacy Commissioner of Ontario, Canada following my comments on Privacy by Design (PbD).
There are in fact two letters – the earlier of which I will post as a comment to this blog.
Just to set the scene: my concerns about PbD resemble the discussions on nuclear disarmament in the 1970s. In the Nixon-Brezhnev/Kosygin era, the USSR wanted to install an Anti-Ballistic Missile system around Moscow as a defence against the USA’s Inter-Continental Missiles (ICM). The USA said that such an installation would be an act of nuclear proliferation. The USSR argued that it wasn’t: if the system was purely defensive, how could it be an act of proliferation?
The USA then said that if the USSR installed its defensive system, the USA’s response would be to build so many more ICM missiles to guarantee that, in the event of nuclear war, Moscow’s defensive system would be swamped. This explains why the USA argued that a defensive system was an act of proliferation.
I think there is an element of the idea underpinning Brezhnev’s thinking in PbD. If, for example, a CCTV system only records privacy-protective images, you can install many of them. The problem of privacy is transferred from the privacy-protecting CCTV images to who can have access to the unprotected image. This gets you back to political and legal issues (e.g. is a warrant needed? Can images be released voluntarily to help the police with respect to any crime?).
I suspect that in many instances, the main effect of PbD is to shift the privacy problem from data collection to data access or elsewhere in the system of checks and balances. I also think that PbD privacy guarantees are vulnerable to legislative changes that require access to unencrypted personal data. In other words, you get back to basic issues such as the regulator, Parliamentary scrutiny, etc. An insightful speech by Dr Ian Kerr (iankerr.ca/content/view/526/1/) has raised a similar concern.
The target of the blog was not PbD, but the assertion that you can have privacy and security. I need a lot of convincing with respect to that statement because I think it wrong.
RESPONSE FROM THE COMMISSIONER
Dear Chris,
I appreciated your note of the 13th. You present an interesting perspective on this question. Yes please, I accept your offer to post my response, and I guess this one too. Thank you for that.
There is one point that you make with which I must take issue – your statement that “the target of the blog was not PbD, but the assertion that you can have privacy and security.” The notion that you can do precisely that represents Dr. Cavoukian’s “Positive-Sum” principle, which forms a central tenet in the concept of Privacy by Design. Given that, I believe you can appreciate my interest in responding to your note. I'll follow your sequence of ideas.
You made reference to a speech of Dr. Ian Kerr which is posted on his website. You should also note that Dr. Kerr has written a prologue to the posting where he describes his remarks as "a kind of off-the-cuff 'moment'". He goes on to describe his later conversations with Commissioner Ann Cavoukian (to whom he refers) which provides an extra context (and maybe some counterpoint) for his remarks.
It is possible that our failure to reach a meeting of the minds on this issue stems from the fact that, as Dr. Kerr notes, we defend our positions from different philosophical orientations. As a regulator, we are, essentially, pragmatists. In your role, I suspect you are afforded greater opportunity to indulge in wider reflection.
Your reference to the proliferation of nuclear missiles is intriguing, but I don't think the facts are the same. On so many issues – patron and employee safety; deterrence and detection of crime – to name a few, society demands that the state offer appropriate protections. Increasingly, the timeframe to accomplish this is not “some time next year” or “soon;” but rather, it is now. At the same time, we are confronted with an explosion of digital activity and the growing deployment of information and communications technologies into every sphere of human activity, both online and off. Tens of millions of individuals are already carrying biometric-enabled identity and travel documents; hundreds of millions are participating in online social networks, and billions of people around the world are using portable devices in new and transformative ways.
The technologies are not going away. If anything, their use will grow. They will operate in both the public and private spheres, and all of this activity generates digital footprints. It is important to also note that, as a regulator, it is not within our mandate to prevent the implementation of technology which answers valid safety and security requirements. In our view, complete withdrawal of regulators is not a viable option in today’s information society. We believe in the need for engagement, not confrontation. We also believe that privacy is fully protected when measures are drawn from an umbrella of protections that the Commissioner calls “SmartPrivacy.”
SmartPrivacy is a model which incorporates an arsenal of protections – everything necessary to ensure that an organization’s complete holdings of personal information are appropriately managed. Each element is important, but PbD represents its sine qua non. Failing to envision privacy requirements from the outset will, despite the presence of the other elements, either fail to protect PI or do so in a sub-optimal manner.
I am attaching our report entitled, Privacy and Video Surveillance in Mass Transit Systems because I believe that it addresses the concerns you note with respect to CCTV systems. The Toronto Transit Commission, the subject of the report, has employed cameras within their system for many years. In addition to the comparatively recent justifications related to crime prevention and detection, they have long been an important dimension of the system’s patron and employee safety system, as well as an important tool to manage platform crowding, especially at choke-points during congested rush hours. It represents an excellent example of proliferation occurring prior to privacy issues and assurances. Recognizing the perception of invasiveness, the TTC has embraced PbD and implemented a full suite of controls:
• There is no routine monitoring on surface vehicles because the technology does not provide a live feed — so no one is actually watching.
• Special Constable Services do not monitor the live video surveillance feed. All access is strictly logged and incident-driven; it's erased/re-written every 15 hours.
• Recorded video surveillance images are only accessed by the TTC when an incident has taken place, where an investigator must isolate and copy the image before it is automatically overwritten.
• Images collected from surface vehicles are erased and automatically overwritten every 15 hours.
• The TTC reduced its retention periods for subway images from seven days to a maximum of 72 hours.
• Unauthorized access to images obtained through the video surveillance system is prevented. Hard drives containing recorded video images are only accessible through the use of a strong password, which is only available to a small number of TTC supervisors. The operators of TTC vehicles do not themselves have any access to the recorded images.
• The TTC must ensure that its video surveillance program is subjected to an effective and thorough yearly audit conducted by an independent third party, using the GAPP Privacy Framework.
• And most important, a “two-key” sign-off process (one of which must be the Chief of Police) must be invoked before police officers are permitted to retrieve any stored images.
As Dr. Kerr says, there is a role, in our society, to be played by both privacy idealists and pragmatists. I believe that it is important that the two groups maintain an open dialogue and that the critical threshold questions which exist are both asked and answered. Once answered, if an authorized decision is made to invoke technology for use in a program, Privacy by Design is the only tool of which I’m aware which, when properly deployed, ensures the selected technology is privacy protective. We are not alone in the view that PbD is a powerful tool for privacy. For example, recently, in December 2009, the Centre for Democracy and Technology made a submission to the Federal Trade Commission in Washington D.C. on The Role of Privacy by Design in Protecting Consumer Privacy (copy attached for convenience) which concludes, "But if legislators, regulators, and innovators work together to buttress this framework with best practices that reflect Privacy by Design, then consumers and companies alike will discover that privacy and innovation are not mutually exclusive, but that privacy is instead an essential element of the innovative Internet."
Chris, thank you for taking the time to consider these views.
Best, Ken
Ken Anderson
Assistant Commissioner, Privacy
Office of the Information & Privacy Commissioner of Ontario
Canada