Former Ontario privacy commissioner Ann Cavoukian talks balancing data privacy and utility during a health care crisis and the sudden popularity of apps like Zoom
Last week, Toronto mayor John Tory made some remarks that set off alarm bells for privacy experts.
“We had… the cellphone companies give us all the data on the pinging off their network on the weekend so we could see, ‘Where were people still congregating?’”
He later retracted the comments, first reported by The Logic, saying it was an idea he had raised casually but not implemented. “The City of Toronto is not collecting cell phone location data, nor has it received any such data,” the city’s chief communication officer Brad Ross later told the site. But the remarks put a spotlight on the role of digital data in the government response to the spread of COVID-19.
“We recognize that in an emergency situation we need to take certain steps that wouldn’t be taken in non-emergency situations. As far as I know, that is not a situation we are looking at right now,” Prime Minister Justin Trudeau later said at a press conference, not speaking definitely about the use of cell phone tracking and thus leaving the door open. “But all options are on the table to do what is necessary to keep Canadians safe in these exceptional times.”
Ann Cavoukian, Ontario’s former information and privacy commissioner and current expert-in-residence at Ryerson University and advisor for Waterfront Toronto, warns that we should be vigilant. All over the world, governments have been using or testing the waters for collecting private citizens’ data to track COVID-19, often without proper safeguards.
NOW tracked down Cavoukian to talk about the threats to digital privacy that have arisen as the world shifts online during the pandemic – not just from the government, but from tech companies with apps like Zoom getting exponentially more popular over the last few weeks. We need to be careful about the social distancing tools we use, she says, because privacy is often exchanged for convenience.
States of emergency have been declared in Toronto, Ontario and Canada. Does that give those levels of government more power to restrict personal privacy rights that are otherwise protected?
Yes, because there are emergency provision sections within privacy laws that allow for additional collection tracking of information under emergencies, such as this pandemic. You have to ensure responsibility and accountability on the part of government. And the problem is, once governments start collecting additional information, they rarely pull it back because they love having lots of information and control of it. And that’s the problem. You can’t leave it to them to be protecting our data. We have to insist upon it. I really hope that’s what the privacy commissioners are going to be doing.
Do you think the Canadian government will use cell phone data to track the spread of COVID-19?
The pressure is mounting. Other jurisdictions beyond Canada are far worse. Israel, for example, they’ve got this treasure trove of cellular data that nobody knew about. And Singapore, China and other jurisdictions are doing similar things. British Columbia just suspended part of its Freedom of Information and Protection of Privacy Act in terms of the protection of personal data. Hopefully, that’s for a finite period of time.
The problem is when this kind of additional information tracking takes place, you’ve got to have very firm end dates, sunset clauses. Along with that, you have to have provisions that say any data you collected to this point, now that the crisis is lifted, you have to – you must – you are required to delete – because you no longer require the information. But we have no assurances to that effect.
If there is going to be digital tracking, it must be proportionate, legitimate, transparent and there must be a firm sunset clause.
Everything is moving so fast, it feels like new measures are being enacted every minute of every day. Do you think the urgency and speed of it all will prevent those safeguards going in place before the legislation gets put in place?
I do. This is why an end date is so important, because once this passes, and I’m praying it does sooner rather than later, the focus will shift away from the surveillance aspects to focusing on how we get the economy back up and going and moving forward. The absence of sunset clauses and the transparency would limit our ability to bring it back. These are the things that bother me. We have to be able to prevent governments from using these same tools to track individuals for other purposes after this crisis has subsided.
If the proper safeguards were to be put in place, in terms of just being able to track the spread of coronavirus, do you think that this collection of data could be useful?
Unfortunately, it’s a trade-off at times. I believe in both privacy and data utility. So it’s not that I don’t think people, health care providers, et cetera, could benefit from knowing where the worst cases are. But you have to do that in a privacy-protected manner. You have to promote scrutiny and prevent overreach.
As people are physically distancing and working from home there have been a number of new apps and platforms that people have been adopting. For instance, Zoom has really taken off as a default mode of video chat, but a number of articles have come out about how it’s a privacy nightmare.
Everyone has had to shift to this socially distant life very quickly, so I’m sure not many people are reading the terms of service.
There’s something called Privacy By Design that I created years ago, and it’s the strongest form of protecting privacy. It’s a certification, and you don’t give it to a company, but you offer it for particular products or services. The essence of it is being proactive and getting much-needed privacy protective measures upfront, right into the design of your operations policies. Bake it into the code so that it is an essential feature that can’t be overlooked.
Do you have any apps you would suggest as alternatives that protect your data?
Signal is much better [than Zoom], there’s no question. And [the browser] Brave instead of Chrome. DuckDuckGo is much, much better for search than Google. It’s fabulous. They don’t share any of your personal information on the searches with anybody.
Is there anything else you think Torontonians should be looking at when it comes to data security during this pandemic?
I want to just keep our eyes on John Tory. Thank god he retracted what he said about tracking smartphone data. But I think it reflects his wish, that he would like to be able to track where people are going, where they’ve been. That concerns me enormously. So much will be revealed by tracking your cell phone data. Our personal lives, our medical data, our financial data, who we transact with, where we go – all of our information is on them. That shouldn’t be accessible to anyone.