Category: privacy

Harper’s nominee for Privacy Commissioner must be challenged

The current Canadian government has been in a lot of trouble recently over nominations to various federal offices. It’s been accused of cronyism, overly partisan, inappropriate  and even illegal nominations to senior positions. Many have been rejected. It comes as no surprise then to find that Prime Minister, Stephen Harper, has nominated someone who seems almost entirely inappropriate to be the next federal Privacy Commissioner.

The nominee, Daniel Therrien, has spent almost all his career as a government insider. If Therrien was a privacy expert, this wouldn’t necessary be an obstacle even to someone taking a job which is supposedly an arm’s length position, as much a watchdog on government as a government office.

If he was a privacy expert.

But he’s not.

Therrien’s experience comes mainly in corrections (prisons and parole offices) and latterly with immigration and border issues. He’s currently the Assistant Deputy Attorney General, Public Safety, Defence and Immigration Portfolio, at the Department of Justice. It is in this position that he has had some involvement with privacy issues, and in some ways, this involvement makes his nomination even more troubling.

Therrien was one of the leaders of the Canadian negotiating team that dealt with the privacy principles of the Beyond the Border Accord, the agreement that essentially allows the USA to extend its ‘perimeter’ around Canada (the original proposed version of the agreement was refered to as the North American Perimeter agreement).

So what do the principles say? Essentially they are a vague set of reaffirmations of well-understood data protection principles combined with the recognition of domestic laws. They don’t do anything specific or new. They certainly will not guarantee that sensitive personal information is not shared across borders or provide for genuine protection when they are. And it seems clear that while necessity and proportionality and data quality are all referenced, necessity seems to trump everything else. As the final principle on ‘Retention’ states:

“The United States and Canada are to retain personal information only so long as necessary for the specific purpose for which the information was provided or further used.”

But as we know from almost everything that has happened since 9/11, necessity is the mother of expansion.

In addition, most of the principles also use the phrase “in accordance with their respective domestic laws”, or similar. A paragraph on ‘Effective Oversight’ states

“A system of effective data protection supervision is to exist in the form of a public supervisory authority or authorities with effective powers of intervention and enforcement. These powers may be carried out by a specialized public information protection authority or by more than one supervisory public authority to meet the particular circumstances of different legal systems.”

Translated, this means “business as usual.” Canada can carry on having its system of Commissioners and the USA can carry on having its in-house Privacy Officers. This does nothing to resolve the issue of what happens when privacy laws and systems of oversight are in conflict or incompatible – as they frequently are.

The Prime Minister is quoted in the press release as saying: “­­­­­­­­­­I am pleased that Daniel Therrien has agreed to be nominated for the position of Privacy Commissioner. He is a well-qualified candidate who would bring significant experience in law and privacy issues to the position.”

I guess it all depends what one considers to be ‘significant experience’. He has some experience. But he is neither a privacy lawyer not a privacy expert by training nor has be become such by virtue of his career. And his limited experience is almost entirely in the context of the furthering of neoliberal trade and security agreements with the USA, it is not in domestic privacy protection.

Daniel Therrien may well have had an impeccable professional record. He may well be an excellent Assistant Deputy Attorney General. He may well be a good person. But none of those things are the issue here: Therrien is not “a well qualified candidate” to be the federal Privacy Commissioner. He could, like the current interim Commissioner, Chantal Bernier, legitimately be appointed as Deputy Commissioner in order to build up his qualification in the area. But as the Commissioner? No.

Luckily, this nomination is not a foregone conclusion. It must be approved by both the Senate and House of Commons, and Liberals, NDP and Greens have all voiced concerns already. I am adding my own voice to this in saying that this nomination must be challenged in the most robust terms. Personally, I also think it’s a great shame that the capable and directly experienced Bernier was not given the opportunity to retain the seat that she has only been keeping warm for the next Commissioner…

The Right to Watch?

I’ve always defended the right to photograph in public places. However, a number of cases in the last few weeks are highlighting an important new development in this area, a new front in the increasingly confusing information wars. Gary Marx always like to say that surveillance is neither good nor bad but that intent, circumstances, and effects make it so, but a growing number of people and organizations seem to be treating surveillance – or at least watching, and certainly not all watching is surveillance – as a right which supersedes rights to privacy. We’ve seen this in the case of Google Glass – even before it was launched commercially – and more recently with the arguments over the ‘right to be forgotten’ in Europe, with personal privacy being counterposed to freedom of information and actions to protect privacy being compared to censorship. It’s all somewhat reminiscent of Dave Eggers’ novel, The Circle, in which a Facebook-Google-Apple-a-like company completely turns around social values until, as one of the corporate slogans has it, “PRIVACY IS THEFT!”

The latest case is that of the use of drones / micro-UAVs / MAVs in the USA. The Federal Aviation Authority (FAA), the government body that controls US airspace, is trying to regulate the use of drones and has attempted to fine commercial drone operators who fly surveillance drones without their permission. The case revolves around one Robert Pirker, who used an unlicensed drone to film a promotional video back in 2011. At the moment the FAA is appealing against the National Transportation Safety Board (NTSB), who rule that it could not fine Pirker as it did have jurisdiction over small drones. Now the media has weighted in on Pirker’s side, arguing that the FAA’s stance infringes the first amendment and creates a ‘chilling effect’ on journalism.

I’m really not sure about either argument. On the FAA side, this is partly about a bureaucracy trying to keep control of its regulatory territory as much it is about the object of the regulation – the FAA does not want to be seen to be losing control just as the number of small drones is increasing massively.

On the other side, is this really about the rights of journalists? Pirker was making a commercial film not covering a story, and the effect of the FAA’s ruling being overturned is more likely to open the door to a corporate free-for-all, an absurd PKDickian world of drones as far as the eye can see, with all the attendant crashes and legal battles, could result. Think not? Well, back in the 1900s, people thought there would never be that many cars on the roads either… so it is certainly it is partly about their mandate, i.e. air safety.

The big question here, as with Google Glass and with Search, is whether technological change makes a difference. Is a flying camera just the same as a hand-held camera? Does the greater potential for intrusion, or on the other hand the inability to know that one is being filmed, matter? Does that possibility that ‘the truth’ will be revealed justify any technological method used to obtain it? If not, which ones are acceptable, whereis the line drawn, and who decides and how? In the UK, the ‘public interest’ would be a good basis for deciding, as has been frequently alluded to in the Leveson Inquiry into telephone tapping conducted by Murdoch-owned newspapers, however ‘public interest’ is a much vaguer term in the USA… what is certain is that conflicts around the ‘right to watch’ versus the ‘right to privacy’ and other human rights and social priorities are only going to intensify.

On the ‘Right to Be Forgotten’

While Viktor Mayer-Schönberger is arguing today both that there’s really not a lot new to the European Court of Justice decision to order Google to adjust its search results to accommodate the right to privacy for one individual and that it really won’t be a problem because Google already handles loads of copyright removal requests very quickly, the decision has also sparked some really rather silly comments all over the media, usually from the neoliberal and libertarian right, that this is a kind of censorship or that it will open the door to states being able to control search results.

I think it’s vital to remember that there’s really an obvious difference between personal privacy, corporate copyright and state secrecy. I really don’t think it’s helpful in discussion to conflate all these as somehow all giving potential precedent to the other (and I should be clear that Mayer-Schönberger is not doing this, he’s merely pointing out the ease with which Google already accommodates copyright takedown notices to show that it’s not hard or expensive for them to comply with this ruling). State attempts to remove things that it finds inconvenient are not the same as the protection of personal privacy, and neither are the same as copyright. This decision is not a precedent for censorship by governments or control by corporations and we should very strongly guard against any attempts to use it in this way.

Google algorithms already do a whole range of work that we don’t see and to suggest that they are (or were) open, free and neutral and will now be ‘biased’ or ‘censored’ after this decision is only testament to how much we rely on Google to a large extent, unthinkingly. This is where I start to part company with Mayer-Schönberger is in his dismissal of the importance of this case as just being the same as a records deletion request in any other media. It isn’t; it’s much more significant.

You are sill perfectly free to make the effort to consult public records about the successful complainant in the case (or anyone else) in the ways you always have. The case was not brought against those holding or even making the information public. What the case sought to argue, and what the court’s verdict does, is to imply that there are good social reasons to limit the kind of comprehensive and effortless search that Google and other search engines provide, when it comes to the personal history of private individuals – not to allow that one thing that is over and one to continue to define the public perception of a person anywhere in the world and potentially for the rest of their life (and beyond). Something being public is not the same as something being easily and instantaneously available to everyone forever. In essence it provides for a kind of analog of the right of privacy in public places for personal data. And it also recognizes that the existence and potentials of any information technology should not be what defines society, rather social priorities should set limits on how information technologies are used.

Personally, I believe that this is a good thing. However, as the politics of information play out over the next few years, I also have no doubt that it’s something that will be come up again and again in courts across the world…

PS: I first wrote about this back in 2011 here – I think I can still stand behind what I though then!

Transparent Lives: Surveillance in Canada

The New Transparency project is coming to an end, and we are launching our major final report, Transparent Lives: Surveillance in Canada / Vivre à nu: La surveillance au Canada, in Ottawa on Thursday 8th May (which is also my birthday!). The report is being published as a book by Athabasca University Press, so it is available in all formats including a free-t0-download PDF. We want as many people in Canada (and elsewhere) to read it as possible.

The launch will be covered by the Canadian press and was already blogged in the Ottawa Citizen a few days ago.

A website with resources and summaries will be here very soon, and there is also a promotional video / trailer here in Youtube.

 

Hot Air on the Surveillance Industry from the UK

Privacy International has produced a much-needed survey of the state of the surveillance industry, following its other excellent report on the use of development aid to push surveillance technologies on developing countries. The British government’s response, voiced by the Chair of the Parliamentary Committee on Arms Export Controls, Sir John Stanley,  has been a typically limp one, largely concerned with the possibility of such systems being sold to ‘authoritarian regimes’ yet blustered and talked of ‘grey areas’ when it came to Britain’s responsibility for this trade.

But this is all way too little too late. I warned of the danger of the increased technological capabilities and decreasing costs of ‘surveillance-in-a-box’ systems as far back as 2008 (see my post here which refers to that). Instead of taking horizon-scanning and pre-emptive action to limit this, Britain, the USA and many other states have encouraged this trade with state aid – as they have with military and security industries more broadly – and, not least, encouraged the use of surveillance on a global scale themselves. Their own extensive breaches of human rights through programs like PRISM and TEMPEST give them no real moral high ground to talk about what authoritarian regimes might do, when they are already pursuing the same actions.