The German constitution has a principle known as informational self-determination, the right to choose how your personal data is used.
It’s a simple concept for our data-driven age, even though it was enacted a generation ago, in 1983, well before the internet began chipping away at the pillars of privacy.
Yet privacy advocate Ann Cavoukian cites the German principle as a way to rethink and possibly even slow the erosion of privacy.
“Privacy is all about personal control, relating to the use and disclosure of your personal information. And this is critical: You have to be the one to decide how your information is used,” Dr. Cavoukian said in a speech Thursday.
A leading privacy proponent, Dr. Cavoukian served three terms as Information and Privacy Commissioner of Ontario and currently heads the Privacy by Design Centre for Excellence at Ryerson University. What is critical, she argued at a symposium on cybersecurity at The Globe and Mail’s offices in Toronto, is that data not be separated from context. And by context, she means the importance of data to the individual.
“Only you know the context associated with the data and can determine whether it is sensitive or not. Should you be able to share it or not? These decisions have to be made by you,” she said.
Ironically, it’s the data collectors who perhaps most realize the need to preserve context. They know that it’s the individual who can best verify the accuracy and details of that data. The willing participation of the individual in collecting his or her own data – particularly if it’s done using a transparent process, in which the individual understands how the data will be used – tends to ensure greater accuracy.
Of course the problem is that privacy measures to help bring the individual on board are typically add-ons, not the raison d’être, for a business or government. Add-on privacy measures don’t work, Dr. Cavoukian insisted. Instead, she advocates for a method called Privacy by Design, which she developed nearly a decade ago, in which privacy is addressed at every stage of developing a digital program or platform, and at every stage of its implementation.
“It was no longer sustainable just to have regulatory compliance, after the fact. We needed something pro-active, up front, so that ideally we could prevent harms from arising,” she said.
Practically, this means following certain tenets, such as privacy by default. In other words, digital platforms should not force users to have to opt out of having their data used for some other purpose. Privacy should instead be the default, Dr. Cavoukian said. Data collectors should have to ask for permission at every point in which data could be stored and used in a different way.
“If you buy something at Amazon, you give them your credit card number for payment, you give them your home address, so that they can deliver it to you. … If that was the end of the story, you wouldn’t need me or commissioners or anybody, because everything would be fine. Obviously that’s not how things work,” she said.
Privacy-by-default flips that on its head, saying “we cannot use your information other than the primary purpose of the data collection. If, later on, we want to use it for some secondary use that arises, we’ll come back to you and seek your positive consensus,” she said. “It goes from black to white. A total game changer.”
Yet, the mindset within companies and governments is to store data simply because they can, and also because privacy is often seen as being at odds with security. It’s the argument that to have security requires a reduction of privacy.
Dr. Cavoukian doesn’t buy this. “You can do both. You can change the paradigm.”
Security and privacy measures are compatible, she said; the problem is in the way policy and digital programs are designed. Today they are often designed first, and then privacy measures are bolted on after the fact. Privacy needs to be seamlessly integrated into the program from the start, she said.
This could begin happening more, though. Europe’s General Data Protection Regulation (GDPR), implemented in May this year, requires numerous privacy measures, including privacy-by-default.
“It’s dramatic in terms of its impact, but it also has enormous influence all around the world, because everyone wants to engage in trade and do business with the [European Union],” Dr. Cavoukian said. “It’s all about returning control back to the individual, the citizens themselves.”
And although Canada has generally been thought to have kept pace with European privacy protection, our country finds itself playing catch-up in implementing a similar policy. Businesses are looking into the possibility of making Privacy by Design a voluntary standard accredited by the International Organization for Standardization, to stay in compliance with the GDPR. “I am optimistic about this, too,” Dr. Cavoukian said.
Yet, she couldn’t help interjecting notes of pessimism. These privacy measures are happening during an onslaught of surveillance. She noted a comment made to her by Bruce Schneier, a prominent voice in computer security, “that surveillance is now it. It’s the leading business model of the internet.”
How to protect yourself
What’s an individual to do when surveillance seems to be everywhere – when Google’s Gmail suggests responses as if an algorithm is reading your e-mail, and search engines offer recommendations before you even know what you’re looking for?
Technology commentator Jesse Hirsh offered a few practical suggestions for the surveillance-phobe in all of us at the recent Globe and Mail symposium on cybersecurity:
- Use ad-blocking software: The malware in ads can be frightening, he said.
- Treat technology as inherently risky: For instance, use separate browsers or even separate computers for different purposes, so if one is compromised, the effects will be limited. And never use public WiFi, especially in hotels.
- Delete your cellphone data regularly: This is not nearly as drastic as it sounds. Most of our data from the accounts and apps we subscribe to is immediately retrievable.