The sun peeks through the curtains, heralding another day. Before rolling out of bed, you glance at the fitness bracelet attached to your wrist. Padding down the stairs, you notice the living room light is already on and the furnace is waking from its slumber, bringing the temperature up a couple of degrees.
During breakfast, there’s a chance to scroll through the headlines on your digital tablet, check the forecast, and browse a few websites for those new shoes you’ve been meaning to buy.
Before heading out the door, the phone rings. It’s someone asking if you want your heating ducts cleaned. Now you’re running late, but you’re soon out the door and into the car. You remember to slow down at the big intersection where a newly installed camera is tracking speeders. You park your car at the light rail station and reach for your transit pass, swiping it as you board the train for downtown. The journey is about 12 minutes, enough time to do a little online banking on your smartphone.
The security guard makes chitchat as you fill out the sign-in sheet in the lobby of your office building. A quick fumble for your electronic pass card, another swipe and you board the elevator for the seventh floor.
At your desk, you scratch your head before finally remembering your new computer password. Once logged on, you pull a memory key out of your briefcase, insert it into the machine, and retrieve the report you began pulling together last night at home.
During lunch hour, you check a few more websites and find those shoes at a great price from an online wholesaler. You log into your account with the store, confirm your credit card number, and place the order. Then your cell phone rings. It’s your spouse reminding you to call the insurance company. Before heading back to the office, there’s time to call the company and complete a medical history survey over the phone — a prerequisite for term life insurance.
The day is only a few hours old, but already you have left a potentially revealing trail of personal fingerprints. You probably didn’t give it a second thought and, besides, such interactions are just part of everyday life. In the modern era, we have little choice but to part with sensitive data. While that may be true, you can choose to practise good habits that will protect your personal information — and in turn your reputation, credit rating, and livelihood.
We have every right to hope our home would be a private sanctuary from the many people, organizations, and devices collecting information about us. Curtains, blinds, and a good fence are not enough anymore. In this chapter, we explore the nuisance of telemarketers, the techniques political parties use to gather personal information, and the increasingly wired nature of the places we live.
We’ve all had them: Those annoying calls from telemarketers that always seem to come at the most inconvenient times such as during dinners or family gatherings. The good news is that there are steps you can take to reduce, though not necessarily eliminate, the calls.
In Canada, this is where the Canadian Radio-television and Telecommunications Commission (CRTC) enters the picture. The CRTC is an administrative tribunal that regulates and supervises Canadian broadcasting and telecommunications in the public interest. That means part of its job is to protect you from unwanted calls, faxes, and email.
In the United States, this task belongs to the Federal Trade Commission (FTC), “A bipartisan federal agency with a unique dual mission to protect consumers and promote competition.”
In 2006, the Canadian Parliament amended the Telecommunications Act to allow the CRTC to establish a national Do Not Call List (DNCL). Telemarketers are required by law to register and pay fees to download updates from a secure website.
The rules apply to all companies that conduct unsolicited telecommunications, whether for themselves or someone else. Not only are telemarketers required to respect the wishes of consumers who have registered their numbers on the list, but they must also maintain their own internal lists.
In the United States the Do-Not-Call Registry has been operating since 2003 and contains similar requirements for consumers and telemarketers. The registry is enforced by the FTC, the Federal Communications Commission, and state officials.
The telemarketer, who can only call within specific hours, must identify on whose behalf the call is being made. There are also rules limiting the use of Automated Dialing-Announcing Devices (ADADs).[1] Telemarketers from the US, and other countries, making calls to Canadian consumers must also follow the same rules.
Though there are many restrictions, certain kinds of telemarketing calls and faxes are exempt from the Canadian DNCL, including those made by or on behalf of:
• Registered charities.
• Newspapers looking for subscriptions.
• Political parties and their candidates.
• Companies with whom you have an existing business relationship.
• Individuals or organizations calling solely for the purpose of market research or surveys (these are not considered to be telemarketing calls because they are not selling a product or service, or asking for donations).
• Debt-collection calls.
• Persons or entities to whom you have provided express consent to be called.
If you wish to avoid these telemarketers, you can ask to be put on their Do Not Call Lists, which they are obliged to do within 14 days. It’s a good idea to record the date of your request. The organization must keep your number on its do not call list for three years and 14 days.
In Canada, you can sign up online (lnnte-dncl.gc.ca) or by calling toll-free (1-866-580-3625). After you sign up, your numbers will be added to the list within 24 hours. Once a number has been registered on the national DNCL, it is permanent. You can also, at any time, have your number removed. In the United States, you can also sign up online (donotcall.gov/register/reg.aspx) or by calling toll-free (1-888-382-1222).
Telemarketers then have 31 days to update their own information and make sure they don’t call you in their next round of telemarketing. Don’t expect all calls to stop immediately. You could still receive calls within the first 31 days of signing up.
Although unsolicited calls can be an annoying fact of life, there are steps you can take to reduce the volume:
• Be careful about providing your number to anyone.
• On forms, always select any privacy check box that indicates you do not wish to be contacted. If there is no privacy option, then be cautious about providing your telephone number to a company.
• You may ask companies you do business with to avoid sharing your telephone number, or any other personal information, with third parties.
If the calls persist once your name is on the list, there are steps you can take which involve getting the caller’s phone number and reporting it to the CRTC, along with the date. You may be able to see the telemarketer’s number and name from your telephone’s call display, or hear the last caller’s number by dialing *69. If the telemarketer calls again, ask for a number and name.
If the complaint checks out, the CRTC has many options such as a warning letter, a citation published on the tribunal’s website that identifies the alleged violation and specific corrective actions to be taken during an agreed-upon time frame, and a notice of violation for the most serious violations.
If you think the call is part of a fraud scheme, call the federal government’s Canadian Anti-Fraud Centre, a central agency that collects information and criminal intelligence on issues such as mass-marketing fraud, Internet fraud, and identification theft complaints.
In the United States, the steps are similar, though the Federal Trade Commission warns individual responses are impossible due to the high volume of complaints. However, this doesn’t mean that you’re being ignored. On the contrary, the FTC and other law enforcement agencies analyze the complaints for patterns, and then take “aggressive legal action,” which includes fines of up to $16,000 per call. So it’s always a good idea to complain.
Political parties are exempt from privacy legislation, in large part because the political process hinges on parties gaining access to personal information. The challenge is balancing the desire to protect personal privacy with the need to give political parties access to personal data to ensure political participation, the hallmark of any democracy. As we will see throughout this book, privacy advocates, regulatory institutions, businesses, and consumers struggle to get this balance right.
In Canada, the Office of the Chief Electoral Officer, known to most people as Elections Canada, is an independent, nonpartisan agency that reports directly to Parliament. Its responsibilities include conducting federal elections and by-elections and monitoring compliance with the Canada Elections Act.
In an age when political parties are devising more sophisticated means of identifying voters to ask them for money and convince them to turn up at the polls to cast a ballot, concerns about privacy should be top of mind. If you receive a request from a political party out of the blue, chances are that the organization obtained your personal information without your knowledge and consent.
At first blush, you might be tempted to blame Elections Canada for disclosing your personal details to a political party. Such was the case of a woman who complained to the Office of the Privacy Commissioner in 2006. The woman, whom the commissioner does not name, became concerned when she asked the canvasser how she had obtained her phone number and knew which party she was supporting. The woman was told Elections Canada provided the information.[2]
Now, the Canada Elections Act does say that it is acceptable for a registered political party to obtain the electoral list from each polling division. That list will include your name and address. Absent from that list, however, is the identity of the political party you supported in the previous election.
Every candidate, member of Parliament, and registered political party is allowed to use the list for communicating with voters. This is why the woman naturally assumed that Elections Canada was the culprit. But was it? It turns out Elections Canada was blameless. The Privacy Commissioner ruled the woman’s complaint was not well-founded because Elections Canada had not provided information about her party affiliation. She was also pleased to discover her name could be deleted from the electoral list sent to political parties.
The culprit was never identified, but the woman was right to sound the alarm. At the very least, such complaints put political parties on notice that while democracy depends on engaged voters, their privacy must not be taken for granted.
As we will learn in subsequent chapters, institutions such as political parties and commercial organizations find many ways to make contact with unsuspecting individuals.
In the United States, state and local governments administer federal elections. The specifics of how elections are conducted differ between states, and the US Constitution grants states wide latitude in how they administer elections.
In 2002, the Election Assistance Commission was established by the Help America Vote Act to oversee and educate the public about the voting process. The Commission is a valuable clearinghouse for information about voting and registering in your state. To make things easier, many states allow voters to register online.
In Canada, the law defines a political party as an organization whose fundamental purpose is to participate in public affairs by endorsing one or more of its members as candidates and supporting their election.
Section 44 of the Act gives the Chief Electoral Officer the power “to maintain a register of Canadians who are qualified as electors, to be known as the Register of Electors.”[3] The law says that the returning officers, or an assistant returning officer, may delete the name of the person from a preliminary list of electors if the person requests it and provides satisfactory proof of identity.
MPs and registered parties have access to the National Register of Electors. It’s important to realize that there is a difference between being on the electoral list and in a party’s database. The former does not indicate how you vote. The latter does. Parties use a number of methods to glean information about your voting patterns from venues such as social media sites. For instance, friending a political party on Facebook can result in the user’s name and photo being listed on the party’s social media page.
Parties in the United States and Canada can pass the information they glean to telemarketing agencies, which then place automatic calls, send emails, or post letters to these potential supporters asking for money, or telling them to vote. Since many rules do not apply to political parties, there is little to be done, short of asking the party in question to remove your name from the list.
In addition to being exempt from the Federal Trade Commission rules, CRTC rules, and federal and provincial and public- and private-sector privacy laws, political parties are also exempt from the new anti-spam legislation, and the do-not-call list provisions discussed earlier in section 1.
If you feel your privacy has been breached, it’s best to contact the party and ask that your name be removed. It’s unlikely that the breach will come from Elections Canada or your state. Chances are, the issue may rest with some aspect of your online activity.
As we add devices to our homes … much more sensitive data will be collected. User interfaces on devices will shrink or disappear, making it more difficult for consumers to know when data is being collected, or to exercise any control. In fact, I expect that the Internet itself will soon “disappear” because connectivity will just be part of how things work, as electricity is today.[4]
— Julie Brill
Our connection to the Internet goes far beyond our computers, mobile phones, and tablets. An increasing number of devices in our immediate surroundings track information about us and upload it to the institution or organization responsible for delivering a service. For instance, electronic thermostats monitor how much heat we use at certain times of the day, allowing the service provider to gauge consumer demand.
So pervasive is our connectivity to the Internet that a new phrase has been coined to describe the phenomenon: The Internet of Things. It is an environment in which people are connected through their devices that transfer data over a network without requiring human-to-human or computer-to-human interaction.
In its discussion of the Internet of Things, the Office of the Privacy Commissioner of Canada compares the phenomenon to “electricity, or the nervous system for the planet” that has become unseen, pervasive and woven into the “fabric of our society.” In general, it concludes that the Internet of Things is a “networking of physical objects connecting through the Internet” that includes elements that are discussed in this book:
• Cheap, ever-present sensors, devices, or “things.”
• Connection of the physical objects in our homes, cars, workplaces and bodies with cyberspace.
• Generation of data that is stored in the cloud where it is processed, aggregated, analyzed, and sometimes sold to the highest bidder.
Though it may sound otherworldly, the Canadian privacy commissioner points out that the concept is hardly a new one, since devices have been communicating with each other for a number of years. What makes the phenomenon more pervasive are many of the concepts we examine in these pages:
• A growing number of electronic devices are being invented and built to communicate with the Internet through sensors.
• These sensors are increasingly sophisticated.
• The devices communicate a wide range of information, such as your location, biometrics, online shopping preferences and, as we’ll see in this section, your viewing habits.
• Internet of Things computing devices are cheaper, more accessible and come in all shapes and sizes. Examples include the wearable devices discussed in Chapter 9, such as the popular Fitbit, which monitors steps taken and calories burned.
• An increasing number of institutions and organizations are using cloud computing and Big Data analytics to store, analyze and share information.[5]
Indeed, the benefits are many — a point that Federal Trade Commissioner Julie Brill stressed at the beginning of the speech she delivered on January 5, 2016:
“Let me be clear at the outset: I believe that big data and the Internet of Things have potentially tremendous benefits. Cities can better maintain their infrastructures by developing sophisticated early warning systems for gas and water leaks. Medical researchers can enroll patients in large-scale research projects and collect streams of useful data that, in the past, would have been a mere trickle coming from surveys and patients’ own reports.”
However, Brill also warned about the dangers — that is, companies that sell these devices might not spend a lot of time thinking about security until a breach has happened. Samsung and a product it calls a SmartTV is a case in point. The TV’s remote control has a feature that, if enabled, allows you to use your voice to perform tasks such as changing channels. In its privacy policy, the company had this warning, which was first reported by The Daily Beast, on February 2, 2015: “A single sentence buried in a dense ‘privacy policy’ for Samsung’s Internet-connected SmartTV advises users that its nifty voice command feature might capture more than just your request to play the latest episode of Downton Abbey.
“Please be aware that if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party.”[6]
So who was this third-party provider? What information other than your voice command was being picked up? Were errant discussions also being transmitted, and if so, what was being done with the information? If the transmission is not properly encrypted, could a hacker turn your TV into an eavesdropping device?
The day after The Daily Beast reported this, the company issued a statement insisting that it uses “industry-standard security safeguards and practices, including data encryption, to secure consumers’ personal information and prevent unauthorized collection or use.”[7] That response did little to quell the outrage.
Former Ontario Privacy Commissioner Ann Cavoukian expressed her indignation during an interview with CBC News: “With Samsung, it’s like all of a sudden you have to monitor what you should say in your home — the last bastion of privacy, a place that’s supposed to be sacrosanct. Are you kidding me?”[8]
In her speech at the International Consumer Electronics Show in Las Vegas, Brill raised concerns about this technology. “To help consumers navigate and benefit from this complex, uncertain, and exciting world, the Internet of Things and big data analytics need to meet consumers’ expectations and earn their trust. Appropriate privacy and security protections, as well as broader assurances that consumers are being treated fairly, are key elements of consumer trust.”
So what are we to learn from this cautionary tale about the SmartTV? For Cavoukian, now Executive Director of the Privacy and Big Data Institute at Toronto’s Ryerson University, the first step is to read the company’s privacy policy very carefully so that you know what information is being collected, how it’s being protected, how it’s being used, and what happens in case of a security breach.
These policies are dense and make for tough reading, but it’s worth the effort. Reputable companies should have robust policies in place. If not, then the negative publicity can force them into action, or at least clarify their position, as we saw in the Samsung case.
If you’re still not satisfied, Cavoukian says, the answer is simple: Leave the product on the store shelf.
The general public is coming to appreciate how our possessions can capture and transmit data about our lives, and also how that data can be analyzed to draw conclusions about our “private” behavior, said Colin Bennett, a political scientist at the University of Victoria. “The Internet of Things will gradually complicate the boundary between public and private spaces, and will complicate the question of what is, and is not, personal information.”
The Office of the Privacy Commissioner of Canada and its counterparts in the United States and Europe are concerned that policies governing privacy are taking a back seat to the technological developments of the Internet of Things, as more devices explode onto the market.
“How, then, can citizens who may or may not want to use this technology ensure that someone is held accountable for its use? How will they be able to challenge how the information is used, and how will they be able to give any kind of meaningful consent?”[9]
These questions prompted Canada’s privacy commissioner, whose office is part of the Global Privacy Enforcement Network, to launch what it calls the Internet of Things 2016 “global privacy sweep.”
For its part, Canada’s privacy office focused on health devices such as fitness trackers, smart scales, and sleep monitors.[10]
During its sweep, the privacy office looked at “whether users could understand how their personal information is collected, used, disclosed, and safeguarded and whether they could easily contact someone if they had any privacy questions,” said Tobi Cohen, a spokeswoman for the commissioner.
Officials had a chance to buy gizmos, try them out, and see if the accompanying privacy communications — the written explanations for users — were sufficient, she said.
“We examined the online information and other privacy communications available to the user related to the company behind the devices; we are contacting manufacturers, retailers and data controllers with specific privacy questions where necessary and we have sought to replicate the consumer experience by assessing privacy communications and information available to the user out of the box through to actual use of the devices.”[11]
The office will publicize its results in the fall of 2016.