CILP symposium looked at legal solutions in an increasingly social world
By Mark Witten
If privacy is the ability to control data about oneself, then how can we use law and regulation to protect it, as the power and reach of Big Data and social media grow? This issue was explored at The Future Frontiers of Online Privacy Symposium, hosted by the University of Toronto Faculty of Law’s Centre for Innovation Law and Policy, and organized by Simon Stern and Leah Theriault.
Consider, for example, the app you last downloaded on your smart phone. How much information about you and your social contacts were you asked to give up to get access to the best recipes, fastest driving routes, or time and place of your child’s next hockey game? The trend to ever more Big Data will accelerate in the future with more apps, more monitoring, ubiquitous sensors and bigger aggregations of data in smart cities. Consent to data collection loses what little meaning it has in this transformed information environment, argued opening panelist Michael Froomkin.
“Consent is meaningless for remote sensing and informed consent is impossible if one cannot predict what effect the data use might have,” said Froomkin, the Laurie Silvers & Mitchell Rubinstein Distinguished Professor of Law at the University of Miami. As Froomkin explained, Big Data projects allow companies and governments to make inferences about you based on people who share observed traits about you. “There is no occasion for consent on your part, if others have consented to a deeper dive into their data,” said Froomkin.
Security companies and law enforcement officials might then use that information without your awareness, to decide whether you are trustworthy or dangerous in an emergency situation. Froomkin cited the example of “Beware,” a program made by West Safety Services in the U.S. that can quickly sort through billions of publicly available commercial records to alert first responders to potentially dangerous situations. Beware calculates “threat scores” by assigning people and addresses green, yellow, or red scores with red being the highest threat and green being the safest. Your green or red label may determine whether a concerned paramedic, or a SWAT team, is called to the scene.
Froomkin proposed a number of solutions to protect privacy, including regulation of sensors and data collection, regulation of data storage and sharing, inventing new ways to opt-in and opt-out, and a new due process in data processing. “There should be a right to contest distant, invisible algorithmic decision-making and you should get notice of when, how and why your data is being processed,” Froomkin said.
“If we want to have a sustainable digital society, trust is essential,” said panelist Neil Richards, professor of law at Washington University in St. Louis.
How can trust be built, or restored, in a digital environment where half of Canadians say they have no idea what businesses and governments do with their information?
Regulators and organizations need to be proactive in informing consumers and citizens how their data will be used. “There must be a way for an individual to find out what information about him is in a record and how it is used,” said Richards.
Panelist Neil Seeman, JD 1995, warned about the potential dangers of stifling innovation with heavy-handed regulations to protect privacy. “We need to embrace the philosophy of the web, of emancipation and freedom. We need to have privacy rules that allow Canadian innovators to flourish in a global environment,” said Seeman, CEO and founder of RIWI Corp., a healthcare and security technology company.
Panelist George Takach, LLB 1983, emphasized the need to find a healthier symbiosis between technology and privacy, which would work to their mutual advantage rather than the detriment of either. “Smart regulation tries to grasp the win-win and the solutions have to be global,” he said.
To draw lessons for future regulation of online privacy, he cited e-commerce statutes as a positive example of e-regulation that was minimalist, but very effective. “The Canadian regulations were synchronized with a global initiative, and the regulations support and enhance online activity in a measured and responsible manner,” said Takach, a leading expert in technology law and senior partner at McCarthy Tétrault in Toronto.
“We need collaborative efforts to meaningfully calibrate consent. There could be three or four types of privacy settings so you would have a choice about the degree of privacy you want,” Takach said.
In her keynote speech on legislating privacy in the private sector in Canada, Stephanie Perrin gave an insider’s view of aspects of the Personal Information and Electronic Documents Act, PIPEDA, that worked and some that didn’t. “PIPEDA worked as ‘light touch regulation’ and had the full support of industry,” said Perrin, president of Digital Discretion, who also worked at Industry Canada on the drafting of PIPEDA, which was enacted in 2000.
It succeeded in regulating the private sector. But adoption of privacy law by provinces in the public sector was slow. The problems with coerced consent need to be fixed, so users can pick their privacy preference. “The audit power doesn’t work and we need better enforcement of the legislation. A complaints-based approach is too passive,” Perrin said.
An additional difficulty for regulators is the fact that consumer behaviour often diverges markedly from theory and predictions. Regulators need to understand and be responsive to the actual behaviour of billions of social media users to craft appropriate and effective solutions to privacy concerns in the face of changing technologies and new product development.
“We need to find global solutions to online privacy issues,” said Nadine Letson, senior corporate counsel, corporate, external & legal affairs at Microsoft Canada.
As moderator of the social media analytics panel, she presented a Wikipedia list of 17 vibrant virtual communities with more than 100 million active users, led by Facebook with 1.55 billion and WhatsApp with 900 million. Canadians using Instagram, Twitter, SnapChat, Google and LinkedIn are concerned about not having enough control over their online information. But their involvement in social media continues to grow.
Panelist Leslie John’s studies of online consumer behaviour show how social media have made it easy to impulsively divulge personal information, while heightening the permanence of that information. Consumers may have serious concerns about privacy. But they can’t resist the meaningful and instant social benefits.
“Sharing information is fundamental to creating human bonds. People care about sharing information and people also say they care about privacy. Technology makes the motivation to share really salient and downplays privacy,” said John, assistant professor of business administration at Harvard Business School.
There are real dangers associated with online disclosure, however. She cited research that found 93% of recruiters look at a candidate’s social media profile. “They always adjusted their assessment negatively and were less likely to hire,” John said.
Panelist Melanie Kim argued that regulatory and business organizations must understand how consumers actually behave in assessing the risks and potential harm of sharing their information online. Behavioural economics studies show that real consumers don’t process information perfectly and aren’t rational in their decision-making.
“People care about present benefits and costs. We’re tempted to share more than is necessary. What we share online today may be safe today; but we don’t know if it will be safe tomorrow and it will be there forever,” said Kim, a research associate at Behavourial Economics in Action at U of T’s Rotman School Management.
She proposed behaviourally informed solutions that would actively encourage users to understand and evaluate the risks of online sharing, and choose their personal privacy preference. Privacy risk labels in social media would be like nutrition labels that allow consumers to evaluate health risks and make informed food choices. You could press a red, yellow or green button to indicate your preferred privacy-risk setting. Before proceeding, you might receive a reminder: Are you sure you want to do this?
“The best regulatory policies are developed with the end consumer in mind and an understanding of how real people actually make their decisions,” Kim said.
The Future Frontiers of Online Privacy Symposium was made possible by a generous gift from Microsoft Canada.