Ms. Jane Tallim (Co-Executive Director, MediaSmarts):
Thank you very much.
Hello, I am Jane Tallim, co-executive director of MediaSmarts. With me is Matthew Johnson, who is our director of education and resident privacy expert. Thank you so much for inviting us here today.
We've been following the testimony to this committee with great interest and the many excellent recommendations that you've received so far. We've also noticed the number of expert witnesses who have stated that education, especially for children and youth, is an essential part of a comprehensive approach to addressing online privacy issues.
With this in mind, we would like to focus our remarks on how digital literacy, and in particular privacy education, can help young people develop good privacy habits for social media and other online activities.
Today's presentation is very timely because next week is Canada's annual Media Literacy Week. It's co-led by the Canadian Teachers' Federation and us. This year's theme is “Privacy Matters”. On Monday we'll be in Montreal hosting a youth panel exploring this topic to launch the week.
For those of you who aren't familiar with our organization, MediaSmarts is a national not-for-profit centre for digital and media literacy. We work to ensure that children and youth have the critical thinking skills to engage with media as active and informed digital citizens.
We were launched in 1995 as Media Awareness Network through a CRTC initiative on television violence. The commission's policy on this issue stated that although industry self-regulation and TV classification systems would play a role, public awareness and media literacy programs represented the primary solution to TV violence.
The same thinking applies today to online privacy. Given the inherent difficulties legislators face keeping up with constantly evolving platforms and applications, education plays a critical role in helping Canadians of all ages understand their rights and manage their privacy and personal data.
Digital literacy is the term we use to describe the range of skills needed by young people to make wise, informed, and ethical online decisions. Privacy management is one of these core skills.
Our digital literacy resources and programs are informed by our ongoing research project, Young Canadians in a Wired World. This is Canada's longest running and most comprehensive investigation of the behaviours, attitudes, and opinions of Canadian children and youth with respect to their use of the Internet.
One of our key areas of inquiry is young people's understanding and behaviours relating to online privacy, including the types of privacy invasions they encounter, and the role of adults in building awareness and influencing behaviours.
We recently launched phase three of the young Canadians project with funding from the Office of the Privacy Commissioner of Canada. Dr. Valerie Steeves of the University of Ottawa, who is our lead investigator, presented our qualitative findings to this committee in May, so you've already had a snapshot of how online surveillance has become a reality for today's youth.
Although young people find the constant surveillance annoying, persistent myths about stranger danger and Internet risks encourage them to buy into the idea that they need to be monitored to keep them safe online. The constant surveillance by parents, schools, and corporations, and young people's acceptance of it is cause for concern. Privacy is a fundamental human right, and continuous surveillance chips away at our private space. Moreover, this constant scrutiny undermines the mutual trust, confidence, and communication between adults and youth that is essential to giving young people the autonomy they need to develop digital life skills.
Finally, if youth grow up in an environment where surveillance at home and at school is normal and accepted, they are less likely to be aware of or to exercise their privacy rights regarding corporate surveillance.
Drawing from past young Canadians research findings, we have developed an extensive collection of resources on privacy management, ranging from games to teach good privacy habits to young children, to a comprehensive professional development workshop that trains teachers in how to address and improve the state of privacy as it pertains to the online activities of their students.
In our educational materials we focus on encouraging youth to make good choices about their own privacy, and also on teaching privacy ethics. Not only is it important to have our privacy respected and protected, we need to respect and protect the online privacy of others. This idea is most immediately relevant when it comes to social interactions online, but it has implications for corporate uses of privacy as well. One reason we place privacy education in the context of digital literacy is that, as other presenters have noted, privacy is not a stand-alone issue. It intersects with safety, cyber security, cyber bullying, authentication of information and digital citizenship.
An important part of digital citizenship is understanding and exercising your rights, both as a citizen and a consumer. To do that, youth need to know that their personal information has value and that they have legal and contractual recourse in protecting it.
Perceived importance of information privacy is a critical factor in determining how well young people manage their online privacy. With children going online at increasingly younger ages, this sense that personal information is valuable and belongs to oneself is important to cultivate, even at the primary level. For example, we have a Privacy Pirates game on our website, which was funded by Google. It helps younger students start to understand this concept.
Support for the critical importance of privacy education for youth has precedent in Canada and internationally. In 2008, Canada's privacy commissioners and privacy oversight officials passed a resolution on children's online privacy, where they committed to improve the state of privacy as it pertains to the online activities of children and youth by implementing public education activities to increase their awareness of online privacy risks. Since that time, the Office of the Privacy Commissioner has produced several excellent educational resources and has funded organizations, including ours, to produce privacy education materials.
In February of this year, the OECD adopted a recommendation on enhanced children's online protection, recognizing that the protection of children online encompasses content risks, contact risks, consumer risks, and risks relating to information security and online privacy. The OECD recommends that national governments foster awareness raising and education as essential tools for empowering parents and children, and develop responses that include all stakeholders, and integrate a mix of public and private, voluntary and legal, awareness raising, educational, and technical measures.
Good comparative models for Canada are Britain and Australia. Both have strong digital literacy components in their national digital strategies. In Australia, the federal regulator, ACMA, produces many resources addressing children's online privacy concerns. In the U.K., they've coined the notion that Britons should bear a digital entitlement, which includes not only access but also the right to basic digital literacy skills, including privacy.
The notion of privacy education for all is essential to fostering informed citizens who recognize and challenge invasive practices online. As several witnesses have noted, when the public pushes, the industry tends to pull back.
It's a widely held belief that young people, whether they be Facebook addicts or aspiring YouTube celebrities, don't care about privacy. This isn't true. In fact, the way youth understand privacy may be more relevant than how most adults view it, because they see it not as a matter of deciding whether or not to share, but as having control over the things they want to share.
To support youth, we need to widen the current focus on privacy safety risks to include privacy rights, ethical use, recourse mechanisms, and the civic and democratic dimensions of privacy. Privacy education must be supported on a national level, both through the K to 12 curriculum in schools and public awareness campaigns to inform all Canadians.
Dr. Colin Bennett:
I thank you for the opportunity to appear before your committee and to speak about this important issue.
I am a professor of political science at the University of Victoria and have been studying privacy protection issues for nearly 30 years in Canada and internationally. I've written or edited six books on the subject and numerous articles. I'm currently in receipt of a grant from the Social Sciences and Humanities Research Council to study privacy protection of social media. I'm also working on this same subject under a contributions grant from the Office of the Privacy Commissioner of Canada.
The privacy questions raised by social networking services are broad and dynamic, as you've no doubt discovered. Social networking challenges some of the traditional approaches and assumptions behind our privacy protection laws. As you've just heard, it requires extensive education.
The Privacy Commissioner of Canada has already outlined the privacy principles that should apply to social media. Her office has been at the forefront of global efforts to ensure that big data companies abide by established privacy rules and practices. But social media is not just out there, and it's not just about Facebook, it's also about our own organizations and our own practices.
Rather than discuss social networking in all its manifestations, I want to address an area of social networking and privacy that is far closer to your own experiences and lives as politicians. I want to raise a set of questions about how your own political parties use social networking services, and indeed, other sources of personal information to build databases about Canadian citizens.
I have just co-authored a report on privacy in Canada’s political parties for the Office of the Privacy Commissioner. This work was started back in 2011 and was published earlier this year. I'd like to take this opportunity to summarize the main findings, because I think this relates closely to the subjects of your inquiries.
Canada’s federal political parties can and do collect a large amount and variety of information on Canadian citizens: on voters, volunteers, donors, members, and supporters. A disparate and fluctuating number of employees and volunteers might also have access to these data, individuals who may have no privacy and security training. Increasingly, these data are communicated through highly mobile and dispersed electronic formats, and increasingly, they are captured through the observation of social networking activity.
Canadian parties now operate extensive voter management databases; they have been doing so for some time. There are the Conservatives' constituent information management system, CIMS, Liberalist, and NDP Vote. The foundation of these databases is the electoral list provided under the authority of the Elections Act by Elections Canada, but upon that framework, a large and increasing range of other data about voters is added and analyzed.
These data come from a variety of sources: telephone polling, traditional canvassing methods, petitions, letters, commercially available geo-demographic and marketing databases, and indeed, from social networking services. Overall, however, for a variety of reasons, the contents of those systems are shrouded in some secrecy.
As new technologies pioneered in U.S. elections increasingly play a role in modern campaigning, so the range and variety of personal data available to parties will increase, and so will the concerns about the protection of personal privacy.
Here are some examples: smart phone applications for political canvassers; targeted online advertisement software; targeted e-mail campaigns, which match IP addresses with other data sets showing party affiliation, donation history, and socio-economic characteristics; sophisticated market segmentation strategies aligning online and offline behaviour; extensive use of robocalling and robotexting; and, of course, the use of social networking and social media to plan campaigns, to target likely voters and donors, and to measure impact and engagement.
Social media not only provide a convenient method to target likely supporters, but also to capture increasingly refined information about the preferences and behaviours of voters, and their contacts and their friends. These developments have received much attention in the current U.S. election cycle. One of the most notable trends is the increasing use of customized and targeted political advertisements based on the digital trails individuals leave through their social networking activities. A recent report suggests there were no fewer than 76 different tracking programs that were observable on www.barackobama.com.
Surveillance during Canadian elections is less extensive and is less intrusive—well, so far. Nevertheless there have been a number of recent controversies that have raised concerns about the practices of political parties and have raised the profile of this issue.
The Privacy Commissioner has also received a number of complaints and inquiries about the activities of our political parties over the last several years, and they've also been raised to some extent in the provinces. However, she can do little to address these inquiries because, unlike in most other democratic countries, Canadian federal privacy protection law does not cover our political organizations.
Parties do not engage in much commercial activity and are therefore largely unregulated under the Personal Information Protection and Electronic Documents Act, PIPEDA, or substantially similar provincial laws. They're not government agencies and therefore are unregulated by the Privacy Act. The only federal law that really governs their privacy practices is the Canada Elections Act, but that legislation only applies to those voter registration data collected and shared with parties and candidates under the authority of that legislation.
Parties are also exempt from the new anti-spam legislation, Bill C-28, as well as from the do not call regulations administered through the CRTC. Thus, for the most part, individuals have no legal rights to learn what information is contained in party databases, to access and correct those data, to remove themselves from the systems, or to restrict the collection, use, and disclosure of their personal data. For the most part, parties have no legal obligations to keep that information secure, to only retain it for as long as necessary, and to control who might have access to it.
Virtually every other public or private organization in Canada must abide by these basic rules, so why should political parties be different? Of course, I concede that political parties play a critical role in our democracy. Parties need personal information to mobilize and to educate voters and for a variety of other reasons, and it has been claimed that these important functions outweigh the arguments for regulation and that therefore voluntary self-regulation will suffice, but as our report demonstrates, the current voluntary policies of our main federal political parties are incomplete, and they are inadequate.
From the point of view of an ordinary supporter or contributor, or potential voter who wishes to exercise control over his or her personal information, the existing voluntary privacy commitments of Canada’s main federal parties are often difficult to find, often inconsistent, and often somewhat vague.
No party is any better or worse than any other here—I'm not picking winners or losers—but there's little evidence, frankly, that any of your parties has given sustained consideration to privacy and to the risks associated with amassing vast amounts of personal data. For example, there's no link to privacy on the home pages of either the Liberals or the NDP, the last time I checked. There is a link on that of the Conservative Party, which is fairly prominent, but their policy is also somewhat incomplete, and it contains vague assertions and exemptions.
It would be my preference for Canadian federal political parties to be brought within the statutory requirements of PIPEDA and therefore under the authority of the Privacy Commissioner of Canada. I would urge the committee to consider that. However, in the meantime I think more can be done on a voluntary basis.
I think it would be a good idea—and I have read that some political parties have already done this, but it's not necessarily prominent—that all federal political parties declare that they voluntarily abide by the obligations in PIPEDA. It would be a good idea for them to revise their privacy policies and base them on the 10 privacy principles upon which PIPEDA is based, and to publish these more prominently. I think all parties should appoint a responsible official, the equivalent of a chief privacy officer, who would have overall responsibility for the collection, use, and dissemination of personally identifiable information. All political parties should adopt appropriate risk management strategies in case of data breaches. Data breaches are seen in many other areas of our life, in the public and the private sector. I think there should be training of staff and volunteers on privacy and security issues.
It may be that some of those activities are already occurring. I don't wish to be too critical, but my point is that it's not necessarily obvious, and therefore it's very difficult for individuals and ordinary voters and supporters, etc., to find out what their rights are.
These questions are not just about privacy. Lack of attention to the protection of personal information can erode the trust that Canadians have in the political parties and in our democratic system. In an age of social networking, being more proactive about privacy protection and providing those necessary assurances is also good organizational practice.
In summary, I applaud the committee’s attention to these challenging issues concerning social media and to the practices of big data companies such as Facebook and Google. There's been a great deal written about that subject, and I can certainly talk about those wider issues. At the same time, little attention has been given to the questions that I raise here, which I think are very much related to the topic of your inquiry and, of course, to your own individual work.
I would encourage you, therefore, to think about what I've said and to work within your own organizations to get your own houses in order and to encourage your respective parties to follow the same set of information privacy principles that apply to most other Canadian organizations.
I fear that controversies about parties and privacy protection of voters will only continue. The appropriate management of personal data in an era of extensive online social networking is not only in the interests of individual citizens, but also in the interests of your own parties and of the long-term health of our political system.
Thank you very much for your attention.
Dr. Colin Bennett:
Thank you for your question.
The project has centred at Queen's University and we're looking at various trends in surveillance that have occurred over the last 10 or 15 years or so. There are several things that we would point to.
First, there is the fact that surveillance has become more mobile. It's become more general. It's not just about who you are; it's about where you are.
Surveillance has become more embedded in material objects. We don't necessarily know that we're being watched. Surveillance is also something that is not just done between big organizations and individuals. It's also something that happens from peer to peer.
There are a variety of trends that are occurring, and social networking and social media are central to all of those trends. That's why I have difficulty saying that social media and social networking are things that are out there, things that big corporations do. They are deeply embedded in all of our organizations.
With respect to privacy, it is true that our privacy protection rules need to be considered and updated in relation to social media, and particularly with respect to this issue. Our laws, such as the Privacy Act and PIPEDA, were developed with the notion of a distinction in mind between an organization and a subject, or between a controller of data and an individual. Now that distinction has broken down as social media sites are producing and selling data that is actually generated by users. It's that notion of user-generated data that really does challenge some of the existing principles within our privacy protection laws.
I want to say something in response to the previous question about enforcement powers.
The Privacy Commissioner of Canada has ombudsman powers. I am in favour of broader enforcement powers. They're certainly necessary in the light of these rapid changes in technology. More enforcement powers would create a greater certainty for consumers and indeed for businesses.
It would establish a clearer jurisprudence where the rules and the investigation reports would have a clearer legal standing than they perhaps do at the moment. It's also a little odd that some of our provincial commissioners, such as in Quebec, British Columbia, and Alberta, do in fact have enforcement powers under their respective privacy laws, when the Privacy Commissioner does not.
Mr. Earl Dreeshen (Red Deer, CPC):
Thank you to our witnesses.
I'm a former high school teacher. I taught school for 34 years.
My daughter actually teaches an educational technology course out of the University of Alberta, where she teaches online to teachers who will end up teaching in an online platform. The education industry will have to be aware of how these types of things are happening in the future, so it's how you do the training and everything else.
I noted, from your digital literacy discussion, that those types of things are needed for the students, but also at the educational level, at the teaching level, with the opportunity perhaps to go to teachers' conventions and those types of things. They're great opportunities for awareness, certainly.
I have a question about something you mentioned earlier. It's the concern that students realize they're being watched at school, and realize they're being watched at home, and therefore don't see their privacy as being something that they have any control over. Of course, if they get into sites on school time and in a school setting, you know what kind of difficulty would occur there, so they have to be able to protect themselves. I'm wondering if you have looked at how that can all be done.
As well, when you talk about digital literacy, I'm wondering if you're also explaining to them that this isn't a free service, and that the reason it's out there is for these industries to be able to gather information, which I think sometimes we forget.
I'm wondering if you could comment on that.