Office of the Privacy Commissioner of Canada

The Human Element in Designing Privacy & Security

Infosecurity Canada Conference & Exhibition

June 20, 2006
Toronto, Ontario

Address by Jennifer Stoddart
Privacy Commissioner of Canada

(CHECK AGAINST DELIVERY)


Introduction

These are trying times for us all.  The alleged terrorist plots of recent weeks – if the allegations are substantiated – have underscored the importance of addressing the security concerns that face many countries, including Canada.

But as we address those security concerns, it is important to remind ourselves, as Robbie Burns once did through his literary reference to men and small rodents, that our best intentions can go awry. 

Today, beyond the simpler world of Burns and his mice and men, we have added the threat of terrorism and the vicissitudes of technology.  And amidst these phenomena we have another issue to be reckoned with – something called privacy, a right recognized in international law, the Charter of Rights and ordinary domestic laws of Canada, a right that is central to life in a democracy.

Maybe some of you are getting tired of hearing the privacy message. After all, privacy can sometimes be seen as throwing a bit of a wrench into all those fascinating technologies – databases, biometrics, RFIDs and the panoply of other tools for surveillance.  However, privacy is simply too important a right to be relegated to being a secondary consideration in our world.  It is too easy to be seduced by the siren song of technology and the climate of fear into seeing privacy as a hindrance to a secure and free life, rather than as an indispensable component of our democracy.

As Privacy Commissioner of Canada, I spend much of my time addressing the relationship between human beings and technology – between man (and woman and child) and machine.  I know that many in this audience are striving to develop and work with technologies, some of which are intended to protect us from the threats that we perceive around us.  It can almost go without saying, although I am going to say it, that privacy must be a consideration in developing these technologies. Clearly, building in privacy at the front end of a project is preferable to trying to add it on later.

The Human Element

There is another important issue here, beyond the technology – the human beings who work with that technology.  That is what I would like to focus on today – the human element in the privacy and security equation.  As we are all too often reminded, our species is capable of defeating the very best security technologies in the world.   

Often we defeat privacy and security measures, not through malice, but through negligence.  A recent article in the American publication, Government Computer News, described a survey of more than 900 cab drivers in nine countries.  This survey found that 85 notebook computers, 227 personal digital assistants and 2,238 cell phones had been lost in cabs in the second half of 2004. The story continued that over 4,400 notebooks are thought to have been left in Chicago’s fleet of 25,000 cabs alone.  Another article referring to the same survey noted that, on average, 3.42 mobile phones and .86 PDAs and Pocket PCs per cab were left behind each day. Chicago’s cabbies are notorious, I am told, for being frustrated Grand Prix race drivers, so maybe passengers are simply happy to escape with their lives at the end of the journey – hence the seemingly large number of devices left behind in the taxis.  But whatever the cause of the problem, it is a problem.   
 
You understand this phenomenon.  Build a sophisticated technology to enhance security or protect privacy, and have it defeated by a careless human.  One of the privacy issues dealt with by an earlier Privacy Commissioner almost two decades ago involved completed income tax forms tumbling off the back of a truck near the Parliament Buildings in Ottawa.  At least in those days, the threat posed by the carelessness could be contained fairly simply.  Today, the loss of an item of technology can have far greater consequences.

Importance of Training

On several occasions I have noticed a failure of employee training with organizations subject to the Personal Information Protection and Electronic Documents Act (PIPEDA).  Let me give you just a few examples of what can go wrong.  Last year I released the findings of an investigation into hundreds of faxes containing customer information that were sent in error over several years by the CIBC to one company in the United States and another in Dorval.  We do not know if the breach by CIBC facilitated any identity theft, but such lapses certainly create the opportunity for identity theft.

Having a privacy policy on display does not make a business privacy-compliant; at the time the faxes were misdirected, the CIBC had a privacy policy, but failed to adhere to it.  Organizations must ensure that all employees are aware of and follow privacy policies. Otherwise, some of the best technologies, and some of the finest privacy and security policies, can be reduced to rubble.

In other cases, employees of organizations have been duped by “pretexting” – the practice of misrepresenting one’s identity or using other deceitful methods to get personal information about someone else.  Legislation banning pretexting may be one solution, but again the key protection is alert and well-trained employees. 

Sometimes it is not simply a matter of a careless human defeating technology.  Sometimes it is a malevolent human.  Many see the “insider” threat – employees who have legitimate access to a network and the personal information it contains, but who choose to abuse this privilege – as the most dangerous security and privacy threat and the one that is the most difficult to defend against.  The motivations for these actions range from curiosity to revenge to profit to the need for large sums of money to feed an illegal drug habit on the black market.  Paradoxically, training employees about how to protect privacy and enhance security may alert crooked employees intent on circumventing the system about just how to do it.

The National Post newspaper reported a scheme a few years ago where five Ontario transportation ministry workers had allegedly sold 25,000 Ontario driver’s licences that would appear to the outside world to be genuine.  For several hundred dollars, individuals could obtain a “genuine” licence containing a false identity.  These licences would appear to be valid since their details were entered in the transportation ministry computers.  Anyone checking the licence would see nothing wrong.

Early in 2003, a hard drive containing personal information about possibly a million Canadians disappeared from a secure area of an information management company in Saskatchewan.  In this case, a high-tech employee had simply wanted the drive for additional storage space.  However, the hard drive would be an identity thief’s dream.

Among the data kept on the drive were insurance records for 180,000 clients of one of Canada’s largest insurance companies. Several Saskatchewan government agencies also entrusted personal information about provincial residents to the information management company that owned the hard drive.  A Canadian mutual fund company reported that the hard drive held account information for two‑thirds of its one million clients.

Just weeks later that year, the National Post reported that an unauthorized intruder gained access to a database belonging to a company that processes transactions for merchants. The intruder had access to Visa, MasterCard and American Express account numbers from clients in several countries. As many as 8 million account numbers might have been compromised overall.

If you think we have problems with the leakage of personal information now, just wait until Electronic Health Records become more fully integrated into the health care system.  The damage from the inappropriate release, deliberate or negligent, of sensitive health care information – psychiatric records, for example – could be profound. 

Looking for solutions in the wrong places

There is an important second aspect in this discussion of the human element in designing privacy and security.  That is the frailty inherent in the way we look for solutions to the security issues we face.  Too often we reach for the obvious solution rather than the right solution. 

We can see this in the world of employee privacy.  Too often, we reach for surveillance solutions that may in the end cause more harm than good.  The limited benefits in terms of workplace productivity or security – if those benefits accrue at all – may well be offset by the loss of privacy and the poisoning of the workplace environment that results.  A constantly watched, and likely dehumanized, workforce is almost certainly not an enthusiastic workforce, and the oppressive environment created by surveillance can play out in other ways that are damaging to society as a whole.  Fortunately in Canada, we do have workplace privacy rights, in part thanks to PIPEDA, that put the brakes on the tendency to reach for the obvious, but sometimes inappropriate, solution of extensive workplace surveillance.

Sacrificing privacy to enhance security also seems to be the obvious solution, or at least a significant component of the solution, to many of the security problems confronting us.  But again, sacrificing privacy may not be the best solution.  It may not be a solution at all.  I am not minimizing the potential seriousness of our security problems.  Too often, however, we are looking in the wrong place for fixes to the problems that confront us.   And in some cases, looking in the wrong places for the solutions actually creates the risk of greater harm.

If you think I am being somewhat obtuse in this part of my speech, I am.  My job is not to address the root causes of the threats that may arise to our security.  But I consider it wholly appropriate to ask whether a failure to address the root causes is leading us instead to reach for a surveillance solution that unnecessarily diminishes privacy.  In the short term, security solutions that diminish privacy may be necessary.  In the long term, we will do a grave disservice to this right – and to our autonomy – if we don’t look beyond intrusive “solutions” to the circumstances that generate risks to our security.

Let’s look at the debate surrounding a national identity card or, as it is more appropriately described, a national identity system. This piece of plastic, but more so the technological bells and whistles attached to it, may be the most significant privacy issue debated in Canadian society today.  The debate about a national identity card is not new in Canada.  The Commission d’accès à l’information du Québec expressed reservations about a national identity card in the early 1990s when discussion arose in Quebec as a result of concerns about potential electoral corruption in some ridings during the 1990 provincial election.  Canada’s Social Insurance Number has long been discussed as a possible national identifier.  But the debate about a national identity card is now being driven by a powerful fear that threatens to weaken the scepticism with which a democracy should greet any potentially intrusive measure.

Successive federal Privacy Commissioners have stated concerns about a national identity system.  Perhaps first and foremost today is the lack of utility of the system for dealing with the phenomenon of “home-grown terrorism.”  As we saw in last year’s attacks in the United Kingdom, acts of terrorism can be committed by “legitimate” individuals – not foreign interlopers – but individuals born and raised in the targeted country.  These individuals will have all the necessary legitimate documents to obtain a national identity card.  The famous character Pogo in Walt Kelly’s satirical comic strip had it right when he said, in a different context (he was speaking of the damage to environment caused by pollution), that “We have met the enemy, and it is us.”  If the enemy is us, a national identity card, acquired with legitimate documents, will not offer any real protection. 

A national identity system may even increase the risk to national security.  The existence of the system may create a false sense that security issues have been addressed, when in fact many security issues have little or nothing to do with identity.  In addition, good security requires “depth” of security – multiple means of protecting security.  To the extent to which a national identity card might give comfort that such “depth” is not necessary, it might actually weaken our defences.  

A national identity system will also provide a focal point for criminals and terrorists who want to compromise the system.  Remember the human element in privacy and security, the “inside threat?”  All it takes is a few insiders, motivated by ideology or money, and the integrity of a national identification system may collapse, bringing down with it the many other adjunct identity systems based on it. 

And let’s look at the privacy consequences of this flawed system.  Even a supposedly voluntary national identification system will inevitably move towards a de facto compulsory system.  Failure to possess a card would be grounds for suspicion by the state.  The ability to be anonymous, an important component of privacy, would disappear.  “Identification creep” will almost certainly occur.  As the UK Information Commissioner Richard Thomas has warned, a national ID card could lead to the situation where the highest level of identity validation becomes the norm for the most mundane of services. Failure to have an ID card, even if voluntary, may lead to second-class service by the private sector, including denial of service in some cases. A national ID card could effectively become an internal passport.

A national ID system could provide a common linkage for numerous databases. As the card is used for more and more purposes, this common linkage opens the door to relentless tracking of the activities, transactions and whereabouts of individuals. 

I am not going to rehearse the many other privacy concerns about a national identity system.  That is a much longer debate for another day.  But I am going to repeat my caution about the frailty of our very human approach to the problems that confront us.  Strong justification, not just emotional appeal, is needed for the implementation of a national identification system.  The burden should fall on those who call for this national system to justify benefits in terms of added security.  They should be prepared to explain its costs in terms of privacy.  They should demonstrate that this is the least intrusive option consistent with achieving legitimate societal benefits.

Conclusion

As you can see, the human element plays a large role in privacy and security.  We need to work to ensure that the human element does not defeat legitimate security measures through negligence or malevolence.  Equally, we need to work to ensure that human negligence or malevolence does not cost us our privacy.

Perhaps above all, we need to address our very human tendency to reach for technological solutions to problems that cannot ultimately be solved by technology.  The cost of our failure to address this tendency will be the loss of this important right we call privacy, in all likelihood for little or no gain in security.

Almost two decades ago, in the Dyment case, Supreme Court Justice La Forest described privacy as “essential for the well-being of the individual.”  Nine years later, in the Dagg case, Justice La Forest reminded us in his dissenting opinion, although he spoke for the entire Court on this point, that the protection of privacy is a fundamental value in modern, democratic states.  More recently, in the 2002 Supreme Court decision in Lavigne, Justice Gonthier spoke of the extent to which the protection of privacy is necessary to the preservation of a free and democratic society.

This spring, in the Heinz case, the Supreme Court has reiterated “… the paramount importance of individual privacy…” in our legislative scheme.

The Supreme Court of Canada has it right.  Privacy is not a right that deserves to be abandoned or diminished lightly.  I urge you to keep this in mind as you work through the complex machinery of ideas and technologies to address the security issues that are upon us, and that will continue to visit us in the years to come.