A 7-Step Guide to Protecting Your Online Data in Canada

2018-04-25 2:39:20 PM

With thanks to Josh O'Kane and The Globe and Mail, April 25, 2018

What do the New York Rangers, REO Speedwagon and the largest outdoor amphitheatre in the Indianapolis area have in common? Despite my complete lack of interest in all three, they’re among more than 200 advertisers that I discovered had my contact information on Facebook this week, after I asked the social-media platform to hand over the data it’s collected on me since 2005.

Among the many things Facebook Inc.’s targeted-ad program got right about me – an affinity for newspapers, baseball, and, thanks to my favourite podcast, endless minutiae about the band blink-182 – it also believed I had a deep passion for ham and water. The absurdity of the targeting, perhaps, is a function of its volume and specificity: after a decade and a half of tracking my digital activity, the platform had deemed me worthy to target with 89 different ad topics.

The collection of personal information has never been more commonplace, and it’s destined to grow even more as machine-learning algorithms and voice-assistance technology, specifically designed to learn from human habits, become part of everyday life. But attempts to sway elections, incite violence, and high-profile data breaches are now raising questions about the long-term consequences of harvesting all this information. As Facebook and Cambridge Analytica’s data-abuse scandal has unfolded in recent weeks, forcing Facebook chief executive officer Mark Zuckerberg to testify before the U.S. Congress, there is finally mass appetite to study these consequences and the practices that enable them.

In the meantime, a campaign to #DeleteFacebook is asking users to push back against the tech giant, but it’s not clear how many people are willing to do that. There is no blanket way to protect personal information online, but there are ways to push back against its unwanted collection. Shifting tides in both Canadian and global privacy law, meanwhile, are starting to lean in consumers’ favour. But it’s slow. “Canadian privacy laws are complaint-driven, which in itself is fine, but there’s no incentive for compliance,” says Imran Ahmad, a partner at Miller Thomson LLP in Toronto who specializes in cybersecurity, technology and privacy law.

While companies generally collect information in the name of enhancing their services, some of those services, such as ads, inherently benefit another party. And, as the threat of data breaches continues to grow (the number of breaches in the United States rose 45 per cent in 2017 over 2016, according to the Identity Theft Resource Center), your personal information is increasingly at risk. With that in mind, here’s a guide to protecting yourself from unwelcome data collection and abuse here in Canada.

Figure out what they’ve got. If you can’t find the link in your Settings tab, Facebook lays out clear instructions for downloading your data so that you, too, can figure out if you’re somehow categorized as a user who wants ads about ham. It took Facebook under an hour to compile my information, which turned out to be more than two gigabytes tracing my nearly every move for the last 13 or so years: every theme party I’ve ever thrown (see: Top Gun), every terrible timeline post I’ve made and received (including from confused friends the week I changed my identity to Daryl Hall, of Hall & Oates, in 2009), every “friend” I’ve ever deleted and the exact day I did it.

Google offers the same data-download option, and it turned out the company had collected massively more data than Facebook: more than 10 gigabytes over two zip-file packages. Though much of this was Gmail-related, I discovered my browser history going back months, a list of every YouTube video I’ve watched since November, 2011, and locations I’d saved in Google Maps from a weekend trip to Detroit two years ago.

In the “Personal info & privacy” section of your Google account settings, you can find even more information, including a “private map” that, depending on your settings, can tell you everywhere you’ve been going back a long time. It’s designed to improve map searches and commuting routes, Google says − which I luckily had left on “pause,” since it’d be a little uncomfortable for a company I write about to know exactly where I’ve been.

Don't like what you're being targeted for? Get rid of it. On Facebook, you can click the “Ads” tab in your settings, which has a suite of options. The big one is “advertisers you’ve interacted with,” including all those who have your contact information. These advertisers, Facebook says, likely had your contact information if you shared it with them directly (unlikely, New York Rangers) or if you shared it with another business they’ve partnered with. It’s possible that a terms-of-service agreement I once signed, for instance, let the esteemed Doobie Brothers give my Gmail address to REO Speedwagon, who then took it on the run to Facebook. There are icons for each advertiser that lets you remove them from your ad “preferences,” plus settings to disallow other kinds of advertising.

Facebook has offered a privacy checkup since 2014 that’s worth running through, though the company says the one-stop-shop is not available to all users. Users who want to delete their whole accounts (rather than “deactivate” them) will need to wait up to 90 days to have all their information cleared from Facebook’s servers. Google has a checkup tool in its account settings, too, plus a number of options to adjust your targeted ads, and “activity” monitoring, including instructions to stop or start location tracking. And anyone afraid of their search history being tracked might want to try DuckDuckGo, a search engine that promises not to collect or share any personal information.

Know your rights. In terms of consumer data privacy, Canadians are generally in a better position than Americans, but falling behind Europeans. “As compared to the U.S., Canada has private-sector privacy laws,” says David Elder, a lawyer with Stikeman Elliott LLP who focuses on privacy law. “The U.S. doesn’t, really,” he says, save for some Federal Trade Commission powers.

Canada’s Personal Information Protection and Electronic Documents Act, or PIPEDA, guides the private sector’s usage of data, and Ottawa announced in April it would introduce new rules for reporting data breaches, including more clarity over what consumers deserve to know. Alberta, British Columbia, and Quebec also have private-sector privacy statutes that are similar in nature to PIPEDA.

“There is a general requirement, under PIPEDA for example, [to have] the ability to withdraw consent,” Mr. Elder says. “That ability is limited by legal, contractual, reasonable business purposes, but it’s there. So [consumers] have the right to say, ‘You no longer have my consent to use my personal information for whatever purposes.’ One thing that commonly happens now is individuals have the ability to request that organization stop using their personal information to market to them.”

While PIPEDA gives Canadians the right to make data requests from companies, and for companies to respond within 30 days, the process can be cumbersome. The Citizen Lab at the University of Toronto has found barriers to the process including data usability, identity verification, transmission security, and cost − in one instance, they found a company charged a consumer $200 plus tax.

There are signs that the prevailing Canadian privacy ecosystem is shifting in consumers’ favour. While the country offers no explicit right for citizens to ask search engines to “de-index” information about them from results, for instance, the Office of the Privacy Commissioner said in January that PIPEDA could in fact be re-interpreted to offer that right, known as “the right to be forgotten” in Europe, to Canadians. Commissioner Daniel Therrien, meanwhile, reiterated his long-held request for more powers over tech companies when he spoke to MPs in April.

The European Union is generally acknowledged by privacy experts as pushing forward the global standard for privacy rights, thanks to its General Data Protection Regulation, or GDPR, which comes into force in late May. “The underlying principle of GDPR is giving control back to the individual,” Mr. Ahmad says. “ If that is the gold standard, how are we responding and how is PIPEDA responding? We need to revise PIPEDA, and we need to have these mechanisms where people have more control over their data.”

Facebook’s Mr. Zuckerberg has said that it will make GDPR-compliant settings available to users worldwide, though Reuters has reported that the company may limit GDPR protections just to Europeans.

Be wary of sharing your contacts. One of the more startling findings several tech reporters and privacy advocates have flagged in their Facebook data downloads are the phone numbers of dozens or hundreds of other people they knew. They’re found under the “Contact Info” tab of the html file the company gives you. Mine was empty, but my editor found Facebook had a record of every number in her phone: my cellphone, her boss’s, even that of the Grade 9 babysitter her family uses. The babysitter doesn’t even use Facebook.

This is because some of its apps, including Messenger and Android’s Facebook Lite, ask for access to a person’s contact information when users get started, which a company spokesperson said in an e-mail helps connect them with friends. “People are expressly asked if they want to give permission to upload their contacts from their phone − it’s explained in the apps when you get started,” the spokesperson wrote. “People can delete previously uploaded information at any time and can find all the information available to them in their account and activity log from our Download Your Information tool.” The company also has a help page for managing contact-list uploads. When a person deletes their contacts from Facebook and its apps, the company says it deletes all of their information from its servers.

Some describe Facebook's collection of non-user data as building a "shadow profile," giving the service information about potential new users with this contact information in conjunction with browsing histories, which it can collect with ad-tracking code through partner websites. “That, to me, is utterly appalling,” says Ann Cavoukian, the distinguished expert-in-residence at Ryerson University’s Privacy by Design Centre of Excellence and a former Ontario information and privacy commissioner.

While Facebook has been called out for this practice, including during Mr. Zuckerberg’s congressional testimony, it’s not uncommon. My Google account had 1,800 contacts saved, more than I ever remember contacting through Gmail, the main service of theirs that I use. The company told me that saving contacts helps with Gmail’s auto-complete feature, and that after a decade or so of owning my address, that number of contacts would make sense − accounting for, among other things, onerous reply-all chains.

Similarly, Globe reporter Christine Dobby recently reported that Rogers Communications Inc. internet users with @rogers.com e-mail addresses (provided by Yahoo, now owned by Oath Inc.) have discovered that agreeing to their terms of service implies consent from your contacts that Oath or a third party can send them messages about its services. The Office of the Privacy Commissioner of Canada said it has received numerous concerned calls about it − and plans to discuss it with Rogers directly.

Know what you’re getting into. Yes, that means reading every “terms of service” agreement that you cross paths with. “Read the terms of service,” says Samuel Trosow, an associate professor at the University of Western Ontario’s law and media-studies departments. “Even though these things can be impenetrable and difficult to read. I’m a law professor, and did a study of these, and I found them impossible. But it’s the starting point.”

Have you ever actually done that? If you don’t want to read the whole thing, try a summary. Since 2012, a group of hackers, developers, designers and others have been building the website Terms of Service; Didn’t Read, which judiciously summarizes many organizations’ winding agreements, so you have a sense of what you’re signing away.

Privacy experts naturally want these agreements to bend more toward consumers. Those who favour Canada’s more stringent privacy-protections have, in one recent instance, found an ally in the Supreme Court of Canada. In a case called Douez v. Facebook Inc. in 2017, the court ruled that despite the requirement in Facebook’s terms of use that disputes with the company must be resolved in California, and according to California law, there was strong cause not to enforce the requirement. A majority opinion found that Canadian courts “have a greater interest in adjudicating cases impinging on constitutional and quasi-constitutional rights because these rights play an essential role in a free and democratic society and embody key Canadian values.”

The result could be crucial for future legal interpretations of terms-of-service. “It’s important to realize that just because you’re agreeing to Terms of Service with a United States company, you’re not necessarily waiving your Canadian rights,” Dr. Trosow says.

Be conscious of how you’re being tracked. It’s not just advertising-dependent companies such as Facebook and Google parent Alphabet Inc., or major retail businesses that handle credit card information, such as Amazon.com Inc., that collect and store data. There could be a great deal of danger ahead as more and more everyday objects become “smart” and connected to the much-hyped “Internet of Things,” sending out massive amounts of data about people, their homes and their lives. Two of the most popular voice-activated digital assistants, Amazon Echo and Google Home, came to Canada last year, and will likely encourage even more home connectivity in the months and years to come.

Dr. Trosow published a paper on his website last year outlining the risks of devices’ growing connectivity. He noted especially that because wearable technology such as fitness trackers or connected appliances such as smart fridges lack the same interface as traditional computers and smartphones, consumers may not be as clear about what kind of data transfers they’re consenting to.

It is crucial, Dr. Trosow says, to study and understand these devices’ security settings, as the defaults might not be up to the same standards you’d expect from a regular Internet-connected computer.

“Be aware of the fact that somebody is watching what you’re doing, and information is being gathered about your normal activity,” he says. “You’ve provided an entrance into your home and surroundings. Which, if not properly secured, could be the weak point for somebody who wants to engage in improper activities to get into your home, and have access to other things connected to your router.”

In a recent eye-opening article titled “The house that spied on me”, a Gizmodo reporter connected as many devices in her apartment as she could to the internet, including an Amazon Echo, her lights, coffee maker, baby monitor, TV, and even her bed. Her colleague built a special router to monitor the devices monitoring her and found he could discern deeply personal information, like when she was home, when she went on vacation and sometimes even what she was watching on TV.

Protect yourself, but speak up, too. If someone wants to maliciously get your personal data, you could inadvertently help them. Don’t open suspicious e-mails or click suspicious links. Don’t give your financial information away unless you have to. Use strong, varied passwords, especially where your financial information is involved; services such as 1password can help you keep track of them all. And when a service offers the chance to use two-step authentication to log in − requiring a second verification after your password to prove you’re you, such as entering in a code the service texts you − sign up.

You have the right to make your voice heard about the companies you engage with, too. Canada’s Privacy Commissioner is already concerned about the power internet giants hold (it’s currently investigating Cambridge Analytica’s misuse of 87 million Facebook users’ information, including the data of more than 620,000 Canadians), along with Rogers’ e-mail customer concerns.

Dr. Cavoukian says concerned Canadians should make their voices known to Facebook, too. When company executives spoke before MPs in mid-April, its deputy chief privacy officer Rob Sherman said Facebook is working towards “privacy by design” − a concept Dr. Cavoukian developed two decades ago that suggests “privacy assurance must ideally become an organization’s default mode of operation.“ Dr. Cavoukian was furious, calling the remarks “appalling” in an interview.

“I would love people to go to Facebook and say, ‘I want privacy by design. You said you’re offering it, where the hell is it?’” she says. “What I find unacceptable are the practices that are hidden and not made apparent,” she continues, citing the collection of users’ phone contact lists.

“Privacy forms the foundation of your freedom. If you value freedom, you value privacy. Let’s go to great lengths to keep it protected.”