IPC wants to see security/privacy rift healed
By Vawn Himmelsbach
While computer security can restrict the use of data, it can’t decide the issue of legal ownership. And in today’s world where we can save everything forever on the Internet, privacy controls have to change.
“Just because we can use pan-tilt-zoom cameras doesn’t mean we should,”
says Tracy Ann Kosa, PIA specialist with the Government of Ontario’s
Office of the Chief Information and Privacy Officer, who spoke at the
OPS Security Conference held recently in Toronto.
“Privacy allows us to grow and make mistakes in a way you can’t do in
the absence of privacy, where everyone knows what everyone else is
doing,” she says. “With today’s technology, you basically have a record
from birth to grave; you can’t erase everything and start over.”
That’s why the IPC is looking to build privacy practices into
technology. There’s a lot of confusion, however, between security and
privacy. Unlike security, privacy entails a sense of informational
ownership, that “this information is mine,” whether it’s on Twitter or
held within a Ministry of Transportation database. “But data privacy as
a right and a value is highly contextual,” says Kosa.
The risk in defining privacy is that we end up treating it too narrowly
or too broadly. Security and privacy overlap, and there’s usually a lot
The Canadian Institute for Health Information, for example, collects
your medical data when you go to a hospital emergency room. Previously,
that form was a consent form; now it gives CIHI permission to manage
your information as it sees fit. On the other hand, with electronic
medical records, the IPC tried to make it mandatory to get patient
consent at a field-by-field level, but was told it’s impossible to do
while maintaining any degree of productivity (there can be up to 10,000
fields for one person).
Security may be able to protect privacy, but it has its limitations,
since it doesn’t talk about data ownership. “Rules-based access control
is not the same thing,” says Kosa. The difference comes down to
informational ownership: that users perceive it as their information.
During Super Bowl XXXV, facial recognition software was used to scan
all people entering the stadium, looking for known criminals. Possible
matches were sent to a police control room, then forwarded to federal
authorities and on to Interpol. Facial recognition software is
not infallible, yet it was used without the knowledge or consent of the
people being scanned. “If my photo is sent to Interpol and I’m cleared,
the onus is now on me to get my name off that list,” says Kosa.
The problem is that security is focused on protecting systems, while
privacy is focused on protecting the users of the systems. Security is
focused on protecting the organization, while privacy is focused on
protecting the data subject. While security helps protect a data
subject’s privacy, security can also violate a data subject’s privacy.
Organizations are required to protect the confidentiality and integrity
of personal information, and to consider the necessity of personal
information data processing. Many businesses, for example, like to
collect all information about all people, just in case they need it.
“Why is it collected? Who has access to it? Do you have a demonstrable
reason to know if I’m married?” says Kosa. “If not, you shouldn’t be
collecting that data.”
In some cases, organizations unknowingly violate privacy. In 2007, for
example, a video image of a toilet in a methadone clinic was
inadvertently intercepted over a wireless device in a car. After an
investigation, the IPC found that the clinic’s wireless video
surveillance system had not been properly secured. “Privacy and
security should have been in the specs for the RFP,” says Kosa.
The IPC provides guidance on wireless services including data
minimization, encryption, data integrity, data authenticity and control
over third-party applications. But that guidance is already old news in
the security world, which is why there’s a need for more co-operation
between security and privacy practitioners.
“When I conduct privacy assessments, I ask to see the security person,
and usually that person doesn’t see any reason to talk to me,” says
Kosa. “We need to start working together.”