Newly-released documents suggest Privacy Commissioner Jennifer Stoddart was caught off guard when she learned last year that departments and agencies were independently collecting and storing data from people who visited their sites and, in some cases, transferring that information across borders to third parties such as Google.
"We only became aware of the current situation when a department approached us for advice," Privacy Commissioner Jennifer Stoddart wrote in a June 2011 letter to Treasury Board President Tony Clement.
More than one year later, her worries of potential widespread privacy breaches linger, despite assurances from the minister's office that a solution is on its way.
"Our office remains concerned about the privacy implications of the use of web analytics on federal government websites," a spokeswoman for the commissioner wrote in an email this week.
Stoddart's four-page letter to Clement sent last year meticulously lays out her concerns about the privacy risks of web analytics -- the practice of collecting and analyzing data from computers that visit a particular site, in an effort to determine how users interact with it.
The practice is by no means exclusive to government. Websites frequently use web analytics to provide a detailed picture of web traffic and to help site managers improve their pages by finding out how visitors arrived at the page, the paths used to find a desired page, and whether someone is a first-time or repeat visitor.
But to help paint that picture, data including parts of a visitor's browsing history, preferences and user identification codes are often collected and stored.
CALL FOR MORATORIUM ON TRANSFERRING DATA
Coordinating and collecting the data that comes from web traffic can be time-consuming and laborious, which has prompted more than 40 government departments to rely on Google Analytics -- an online tool that requires information be transferred to the United States.
Uncertainty concerning how information is treated once it leaves the government's hands prompted Stoddart to ask that Clement place a moratorium on transferring Canadians' data to third parties "particularly those located outside of Canada, until the privacy implications of such practices are fully addressed."
Although a moratorium was not issued, the minister asked that the government develop minimum requirements to help inform departments on the safest ways to set up web analytics to diminish privacy concerns, a spokesman for Clement wrote in an email.
David Fewer, an intellectual property and technology lawyer at the University of Ottawa, was equally uneasy about the prospect of the government transferring data across the border.
"There's just no reason for that to happen," he said, noting that foreigners have fewer privacy rights in the United States than Americans.
"Google Analytics is free, but it's not free. Obviously, Canadians' privacy rights are being compromised here."
STORING IP ADDRESSES
One of Stoddart's main concerns stems from the fact that Treasury Board has neither assessed the privacy impacts of web analytics nor set up government-wide guidelines. Because of that, each federal department and agency is free to decide how it collects data, how the data is stored, and whether that information is transferred.
The commissioner's letter zeroes in on how each department and agency retains and, in many cases transfers, Internet Protocol (IP) addresses, which are the unique numbers associated with individual computers or networks.
"The piece of data most likely considered to be personal information is the IP address, which could be tied to a specific visitor, particularly in combination with other details collected (and usually stored) every time a visitor comes to a site," Stoddart wrote.
An IP address, Fewer said, can be compared to the licence plate on a car.
"Just by looking at the plate, you won't know who's in the car, but you know about the car and who it's registered to," said Fewer, who also runs the Canadian Internet Policy and Public Interest Clinic in Ottawa.
Clement's spokesman wrote that the Treasury Board has been working on a new search service that will "make it easier to find government information online" while also masking the IP addresses of individual searchers to help protect anonymity. That service is expected to be rolled out over the next year, he said.
Until then, the risk continues, Fewer said.
"A federal department can take all the collected information and then sift through to find IP addresses that keep returning to research specific information... and the government can make a lot of decisions that can affect you on a basis of that information," he said.
Fewer stressed that the government likely does not currently use information for reasons other than web analytics, but that the option is, at least in theory, available.
"If a service is being offered online that exposes an IP address, and if the IP address is being tracked, there's no reason the information couldn't be collected and used in that way," he said.
In order to make that legal, Fewer said, the government would merely have to expand their privacy policy to tell visitors their information could be used for purposes other than web analytics such as law enforcement.
"The government doesn't need consent to collect information, but they can only collect information for the purposes for which they say," Fewer said. "So all they need to do is change their website terms and conditions."
Fewer said a good understanding between information officers and technology departments in the federal government will help mitigate privacy concerns.
"I think there's probably a disconnect between the tech-heads who like, use and need analytics and the policy guys who usually think about how we're dealing with private information," he said. "The privacy commissioner is spot on. This is kind of a blind spot the government has been slow in fixing."
Original Article
Source: globalnews.ca
Author: Amy Minsky
No comments:
Post a Comment