At the instigation of the US government, the North American Free Trade Agreement (NAFTA) is about to be renegotiated. NAFTA came into force in 1994 — before computers, smart phones, social media, and advanced analytics were in common usage — and was intended as a vehicle to minimize trade barriers between Canada, Mexico and the United States.

In July 2017, the United States Trade Representative released a Summary of Objectives for the NAFTA Renegotiation which sets out the US objectives — and makes clear that the renegotiation will affect how, where, and by whom information may (and may not) be processed, stored and managed. The list of objectives indicates that the US seeks to reduce “barriers to digital trade” and to:

Establish rules to ensure that NAFTA countries do not impose measures that restrict crossborder data flows and do not require the use or installation of local computing facilities.

The Canadian government will be represented in the negotiations by a “NAFTA Council” that it created, and which is composed of individuals who have impressive track records in industry and the political sphere. The Council is missing key perspectives and representation from the privacy and access profession, and from civil society.

As a voice for privacy and access in Canada that speaks on behalf of its members and other concerned Canadians, PACC seeks input about the impact that proposed NAFTA changes could have on the ability of Canada’s access, privacy, data governance and compliance professionals to fulfill their roles and responsibilities.

This is your opportunity to have your voice heard. Complete the short survey by August 31, 2017 so that we can integrate the results into a single comprehensive report to Government. (Survey site: https://www.surveymonkey.com/r/RSWNDHN)

Your employment or other associations could hamper your freedom to express personal or unpopular views. As an independent organization, PACC is at liberty to convey the views of its members and others.

The survey asks for very basic demographic information, but does not (and will not) seek to identify respondents.

For a copy of the survey results, email NAFTA_at_pacc-ccap_dot_ca with appropriate contact information.

The U.S. Department of Homeland Security (DHS) and The University of Utah invite you to participate in the 2017 National Seminar and Tabletop Exercise for Institutions of Higher Education on October 10-11, at the S.J. Quinney College of Law.

This two-day event will include workshop sessions, a tabletop exercise and an after-action review session on preparing participants to respond to a campus emergency. This year’s event will focus on a failure in campus infrastructure caused by cyber-attack. More detailed information on the specific topics for workshops and the tabletop exercise will be available closer to the event.

The event seeks to provide participants with insight into planning, preparedness and resilience best practices for the academic community. Because emergency planning involves a team of individuals from across an institution, we recommend a team of up to five (5) senior leaders representing various functions (i.e. information technology, security, leadership, public safety, student life, communications, etc.) attend from each institution. Participants also will include representatives from federal departments and agencies that support campus resilience.

Foreign nationals are permitted to attend and participate in this informative and interactive learning event.

This event qualifies for CPD credits applicable toward PACC Professional Certification.

For more information on the National Seminar and Tabletop Exercise for Institutions of Higher Education Series, visit https://dhs.gov/nttx

The Privacy and Access Council of Canada has joined more than 20 other organizations and individuals in calling on the Government of Canada to seize the rare opportunity now available to take a leadership in the Open Government Partnership (OGP).

Accepting a leadership role in the OGP would be a concrete demonstration of the Government’s commitment to being open and accountable to Canadians — a move that would support the important and challenging work carried out by PACC members and other access and privacy professionals in private sector, public sector, and non-profit organizations across the country.

The full text of the letter is below.

10 July 2017

Dear Prime Minister,

We are writing to you as Canadian organisations and individuals who have engaged with the Open Government Partnership (OGP) within Canada and/or internationally and who believe strongly in the importance of the OGP as a forum for advancing transparency, accountability and civic engagement.

We are aware that Canada has been considering playing a more active role in the leadership of the OGP first by acting as a support co-chair for one year and then as the lead country chair for another year. We are also aware that the OGP requires a decision on this imminently, while Canada has been delaying its response.

We urge Canada to take on this important role within the OGP. Although many of us have asked Canada to do better in some of the areas of focus for the OGP, at the same time we are conscious that Canada is well poised to play a leadership role within the organisation. Indeed, Canada is enjoying an unprecedentedly strong global reputation at the moment, and becoming the lead country chair would build on that in ways which would benefit both Canada and other members of the OGP. Globally and within the member countries of the OGP, civil society space is shrinking, and Canada’s leadership to promote inclusion and high quality participation, both at home and abroad, can be of great value to the initiative.

Other countries have made their contribution by acting as chair and it is now Canada’s turn to step up and take on this important global support role. We are willing to work with and support the government in this.

We look forward to hearing a positive announcement from Canada regarding the OGP chair position very shortly.

Signed,

Organisations:

1. Canadian Taxpayers Federation
2. Centre for Law and Democracy (CLD)
3. Open North
4. Powered by Data
5. Privacy and Access Council of Canada – Conseil du Canada de l’Accès et la vie Privée
6. Reboot
7. Rocky Mountain Civil Liberties Association
8. Samuelson-Glushko Canadian Internet Policy & Public Interest Clinic (CIPPIC)

Individuals:

1. Ana Brandusescu, Researcher, World Wide Web Foundation
2. Merlin Chatwin, Open Government Consultant, Researcher
3. Rob Davidson, Open Data Institute Ottawa
4. Mary Francoli, Associate Professor, School of Journalism and Communication, Carleton University
5. Jury Konga, Open Knowledge Canada Ambassador
6. Tracey P. Lauriault, Assistant Professor, Critical Media and Big Data, School of Journalism and Communication, Carleton University
7. Panthea Lee, Co-Founder & Principal, Reboot
8. Don Lenihan, Senior Associate, Policy and Engagement, Canada 2020
9. Lindsey Marchessault Open Contracting Partnership
10. Heather Morrison, Associate Professor, School of Information Studies, University of Ottawa
11. Daniel J. Paré, Associate Professor, Department of Communication, School of Information Studies, and Institute for Science, Society and Policy (ISSP), University of Ottawa
12. Sharon Polsky MAPP, Access & Privacy Advisor
13. Teresa Scassa, Canada Research Chair in Information Law, University of Ottawa
14. Claire Schouten, Senior Program Officer, International Budget Partnership
15. Mary-Doug Wright, Information Specialist/Consultant, Apex Information
16. Geoff Zakaib, Executive Director, Open Calgary

Registration is open for the National Privacy & Data Governance Congress being hosted by the Privacy and Access Council of Canada with the support of the Office of the Information and Privacy Commissioner of Alberta, Miller Thomson LLP, Legal Education Society of Alberta, the Runnymede Society, (ISC)², CIPS, CHIMA, and NIHI. The Congress is organized in collaboration with the Rocky Mountain Civil Liberties Association.

From April 5-7, regulatory authorities and thought leaders from industry, government and academia will gather to share insights about technological trends and regulatory developments that affect public and private sector organizations’ efforts to protect data and comply with privacy laws.

The Focus

The Congress theme — A World of Change — will focus on the most critical and timely privacy and data protection issues facing organizations today: those that foretell significant consequences for employers, employees and policy makers. A range of topics will address timely issues affecting employers and employees including:

• Privacy Impact Assessment Fundamentals
• Managing a Data Breach
• Privacy Guidance for Small & Medium Businesses
• Crafting Clear Cloud Computing Contracts
• GDPR and the Death of Privacy Shield
• Urgent Privacy Challenges in the Internet of Things
• Digital Privacy at the Border

Participants

The National Privacy & Data Governance Congress is an important opportunity to increase awareness about the intersection of privacy, security, law and technology. The Congress takes a uniquely multi-disciplinary approach that offers practical guidance that can be put to use right away — to increase skills, minimize risk, and improve compliance.

Lawyers, privacy professionals, access-to-information practitioners, members of the media, civil libertarians, as well as compliance, security, and governance and public policy professionals will find value in the Congress.

How often have you marveled at a child’s cleverness? They quickly catch on to new concepts — whether how to dress their latest doll, ride a bike, or use their parent’s cellphone or tablet. The newfound skills are acquired and honed at the child’s pace, typically with plenty of encouragement but little guidance.

Long before many children are taught about online safety they receive a mobile phone for their own use — and tacit guidance that it’s perfectly fine to reveal their innermost secrets to a smartphone or computer screen. Using FaceTime, Skype or any other videoconferencing system allows children to see and talk with a face on screen. Mommy has said the face is that of Grandma — whom the child might have never met — and the repeated experience inculcates the youngster with the clear knowledge that talking to a face on a computer screen is perfectly fine. Mommy said so.

Another facet of this training — or, more correctly, desensitization — process comes in the form of countless toys armed with digital sensors, microphones and speakers. Imagine how thrilling it will be for any child to be able to talk to their new Hello Barbie doll. No more imaginary friends. Hello Barbie is real.

Like Nest and Alexa that help around the house, Wifi enabled Hello Barbie monitors what’s going on around her. Not only is she among the latest toys that desensitizes children to accept surveillance as the norm, but Mattel continuously updates and enhances Hello Barbie’s vocabulary. Within months of being launched into the market, more than 1700 phrases had been added to Hello Barbie’s voice recognition/response system that is programmed with more than 8,000 lines of dialogue,

By listening to children’s delightful banter Hello Barbie learns everything it can: Her likes and dislikes, her preferences, her family and friends, and the nearby conversations and sounds.

Does Mattel really need to hear, record and retain the conversations from a child’s bedroom or living room? Do parents realize that inviting Hello Barbie and other digital surveillance devices into their home might (and often does) grant virtually unlimited access to their personal information? Perhaps parents are reassured knowing that Hello Barbie has been reviewed by kidSAFE Seal Program and that, like My Little Pony Storybook Collection, it meets minimum standards of online safety and/or privacy.

Like their children, many mommies and daddies (many of whom are teachers!) are baffled why targeted ads appear on their screen so soon after asking ‘Mr Google’ a related question. They marvel at how accurately Google can predict their needs and pander to their predilections; but few appreciate how that came to be.

Although desktop computers became commonplace in the early 1980s — almost 40 years ago — online privacy, safety and digital citizenship remain foreign concepts to many people. The extent of many people’s digital education is the oft-repeated mantra “stay safe online” — which imparts as much knowledge as does tossing one’s car keys to a 10-year-old and urging them to “stay safe out there”.

The parallel to driving is even greater: The time lag between the world’s first practical automobile to be powered by an internal-combustion engine — in 1885 — and the first high school driver’s education course, in 1935, was 50 years. That was long after the first automobile-related fatality was recorded in the United States, in 1899 and only 15 years before the millionth in 1951.

Computers, on the other hand, became commonplace in offices and homes at about the same time that Canada’s Privacy Act and the Access to Information Act were proclaimed, in July of 1983. When dial phones were giving way to push button phones and fax machines were being introduced. The technology-based future that Star Trek predicted a mere 20 years earlier had started to come to life, and moved ahead at light speed.

No need to wait until Stardate 1513.1 in the 23rd century for personal communicators. We carry those already. iPhones. Androids. Galaxies. And we count on our pocket-sized computers for staying in touch in our personal lives, and often for our professional existence as well.

The power and potential of new phones, new apps, and new disruptive technologies offer tremendous potential benefit for people, nations and corporations. But without a clear and correct understanding of how their design can affect people — not just corporate bottom lines or governments’ tax revenues — the trend of ignorance that has been so carefully cultivated will continue. And it is being further entrenched as curricula are updated to include robotics and coding — but not how to evaluate risk or be self-sufficient.

Young coders will soon be able to tinker with the inner workings of computers and apps, but remain ignorant about how to evaluate risk. Governments, lawmakers and lobbyists know that there is great utility in ignorance. Perpetuating ignorance is important to ensuring people continue to be reliant on third parties. It’s also important to ensure they are unable to link the cause and effect of their new apps that transmit personal information and health data to nameless, faceless corporations that promise to provide a better user experience.

Perhaps that’s why, for all the breaches that have occurred, despite the billions of dollars devoted to developing and promoting security and privacy safeguards, there’s been precious little improvement. Breaches — that continue to occur with increasing frequency and impact — have been used as justification for new apps and laws ostensibly to help protect people from their own ignorance — but not for new education enabling people to be knowledgeable and self-sufficient about computer technology.

Like youngsters who grow up with their head under the hood of a car and can adjust a car’s fuel injectors, but don’t know the rules of the road, it’s an accident waiting to happen.

Depending on one’s perspective, it’s all very discouraging or very, very motivating indeed!

The Privacy and Access Council of Canada (PACC) will be participating in the Canadian Cybersecurity Alliance (CCA) / Alliance canadienne sur la cybersécurité (ACC). The CCA-ACC (originally initiated as the Inter-Association Working Group on Cyber Security – IAWGCS) is a voluntary, non-hierarchical, not-for-profit agile network, founded by Grant Lecky in 2013. The primary purpose of the CCA-ACC is to enhance the professionalization of the Canadian cyber domain through effective inter-association engagement and knowledge-sharing.

To date, more than 90 associations with a stake in cyber security have confirmed their participation in the CCA-ACC, making this initiative unprecedented in both scale and scope. Each of the participating associations contribute their own unique perspective on the Canadian cyber landscape.

The CCA-ACC is administered by a National Council, whose role includes maintaining the structure of the CCA-ACC itself, and facilitating inter-association dialogue.

PACC President Sharon Polsky, MAPP, will be the primary association representative to participate on behalf of PACC.

The Alliance is a national network that contributes to an increased understanding of the current state of cybersecurity in Canada, and the identification of future directions for research, education, dialogue and professionalization of the domain.

Alliance members include the Canadian branch of the High Technology Crime Investigation Association,  the Canadian Centre for Cyber Risk Management,  Gaming Security Professionals of Canada, the Canadian branch of the International Information System Security Certification Consortium (ISC2),  the Association de la sécurité de l’information du Québec (ASIQ), the Ottawa Area Security Klatch (OASK), the Canadian Association of Petroleum Producers, The Canadian Gas Association, the Canadian Advanced Technology Association (CATA), the Cloud Security Alliance (Canada), the Canadian Information Processing Society (CIPS) , National Cyber-Forensics and Training Alliance Canada and others.

Security industry estimates indicate that it costs $100 per person for notification/remediation about a data breach. Add to that the beneficial economic spinoffs from consulting fees, credit monitoring fees, and Identity Theft Insurance premiums, tuition fees to teach a new generation of cyber sleuths and government agents, etc., etc., and it becomes hard to dispute that there just might be a method to this madness.

Imagine the economic impact if USBs were encrypted by default or if individuals were properly educated, starting in kindergarten, to be able to be knowledgeable and self-sufficient about privacy and computer technology, instead of being ignorant about scams and online predators, and reliant (hostage) on third parties for advice and protection. What would happen to the consulting and license fees paid to the security software and consulting firms of the world? What would happen to the new Identity Theft Insurance industry that has been spawned by breaches, inadequate privacy awareness, and fallible security?

And what would the political fallout be when an educated public is harder to bamboozle and reduces its reliance on third parties? How easily could the economy, and the government, withstand the consulting/security sector shrinking, resulting in temporary increases in unemployment and a reduced tax base as that sector adjusts to a new reality. And what sort of questions would come from an educated populace?

Who could withstand the scrutiny of an electorate that is well enough educated to know the right questions to ask. Who would venture a guess as to why — for all the billions spent on improved security, system upgrades, and public awareness campaigns — has there been so little improvement; nay, why have the breach rates continued to climb?

Why has there been so little education to enable individuals to be knowledgeable about handling, divulging, and safeguarding sensitive information.

Why haven’t schools embedded digital citizenship and privacy into the mandatory curriculum, starting in kindergarten (by which time many children have already been using tablets and smart phones)?

Why haven’t governments written laws to limit the amount of personal data that industry and government may gather and commoditize?

Why have people (including the same ones who work in the organizations that collect and broker endless reams of data about us and themselves) been so reticent to question the message that nobody cares about their own privacy, and that giving up our privacy and other freedoms is good and right and necessary so that we can be saved from…. well, we were originally told that it was to save us from terrorists but we might want to reconsider just who that is and what their motives really are. And what is the real cost to us all.