Domestic Spying Is Irrelevant to Access & Privacy Pros—Or Is It?

When my children were young and they found intrigue in Hardy Boys books, I taught them how to do many things the old-fashioned way. How to tie shoelaces and not take the easy Velcro route. How to spell and look up words in a dictionary. How to hold a pencil, write, and add a column of numbers. After all, I said, if they only know how to keyboard and rely on spell checkers, what will they do when the power goes out?

People around me insisted that digital communication was the only thing my children needed to learn because that’s the way of the future; but being a mother, the tough guy, I was unmoved. When the teachers didn’t teach these basic skills to my children, I did. Whether or not they now choose to use a particular skill misses the point. Like learning to drive manual shift cars and being able to choose to drive automatic, it is important that they have the option to choose how they record their thoughts — secure in the knowledge that the record they create is theirs alone unless and until they choose to share what they penned.

The options that my children have are not shared by most of their friends. Penmanship is now dismissed as a quaint relic of an earlier time before it was possible to use “the cloud”. Many educators have erased writing skills from the curriculum, and what was once a fundamental skill to facilitate communication has been replaced with keyboarding. Little wonder, then, that children are no longer taught to write in cursive script, how to hold a pencil (or fork) correctly, or even how to print the alphabet.

Children and adults are also not taught to consider that personal musings, family secrets or corporate confidences created and stored in “the cloud” might be on a computer server located in a jurisdiction where state access to all data is the norm. Nor are they taught to consider what assumptions interlopers scrutinizing personal and corporate information might make, or what will be the consequences when the secure storage facility is breached or infiltrated or sold. So it is also no wonder that so many Radio Shack customers are aghast at the prospect of their personal information being sold as part of the company’s bankruptcy proceedings, and sextortion victims are in a panic.

In an era when cloud storage and digital communication have been popularized as the norm, and millions of users have unquestioningly entrusted their thoughts, health and photos to cyberspace, some are now questioning the wisdom of choosing pragmatism over prudence. Among those weighing the cost of convenience are Canada’s access and privacy professionals who are responsible for ensuring that their organizations collect, use, disclose and safeguard personal information in a manner that complies with governing privacy and access legislation.

While cloud providers’ terms of service inevitably offer assurances that inspire trust for how well they will safeguard customers’ information, the language used in service agreements is seldom assessed for the long-term or unintended risks that it can invite. Website and vendor promises that privacy is a priority, or is respected, engender enough trust to justify looking no further. Besides, looking more closely could reveal gaps and risks that would make many people very uncomfortable (and human nature reminds us that it is less uncomfortable to simply avoid looking too closely).

Users who do look closely at the language of some agreements realize that the service provider may expose all data, including sensitive and personal information, in accordance with “laws that govern” data use and disclosure. Many optimistic and trusting folk take that to mean that data would only be offered up in circumstances that they would consider to be important, reasonable, and valid. And that view points to a key feature of why vague privacy provisions of most agreements are so readily accepted: Nature and nurture encourage us to expect the best in people, so why would anyone question such thoughtfully worded assurances?

From a risk perspective, it is important to recognize that the language of service agreements is often intentionally vague. Since it is impossible to anticipate all possible eventualities, a certain amount of latitude is vital to ensure service providers are not hamstrung. On the other hand, though, such vague language can be interpreted to permit the release of personal information, without consent, in response to “requests” made pursuant to “laws”. As Canadians might recall from Bill C-30 (infamously popularized as a result of MP Vic Toews’ remark that we “can either stand with [the government] or with the child pornographers”) and Nova Scotia’s anti-cyberbullying law that makes bullies of us all, such vague language can be problematic and open to both interpretation and application that can be inconsistent and incorrect.

The vagueness of many American, European and Canadian laws has substantiated concerns that email and phone calls are being scrutinized, mail is being routinely scanned, and Canadians’ information is being secretly shared by governments and government agencies — all the stuff that not long ago was routinely dismissed as the ravings of conspiracy theorists.

The international information-sharing mechanisms in place between Canada and other nations also mean that sensitive, confidential, or personal information can often be disclosed without notice to the affected individuals. And that leaves privacy and access professionals in a quandary: How can you respond fully to an access-to-information request when you don’t know if information has been released to third parties? And how can you honestly say that your organization is safeguarding personal information and only releasing it in accordance with the provisions of governing privacy and access law — when the data might be part of the wider information dragnet, being passed around the same way that teenage boys not that long ago used to share the latest copy of Playboy?