THE CONCEPT OF PRIVACY
Privacy is a human right with a grand tradition, both nationally and
internationally. It is recognised in the Canadian Charter of Rights and
Freedoms and such international human rights instruments as the Universal
Declaration of Human Rights and the International Covenant on Civil and
Political Rights. Classically understood as "the right to be let alone," privacy in
today's high-tech world has taken on a multitude of dimensions. According to
certain privacy experts, it is the right to enjoy private space, to conduct private
communications, to be free from surveillance and to respect the sanctity of one's
body. To the ordinary Canadian, it is about control - the right to control one's
personal information and the right to choose to remain anonymous.
Privacy is a core human value that goes to the very heart of preserving human dignity
and autonomy. It is a precious resource because once lost, whether
intentionally or inadvertently, it can never be recaptured.
OUR FINDINGS TO DATE
As Members of the Standing Committee on Human Rights and the
Status of Persons with Disabilities, we are taking a decidedly human rights
approach to assessing the effects, both positive and negative, that new
technologies are having on our right to privacy. In the spring of 1996, we held a
series of round table discussions on the impact of new technologies on human
rights. During the course of these hearings, expert witnesses repeatedly warned
us of the rapid erosion of privacy rights due to modern technological advances.
The nature of the current situation was aptly summed up by the Privacy
Commissioner for Canada, Mr. Bruce Phillips:
The issue of privacy is much broader than merely the
traffic in information over electronic systems. It gets
into all kinds of things, such as biomedical applications
in the workplace and surveillance systems. There is
almost no aspect of human life these days that does not
have a privacy implication in which technology is
involved. We're at risk now of losing all of our sense of
autonomy and in the process of sacrificing a
fundamental human right. I wouldn't go so far as to say
privacy no longer exists, but it's certainly breathing
hard to stay alive.
The concern that the right to privacy is currently suffering from abuse
and neglect prompted us to devote our hearings during the fall of 1996 to assess
the scope of this right and to ascertain its place relative to the advantages,
efficiencies and convenience of new technologies. We were astonished, and
alarmed, at how all-encompassing and widespread the monitoring of our
personal lives has become. A simple credit card transaction, a secret kiss
(caught by a hidden surveillance camera) and a genetic test for medical
purposes, while seemingly isolated and private incidents, can easily become
public knowledge thanks to advances in modern technology. Indeed, the
capturing and commercializing of personal information in our computerized
world has become big business. This is no longer the cloak and dagger stuff of
government and police spy operations. New technologies are being regularly
used by private individuals, employers, and such businesses as banks and
insurance companies to monitor, record and track many aspects of our daily
lives.
PRIVACY PROTECTION
There is no comprehensive protective framework for safeguarding
privacy interests in the face of these new technological applications. With
technological advances rapidly changing the nature of relationships, Canadians
must struggle with a complicated and increasingly ineffectual system for
safeguarding their privacy interests. They must draw upon international law,
constitutional laws, federal and provincial legislation, judge-made law,
professional and industry codes, guidelines and personal ethics. Not only are
these existing sources of privacy protection complex and diverse (resulting in
what is commonly referred to as a "patchwork" effect), but they generally lack
the ability to effectively deal with emerging technologies. For example, most
federal and provincial privacy legislation deals only with the protection of
personal information or data. Moreover, with the exception of Quebec, which
deals as well with the private sector, federal and provincial data protection
legislation only applies to governments and government agencies. We are
pleased, however, to hear that the Ministers of Justice and Industry are currently
working with the provinces in an effort to introduce legislation that would
protect personal information in the private sector across the country.
YOUR VIEWS
As a Committee, we want to hear from Canadians on these issues. We
want to know about your value systems and your ethical/moral frames of
reference in relation to privacy. We also want to know where this all fits in with
today's high-tech society. It has been asserted that most Canadians are unaware
of even the basic steps they can take to safeguard their privacy in this
technological age. We want to know if this is the case and, if it is, the extent to
which people want to safeguard their rights to privacy. We want to determine
whether Canadians are actually aware that their privacy is in jeopardy. Have we
all become technologically complacent and therefore blind to erosions of our
privacy rights? Or, do we view privacy, not as an inalienable human right, but
rather as a luxury that can, and in some instances should, be traded for the sake of
other social or economic benefits?
OUR APPROACH
Since privacy is such a wide-ranging right that is under siege in so
many ways, the Committee has decided to focus its inquiry on three basic types
of intrusive activities using case studies involving specific technologies:
1) physical monitoring - video cameras,
2) biological surveillance - genetic testing,
3) personal identification practices - smart cards.
In this way, we hope to raise awareness about the risks and benefits of advancing
technologies, to stimulate debate about the need for greater privacy protection in
this new age, and to test the limits (how far is too far?) of our vested privacy
interests against both the present and future promises of new technologies. It is
not, however, the Committee's intention to definitively resolve all of the issues
raised by the three scenarios. Rather, it is hoped that the case studies will serve
as a vehicle for testing our basic values, dealing with underlying trends and
common themes, and ultimately developing some workable means of managing
divergent interests.
KEY ISSUES
The following are some basic questions that this Standing Committee
would encourage Canadians to respond to:
1. In terms of your personal value system, where do you place the right to
privacy? Is it, for example, as important as your right to free speech or your
right to a fair trial?
2. Is the present system of privacy protection in this country working? If not,
where are the trouble spots?
3. Based on your personal experience, to what extent are we sacrificing our
right to privacy for the promises offered by emerging technologies? Is this
an inevitable trade-off in a technological age?
4. What is the best method of safeguarding our privacy interests in a
high-tech world? Do we need governments to take charge and enact strong
and comprehensive privacy legislation, or do we need action taken on a
number of fronts such as the development of private sector privacy codes
by business and industry, the creation of privacy enhancing technologies,
the launching of public education campaigns and the enactment of privacy
protection legislation?
5. Are modern technologies being used, in some cases, as a "quick fix" for
social or economic problems instead of getting to the root of these
problems -- for example, the use of video surveillance cameras on public
streets to try to reduce the incidence of crime?
6. How should we all become better informed or educated about the impact of
modern technologies and practices on privacy rights?
MAIN STREET, GOODTOWN
Goodtown is a small city, with a population just over 75,000. In the
past few years, incidents of petty crime in the downtown core have been on the
increase -- especially vandalism, break-ins, and brawls after the bars close at
night. The city has always taken pride in being a peaceful, safe, family-oriented
place to live. Many citizens felt Goodtown might be heading for trouble, unless
it dealt with the escalating crime problem quickly and effectively. After much
debate, the city council decided to install a state-of-the-art closed-circuit
television system (CCTV) to monitor Main Street's downtown section. Until
that point, the only video surveillance cameras used in the city were set up by
private security firms to guard retail stores and government office buildings.
Residents are divided in their support for video surveillance on Main
Street. Most people, especially women and seniors, feel much more secure now
going to restaurants, movies, and shopping after dark. Some people, however,
who have had first-hand experience with the long reach of the video cameras, are
less than impressed. Take, for example, the experiences of Joan, Paul, Sonia,
and Daniel.
JOAN
Joan is a 16-year-old with boundless creative energy. On Halloween
night, armed with a can of red aerosol paint, Joan decided to "paint the town red"
-- at least a few storefronts off Main Street. She knew enough not to try to leave
her mark on Main Street, since the CCTV system would be sure to catch her in
the act there. But she didn't realise the state-of-the-art cameras installed on
Main Street could pan, tilt, zoom and see down the pitch black, adjacent side
streets as clearly as if it were daylight, thanks to their night-vision capabilities.
Joan's prank was recorded live by a 911 operator remotely monitoring the street
from the central control room several miles away. The police were called, Joan
was caught red-handed and is now facing criminal charges.
PAUL
Paul lives outside Goodtown on a farm. He planned to attend a protest
rally in front of the Agriculture Office on Main Street, until he heard about the
city's CCTV cost-recovery program. To recuperate some of the expenses
incurred setting up its video monitoring system, the city decided to sell stock
footage from its video surveillance cameras to anyone who was interested. Paul
heard, through the rumour mill, that government bureaucrats and police
officials intended to buy the videotape recordings of the protest rally. The
digitised pictures taken of the protesters at the rally could be matched in a matter
of seconds against the digitised photographs of licensed drivers held in the
Transportation Department's data bank. Thus, most of the protesters would be
quickly and accurately identifiable. Paul was outraged by this plan, which he
considered to be a major affront to both his freedom of expression and his
freedom of peaceful assembly. But he didn't want to get into the government's
bad books, so he stayed home.
SONIA
Sonia worked at the Agriculture Office until last month when she was
fired. Her employer had a smoke-free workplace policy, so employees,
including Sonia, would stand outside the front doors of their office building
when they needed to have a cigarette. Her supervisor accused her of taking
upwards of 10 cigarette-breaks each day, but Sonia denied the allegations,
explaining that her absences from her desk were due to trips to the photocopier,
the library, and other work-related tasks elsewhere in the building. She swore
she only took three cigarette-breaks each day, until her supervisor confronted
her with evidence to the contrary. He had obtained videotapes from the private
security company that guarded the building and which had video cameras
trained on the front doors as a security measure. The videotapes disclosed that
Sonia spent, on average, one hour each day, not including her lunch hour,
smoking outside the front doors of the building. Sonia was fired for taking too
many breaks, as well as for lying to cover up her actions.
DANIEL
Daniel was laid off when the factory where he worked down-sized
several months ago. Having learned his wife was terminally ill, facing no
prospect of new employment, and with his unemployment insurance soon to run
out, Daniel fell into a deep state of depression. One night, after having consumed
far too many beers at a local tavern, Daniel staggered to his car parked on Main
Street and struggled with the locked door. Once inside the car, instead of putting
the key into the ignition, he took the pocket knife attached to his key chain and slit
his wrists. The 911 operator monitoring Main Street that night had tracked
Daniel's unsteady stroll to his car and observed him fumbling with the keys.
Before he had even slashed his wrists, the operator had alerted the police about a
possible impaired driver. When they found Daniel collapsed over the steering
wheel, they rushed him to the hospital. In retrospect, he is grateful that they
saved his life. But, when the city sold the videotape footage of his suicide
attempt to a national, reality-TV show, Daniel was hurt, angry and humiliated.
He is contemplating suing the city.
QUESTIONS FOR DISCUSSION
1. Are closed-circuit television systems (CCTV) an effective tool for
deterring criminal activity, or do they simply displace that activity to areas
that are as yet unmonitored and perhaps are also lacking in the financial and
political clout necessary to secure these types of monitoring systems?
2. To what extent should video surveillance be done live versus taped? For
example, should CCTV cameras be permitted to zoom in, tilt towards and
record activities at any time, or only when an incident occurs? Who should
make decisions to record and upon what basis?
3. Once a video tape is made, who is the owner of the recording and who is
entitled to access it? Should practices or policies be in place pertaining to
retention periods and the erasing of video footage? If so, who should make
these determinations, the tape owner or user?
4. Are video cameras acceptable in public places because they are in essence
simply an extension of the naked eye? What about when these cameras
have high-tech infrared capabilities that allow them to see clearly in the
dark, penetrate walls and zoom in on an individual 300 meters away?
5. If we accept at least a certain amount of surveillance in public places,
where is the dividing line between the public and private sphere? What
reasonable expectations of privacy should we be able to carry with us in
private places (i.e., washrooms located in shopping malls with hidden
video cameras to detect shoplifting)?
6. Does the whole question of privacy turn on the location of the invasion, on
who is doing the invading, on the purpose for which the invading is being
done, or on a combination of all of these factors?
7. How should the balancing of privacy rights with the benefits of new
technologies be tackled in the area of video surveillance? Is there a need
for overall regulation in this area? If so, how could this be achieved (i.e., a
licensing system, an oversight body, a code of practice)?
8. How should we deal with future technological advances in the field of
video monitoring? Moreover, how should we handle the heightened
commercialization of personal information derived from such surveillance
practices?
THE SITUATION
Frank, a thirty-five year old truck driver for the Inter-city Moving
Company, fell and hurt his left arm when he was delivering a load of furniture.
The crew that was helping Frank called an ambulance and he was taken to the
local General Hospital, a large teaching institution associated with The City
University. They also advised Frank's boss, who owned the trucking company.
When Frank was being admitted to the hospital, he signed some forms
that allowed the hospital personnel to conduct tests and to provide treatment. At
the time, he was assured that these forms were quite routine, although the
admitting clerk mentioned that because of the hospital's affiliation with the
University, the forms contained a provision that gave consent to having medical
information used in ongoing research carried out by the institution. Frank didn't
pay much attention to this because he knew that he was there for the treatment of
an injury, not an illness.
Because he had lost a considerable amount of blood, the hospital
physician on duty ordered a transfusion and, to prepare for this, samples of
Frank's blood were sent to the hospital laboratory in order to match his blood
type. Because the doctor was conducting research into genetically transmitted
illnesses, he also ordered a DNA test -- genetic screening of Frank's blood -- as
authorized by the consent form that Frank had signed when he was admitted.
The blood samples were identified as Frank's both by name and by his
provincial medical insurance number that was put on the requisition form by the
doctor.
Frank called his boss and told him that he would be off work for six
weeks. In the meantime, the boss had called Inter-city Moving's insurance
company to find out what his liability might be. The insurance company told
the owner to ensure that copies of all documentation that related to the accident
were forwarded to them. When Frank called to report in, his boss told him to get
a copy of his record sent to the insurance company.
Frank was patched up and discharged the following day. Because he
lived 300 miles away in Phillipstown, a village of about 2000 people, the
hospital agreed that follow-up care would be provided by his own doctor and by
the homecare services there. When he was leaving the hospital, Frank asked the
clerk who was handling the discharge to put a note in the computer record that his
file should be sent to the insurance company.
The results of the genetic screening were available some time after
Frank had gone home. They revealed that Frank had several genes that together
might significantly increase his risk of developing heart disease at an early age.
THE MEDICAL SYSTEM
Because the hospital had no special system to separate out the results
of the genetic test, these were automatically entered into Frank's records in the
hospital's computerized data bank along with the results of other tests and
treatment of Frank's injured arm. Along with the blood sample that the hospital
was storing for future research purposes, the data bank was available for use by
the geneticists who were conducting research by using information provided by
the hospital.
The records clerk at the hospital used his password, called up the file
on his computer and distributed the test results as instructed in the file itself. He
printed up several copies of the file and E-mailed another copy to the hospital
physician. Without reading the file again, the doctor stored the information in
his research data base. As a matter of routine, the medical report was mailed to
Frank's family physician, who was to look after any follow-up treatment if
required, and also to the Phillipstown homecare coordinator, who assigned a
practical nurse to visit Frank at home in order to change the dressings.
While his family doctor paid no attention to the report beyond looking
at what had been done to treat Frank's injured arm, the homecare nurse read
Frank's medical report carefully and suggestively told her supervisor -- who
was the best friend of Frank's wife, Elaine -- to have a look at it sometime.
THE BANK
Two weeks later, Frank and Elaine went to their bank to sign the
papers applying for a $75,000 mortgage for the new house that they wanted to
buy. They knew that they were stretching their financial limits, but the house
was a good bargain and would accommodate them and the family they were
planning to start. Frank decided that he would get the mortgage life-insured so
that Elaine would be free of debt if anything happened to him. At the bank's
request, Frank signed a standard form stating that he had no pre-existing
medical conditions that would disqualify him from getting the insurance. But
the loans officer knew that Frank was off work due to his injury and asked for
assurance that Frank would be back on the job soon and have ongoing
employment and a stable income. In order to satisfy the loans officer, Frank
volunteered to call his family doctor's secretary and ask her to forward a copy of
his medical records to the bank.
A few days later, he opened a letter from his bank. In it, the loans
officer explained that the bank had received Frank's file and went on to state that
Frank was ineligible for the bank-sponsored, low-cost life insurance on his
mortgage because he had a pre-existing medical condition related to his heart.
The bank also informed him that it was rejecting his application for a mortgage
because he had signed a false declaration.
THE JOB AND INSURANCE
Later that same week, Frank was called in to see his boss. He was told
that he had to look for another job. "I don't have enough work to keep you
going," the company owner explained to Frank. In reality, however, the boss
had been contacted by his insurance company which had analyzed Frank's
medical records and decided that because he might have heart problems in the
future, Frank was too high a risk for the company to insure. The boss decided
that he would not tell Frank the real reason for the lay-off because he did not
want Frank to try to claim disability insurance and possibly jeopardize the
reduction in insurance premiums that was given to Inter-city Moving as a small
business that had a record that was free of claims for five years.
Frank was not too downcast, however, because he had already been
asked by another trucking company to consider a job with them. Actually, it
paid more and, as he told Elaine when he called her at work to tell her the news,
he didn't like his old boss anyway. All Frank needed to do was to get a medical
and allow the company access to his medical records.
THE FAMILY
Then Elaine arrived home, very agitated. She explained that she had
had lunch with her friend the homecare supervisor. When Elaine told her friend
about Frank's job problems, the friend had commiserated with her and said that
she could explain because she had finally read Frank's file. She told Elaine that
her husband had a heart condition that was inherited and that any of their
children could have the same problem. Furthermore, he could die by the age of
fifty and leave her alone with small children to raise. Why, Elaine wanted to
know, had her husband not kept her in the picture? Didn't she have a right to
know?
WHAT NEXT?
Totally bewildered, Frank said that this was news to him and tried to
get his family doctor.
When he finally put together the pieces of the puzzle, Frank was
angry. How could people get more private information about him than he had
about himself? How could they get it without his understanding and consent?
Why was he not given the opportunity to present his own personal information
to his boss, his bank, his own wife? Frank was left with the knowledge that the
information that was in the insurance company's files, in the bank's files and in
general medical files (with his medical insurance number on it) was completely
out of his control.
QUESTIONS FOR DISCUSSION
1. Given the extremely personal nature of an individual's DNA, should the
regulation of genetic information be treated differently than the regulation
of other personal medical information? Should the government have the
right and duty to collect genetic information to ensure a healthier society?
2. - Who should be able to conduct genetic testing?
- For what purposes should collection of genetic data be allowed?
- Who should be able to retain samples of DNA, for what purpose
and under what conditions?
- When genetic information is used for research purposes what
should the obligation of the researcher be?
3. Given what happened to Frank, should privacy issues arising from the use
of genetic technology be dealt with by providing Frank with the
opportunity to take legal action, after the fact, against the hospital, the
hospital physician, his boss and his bank? Would it be better to provide for
Frank's privacy proactively by prohibiting the collection and
dissemination of genetic information altogether? Is there a middle road?
What can Parliament do?
4. Who should be able to disclose genetic information and to whom? Should
Frank's employer and the insurer have access to Frank's genetic profile?
What about Frank's wife? What about Frank, himself?
5. To what extent should individual circumstances govern how genetic
information is disclosed? For example, should it have made any difference
if Frank had been perfectly "normal" as opposed to having an increased
risk of a heart problem within the next few years? Would your view change
if Frank had a gene that guaranteed the onset of a fatal illness (e.g.,
Huntington's)? Should Frank's children be tested for his genetic
predisposition even though they are underage? At what age should genetic
testing be allowed for children?
6. Should Frank's consent when he was admitted to the hospital be enough to
allow the collection of genetic information? What do you think constitutes
"informed consent"?
NEW OCEANIA, 2004
Marie is a hard-working, model citizen of New Oceania who
certainly never imagined herself living on "government handouts." In the
spring of 2004, however, she found herself collecting unemployment assistance
(UA) when her employer suddenly down-sized. Marie files her reports to
receive UA benefits and collects the funds owed to her by using a smart card that
functions as an ID card and an electronic-banking access card. The
unemployment assistance card (UA card) was introduced by the government's
Ministry of Work mainly to cut down on fraud and to save on the high cost of
administering the old paper-based system.
THE FINGER SCAN
Instead of filling out forms and mailing them in to receive benefits,
which was the practice at the turn of the century, Marie files her request for UA
benefits electronically, every two weeks, at a local government services kiosk.
The kiosk computer scans her finger and translates her fingerprint pattern into a
unique number, called a "digital fingerprint." At the same time, Marie slides her
UA card into the terminal, so the computer can compare the number just
generated by her finger scan with the digital fingerprint stored in the card. This
comparison ensures that Marie, the person to whom the card was issued when
she qualified to collect unemployment assistance, and the person filing her
request for benefits at the kiosk are one and the same. Marie's digital
fingerprint, being a unique number, is used as well to link the information
recorded in her card and her full UA dossier which is housed in the Ministry of
Work's central computer system.
At first, Marie was uneasy about the finger scanning process because
it made her feel a little like a criminal. Now she is more used to it and appreciates
that it is essential to verify her identity and to help cut down on fraud.
The UA card's identification technology, which establishes a card
holder's ID based on a fingerprint (a physical characteristic which is unique in
every individual) is known as "biometric" identification. The government
realised, in introducing its biometric UA card, that the information used for
biometric identification purposes is very personal and, therefore, it must not be
readily accessible to unauthorised or unscrupulous persons. Since Marie's card
is always in her possession, she can control who gets access to it. As for the
record of her digital fingerprint held in the Ministry's central computer system,
the government protects this information from unauthorised use by keeping it in
a separate, limited-access database.
CASHING BENEFITS
In addition to being an identification card, Marie's UA card is an
electronic-banking access card that works like the magnetic stripe cards once
issued by banks. The card gives her access, from any automatic banking
machine, to the government's UA account and allows her to withdraw, in cash,
up to the full amount of benefits owed to her. She doesn't have to withdraw her
full entitlement as soon as it becomes available because the Ministry's central
computer and her card both keep a running tally of the balance which she is
owed. In this way, Marie and the government both know, at all times, the total of
her outstanding benefits.
The UA card also can be used to make direct-payment purchases at
any retail outlets which accept electronic-banking access cards. Information on
every direct-payment transaction carried out using the card is recorded
immediately on her card and simultaneously registered in the Ministry's central
computer, to keep her running balance current.
Marie found her UA card to be very convenient and user-friendly.
She could file a request for benefits directly and instantly, without having to rely
on the post office to ferry her UA reporting forms back and forth; and when she
was entitled to receive a UA payment, she could visit any banking machine,
anytime, and withdraw the cash she needed. She did not have to wait for her
cheque to arrive in the mail and then take it somewhere to get it cashed. She also
did not need to carry much cash because she could use her UA card to make
direct-payment purchases. Recent events, however, have caused her to
question some of the uses made of the card.
FRAUD CONTROL
First of all, following a trip abroad to look into job opportunities,
Marie hit a snag filing her electronic report at the government services kiosk.
Unknown to Marie, her digital fingerprint, held in the discrete UA database, had
been automatically matched against the same finger pattern digitally scanned at
the airport when she cleared customs using her electronic border crossing card.
In the process, the UA system was warned that she had been out of the country
for five days. This information exchange was carried out pursuant to an
information-sharing agreement between the Ministry of Tax (Customs) and the
Ministry of Work.
When Marie tried to file her usual report, which required among other
things that she confirm she had been available for work every day during the
two-week reporting period, the kiosk computer advised her that she was
"deemed" to have been unavailable for work for the five days that she spent
outside the country. It then notified her that she had to appear before a Ministry
of Work official within 10 days to prove that she had not attempted to file a false
claim, which is a punishable offence. The computer also told her that if she
could satisfy the official that she had not attempted to commit fraud, then her
request for benefits for that period would be processed immediately.
THE CONSUMER PROFILE
A few weeks later, Marie received a letter from XYZ Company, a
private company contracted by the Ministry of Work to provide specialised
training to UA recipients. The letter invited her to participate in a workshop
called "Living Wisely on a Limited Income." Curious as to why she had been
selected as a potential candidate for this training session, Marie telephoned the
company and spoke to a representative who told her she probably had been
contacted because of her "consumer profile." He went on to explain that the
information about her direct-payment transactions, obtained from the UA
database, had been compiled into a personal spending profile which showed
unnecessary expenses, involving for example tobacco and alcohol.
The data trail left by Marie's direct payments made with her UA card
did not accurately reflect her personal consumption habits. Marie had actually
made the cigarette and wine purchases for her grandmother for whom she often
ran errands. Not wishing to reveal any further details of her shopping habits to
this stranger, Marie did not attempt to set the record straight. However, she did
ask him whether the company sold her consumer profile to any direct-mail
advertisers. (Lately she had received several personally addressed direct-mail
advertisements from businesses selling products and services related to the
items she often purchased for her grandmother and, in light of her conversation
with this representative, she now suspected it was not a coincidence.) He
confirmed that this was the company's practice and should she not want her
personal information sold or traded, she would have to send him a request, in
writing, to that effect.
THE MURDER INVESTIGATION
The biggest shock, for Marie, came the day a police officer showed up
at her door investigating a recent murder in a nearby park. The murder weapon
had been wiped clean and discarded in a garbage can several blocks away. The
police digitally scanned the fingerprints found on the lid of the can and matched
them against a number of government databases, including the UA fingerprint
database. Marie's prints were identified in the process and she was asked to
account for her whereabouts on the night of the murder. Fortunately, she had
spent the evening in question with her grandmother, so she had an alibi.
THE NEW SUPER-CARD
Today Marie read a newspaper article on the Internet which reported
that the Government of New Oceania intends to expand the functions of the UA
card and transform it into a universal ID and multi-purpose,
government-service card to be called the "universal-card" or "UNI-card." All
workers, employed and unemployed, would be issued this card. For those
eligible to receive UA, the card would continue to be used for electronic
reporting and cashing of benefits. In addition, the card would introduce a host of
new applications for employers and employees. For example, the government
would give employers access to the card to record information on an employee's
earnings and work history -- data that would simplify and expedite the
application process for persons seeking unemployment assistance. The card
also would be used to prove one's citizenship, collect pension benefits, file
income tax information and obtain tax refunds. The UNI-card, like the current
UA card, would be a biometric identification card and, thus, offer solid proof of
the card holder's true identity. As Marie scrolled to the next story, she thought
about the unlimited potential of biometric smart cards and wondered whether
one day she would need simply one card to conduct all of her personal
transactions, with every level of government and all private businesses.
QUESTIONS FOR DISCUSSION
1. Although Marie was uneasy about having her finger scanned, she had to
submit to the process if she wanted to collect UA benefits. Use of the UA
card system was made compulsory to maximise the government's savings.
- How do you feel about the physical intrusiveness of biometric
identification -- does it bother you or are you more concerned
about how biometric information is stored and used, than how it
is gathered?
- Given the sensitivity of biometric information, do you think we
need clearer rules about who can ask for it, how those who collect
it can use it and how it should be protected? For example, should
government departments, the police, employers, banks, and
insurance companies all be equally entitled to demand this type of
information? Would you like to see sanctions, such as fines or
imprisonment, imposed on persons who misuse or abuse this
information?
2. Marie's digital fingerprint, stored in the central UA computer, was kept in a
separate, limited-access database. This data could have been made more
secure with encryption technology, but the system's planners decided not
to use encryption. They were confident that housing the biometric
information in a separate data bank would provide enough protection.
Encryption is a technological process whereby readable data, like a
digitised finger pattern, is converted into a form that is indecipherable.
Only authorised persons, who have access to the particular encryption
program used to disguise the data, would be able to translate it back into a
readable form. Technologies, such as encryption, which can be used to
improve people's privacy, are called privacy enhancing technologies or
PETs.
- What role should PETs play in protecting privacy? For example,
where information systems handle sensitive personal
information, such as biometric identifiers like fingerprints,
should the use of PETs be mandatory?
- By adopting a new PET called "biometric encryption," your
fingerprint pattern could be used like a high-security lock to
protect your personal data files instead of using it in the
traditional, unencrypted form as a master-key that can unlock
and link several of your data files -- would you prefer to see your
fingerprint pattern used as a lock or a master-key?
3. When Marie was "deemed" not to have been available for work because
the Ministry of Work was automatically notified that she had travelled
outside the country, the presumption seemed to be made that she was trying
to cheat the UA system. Some people might argue that this type of data
matching is tantamount to executing a general search warrant against
everyone who has personal information in the databases being matched.
- In your opinion, should data matching be allowed to be carried out in a
random fashion, just in case some evidence of fraud might be
uncovered? In a democratic society, is it fair and reasonable to search
for evidence of wrong-doing in this way?
4. Marie's direct-payment purchases, made with her UA card, left a data trail
which XYZ Company used to construct a consumer profile. The Company
created the profile using the raw information that the Ministry of Work
agreed to share with it. XYZ Company then capitalised on the inherent
value of this information by repackaging it and selling it to direct-mail
advertisers.
- In our information society, should more steps be taken to prevent
personal information from being shared or commercialised? For
example, should people's data trails be made anonymous or should
tighter restrictions be placed on information-sharing practices?
5. The phenomenon which privacy advocates call "function creep" occurs
with ID cards when they take on extra uses which are above and beyond
those originally contemplated by the identification system's developers.
For example, many Canadians have experienced function creep in relation
to their social insurance number. Retailers, landlords and others
commonly request people's SIN so they can check their credit ratings at
credit bureaus who use the SIN to link individuals to their credit
information.
- Should steps be taken to prevent function creep from happening with
respect to smart ID cards? If so, what limits or rules should apply to
these cards?
PHYSICAL MONITORING IN GENERAL
Physical surveillance, or the monitoring of human activity, is nothing
new to our society. However, with the emergence of innovative and rapidly
advancing technologies, modern surveillance has taken on a whole new
character. It has expanded beyond the purview of national security and law
enforcement, to include employers, commercial enterprises and service
providers. It is no longer labour-intensive, cumbersome and costly.
Surveillance technologies now have the ability to penetrate walls, function in
the dark and operate from great distances. Moreover, information obtained
through these monitoring techniques can easily be aggregated with other
sources of information and manipulated with ease.
CLOSED-CIRCUIT TELEVISION SYSTEMS (CCTV)
Although there are numerous modes of physical surveillance, none to
date has surpassed the prevalence of video monitoring. Technical developments
have both increased the capabilities and lowered the cost of video cameras,
making them an almost regular feature of many city streets, heavily travelled
highways, retail stores, banks, hospitals and even private homes. In particular,
there has been a boom in the prevalence of closed-circuit television systems
(CCTV). The cameras used in these systems are state-of-the-art. They can
move in any direction, zoom in on minute objects up to 300 meters away, and
bring images up to daylight level even in pitch blackness. The U.K. currently
has centrally controlled, comprehensive city-wide CCTV systems tracking the
movements of individuals in dozens of cities. In the U.S., police in Baltimore
have wired a 16-block area of downtown with enough video cameras to allow
them to watch and record activity on every street, sidewalk and alley 24 hours a
day.
In Canada, the closed-circuit surveillance camera business is
estimated to be somewhere between $65 and $90 million annually and growing.
Not only are video cameras being used openly in public places by some
municipalities and businesses, but retailers, employers and private individuals
are taking advantage of low cost technological advances to conduct
surreptitious monitoring. Ironically, while it is illegal under the Criminal Code
to intercept private conversations (i.e., "wiretapping" and "bugging"), there is
no such prohibition against secretly taking photographs or videotapes that have
no voice recordings. Moreover, only the police need obtain a warrant to
videotape people's private activities. No prior authorisation is required for
ordinary citizens, such as security guards.
THE FUTURE OF VIDEO SURVEILLANCE
The future of surveillance camera technology appears awesome.
Computerised facial recognition systems have been created that can take the
image of a face caught by a surveillance camera and convert it into a
computerised numerical sequence that can then be matched with facial images
already held in computer databases. A company in Florida, for example, has
developed powerful computing technologies that can scan a crowd at a rate of
twenty faces a second, convert the faces into an electronic code and match them
against identities already stored in a database. In Massachusetts, this
technology has been used to develop a state-wide database containing the
digitised photographs of 4.2 million drivers. One can only imagine the result
were these technologies linked to a CCTV system.
Other examples of future technologies include hand-held devices
(called Forward Looking Infrared Radar) that can look through walls to
determine activities inside buildings with the accuracy and clarity of a video
camera. Already passive millimetre wave detectors, a form of radar, can scan
beneath clothing to assist law enforcement and customs officials in detecting
concealed objects even within human body parts, such as the stomach.
KEY ISSUES
So, in terms of video monitoring, there is more at issue than simply a
question of whether our public and personal safety is ensured by having
overhead video cameras tracking events in public places. The fear is that once
the technology is in place, it opens the door to greater risks to privacy than were
ever originally contemplated. Most of us would agree that there are definite
benefits to be derived from some forms of physical monitoring. The issue is
where do we draw the line? While this may be difficult, it may none the less be
crucial given that with the current onslaught of technological developments, the
ability to spy on one another will only become more effective, cheaper and
pervasive.
FOR FURTHER INFORMATION:
- House of Commons, Standing Committee on Human Rights and the Status
of Persons with Disabilities, Evidence, 2nd Session, 35th Parliament,
3 December 1996. (Topic of discussion: Video Surveillance)
- Privacy Commissioner of Canada, The Privacy Act - An Office
Consolidation and Index, Ottawa, 1995.
- Parts VI and XV of the Criminal Code.
Genetic information, a sub-set of health information, is of increasing
interest to public health care managers, to the insurance industry, and to
employers. Apart from using it as forensic evidence in criminal investigations,
there are several uses to which genetic technologies might be put:
1. genetic screening of a broad range of the population for a particular gene or
combination of genes (e.g., cystic fibrosis, breast cancer, heart disease) to
identify the presence of a single gene or combination necessary for a
genetic illness
2. genetic testing (where evidence indicates the probability of the presence of
a gene) to verify the likelihood of an individual developing a genetic
condition (e.g., Huntington's disease)
3. genetic monitoring to ensure that individuals who are working in high-risk
occupations (e.g., with chemicals) are not affected by their work
environment
As the cost of gathering genetic information decreases, the pressure
towards its more widespread use will increase. In the past, the high cost of DNA
analysis has been one of the constraints on more widespread use of this
technology. But as the costs of carrying out this analysis decrease, some
observers have pointed out that applied genetic research will make -- or save --
some businesses or institutions a lot of money. Insurance companies, private
employers, governments and educational institutions all have an immediate, or
potential, interest in promoting large-scale genetic screening to identify
individuals carrying disease-associated genes. Economic pressures to apply
genetic tests to broad sections of the population may increase as biotechnology
companies develop and sell genetic testing products and services.
Because things are moving quickly in this area, it is time to consider
possible consequences -- such as discrimination -- that might result from real
or perceived differences from the `normal' in a person's genetic makeup. This
might occur in the workplace, in access to social services, insurance
underwriting and the delivery of health care. American studies have uncovered
cases where new, renewed or upgraded insurance policies were unobtainable
even if individuals labelled with genetic conditions had no evidence of -- or
assurance of -- developing a disease associated with this genetic abnormality.
People who are poor and uneducated, or those with fears about their job security,
may not be willing or able to negotiate the complexities of the current legal and
regulatory systems to secure their rights. Other individuals who are currently
healthy may -- consciously or unconsciously knowing the implications --
refuse a genetic test and thereby suffer adverse consequences.
Data protection and privacy are serious concerns with regard to the
collection and use of genetic information. This concern stems from the
differences between genetic information and other personal information:
- Knowing about an individual's genetic makeup also provides information
about relatives.
- All DNA information is contained in nearly every body cell.
- Genetic information not only provides certain knowledge about personal
identifiers (height, build, skin colour, intelligence) but also information
about possible behaviours.
- Individual genetic information cannot be altered.
- Genetic information can indicate what will (or may) happen to health in the
future.
When the Standing Committee on Human Rights and the Status of
Persons with Disabilities held Roundtables on genetic technologies, several
questions, technical and practical, were raised:
- What can the science of genetics predict versus what it cannot predict?
What is the level of understanding about the variable nature of many
genetic conditions? (Some individuals with a genetic abnormality may
never develop a disease, others may only develop the mildest form of a
disease.)
- What is the difference between the predictive ability of genetics when
dealing with a single gene disorder versus a multiple gene disorder?
- How many single gene disorders are there, compared to multiple gene
disorders?
- What is the interaction between genetic factors and environmental and
behavioural factors?
- What is the difference between treating an individual with a genetic
condition (for example, Huntington's chorea) differently from an
individual with a non-genetic predisposition to contracting an illness such
as diabetes?
Though hundreds of diseases, for example Huntington's and
haemophilia, are caused by a single faulty gene, each of these diseases is quite
rare. Even if these genes were eliminated, some estimates put the effect on the
world's `disease burden' at less than two per cent.
With regard to most diseases, the contribution of faulty genes is less
clear. A gene, for example, might be a necessary but not a sufficient cause of a
disease. Sometimes an environmental factor might be needed to trigger the
disease. Sometimes, more than one gene may need to be faulty for a disease to
develop. In other cases, some forms of a disease might be genetic while other
forms may not be (e.g., breast cancer).
Experts have pointed out that the very presence of a genetic
technology "ups the ante" for the individual who may be subject to the test.
Social or peer pressure to take such a test, for example, can result.
In his 1995-1996 Annual Report, Bruce Phillips, the Privacy
Commissioner, stated that he believed that it was important to ensure that a
DNA database does not become subject to what he called `function creep.' By
this, he meant resisting the pressure to keep adding to the list of offences for
which testing is allowed. The same has been said of genetic screening and
genetic testing. "The pressure to do just that is present in our society, a product
of the very existence of technology and the belief that technology can solve all
our woes, if only we let it." In addition, Mr. Phillips proposed that DNA samples
be discarded to prevent unrelated secondary uses such as looking at genetic links
to crime. This is also a concern in terms of genetic information entering
large-scale data banks now used to store personal health-related information.
Individuals' health profiles, which can include genetic conditions, may be
available privately and may be accessed in a manner analogous to credit checks.
FOR FURTHER INFORMATION:
- House of Commons, Standing Committee on Human Rights and the Status
of Persons with Disabilities, Evidence, 2nd Session, 35th Parliament,
4 June 1996. (Topic of discussion: Human Rights and Biomedical
Technologies)
- House of Commons, Standing Committee on Human Rights and the Status
of Persons with Disabilities, Evidence, 2nd Session, 35th Parliament.
(Topic of discussion: Privacy and Genetic Testing)
- Privacy Commissioner of Canada, Genetic Testing and Privacy, Ottawa,
1992.
- Privacy Commissioner of Canada, The Privacy Act - An Office
Consolidation and Index, Ottawa, 1995.
THE NEED FOR PERSONAL ID
The need for individuals to prove their identity to others is as ancient
as civilisation itself. Over the centuries, as this need has grown, identification
methods have become increasingly more sophisticated. The anonymity of
today's large cities and the complexity of our daily transactions have made
personal identification systems a necessity of modern life. The ability to
accurately and reliably identify individuals is especially critical to
governments, businesses, and other service providers, so they can operate
efficiently, control fraud, and provide better quality services.
Simon Davies, who has written extensively on the topic of personal
identification, notes that three basic methods of identification are used today:
(1) identification by an object, such as a card or papers; (2) identification by
something you know, like a personal identification number (PIN) or a password;
and (3) identification by something that is part of your physical makeup, like
your photographic image, fingerprint, voice or eye pattern. The latter form of
identification, which relies upon an analysis of a physical characteristic of a
person, is known as biometric identification. It is considered to be the most
reliable of the three types of identification. At least two, and sometimes all, of
these methods of identification are combined in the various advanced
identification cards being developed and tested today.
SMART CARDS
Smart cards are one example of an emerging high-tech card. They are
being used and field-tested for a variety of applications in North America and
appear, at this point, to have the potential to be adopted widely for personal
identification purposes. A smart card is a card housing a micro-processor and
memory storage space; thus, it is essentially a credit-card-sized, portable
personal computer. It can calculate, encrypt, and record data. It can operate as a
self-contained information system or interface with computer networks and
centralised data banks.
Smart cards have a number of applications, including acting as:
access cards or keys to buildings and equipment; stored-value cards which
serve as electronic cash; and personal data storage cards which can function as
portable records systems, one example of which would be a patient's health
smart card. A smart card may combine any or all of these three applications.
Contrary to a popular misconception, smart cards are not the same
thing as magnetic stripe cards. The magnetic stripe card, the best known form of
which is the credit card, can carry only a limited amount of information, such as
the cardholder's account number, name and the card's expiry date, whereas a
smart card can hold the equivalent of two to 20 pages of typescript or 50 times
that volume if data compression techniques are used.
WHAT MAKES PEOPLE UNIQUE
Personal identifying information is needed to establish or
authenticate one's identity; it is a critical ingredient of all identification cards.
Personal identifying information is what makes each person unique and
distinctive. It may include, for example, one's date of birth, age, sex, height,
weight, eye colour, address, DNA makeup, fingerprints, blood type, religion, or
ethnic origin. The risk that someone, without proper authority, could access,
disclose or use such confidential information is the most serious privacy
concern associated with advanced identification cards. Ultimately, the success
or failure of advanced card technology experiments may depend on whether the
public can be persuaded that these cards can properly safeguard the highly
personal information contained in them. For example, in the case of health
smart cards, most cardholders probably would want to be certain that the
confidential health records which they contain will only be accessible to the
appropriate health care providers for medical treatment purposes and not be
disclosed to outsiders, such as insurance companies or employers. Without
proper assurances, people might resist voluntarily adopting the technology.
SENSITIVE INFORMATION
Society's conviction that sensitive personal information warrants
special protection from abuse is reflected in various data protection laws around
the world. Strong and enforceable data protection legislation can offer an
important degree of security; but legislation, alone, may not be sufficient to
prevent abuses of the personal identifying information collected, generated, or
disseminated using advanced card technology. Additional protection could be
provided by other measures, such as raising public awareness about privacy
rights and protections, encouraging the development of privacy enhancing
technologies, building privacy considerations into the design and
implementation of such technology, or conducting formal, independent privacy
impact audits of new advanced card technologies.
High-tech, high-quality identification systems offer the potential to
reduce fraud and promote greater administrative efficiencies -- goals which are
in everybody's interest. On the other hand, the identification systems that can
best achieve these goals tend to be physically invasive and to depend on
collecting very personal information. Most people probably would agree that
this type of information warrants stringent protection. Therefore, the challenge,
in the case of high-tech ID cards, is to make them ever more accurate and
effective while guarding and preserving the confidentiality of the personal
information they use. The question is how best to meet this challenge.
FOR FURTHER INFORMATION:
- House of Commons, Standing Committee on Human Rights and the Status
of Persons with Disabilities, Evidence, 2nd Session, 35th Parliament,
10 December 1996. (Topic of discussion: Advanced Identification Cards)
- Rita Reynolds, "Privacy and Technology," Address at Technology
Pathways to the Future -- Bell and Government Connecting Canadians,
17 October 1996.
- Privacy Commissioner of Canada, Privacy Framework for Smart Card
Applications -- A Discussion Paper, Ottawa, July 1996.
- Privacy Commissioner of Canada, The Privacy Act -- An Office
Consolidation and Index, Ottawa, 1995.
- Ken McQueen, "After SIN: National Identity Numbers?" The Gazette,
Montreal, 2 February 1997, p. A1 and A5.