[Recorded by Electronic Apparatus]
Thursday, October 24, 1995
.1106 
[English]
The Chair: The meeting of the Standing Committee on Human Rights and the Status of Persons with Disabilities, in which we will be discussing the issues of the valuing of human rights and the interplay between privacy and modern technology, shall start.
As you will recall, this committee is considering undertaking a study on privacy over the next months, and what in particular we will study among the many issues and concerns surrounding the right to privacy is what we're looking for.
Our meeting on Tuesday set out a series of parameters from the three interveners at that time. Today, via videoconferencing, we're going to have the pleasure of hearing from two more experts in the field. We will be hearing from Simon Davies, who was really quite dynamic when I heard him last time, and Marc Rotenberg.
I think it's important for you both to know that we are a standing committee of the House. We have a clerk of the committee, Wayne Cole, and from the Library of Parliament research staff in the law and government division we have Susan Alter and Nancy Holmes as our researchers. We're very fortunate to have Liberals, Bloc Québécois members and Reform Party members on our committee. I would like our members of the House of Commons committee to introduce themselves.
I'm Sheila Finestone, chair of this committee.
[Translation]
We will start with the vice-chairman, Mr. Bernier from the Bloc Québécois.
Mr. Bernier (Mégantic - Compton - Stanstead): My name is Maurice Bernier and I am the vice-chairman of the Standing Committee on Human Rights and member of Parliament for Mégantic - Compton - Stanstead, in Quebec.
[English]
Mr. Scott (Fredericton - York - Sunbury): My name is Andy Scott. I'm the vice-chair of the committee and the member of Parliament for Fredericton - York - Sunbury in New Brunswick.
The Chair: Oh, I'm sorry, the member from the Reform Party, please, who happens to be the House leader. Go ahead, Deborah.
Miss Grey (Beaver River): No, she is not the House leader.
The Chair: What are you?
Miss Grey: Ray Speaker is our House leader. My name is Deborah Grey. I'm a Reform member of Parliament from western Canada in northern Alberta. The name of the constituency is Beaver River. I'm the caucus chairman and the deputy parliamentary leader.
The Chair: Thank you very much, Deborah.
Russell.
Mr. MacLellan (Cape Breton - The Sydneys): My name is Russell MacLellan and I'm the member of Parliament for Cape Breton - The Sydneys in Nova Scotia.
The Chair: Sarkis.
Mr. Assadourian (Don Valley North): My name is Sarkis Assadourian. I'm a Liberal member of Parliament for Don Valley North.
Mr. Allmand (Notre-Dame-de-Grâce): My name is Warren Allmand. I'm a member of Parliament from Montreal.
Mr. Assadourian: And a Liberal.
Mr. Allmand: And I'm a Liberal. I think I'm a Liberal.
Some hon. members: Oh, oh!
Mr. Allmand: I was this morning.
.1110
The Chair: Essentially we're hoping to hear from you, Simon, and from you, Marc, what the needs are that we have to meet to better protect individual personal information in this age of interconnected data banks and computer networks. Some of the topics identified for possible study by this committee include privacy and technology in the workplace, privacy and technology in the marketplace, data surveillance by government, and physical surveillance in public places. We're looking forward to having your comments on which, if any, of these are the directions in which you believe we should be headed. I just thought I would bring you up to date.
Tuesday, in listening to our witnesses, the topics recommended for us to look at in valuing human rights were genetic testing in the workplace from Dr. Flaherty, plus looking at these issues from a more holistic perspective as a social and human rights issue and not simply as a general data collection or protection measure.
They also recommended drug and alcohol testing, surveillance cameras in the workplace and in public places, and data protection on the information highway, particularly in the area of commercial transactions.
Really, if we want to define what privacy means, it is quite flou even though it is in the Universal Declaration of Human Rights and in the International Covenant on Civil and Political Rights. How has this evolved? What is the right to privacy and what does it entail in the context of the modern technological world? What has been the general effect of technology on human rights and privacy?
I guess the last question is this. If we are of the view that the limits on personal privacy define in large part the limits of our freedom, and that we should not be compelled to share our confidences with others because this really is the hallmark of a free society, what do we need to do and where do we need to go, from your vast experience both as advocates and as writers in the field?
I guess first we're going to have the privilege of hearing from Marc. Marc, would you introduce yourself, please. Some of us had the pleasure of meeting you when you were here not too long ago with the privacy commissioners.
Mr. Marc Rotenberg (Director, Electronic Privacy Information Centre, Washington, D.C.): Thank you very much for the opportunity to speak with you. I should apologize first. It was not my choice to be in a dark room. Even though I'm a privacy advocate, I prefer bright light. So I will try to convey my views.
Mr. Rotenberg: I am the director of an organization in Washington called the Electronic Privacy Information Centre. We have taken as our mission the goal of trying to understand the privacy implications of new technology and to provide an opportunity for the public and the policy-makers to affect this change.
It is very much our view that these technologies can be shaped in ways that promote freedom, protect privacy and preserve constitutional liberty, just as they can be used to extend surveillance, to limit autonomy and to constrain the rights of the individual. The former is, for us, a central goal.
Before I proceed, I should also say we have a very good collection of privacy materials covering everything from drug testing and workplace privacy to encryption and international developments. These materials are available to anyone on the Internet at our web address, which is epic.org. I would be very pleased if you were able to make use of those materials in your work.
.1115
You set a broad and, if I may say, ambitious agenda. It is not a surprising agenda in the sense that privacy is a broad and ambitious right, an assertion of personal freedom. Justice Brandeis once described the right of privacy as the most comprehensive of all rights and the right most valued by a free people. But it is, of course, very difficult when you look at the specifics to understand where the privacy interest is implicated and what is the best technique to protect personal privacy.
I think one of the guideposts in this policy area is to understand, first of all, that privacy issues arise whenever you are talking about the collection and use of personally identifiable information, in whatever form it may take and however it may be used. This is an important line because there are a lot of circumstances where I think it is fair to say new technology allows for the processing, collection and use of information but does not necessarily implicate a privacy right, unless there is a particular individual who can be identified.
It has long been the view that the best way to deal with the problems that new technology creates is to try to regulate this collection and to try to regulate this use. Data protection, as generally understood, is the legislative attempt to control the use and collection of personal information. This is an important goal; it is a critical goal. I think the work in Canada across the provinces and the work of the federal government to extend data protection has been very successful. So have the efforts of the Europeans through the data directive to harmonize national law.
At the same time, it is also becoming clear there are techniques that can be used to protect privacy as well. These techniques take as their starting point, as does legislation, the problem of the collection and use of personal data. The critical technique to protect privacy is to limit or eliminate the collection of personal information. In the realm of communications, it is to ensure personal information can flow without the risk of unauthorized use or interception by others.
It is because of these two developments that the current debate about encryption and anonymous payment schemes have taken on the great scope that they have in the United States and elsewhere.
It is my view that in the 21st century the great challenge for those who value the right of privacy will be only partly to regulate technologies that intrude. It will be more to ensure that the freedom to use technology to protect privacy is not constrained by the state.
This, I guess, is my primary message to you this morning. I hope your committee, in its work on behalf of human rights and the freedom of the citizen, will stand up for the opportunity of individuals to engage in private communication without interception by others, by government, and by private parties. At the same time, I hope you will stand up for the right of individuals to engage in anonymous communication so their footprints, the records of their activities, are not routinely recorded.
.1120
This issue is most critical in the development of the Internet because, as we say, the concrete is now setting. The practices that are being put in place today on the Internet regarding speech, privacy and electronic commerce will be with us for many years to come.
We need clear direction from governments around the world that techniques that extend the privacy rights of citizens will not be opposed. Indeed they should be supported. I know in Europe, for example, David Chaum, the inventor of DigiCash, has proposed methods that provide for anonymous payment and has received support from the European government.
I should be careful at this point, even in my advocacy of some of these techniques, not to overstate the case. Any solution, whether it's technical or legislative, will necessarily be imperfect where matters of privacy are concerned.
A solution that recognizes as its primary goal the protection of personally identifiable information, whether recorded from a purchase, a video camera or a telephone conversation, and then proceeds, through legislative and technical means, to protect or where possible eliminate collection is a solution that's heading in the right direction with regard to some of the challenges we face in the next century.
The Chair: Marc, as I knew from having listened to you before, you are extremely succinct, and for this I thank you.
You certainly raise a new dimension in that wide spectrum of areas where we have to select what we want to address. This seems to be an area that fits very well into a legislative mandate. I thank you for setting that into place.
At this point I would like to call on your colleague, Simon Davies, if he is available. We'll come back to you with questions from my colleagues after we've heard from Simon, and perhaps you will want to comment for a couple of minutes on what Simon may say, as Simon may now comment on some of the things you have said.
We've set our timing to include 10 to 15 minutes by you and 10 to 15 minutes by Simon and then of course the questions.
Simon, are you there?
Mr. Simon Davies (Director General, Privacy International Inc. (U.K.)): I am indeed. Am I coming through clearly?
The Chair: Yes, thank you very much.
Simon's another guest who's very witty, a little bit cynical and quite a delight.
Please go ahead, Simon; introduce yourself. I've said just a few of the things that won't be so easily noticed.
Mr. Davies: I think I'll tone down my presentation now.
I am a visiting fellow at the London School of Economics. I specialize in computer security and information systems. I'm also a visiting law fellow at the University of Essex and I'm director of an organization called Privacy International, a sister organization to Marc's EPIC, which specializes in raising awareness in various countries. We've worked in about 25 countries on different subjects, such as identity cards, military surveillance, closed-circuit television and so on.
First I want to explain a definition as I see it, which might assist, and second, I'd like to talk about some of the trends I see emerging across the world.
I've just come from COMSEC, the computer security conference, where I had to speak in front of several hundred industry security people, so I had a rough ride trying to provide this definition. But my view very clearly after a few years in this field is that privacy is very much a question of a power relationship between the individual and the state, or the individual and the world around, and that could be organizations, other people or governments. It's a virtual wall you build around yourself, supported by conventions, legislation, privacy technologies and any number of things.
.1125
That's my matrix for seeing privacy. It's not a legalistic interpretation. In fact, as we go on I'll explain why I believe law has to keep in mind that it can legitimate surveillance as well as stopping it.
I see four trends emerging across the world of technology; and it would be wonderful if the committee could consider these. The first trend is one that is starting to reach public consciousness. It is the capacity and the variety of information technologies that are capable of surveillance. This is the only trend that has intrigued the public at this point.
The committee is well aware that computer technology now has virtually limitless capacity. The ability to identify individuals and to track their movements is now well known. I won't bore you with the 190 categories of surveillance technology I have identified, but many of them will be known to Canadians and in use by their governments and private companies. There are other very important trends that must be taken into account by any investigating organization or investigating body.
The second of the trends is convergence. I don't think the public have quite understood the importance of the convergence of technologies. An example is closed-circuit television in the United Kingdom. We have literally hundreds of thousands of cameras covering public spaces. The public see these as just cameras, whereas in fact they have become integrated with the telecommunications system, which in turn has become integrated with the Internet. Now we have what is commonly referred to in Britain as the ``fifth utility''.
With that convergence comes an extraordinary capacity to put individuals under surveillance, both en masse and according to each individual need. That trend, I think, has been all but ignored, because it is complex, but nevertheless it needs to be outlined, because every technology is now, if you like, able to match with every other form of technology.
There's no such thing as a stand-alone computer. Much as I think my Macintosh does not speak to any other computer apart from a Macintosh, the bottom line is that all technologies are now coming together. So we can't view this in the context we did in the early 1970s, that we have a stand-alone computer sitting in a bunker, collecting information in a very anal retentive way. That doesn't happen. It's very much a networked environment.
My view is that when the public grasps this, privacy will become as much a political issue as it did twenty years ago.
The third trend - and I've only just been able to study this in recent months - is that surveillance has become an intrinsic, built-in component in all information technology. This is allied to what Marc was speaking about before, the capacity for technology actually to protect privacy. But the way things are in 1996, virtually all information technology is surveillance technology. It's partly because governments and private organizations see a lost opportunity to create wealth, to create information that could be useful for government planning or police operations.
The problem with electronic cash, for example, is that invariably there is an audit trail, whereas there was the capacity to have genuinely anonymous electronic cash. There is the possibility of having anonymous or pseudo-anonymous medical registers, which would make people comfortable about giving information to medical authorities. Instead we have name-linked systems, because that's the way things have always been done. We could have cryptographic systems that actually do protect individual rights. Instead we have governments that clamp down on those systems. It goes on almost endlessly. By the time you get to the end of the list, there's another example.
The final trend I see emerging across the world - and this is absolutely vital for the committee's consideration - is the emergence of what I call ``pseudo-voluntariness''. In other words, a technology will be introduced in an allegedly voluntary manner. For example, an identity card will be established for any number of reasons, but ultimately what happens is that the card itself involves some sort of cost if it's not produced or if it's not....
.1130
We're having this debate at the moment in the United Kingdom. I'm sure it parallels the discussions you have had in Canada. The card here invariably, whichever party introduces it, will be voluntary. However, there will be extraordinary costs associated with non-production of the card, because it will be in the hands of private sector organizations. Those organizations will demand compliance with the identity card system from those groups who can least afford to purchase the card.
You may decide in Canada, if you go the ID card route, that this comes out of consolidated revenue. In Britain, there's been a general consensus that we have a direct cost to the consumer, so a whole of range of consumer issues come out of that.
Those, as I see it, are the emerging trends internationally. I am optimistic that this is going to become a very important public issue. The public's consciousness resides only in the first level. As the whole idea of privacy protection seeps further into public thinking, you will find this becomes a crucial issue.
I believe the pendulum has gone as far as it can towards surveillance and is now coming back. That's why the committee's work at this point in history is so crucial.
I'll stop at that point.
The Chair: Simon, I think you were the one who shared with our staff some of the privacy concerns that come out of the hard drive on e-mail, and the fact that in many large corporations they examine the e-mail they retrieve as well as voice mail...and also the request out of the state of Illinois for the full list of abortions that occurred from 1970 to 1986, developing a special abortion list, which has, of course, very serious connotations.
Could you elaborate on this e-mail and the private accounts and the right of the employer to have surveillance on the employee?
Mr. Davies: Could I pass that one across to Marc, who is more familiar with the North American legislative situation. I could certainly paint things from Europe, but there are, I know, some crucial cases that would be relevant to Canada.
The Chair: Yes, I just thought it fit into the four trends you were talking about with respect to the built-in component and built-in technology.
Mr. Davies: Yes, in that sense, if I could talk generally for a moment, the problem with electronic mail and the Internet is that it is being - I'll speak from the British perspective here - brought to heel.
You'll find that people will use the Internet for the accumulation of data of an increasingly sensitive nature. We've had an enormous difficulty in educating people about the risks in doing so, but now we're finding that, for example, doctors will put medical information through the Internet, not quite understanding the vulnerability that data faces.
When you see, then, the whole process of the Internet and the net converging to create, if you like, the new generation of telecommunications, the problem is that the technical capacity and the risks associated with that information technology have far outpaced people's ability to understand the risks inherent in the technology. In other words, it's gone far too quickly.
When you talk to people who have a technical grasp of the technology, at least how to operate the technology, by and large they don't understand the enormous security and privacy risks in placing data onto the systems. That has to do, as much as anything, with two factors: the speed of development of the technology and its extraordinary power, but also the fact that coming onstream now are very user-friendly programs that invite you to put large amounts of information onto a public resource, onto the Internet, but don't warn you of the associated risks.
To the list you have given I would add, for example, all sorts of lists that have recently been released. I believe in Florida many thousands of AIDS patients have found their information has come onto.... I wouldn't say it has become public, but it has certainly somehow leaked out of the system.
.1135
That's a general problem with computerization. We have the driver's licence problem, of course, in our own state, where all the driving licence details are made public on the Internet. In our country we find the Internet is used for the publication of people with criminal records. Okay, it's public, that's true, but the problem is you can sort by name through people with a criminal record in this country, and that invites all sorts of other problems, vigilantism and so on.
The Chair: Thank you very much.
Marc, perhaps you would answer that as part of the answer you might give one of my colleagues as we start the questioning here - unless, colleagues, you want to hear from Marc on that particular issue of surveillance and stealing, R and D and design and e-mail surveillance by the employer of the employee.
Marc, was it you who had given us that information?
Mr. Rotenberg: I don't think it was. I can say as a matter of law in the United States, the way our wire-tap law works is that it prevents interception of electronic mail when it moves through a commercial mail service provider. For example, if you're using one of these companies which provide an e-mail service, there's some legal assurance that your communication will not be improperly disclosed. But of course much of the electronic mail today moves within an organization, within a business, or across the Internet, and in many of these situations there is no legal protection.
I think the workplace example you've mentioned, which is also under consideration for the report, is particularly important, because here it seems to me there are a couple of misconceptions about the rights of the employee in the workplace. I have heard people say, for example, the business owns the computer and therefore if the employee makes any use of the computer there can be no expectation of privacy. I think that view, at least on its face, is wrong, because employees routinely make use of their desk drawers, of telephones, of rest rooms, and so forth for activity that is private and would be viewed as private, and the fact that it may be owned by the employer or the business doesn't resolve the issue.
Certainly one of the goals in the workplace is to try to understand what would traditionally be a reasonable expectation of privacy. If someone has the right to pick up the phone and talk with a colleague with the understanding that the telephone communication, absent some extraordinary circumstance, would be private, should there be any less privacy if that individual chooses to send a message to a colleague by e-mail?
This issue has not been sorted out in the States by any means. We've had some court cases. Some of our states, California for example, tend to take a fairly strong view of the privacy issue. Other states, Tennessee for example, may not. At the federal level at the moment there is no single standard for workplace privacy, although I've been involved in a couple of efforts in Congress, going back to 1991, to establish a federal standard for workplace privacy.
The Chair: Simon, do you want to add something?
Mr. Davies: Very briefly. As an analogy, the law does not recognize who owns the envelope and the stationery. It recognizes only the data contained in a letter. So you'll find the ownership of the envelope and paper is irrelevant to the law of mail interception. Some of us believe the concepts of electronic mail should be given the same sort of protection. The computer hardware is irrelevant, and we have a precedent for that in law.
The Chair: Maurice, please.
[Translation]
Mr. Bernier: I have just heard Mr. Rotenberg and Mr. Davies talk about this whole situation arising from the new technologies. I have two questions for you, before raising other issues.
.1140
My first concern - and we have discussed the issue this week with other privacy experts, with representatives from commissions from various Canadian provinces - is the need to inform ordinary citizens about these new technologies and the way to do so.
Let me explain. In other words, how can an ordinary citizen find out what private businesses or the government know about him? How can an individual, wherever he may happen to live, know everything that is known about him and how can he obtain this information?
My second question is more specific. You talked earlier about various technologies and you mentioned the issue of surveillance. It seems to be a priority for both of you, if I understood you correctly, but I would like you to indicate, for the benefit of our committee, what recommendations you would make either to our committee or to any government as far as intervention is concerned. What kind of intervention could be made by a government as far as legislation or regulation is concerned and in what area?
This week, we heard experts who identified three areas on which I would like you to comment: the whole issue of genetic testing required in the workplace; the issue of drug and alcohol testing; and finally, the issue that Mr. Davies mentioned earlier, that is surveillance cameras in public places. Are these, in your view, priority issues requiring action? If you could do so briefly, I would appreciate your telling us how we should proceed. Thank you.
[English]
The Chair: Is one of you ready to respond?
Mr. Rotenberg: Let me begin.
The answer to the first question on how the individual finds out this information is it's not very easy to do so. In some instances where there is a law that establishes a right of access, an individual can go to an organization - a credit reporting agency, for example, or a medical institution - and get a copy of his own record. But as a practical matter, not many of these laws exist, and the time and effort required to exercise this right are quite substantial.
I sometimes make analogy to the routine practice that banks have of providing their customers with a monthly statement that shows their recent activity and their current balance. We take this for granted, but of course from an information viewpoint it's absolutely critical for a person who's trying to manage personal finances to have access to that information on a regular, routine basis.
My preference would be to see that practice extended to many other areas - medical records, credit reports and so forth - so that people would, on a routine basis and without additional effort, receive copies of information held by others that affects certain aspects of their personal life. That would be the right way to do these things, and I think over the Internet it will become more possible in the years ahead.
If I could add a second answer to the first question, I should say at the same time that many of the more technical developments are very hard for individuals to comprehend. I've heard people say individuals should be made aware of how these new practices are working and how data is being gathered. My feeling is this is almost a little bit unfair. If we were to consider, for example, the problem of pollution created by automobiles, we would not reasonably expect consumers to become experts in auto emission, even though it has a bearing on the purchase of a car and the use of the car.
.1145
For those types of problems you need the expertise of a government agency and the oversight of an independent agency to make judgments on behalf of the public. Frankly it is one of the shortcomings in the U.S. that we don't have an agency to play that role.
With regard to the second question on what the priorities are, this is always the most difficult question, because there are so many different issues in the privacy area. You listed half a dozen. I could think of 10 or 12 that would all seem quite urgent.
My own view is to try to focus on those areas where the biggest changes are currently taking place, because it is in the areas where the changes are currently taking place that you're likely to have the greatest impact. For example, Simon Davies was right to focus on the problem of the growing use of CCTV in London. The collection and use of genetic data, which is a recent development that could have widespread implications, is another one. I have been very interested in developments related to the Internet, because I think this will also have far-reaching implications.
My recommendation is to focus on the larger problems. They are more difficult to solve, obviously, but they are also the ones where your efforts are likely to have the greatest impact.
The Chair: Thank you very much.
Marc, a lot of us have asked ourselves this question. It's very great that the banks provide us all this detailed information, but do we know what the bank does with that information, such as how much we've spent on our VISA card? Do they tell Visa versus American Express versus Diners Club or what? What happens with the information the bank holds?
Mr. Rotenberg: I don't know exactly, but I would say if your concern is the disclosure of financial information, your first target should probably be the credit reporting agencies, because this is an industry that is built upon the sale of personal financial details. It is the credit report in fact that reveals a great deal of information about how your personal data is made available to others.
It's also a very difficult report to get hold of. You pay for it; it takes time; it's filled with errors; it's constantly changing. I'd like to see credit reporting agencies make that information routinely availably to consumers.
The Chair: Thank you.
Who's on this side first? I've forgotten already.
[Translation]
Mr. Bernier: Mr. Davies, perhaps?
[English]
The Chair: Mr. Davies, please.
Mr. Davies: With regard to the first question, in terms of making the citizen more aware of the data that is held about her, three mechanisms come to mind. The first, which is a partial solution, is the creation of registers of databases. It is very cumbersome, short-lived and underused, but some countries, such as the United Kingdom and Australia, use registers of computer databases.
The way this is done is that, for example in Australia, the privacy commissioner will publish on an annual basis a thick book containing all of the public registers, the sort of data those registers contain and the categories of people who are covered by those databases.
The second way - and it's perhaps more costly but certainly more effective - is to create a legislative mechanism of notifications where sectors of industry and government are required to notify, one way or the other, that they are holding data about you. Parallel with that is an access requirement in law, where of course you can go and see this information and have it amended if it's incorrect.
I do agree, though, that both of those mechanisms are underutilized and grossly inefficient, particularly now that we live in an information age. We can say we're in the first few years of the information age. I agree. I don't think the citizen should be required to be watch-dogged constantly because this will be come a very onerous responsibility.
.1150
It's becoming clear to me that the third mechanism is good, and that is the creation of routine mechanisms to raise public awareness - for example, privacy impact statements. If you have a controversial surveillance technology, a privacy impact statement, which could take the form of a hearing such as the one you're conducting now, raises public awareness.
People with inquiring spirits seek the core issues from the development of information technology. That's packaged in such a way that the media might find attractive and certainly the citizenry could find attractive. Again, a parallel solution is regular annual hearings or reports that create some sort of statement of what is being proposed in this field, who knows what, how they know it and how they use the information.
Those public hearings are conducted at government expense, or public expense, but I would imagine they could have enormous influence on shaping public opinion. Those are the only three mechanisms that come to mind in terms of having people raise their awareness of these issues.
You also asked what the key issues are that require regulation. I agree with Marc that this could be a long list, but two things need to be borne in mind. First, if you go for sectoral regulation, as the United States regrettably appears to have done, you end up creating legislation to protect video records at the expense of more complex and comprehensive problems that are just not addressed.
It might be useful to legislate for a mechanism that is proactive and able, with great foresight, to see these issues before they become major problems. By and large, as you know, there are many years between the idea for a piece of legislation or regulation and the final creation and enactment. That's often too late because by then, as Marc says, the concrete could have set.
Having said that - again I'll go internationally on this - genetic and medical data are clearly in the lead. It's a very important area, because then you have genetic data being used in so-called voluntary ways so people can get discounts from insurance companies.
We have all sorts of problems in Europe with this. As advocates and consumers, we do not want insurance companies able to get DNA and genetic data. It's very much the thin edge of the wedge. I think medical databases, insurance databases and genetic information will be one of the great hot-spot issues over the next 10 years, and we must get that sorted out immediately around the world.
Biometrics and biometric identification involve the collection of data relating to your personal characteristics - for instance, fingerprints and hand prints.
The Chair: Excuse me, Simon, are you talking about smart cards or swipe cards?
Mr. Davies: These could be collected on a smart card. Canada in actual fact is a participating country in the INSPASS system. Are you aware of this?
The Chair: Do you mean the Rimouski experience in Quebec?
Mr. Davies: No, the Rimouski experiment involves the health card. That raises its own issues. I'm sure Paul-André Comeau discussed those.
The INSPASS system is the automated immigration and passport control system the United States is pioneering. Canada is a participating country. The aim is to have a substantial number of passports, or at least passport processes, replaced by a hand print within ten years. That raises enormous questions of human identity that need to be addressed now.
The Chair: Thank you very much.
Russell.
.1155
Mr. McLellan: Thank you very much, Madam Chair. I think there's a lot of skepticism already about how to control personal information being collected by unauthorized sources. Those of the public who are aware of this problem are very concerned that no one really knows how much personal information about them is on record. Secondly, they don't really believe there is a means of restricting personal information being collected by unauthorized sources.
On Tuesday we heard Ann Cavoukian talk about enlisting technologies to protect privacy. She said there is certain information that isn't necessary, and unnecessary information shouldn't be passed along. That would limit some of the unauthorized information unauthorized sources would have on individuals.
The question is, how do we know that the information is going to be limited? How do we check that? Certainly there are reviews, but how effective are they going to be?
We talked about the banks and accountability, and I would suggest to our witnesses - and I would like their comments on this as well - that the record of the law in bringing to justice those who commit white collar crime has been very poor. If a bank, for instance, has an employee who shaves a fraction of a cent off everyone's account, and that adds up over time to quite a bit of money, it doesn't even make that person known to the public. That person is dismissed and no none ever knows a crime has been committed.
We have some very fundamental procedures here. First of all, we have to know when crimes have been committed before we can talk about punishing those who commit the crimes. I would just like some ideas on what we have to do. I think we have a long way to go.
The Chair: Thank you. Marc or Simon, you can pick up on anything you wanted to add prior to this. Then we're going to have Deborah Grey on next. Go ahead.
Mr. Rotenberg: I don't disagree with your point. It is a particular problem in the privacy realm because the cases that attract the most attention are the ones that people most quickly recognize as traditional forms of crime.
One example is the health care worker who disclosed the names of 4,000 AIDS patients in Florida. You and I can understand that as a problem and probably, without too much difficulty, see the need for some legal sanction. But the more difficult issue is the maintenance of the record itself - the collection of the data. Did the organization take appropriate steps to protect it? Were there better technologies? These are not issues that are likely to be resolved by legal sanction, so we have to find other means.
I would also like to pick up on a second point you made regarding the public perception. I'm afraid it is part of Orwell's legacy that people often feel powerless when confronted with these new privacy problems and they believe they're largely beyond control. But we have seen in the United States, Canada, Europe and other parts of the world, particularly in the last few years, more citizens groups, experts and academics are objecting publicly and politically to privacy invasions that could have been avoided. I'm almost certain that in the years ahead you will see a greater public willingness for change and safeguards that are necessary to protect personal privacy.
The Chair: Simon.
Mr. Davies: The hon. member puts his finger on an important point, and that is public confidence. I think there are two fundamental problems here. The first is that public confidence in institutions has been largely shaken. I'm sure this is a problem far deeper than anything we can fathom here today. But in a sense, that is another legacy we have to live with. Over the past 20 years the sacred cows, one by one, have been burst. Any assurances that protections are going to be enshrined will therefore be met, by and large, with cynicism.
.1200
There are mechanisms that can be put in place. I thought long and hard about what the role of this inquiry and this committee could be in this, and what came through very clearly is that people want leadership and they want passion. People don't want to believe it's too late and all of their information and all their privacy has gone. They don't want to believe there is a technological determinism sweeping us into the next millennium without any controls. I believe it's far more fundamental than that, and that people's passion for this subject remains but is largely latent. It can be brought out, but it requires leadership. What I see precious little of in Europe is leadership from institutions that have a capacity to inspire the public.
Hence, we come back full circle to the cynicism - the enormity of public distrust of institutions. That is going to be the toughest question this committee has to resolve, and it's much broader than privacy. Anything you institute has to face that one question: will the public believe this is a mechanism or a law that actually works? My belief is that the public can have faith, but what is required is a serious commitment, and a commitment on a broad and a very philosophical level. This isn't tinkering around at the fringes. It's far deeper than that.
The Chair: Excuse me, Simon. Are you basically saying that while our Minister of Justice and our Minister of Industry would be presenting a very substantive plan that would include what is known here as the Canadian Standards Association - which is looking at the protection of information within industry by what is in essence a code of ethics - human rights go beyond the economic and technology focus, and that the population would be sensitive to that if it was properly placed before them? If you covered industry -
Mr. Davies: Yes, indeed. I believe the economic part of one of the trends identified across the world is the commoditization of privacy. In other words, privacy has in many senses become a commodity that can be traded off in return for either a better level of service or product, or the minimization of penalties. So there is this economic imperative that is starting to emerge.
My own view is that this is only a very small part of the picture. As far as public administration is concerned, privacy must be viewed not as an economic component, but as a fundamental human right enshrined, and one that's connected very much to dignity. It's the dignity element that I can't help but feel.... I've been to Canada many times, and the sense that I have gotten is that the questions of dignity and autonomy are central to the Canadian psyche, if I can be that brutal and say that there is a Canadian psyche. Those are two qualities that I believe come through, and I believe that privacy is central to those two qualities. That's why any government supporting privacy would be supported by the public.
The Chair: Thank you.
Deborah, please.
Miss Grey: Good morning. Thank you for being here.
It's one thing for us to sit around this room and talk about what the public wants, but let's boil this right down to the fact that we are citizens as well. We can sit here on Parliament Hill and think we are trying to do all this for the public, but we are victims - if I can could use that word - as much as anyone else. I continue to get phone calls at home and letters all of the time from people who own hotels where I have stayed. They have access to me, and here they are asking me for all kinds of things or trying to sell magazines or whatever. So I think we have to realize that we're just as concerned about this on a personal level.
When you talked just a few moments ago, Simon, about governments intervening to help people, to let them think their best interests are being looked after, you used the word ``cynicism''. I suspect there's an incredible cynicism across the country. For instance, our social insurance numbers were to be our protection. They were our guarantee of privacy and would not be used for anything other than that for which they were intended to be used, yet there has somehow been an incredible seepage or leakage, and a social insurance number can be passed around at will.
.1205
Regarding freedoms and our right to privacy, which you have both spoken about, I wanted to ask you, Marc, about the comment you made about how our challenge in the 21st century will be partly to regulate technologies, but will be more to make sure that the freedom to use the information is not confined by the state. In other words, I have freedom, but when my freedom comes up and crashes face to face with your freedom or your rights, we are in a real dilemma here. Could I get both of you to comment on that?
For instance, with the Internet, where there is just such an ultimate freedom now, we can't go back. We obviously cannot go back to eliminate the Internet. We're here in a technological age. I think the fact that we're chatting back and forth on a TV screen is living proof that there are so many positive aspects of technology. But what can be done about the fact that we cannot go back and say this can't happen? Can one country, or a series of countries, come up with legislation or regulation that is going to solve these problems of our rights crashing into each other to a point where my freedoms intersect or overrule yours?
Mr. Rotenberg: By way of clarification, let me first say that I was not talking about the freedom to use information, although I of course think such a freedom exists. I was talking about the freedom to use technology that protects privacy. I made this point because I think it dramatically changes our understanding of the relationship between the state and the citizen in this realm of privacy and technology.
The traditional relationship was that the state will protect the citizen from technology that intrudes on privacy. We have had experiences recently, however, in which citizens had technologies to protect their own privacy and the state said it was against their using this technology because it impeded the state's law enforcement function or it impeded its intelligence function. In the United States, there is just a tremendous debate over this today.
On the larger question that you asked concerning whether or not a government or a group of governments can effectively regulate, I don't think we've yet seen the answer to this. Clearly, one of the big issues of today that we haven't talked about is the concern about pornographic materials on the Internet, for example. We have legislation in the U.S. - and there are now measures in other countries - to try to regulate the availability of this information on the Internet. Some people say governments won't be able to effectively regulate it because there will always be a way to put this information on the Internet.
I think governments can in fact have an enormous impact - maybe not at a 100% level, but possibly at 98% - and can regulate particularly when working in cooperation. Sometimes this can produce a good result, and I think the European directive may be a good joint effort to protect privacy. But sometimes it can present a problem. I would not like to see regulation to limit speech on the Internet, for example, but that could happen.
Mr. Davies: The hon. member mentions the question of regulation of the Internet perhaps being difficult. I have an anecdote that is currently in force in the United Kingdom and that could be of interest.
It is true that the government has found some difficulty in regulating the content of the Internet, but it has come up with what I regard as an ingenious scheme of voluntary compliance. An organization called the Internet Service Providers Association has been established with the intent of creating a consensus across all Internet service providers in Great Britain. There are about 150 providers of Internet services, and until that had happened, there was no single voice. You genuinely had free choice in the sort of material you could get on the Internet, and the sorts of services.
.1210
Because there is now a single private sector voice, a voluntary compliance policy has been established. The first mark of that policy was the abolition of around 148 newsgroups, most of which were concerned with child sex. But in abolishing the child sex news groups, alt.home.sexual has also gone, as have alt.senior.citizen and alt.fetish.feet. The question of balance has been all but ignored in the pursuit of a quick voluntary solution. Basically, anything that contains a component part of the problem is entirely abolished.
Now, the first question that must be addressed here is whether or not the government has abandoned its responsibility to engage in public debate on the issue in return for just cutting a deal, as it were, with private sector. The second is how far it should go.
I asked one of the police involved in the liaison with this voluntary system if there was a limit to how far they would go on censorship. The response was that there is no limit. Basically, it is a consensus matter between the legislators or government of the day, the Internet Service Providers Association, and their members. We have therefore completely avoided any democratic process, but we have also avoided any slur that government is censoring material.
There is a different constitutional position in the United States and Canada than that in Europe, but that's what's around the corner. So yes, there is regulation. And no, it is not necessarily the best way of going in the this particular instance.
The Chair: In regard to all of these matters that you've been asked about here, can I just ask you both if you would say you need a democratic system of government, one in which the individual has a place in a society, in order to be even looking at privacy as a fundamental human right? Although the individual may have the right to his own integrity and dignity and autonomy, you don't necessarily find that in most countries of the world. How would privacy ever be legislated, or how could we have concurrence in any kind of definition of privacy?
Miss Grey: Excuse me, but I have to go soon, even with the time lag. I just wanted to thank you. This is a huge issue, and I just want to commend you folks on the work you're doing. Keep at it. We appreciate it.
Mr. Davies: Thank you.
Mr. Rotenberg: Thank you.
The Chair: It's okay, Deborah. I wanted you to keep at it right here.
Miss Grey: I know, but I have a 12:30 p.m. appointment.
The Chair: All right, thank you.
I wonder if you could add to that, but before you answer - if there is such an answer - we've been joined by another member of our committee, John Godfrey.
John, could you first of all introduce yourself and say what you're doing, and then ask your questions, please?
Mr. Godfrey (Don Valley West): Hello, I'm one of the government members, and I do whatever they ask of me. That's the best definition I can give.
Let me first suggest to Simon that I'll bet one of the first chat groups to go - and I think it was an American group - was called alt.dead.cats, where they posted dead cat jokes. I suspect that was probably very high on the list of abolished British groups.
Mr. Davies: Except on dog owners' lists.
Mr. Godfrey: Or mice.
I want to talk to you about public surveillance cameras. Let me be the devil's advocate. I'm not holding this view with any firmness, but it is designed to provoke.
My take on this, superficially, would be that if you're in a public space you should expect that somebody might be expected to look in on you, either electronically, in human form, or even in that of a cat that's alive. There are cases in all three countries. I think of the James Bulger case in Britain, where the four-year-old's murderers were picked up by a public surveillance camera outdoors. In New York, I can think of the World Trade Center bombing, where a parking garage camera picked up the guilty vehicle. In Canada, in my hometown of Toronto, there was the famous Just Desserts case, in which surveillance cameras in a restaurant recorded a murder. In all three cases, I think we would say this was a good application of public surveillance cameras.
In balancing privacy rights versus the public good, particularly when it concerns public space, space that you know is public - and I think that all of those places were public spaces - what's wrong with these cameras?
.1215
Mr. Davies: I don't buy the argument that -
The Chair: Simon, one second, please, because I have an additional question that is exactly along those lines of privacy and what's good versus the public space.
We have unemployment insurance in Canada. We have people who are to be paid on a weekly basis, who are supposed to be available to work and be looking for work. We now know that they have been travelling across the world - and into Florida in particular - when they're supposed to be available for work. They've come back through customs, filled out their customs forms, and declared that they bought a carton of cigarettes or whatever. Those cards are now being used to check against our unemployment insurance files. These people were not advised that those cards would be so used.
Yet, from a public information perspective and from a financial perspective, we will be recovering $300 million to $500 million from these people.
That's very important for the public purse. What does it mean in terms of personal rights and privacy rights?
Mr. Davies: That is a vast question.
The Chair: John.
Mr. Godfrey: These are two worked examples. I guess if you'd like to try to tackle each...maybe that's the way to unpack them.
Mr. Davies: They both concern public space, public rights and public interest. Let's look at the closed-circuit TV case first. And I must say that the James Bulger murder is used to maximum effect by law enforcement and by the closed-circuit TV industry. In fact, it's not quite correct.
It's true that Bulger was picked up on closed-circuit TV as he was being escorted out of the shopping centre by two 10-year-old boys just before his murder. That does not mean that the closed-circuit TV camera had any role at all in the conviction or the apprehension of those boys. In fact, the boys admitted to the murder, and after the event the closed-circuit TV image was recovered and played on media. I don't think it even helped in the prosecution because there was an admission from the boys. But it's very sexy footage and it's been used, as you say, to maximum effect.
The problem we face in terms of closed-circuit television over public spaces is that in this country and increasingly throughout Europe - and I suspect in Canada - the idea of manipulating public space to gain maximum information and maximum social control has really taken off, to the point where in new urban environments closed-circuit television is now a fixed component of urban design. You find that social engineering and closed-circuit television monitoring become one and the same process. That has nothing to do with private space and the right of private space. We have a real problem on our hands in that the technology becomes broader and more intrusive in more directions, all on the pretext that this is public space and you can do what you want.
An example of this is that in towns in this country many central closed-circuit TV systems have infra-red and high-resolution capacity. Infra-red capacity means that you can pick up people urinating in a park at 3 a.m. or an act of sex, for example, in the middle of the park at 3 a.m. This is done routinely in King's Lynn in Britain. It's a tiny, dead-end, Norfolk town of 30,000 people, with 60 to 80 cameras covering the entire place, all infra-red and all of them essentially becoming a controller of public morals and public order.
That brings in a whole range of other questions about the right of the technology to be used in this way. It's not just a simple matter of survival for law and order. It's far broader than that. If you allow the technology into a public space and then give free rein to the companies and to the agencies to develop the technology, you will find that it will intrude in the most extraordinary way.
It will intrude to the extent that you will get, as we have in many parts of Britain now, a military surveillance system, centrally controlled, able to see in all of the different light environments, with zoom and infra-red and central control capacity, that is far more powerful than the public could ever imagine.
And then, of course, you have the question of politics. You have a question of power, of social control. As I said, it's not as simple as saying that it's a private space and you can do what you want. I'm deeply concerned about these other ramifications.
.1220
The Chair: John.
Mr. Godfrey: Thank you. I would like to hear from Marc on this because I'm still interested in this question of the balance of competing goods, if you like. In the case of the World Trade Center bombing, I'm not sure whether the tape was useful in the conviction or the identification. Is Marc there?
The Chair: Marc, are you around? Did he tune in or out?
Simon, do you want to pick this up?
Mr. Davies: He might have the mute button on.
Mr. Godfrey: That's very insulting.
Some hon. members: Oh, oh!
The Chair: We'll phone him in the meantime. Simon, perhaps you could pick up on that and continue with John, please.
Mr. Godfrey: The issue is, though, that you wouldn't take the contrary view, which I assume would absolutely rule out closed-circuit TV. What is the way to get the right balance between the legitimate desire of convenience-store owners to be.... Ah, here's Marc.
The Chair: Marc, we caught you.
Mr. Godfrey: We saw you because we've got a surveillance camera on you.
Some hon. members: Oh, oh!
The Chair: They're in two different cities. They're in London and Washington.
Are you plugged in, Marc?
Mr. Rotenberg: Yes, I am.
Mr. Godfrey: I guess the question that Simon was addressing - and we saw you leave - really is about how you balance these competing goods of the right to privacy versus the sometimes useful information this picks up from the point of view of apprehending bad guys.
I gave the American example of the World Trade Center. You can think of a dozen convenience stores that have been robbed where the folks have been picked up on the basis of the identification. How do you balance those things out? Simon gave us a very interesting account of the alarming world of intrusion of infra-red cameras and all of the rest of it. How do you view it?
Mr. Rotenberg: I try to avoid the word ``balance''. I say this because too often in that equation the privacy interest is usually squeezed out. I think the examples that you give with closed-circuit TV, as we've seen in the U.S. examples to justify wire-tapping, create almost a blank-cheque environment, because there are one or two instances where the technology has aided in public safety and therefore there's little basis for restraining or slowing the deployment of the technology. I think it's a very dangerous approach.
There are a lot of risks associated with the use of these technologies and the risks are oftentimes not described. I know, for example, after seeing an investigative report on closed-circuit TV, that it makes it possible, of course, for police agencies to monitor a great deal of personal activity.
If you've actually stood behind one of these systems, as I have myself, it may change your sense of what type of public space is really being provided by this technology. These cameras don't simply provide a broad sweep of a large crowd. If you identify an individual within the crowd that you're interested in following, your camera will zoom in on that individual and will follow that individual as he moves through that space. I think that's something quite apart from anything that anyone would understand as being publicly available.
This is a critical question against privacy. There are always competing interests. Sometimes they are public safety interests and sometimes they are economic. At this point in time, I think we've still given too little weight to the privacy interest. My solution, where possible, is to try to find ways to protect privacy without sacrificing public safety or economic interest.
Mr. Davies: Could I add one more thing? I mentioned before just how far the technology can go if you let it continue unchecked. The next phase we have to confront is computerized facial recognition. It's in its infancy now, but with the right urban design...and I mentioned, if you remember, that urban design with closed-circuit TV can create controlled light conditions and that is where computerized facial recognition can work.
.1225
That is where the computer breaks your face down into a number of pixels and what's called eigenfaces in places, in other words, the light and shade in your face, and creates an identikit picture or an identity number for your face. That number can then be back-scanned into a computer. Whenever your face is scanned a second time, the number is generated and matched against pre-existing numbers in the database.
If you're not careful, you end up with that dilemma on your hands where the technology becomes able to automate its functions, not just recognizing faces but also, for example, crowd monitoring so that you can look at densities of crowds, crowd behaviour, speed patterns. Match that against the faces, and you have all sorts of possibilities that go again somewhat beyond privacy.
Mr. Godfrey: I was just going to say, is the principle fundamentally different from a guy with binoculars sitting on a roof watching you in the square, or the policemen or any other person who decides to watch another person in a public space? The difference is surely one of efficiency, but it's not a fundamentally different principle of being observed because you are in a public space.
Mr. Rotenberg: I think it is a substantial difference. These systems, as David Flaherty has written, represent the routinization of surveillance. They represent the building, the infrastructure, and designing the technique to make systems of surveillance generally applicable to the population at large, regardless of whether there is reason to believe any particular person is engaged in criminal conduct. I see this, as a part-time law professor myself, as a complete inversion of the premise that individuals are presumed innocent and presumed free until there is evidence to establish some belief that criminal action has occurred.
In the examples you described, whether it's the binoculars or the investigation or whatever it may be, there are some circumstances that give rise to the heightened suspicion. These techniques, of going drift-net fishing through financial transactions, or broad-based CCTV, treat all citizens as potential criminals, and I think that's very much contrary to the premise of constitutional democracy.
The Chair: You respond to that, John.
Mr. Godfrey: I did say it was a hypothetical question, designed to provoke good answers, which it did. I'm not naturally a paranoid person, but I must say that when you put it that way I think it makes great sense. It inverts the burden of proof in a sense.
I think my colleague here, Andy, wants to follow on.
The Chair: Yes, Andy, go ahead.
Mr. Scott: Thank you very much. I'd like to follow on that in the context that perhaps it isn't the fundamental act that is the problem as much as it is the efficiency in which that act takes place.
John, my colleague, mentions the idea of someone watching someone with binoculars. Somehow those are reasonably comparable, but when you get to the point that you can do this with a great deal more efficiency, then all of a sudden....
It's not unlike the collection of information. Prior to having the ability to use the information we collect with such a commercial value perhaps, perhaps that information was available in the past and we just didn't have the ability to organize it in such a fashion, to use it in such a comprehensive way. So it may not be the act; it may be what you can do with the technology on top of the act that challenges us and makes this more troublesome.
In fact, I think one of the gentlemen earlier said that one of the four trends has to do with the interconnection between the technologies. The guy with the binoculars cannot plug into a computer to tell them my social insurance number if he's looking at me with his binoculars. But now the capacity that has been mentioned, with the ability to print my face with a computer, or whatever, allows that to happen. So as independent actions they may not be troublesome, but their ability to be compiled makes it very troublesome.
.1230
Then the question is, if you were us and we had to come to terms with all of this, other than perhaps submitting a report to Parliament that we're terrified... I'm not certain what it is we're going to say.
I'm thinking perhaps the best we can do is to bring almost an inventory of the various things that make us terrified, to draw public attention to it; or maybe there is a singular thing we could focus on, allowing us to bring public attention to it and at the same time deal substantially with one small focused element of the problem. It was suggested on Tuesday that in fact genetic testing and the privacy implications of that -
The Chair: Alcoholism.
Mr. Scott: Yes, drug and alcohol. Basically that may be the place. Would either of you care to give us advice, beyond what you've already given us, on where we should direct our attention, or would you like to help us solve the dilemma we're going to be facing as soon as the TV is turned off, as to how to proceed with our terror?
The Chair: I want you two gentlemen to see why this is not going to be an easy task. You have these intellectual giants around this table who ask very troublesome questions and then change the question. But go ahead.
Mr. Davies: There are two things I'd like to say. very briefly. The first just follows from something Marc says, that the intellectual foundation to this has to be well established. It is true the use of these technologies is the equivalent to the imposition of a general warrant on the entire population and it must be seen that way - it's very important; Marc describes the situation very eloquently - but it's not just this extraordinary trend to the convergence of technology and the power of the technology. There's something else too.
I don't remember this, for obvious reasons, but back in about the 1840s in London when a detective force was proposed there was an enormous public outcry, not because they were any more powerful than the bobby on the beat but because they were secretive, because their actions were unaccountable and invisible. That's really important, and it has been reflected in European law. European law demands transparency, and that transparency is one small guarantee that at least people can see what's going on. Unfortunately, sometimes they have to make a lot of effort to do so.
There was a second very interesting component of European law, and it's that no decision about an individual can be made purely because of an automated process. That isn't just a Luddite thing. It's because people inherently want to keep the human component. They want to make sure anything that affects a person's life is brought about, is decided on, by judgment at a human level. That's the equivalent of the person with the binoculars.
About how you deal with this problem, it's tempting, I would guess, and it has tempted an awful lot of inquiries of this nature, to focus on an issue. Isn't it possible to take it from the other side? If we know dozens of issues at any one moment attract many different people in different ways, is it possible to look at how the privacy of the individual life has been eroded almost to nothing? In other words, you take it the other way around. You ask, well, okay, what is private now? Where do you have autonomy? You do that rather than the other way, which is let's take a look at this or that chunk of technology.
I'm starting to despair. There are so many technologies now and so many sectoral issues that it's almost impossible to take it from that perspective.
I don't know. It's just that I'm thinking off the top of my head here.
The Chair: If I may follow up on this, transparency, individual rights, etc., if I am advised in advance how this technology, which keeps changing and evolving in its form from the microchip on...if I know the information you are taking from me will be used for other matters and I indicate that you can use it for X but you can't use it for Y, or you can use it or you can't use it....
.1235
I go back to my question to you, because I don't believe things should be retroactive. I think you have to be proactive and you have to know what you're doing. If I knew the customs card I filled out will trace me as a thief or trace me as having been absent without leave or whatever the case may be, I undertake that in the full knowledge that there is a way in which the government is going to find out I was there, because I have to fill out this card, coming and going. But I know that in advance, so it's a transparent process I have participated in, or this government has taken a position and has made it part of public policy. But if it isn't part of public policy, then you're bloody well snooping and you're being a surveiller, to use the cops-and-robbers theme.
That's the way I see it. I wonder if you see it in that light or if that's being too fundamental, too silly.
Mr. Davies: No, it's certainly not being silly. There is a problem here, isn't there? The public perception is, well, they know everything anyway; there's no hope; anything I do can ultimately be traced. It's almost as if there's this resignation, particularly among public sector organizations, that there's nothing you can do. So people tend to opt out completely and just say they'll accept that privacy rights have been eliminated. I have a deep suspicion that given what we've seen with loyalty card systems in the private sector, airline mileage schemes, and so on, people have now just made the assumption that links exist between one system and another even if they don't.
But I'll come back to something Marc said earlier. That is how onerous is the responsibility to keep monitoring this stuff. It really is a huge responsibility, and I think most individuals are far too busy to keep track of it. That's why a transparency theme might have to be taken to a more macro level, a broader and far more esoteric level, rather than requiring each individual to monitor each transaction.
The Chair: If I have checked off that little square in the box that says yes, you have the right to know what I've done and what I've filled in, does that fit your category? That means I've been consulted and I therefore have the right....
It's like the electoral list we're going to put together. We're putting together a universal electoral list of all citizens of Canada. There will be information on that list. Through the privacy commissioner's intervention we've discussed what information we need to know, and only what we need to know can you get. That meant they were no longer allowed to ask us for our telephone number, because you don't need to know that. You just have to know we exist, we're alive, we breathe, and we have a citizenship that says we're a Canadian. Therefore we're on the voters list. If we don't want to be on the voters list, we have the right to say no.
I've lost the thread of my question.
Mr. Davies: The voters list is a really nice core issue.
The Chair: It was the cross-border customs form I was filling out.
Mr. Davies: Right, but I'm thinking in general terms here. It has been tradition in most countries to collect the maximum amount of information, because of this lost-opportunity motivation. When you talk about the box you check, in so many different circumstances it's usually an opt-out box. In other words, unless you tick this box, we're going to include your name in all these different functions. That's the commercial attitude across the world.
Unfortunately, for instance in Britain, there is this awfully sleazy tactic, which is to disguise the check-out box through a bizarre colour scheme. If, for example, you want to redirect your mail from one address to the other, you get this nice speckled blue form. Well, I was looking for the opt-out box that would stop my redirection details from going into the commercial environment. I'm short-sighted, but it took me about thirty seconds to find this box. It wasn't obvious. It had been designed to fall into the background.
That's the sort of tactic that needs to be publicly identified, and the perpetrators need to be humiliated. That's why, perhaps, in all of these discussions, we need to reverse the ``opt out'' idea and make things more ``opt in''. In other words, you make the decision on how your data is going to be used; they don't make it for you.
.1240
That was a bit of a rant.
The Chair: Marc, do you want to respond to Andy being terrified, or was it John?
Mr. Rotenberg: Yes, in fact, I do want to respond directly with a couple of suggestions, if I may, about the work of your committee. It is often the case with the privacy issue to on the one hand feel overwhelmed, and on the other to wonder if there is anything that can be done, and then to sort of look over your shoulder and become somewhat more paranoid than when you first started studying this issue. I hope you don't do any of these things. I think the best response is first of all to understand - both from a Canadian national perspective and also from an international perspective - that privacy is a right with a grand tradition.
As you mentioned at the outset, the Universal Declaration of Human Rights and the International Covenant on Civil and Political Rights, as well as many decisions and laws in Canada, affirm this right. I think it is very important to begin your recommendations by recognizing that indeed there is a solid foundation under you. It is not radical or blue-sky to believe that this right should be protected.
I think the next thing to do is to identify areas of concern, and you can do this in the course of a report. Many expert witnesses will come before you and make many recommendations. There may be issues that are important but, for matters of time or resource, you can't get to. Nonetheless, your report can identify these issues, can make some preliminary recommendations or suggestions, and leave for another day or another committee further work.
The critical part, of course, the third part of the report, is to identify some of the issues where you believe concrete suggestions can be made - recommendations for legislation, for business practice, for technology, for public education, perhaps through conferences or the publication of pamphlets - and to proceed on several specific projects towards some goal. I think this is absolutely critical. Frankly, there has been so much good work in Canada over the last few years that I'm sure you'll find very good information available to you.
The other course - to be overwhelmed, or to say there's too much, or to take just a very small piece without understanding the context - is perhaps not as productive. This is an area where much can be done and much will be done. The human rights dimension in many regards is really the core of the privacy issue; it is the point from which most of the debate proceeds.
The Chair: Thank you. Colleagues, does anyone here want to add to this? Yes, John.
Mr. Godfrey: I just solved the CCTV problem - the question of transparency and letting people know. If we simply legislated that all closed-circuit cameras in public spaces had to have blinking red lights, there you would know, even if you were in a park at the wrong time with the wrong person, that there was somebody watching you.
I think there would be so many blinking red lights that people would be horrified. It's just a thought.
The Chair: So essentially, if I understood both of you rightly, I get from this that first, a reaffirmation of privacy is a fundamental human right that values the individual; secondly, that there is a huge field out there that needs to be looked at, that it's impossible to do in one chunk. We have to lay the groundwork, set the philosophic base, sort of the toile de fond, and move step by step through that....
[Translation]
Are we in agreement on this?
[English]
If there are no other questions, I really want to thank both of you. I know you have given us a web site number, and we will look through that web site on Internet. We will do a fair amount of reading and some listening and a great deal of learning. We may well call upon you again. If there's something we missed or you missed in terms of advice, if you would send it to us we would appreciate it very much.
.1245
Colleagues, if that's it, then I will call the meeting to a close.
Thank you very much, both Simon and Marc, for the time you've spent and for the excitement of having the second of our videoconferences. You will be on CPAC as a first step towards informing the public about what we are doing. I hope they will listen and start to get as incensed and excited as you have done in terms of helping us take a look at this issue.
Thank you very much. Goodbye, and have a good day.
This meeting is adjourned.