THE CONCEPT OF PRIVACY
Privacy is a human right with a grand tradition, both nationally and internationally. It is recognised in the Canadian Charter of Rights and Freedoms and such international human rights instruments as the Universal Declaration of Human Rights and the International Covenant on Civil and Political Rights. Classically understood as "the right to be let alone," privacy in today's high-tech world has taken on a multitude of dimensions. According to certain privacy experts, it is the right to enjoy private space, to conduct private communications, to be free from surveillance and to respect the sanctity of one's body. To the ordinary Canadian, it is about control - the right to control one's personal information and the right to choose to remain anonymous. Privacy is a core human value that goes to the very heart of preserving human dignity and autonomy. It is a precious resource because once lost, whether intentionally or inadvertently, it can never be recaptured.
OUR FINDINGS TO DATE
As Members of the Standing Committee on Human Rights and the Status of Persons with Disabilities, we are taking a decidedly human rights approach to assessing the effects, both positive and negative, that new technologies are having on our right to privacy. In the spring of 1996, we held a series of round table discussions on the impact of new technologies on human rights. During the course of these hearings, expert witnesses repeatedly warned us of the rapid erosion of privacy rights due to modern technological advances. The nature of the current situation was aptly summed up by the Privacy Commissioner for Canada, Mr. Bruce Phillips:
The issue of privacy is much broader than merely the traffic in information over electronic systems. It gets into all kinds of things, such as biomedical applications in the workplace and surveillance systems. There is almost no aspect of human life these days that does not have a privacy implication in which technology is involved. We're at risk now of losing all of our sense of autonomy and in the process of sacrificing a fundamental human right. I wouldn't go so far as to say privacy no longer exists, but it's certainly breathing hard to stay alive.
The concern that the right to privacy is currently suffering from abuse and neglect prompted us to devote our hearings during the fall of 1996 to assess the scope of this right and to ascertain its place relative to the advantages, efficiencies and convenience of new technologies. We were astonished, and alarmed, at how all-encompassing and widespread the monitoring of our personal lives has become. A simple credit card transaction, a secret kiss (caught by a hidden surveillance camera) and a genetic test for medical purposes, while seemingly isolated and private incidents, can easily become public knowledge thanks to advances in modern technology. Indeed, the capturing and commercializing of personal information in our computerized world has become big business. This is no longer the cloak and dagger stuff of government and police spy operations. New technologies are being regularly used by private individuals, employers, and such businesses as banks and insurance companies to monitor, record and track many aspects of our daily lives.
PRIVACY PROTECTION
There is no comprehensive protective framework for safeguarding privacy interests in the face of these new technological applications. With technological advances rapidly changing the nature of relationships, Canadians must struggle with a complicated and increasingly ineffectual system for safeguarding their privacy interests. They must draw upon international law, constitutional laws, federal and provincial legislation, judge-made law, professional and industry codes, guidelines and personal ethics. Not only are these existing sources of privacy protection complex and diverse (resulting in what is commonly referred to as a "patchwork" effect), but they generally lack the ability to effectively deal with emerging technologies. For example, most federal and provincial privacy legislation deals only with the protection of personal information or data. Moreover, with the exception of Quebec, which deals as well with the private sector, federal and provincial data protection legislation only applies to governments and government agencies. We are pleased, however, to hear that the Ministers of Justice and Industry are currently working with the provinces in an effort to introduce legislation that would protect personal information in the private sector across the country.
YOUR VIEWS
As a Committee, we want to hear from Canadians on these issues. We want to know about your value systems and your ethical/moral frames of reference in relation to privacy. We also want to know where this all fits in with today's high-tech society. It has been asserted that most Canadians are unaware of even the basic steps they can take to safeguard their privacy in this technological age. We want to know if this is the case and, if it is, the extent to which people want to safeguard their rights to privacy. We want to determine whether Canadians are actually aware that their privacy is in jeopardy. Have we all become technologically complacent and therefore blind to erosions of our privacy rights? Or, do we view privacy, not as an inalienable human right, but rather as a luxury that can, and in some instances should, be traded for the sake of other social or economic benefits?
OUR APPROACH
Since privacy is such a wide-ranging right that is under siege in so many ways, the Committee has decided to focus its inquiry on three basic types of intrusive activities using case studies involving specific technologies:
1) physical monitoring - video cameras,
2) biological surveillance - genetic testing,
3) personal identification practices - smart cards.
KEY ISSUES
The following are some basic questions that this Standing Committee would encourage Canadians to respond to:
1. In terms of your personal value system, where do you place the right to privacy? Is it, for example, as important as your right to free speech or your right to a fair trial?
2. Is the present system of privacy protection in this country working? If not, where are the trouble spots?
3. Based on your personal experience, to what extent are we sacrificing our right to privacy for the promises offered by emerging technologies? Is this an inevitable trade-off in a technological age?
4. What is the best method of safeguarding our privacy interests in a high-tech world? Do we need governments to take charge and enact strong and comprehensive privacy legislation, or do we need action taken on a number of fronts such as the development of private sector privacy codes by business and industry, the creation of privacy enhancing technologies, the launching of public education campaigns and the enactment of privacy protection legislation?
5. Are modern technologies being used, in some cases, as a "quick fix" for social or economic problems instead of getting to the root of these problems -- for example, the use of video surveillance cameras on public streets to try to reduce the incidence of crime?
6. How should we all become better informed or educated about the impact of modern technologies and practices on privacy rights?
MAIN STREET, GOODTOWN
Goodtown is a small city, with a population just over 75,000. In the past few years, incidents of petty crime in the downtown core have been on the increase -- especially vandalism, break-ins, and brawls after the bars close at night. The city has always taken pride in being a peaceful, safe, family-oriented place to live. Many citizens felt Goodtown might be heading for trouble, unless it dealt with the escalating crime problem quickly and effectively. After much debate, the city council decided to install a state-of-the-art closed-circuit television system (CCTV) to monitor Main Street's downtown section. Until that point, the only video surveillance cameras used in the city were set up by private security firms to guard retail stores and government office buildings.
Residents are divided in their support for video surveillance on Main Street. Most people, especially women and seniors, feel much more secure now going to restaurants, movies, and shopping after dark. Some people, however, who have had first hand experience with the long reach of the video cameras, are less than impressed. Take, for example, the experiences of Joan, Paul, Sonia, and Daniel.
JOAN
Joan is a 16-year-old with boundless creative energy. On Halloween night, armed with a can of red aerosol paint, Joan decided to "paint the town red" -- at least a few storefronts off Main Street. She knew enough not to try to leave her mark on Main Street, since the CCTV system would be sure to catch her in the act there. But she didn't realise the state-of-the-art cameras installed on Main Street could pan, tilt, zoom and see down the pitch black, adjacent side streets as clearly as if it were daylight, thanks to their night-vision capabilities. Joan's prank was recorded live by a 911 operator remotely monitoring the street from the central control room several miles away. The police were called, Joan was caught red-handed and is now facing criminal charges.
PAUL
Paul lives outside Goodtown on a farm. He planned to attend a protest rally in front of the Agriculture Office on Main Street, until he heard about the city's CCTV cost-recovery program. To recuperate some of the expenses incurred setting up its video monitoring system, the city decided to sell stock footage from its video surveillance cameras to anyone who was interested. Paul heard, through the rumour mill, that government bureaucrats and police officials intended to buy the videotape recordings of the protest rally. The digitised pictures taken of the protesters at the rally could be matched in a matter of seconds against the digitised photographs of licensed drivers held in the Transportation Department's data bank. Thus, most of the protesters would be quickly and accurately identifiable. Paul was outraged by this plan which he considered to be a major affront to both his freedom of expression and his freedom of peaceful assembly. But he didn't want to get into the government's bad books, so he stayed home.
SONIA
Sonia worked at the Agriculture Office until last month when she was fired. Her employer had a smoke-free workplace policy, so employees, including Sonia, would stand outside the front doors of their office building when they needed to have a cigarette. Her supervisor accused her of taking upwards of 10 cigarette-breaks each day, but Sonia denied the allegations, explaining that her absences from her desk were due to trips to the photocopier, the library, and other work-related tasks elsewhere in the building. She swore she only took three cigarette-breaks each day, until her supervisor confronted her with evidence to the contrary. He had obtained videotapes from the private security company that guarded the building and which had video cameras trained on the front doors as a security measure. The videotapes disclosed that Sonia spent, on average, one hour each day, not including her lunch hour, smoking outside the front doors of the building. Sonia was fired for taking too many breaks, as well as for lying to cover up her actions.
DANIEL
Daniel was laid off when the factory where he worked down-sized several months ago. Having learned his wife was terminally ill, facing no prospect of new employment, and with his unemployment insurance soon to run out, Daniel fell into a deep state of depression. One night after having consumed far too many beers at a local tavern, Daniel staggered to his car parked on Main Street and struggled with the locked door. Once inside the car, instead of putting the key into the ignition he took the pocket knife attached to his key chain and slit his wrists. The 911 operator monitoring Main Street that night had tracked Daniel's unsteady stroll to his car and observed him fumbling with the keys. Before he had even slashed his wrists, the operator had alerted the police about a possible impaired driver. When they found Daniel collapsed over the steering wheel, they rushed him to the hospital. In retrospect, he is grateful that they saved his life. But, when the city sold the videotape footage of his suicide attempt to a national reality-TV show, Daniel was hurt, angry and humiliated. He is contemplating suing the city.
QUESTIONS FOR DISCUSSION
1. Are closed-circuit television systems (CCTV) an effective tool for deterring criminal activity, or do they simply displace that activity to areas that are as yet unmonitored and perhaps are also lacking in the financial and political clout necessary to secure these types of monitoring systems?
2. To what extent should video surveillance be done live versus taped? For example, should CCTV cameras be permitted to zoom in, tilt towards and record activities at any time, or only when an incident occurs? Who should make decisions to record and upon what basis?
3. Once a video tape is made, who is the owner of the recording and who is entitled to access it? Should practices or policies be in place pertaining to retention periods and the erasing of video footage? If so, who should make these determinations, the tape owner or user?
4. Are video cameras acceptable in public places because they are in essence simply an extension of the naked eye? What about when these cameras have high-tech infrared capabilities that allow them to see clearly in the dark, penetrate walls and zoom in on an individual 300 meters away?
5. If we accept at least a certain amount of surveillance in public places, where is the dividing line between the public and private sphere? What reasonable expectations of privacy should we be able to carry with us in private places (i.e., washrooms located in shopping malls with hidden video cameras to detect shoplifting)?
6. Does the whole question of privacy turn on the location of the invasion, on who is doing the invading, on the purpose for which the invading is being done, or on a combination of all of these factors?
7. How should the balancing of privacy rights with the benefits of new technologies be tackled in the area of video surveillance? Is there a need for overall regulation in this area? If so, how could this be achieved (i.e., a licensing system, an oversight body, a code of practice)?
8. How should we deal with future technological advances in the field of video monitoring? Moreover, how should we handle the heightened commercialization of personal information derived from such surveillance practices?
THE SITUATION
Frank, a thirty-five year old truck driver for the Inter-city Moving Company, fell and hurt his left arm when he was delivering a load of furniture. The crew that was helping Frank called an ambulance and he was taken to the local General Hospital, a large teaching institution associated with The City University. They also advised Frank's boss, who owned the trucking company.
When Frank was being admitted to the hospital, he signed some forms that allowed the hospital personnel to conduct tests and to provide treatment. At the time, he was assured that these forms were quite routine, although the admitting clerk mentioned that because of the hospital's affiliation with the University, the forms contained a provision that gave consent to having medical information used in ongoing research carried out by the institution. Frank didn't pay much attention to this because he knew that he was there for the treatment of an injury, not an illness.
Because he had lost a considerable amount of blood, the hospital physician on duty ordered a transfusion and, to prepare for this, samples of Frank's blood were sent to the hospital laboratory in order to match his blood type. Because the doctor was conducting research into genetically transmitted illnesses, he also ordered a DNA test -- genetic screening of Frank's blood -- as authorized by the consent form that Frank had signed when he was admitted. The blood samples were identified as Frank's both by name and by his provincial medical insurance number that was put on the requisition form by the doctor.
Frank called his boss and told him that he would be off work for six weeks. In the meantime, the boss had called Inter-city Moving's insurance company to find out what his liability might be. The insurance company told the owner to ensure that copies of all documentation that related to the accident were forwarded to them. When Frank called to report in, his boss told him to get a copy of his record sent to the insurance company.
Frank was patched up and discharged the following day. Because he lived 300 miles away in Phillipstown, a village of about 2000 people, the hospital agreed that follow-up care would be provided by his own doctor and by the homecare services there. When he was leaving the hospital, Frank asked the clerk that was handling the discharge to put a note in the computer record that his file should be sent to the insurance company.
The results of the genetic screening were available some time after Frank had gone home. They revealed that Frank had several genes that together might significantly increase his risk of developing heart disease at an early age.
THE MEDICAL SYSTEM
Because the hospital had no special system to separate out the results of the genetic test, these were automatically entered into Frank's records in the hospital's computerized data bank along with the results of other tests and treatment of Frank's injured arm. Along with the blood sample that the hospital was storing for future research purposes, the data bank was available for use by the geneticists who were conducting research by using information provided by the hospital.
The records clerk at the hospital used his password, called up the file on his computer and distributed the test results as instructed in the file itself. He printed up several copies of the file and E-mailed another copy to the hospital physician. Without reading the file again, the doctor stored the information in his research data base. As a matter of routine, the medical report was mailed to Frank's family physician, who was to look after any follow-up treatment if required, and also to the Phillipstown homecare coordinator, who assigned a practical nurse to visit Frank at home in order to change the dressings.
While his family doctor paid no attention to the report beyond looking at what had been done to treat Frank's injured arm, the homecare nurse read Frank's medical report carefully and suggestively told her supervisor -- who was the best friend of Frank's wife, Elaine -- to have a look at it sometime.
THE BANK
Two weeks later, Frank and Elaine went to their bank to sign the papers applying for a $75,000 mortgage for the new house that they wanted to buy. They knew that they were stretching their financial limits, but the house was a good bargain and would accommodate them and the family they were planning to start. Frank decided that he would get the mortgage life-insured so that Elaine would be free of debt if anything happened to him. At the bank's request, Frank signed a standard form stating that he had no pre-existing medical conditions that would disqualify him from getting the insurance. But the loans officer knew that Frank was off work due to his injury and asked for assurance that Frank would be back on the job soon and have ongoing employment and a stable income. In order to satisfy the loans officer, Frank volunteered to call his family doctor's secretary and ask her to forward a copy of his medical records to the bank.
A few days later, he opened a letter from his bank. In it, the loans officer explained that the bank had received Frank's file and went on to state that Frank was ineligible for the bank-sponsored, low-cost life insurance on his mortgage because he had a pre-existing medical condition related to his heart. The bank also informed him that it was rejecting his application for a mortgage because he had signed a false declaration.
THE JOB AND INSURANCE
Later that same week, Frank was called in to see his boss. He was told that he had to look for another job. "I don't have enough work to keep you going," the company owner explained to Frank. In reality, however, the boss had been contacted by his insurance company which had analyzed Frank's medical records and decided that because he might have heart problems in the future, Frank was too high a risk for the company to insure. The boss decided that he would not tell Frank the real reason for the lay-off because he did not want Frank to try to claim disability insurance and possibly jeopardize the reduction in insurance premiums that was given to Inter-city Moving as a small business that had a record that was free of claims for five years.
Frank was not too downcast, however, because he had already been asked by another trucking company to consider a job with them. Actually, it paid more and, as he told Elaine when he called her at work to tell her the news, he didn't like his old boss anyway. All Frank needed to do was to get a medical and allow the company access to his medical records.
THE FAMILY
Then Elaine arrived home, very agitated. She explained that she had had lunch with her friend the homecare supervisor. When Elaine told her friend about Frank's job problems, the friend had commiserated with her and said that she could explain because she had finally read Frank's file. She told Elaine that her husband had a heart condition that was inherited and that any of their children could have the same problem. Furthermore, he could die by the age of fifty and leave her alone with small children to raise. Why, Elaine wanted to know, had her husband not kept her in the picture? Didn't she have a right to know?
WHAT NEXT?
Totally bewildered, Frank said that this was news to him and tried to get his family doctor.
When he finally put together the pieces of the puzzle, Frank was angry. How could people get more private information about him than he had about himself? How could they get it without his understanding and consent? Why was he not given the opportunity to present his own personal information to his boss, his bank, his own wife? Frank was left with the knowledge that the information that was in the insurance company's files, in the bank's files and in general medical files (with his medical insurance number on it) was completely out of his control.
QUESTIONS FOR DISCUSSION
1. Given the extremely personal nature of an individual's DNA, should the regulation of genetic information be treated differently than the regulation of other personal medical information? Should the government have the right and duty to collect genetic information to ensure a healthier society?
2. - Who should be able to conduct genetic testing?
- For what purposes should collection of genetic data be allowed?
- Who should be able to retain samples of DNA, for what purpose and under what conditions?
- When genetic information is used for research purposes what should the obligation of the researcher be?
4. Who should be able to disclose genetic information and to whom? Should Frank's employer and the insurer have access to Frank's genetic profile? What about Frank's wife? What about Frank, himself?
5. To what extent should individual circumstances govern how genetic information is disclosed? For example, should it have made any difference if Frank had been perfectly "normal" as opposed to having an increased risk of a heart problem within the next few years? Would your view change if Frank had a gene that guaranteed the onset of a fatal illness (e.g., Huntington's)? Should Frank's children be tested for his genetic predisposition even though they are underage? At what age should genetic testing be allowed for children?
6. Should Frank's consent when he was admitted to the hospital be enough to allow the collection of genetic information? What do you think constitutes "informed consent"?
NEW OCEANIA, 2004
Marie is a hard-working, model citizen of New Oceania who certainly never imagined herself living on "government handouts." In the spring of 2004, however, she found herself collecting unemployment assistance (UA) when her employer suddenly down-sized. Marie files her reports to receive UA benefits and collects the funds owed to her by using a smart card that functions as an ID card and an electronic-banking access card. The unemployment assistance card (UA card) was introduced by the government's Ministry of Work mainly to cut down on fraud and to save on the high cost of administering the old paper-based system.
THE FINGER SCAN
Instead of filling out forms and mailing them in to receive benefits, which was the practice at the turn of the century, Marie files her request for UA benefits electronically, every two weeks, at a local government services kiosk. The kiosk computer scans her finger and translates her fingerprint pattern into a unique number, called a "digital fingerprint." At the same time, Marie slides her UA card into the terminal, so the computer can compare the number just generated by her finger scan with the digital fingerprint stored in the card. This comparison ensures that Marie, the person to whom the card was issued when she qualified to collect unemployment assistance, and the person filing her request for benefits at the kiosk are one and the same. Marie's digital fingerprint, being a unique number, is used as well to link the information recorded in her card and her full UA dossier which is housed in the Ministry of Work's central computer system.
At first, Marie was uneasy about the finger scanning process because it made her feel a little like a criminal. Now she is more used to it and appreciates that it is essential to verify her identity and to help cut down on fraud.
The UA card's identification technology, which establishes a card holder's ID based on a fingerprint (a physical characteristic which is unique in every individual) is known as "biometric" identification. The government realised, in introducing its biometric UA card, that the information used for biometric identification purposes is very personal and, therefore, it must not be readily accessible to unauthorised or unscrupulous persons. Since Marie's card is always in her possession, she can control who gets access to it. As for the record of her digital fingerprint held in the Ministry's central computer system, the government protects this information from unauthorised use by keeping it in a separate, limited-access database.
CASHING BENEFITS
In addition to being an identification card, Marie's UA card is an electronic-banking access card that works like the magnetic stripe cards once issued by banks. The card gives her access, from any automatic banking machine, to the government's UA account and allows her to withdraw, in cash, up to the full amount of benefits owed to her. She doesn't have to withdraw her full entitlement as soon as it becomes available because the Ministry's central computer and her card both keep a running tally of the balance which she is owed. In this way, Marie and the government both know, at all times, the total of her outstanding benefits.
The UA card also can be used to make direct-payment purchases at any retail outlets which accept electronic-banking access cards. Information on every direct-payment transaction carried out using the card is recorded immediately on her card and simultaneously registered in the Ministry's central computer, to keep her running balance current.
Marie found her UA card to be very convenient and user-friendly. She could file a request for benefits directly and instantly, without having to rely on the post office to ferry her UA reporting forms back and forth; and when she was entitled to receive a UA payment, she could visit any banking machine, anytime, and withdraw the cash she needed. She did not have to wait for her cheque to arrive in the mail and then take it somewhere to get it cashed. She also did not need to carry much cash because she could use her UA card to make direct-payment purchases. Recent events, however, have caused her to question some of the uses made of the card.
FRAUD CONTROL
First of all, following a trip abroad to look into job opportunities, Marie hit a snag filing her electronic report at the government services kiosk. Unknown to Marie, her digital fingerprint, held in the discrete UA database, had been automatically matched against the same finger pattern digitally scanned at the airport when she cleared customs using her electronic border crossing card. In the process, the UA system was warned that she had been out of the country for five days. This information exchange was carried out pursuant to an information-sharing agreement between the Ministry of Tax (Customs) and the Ministry of Work.
When Marie tried to file her usual report, which required among other things that she confirm she had been available for work every day during the two-week reporting period, the kiosk computer advised her that she was "deemed" to have been unavailable for work for the five days that she spent outside the country. It then notified her that she had to appear before a Ministry of Work official within 10 days to prove that she had not attempted to file a false claim, which is a punishable offence. The computer also told her that if she could satisfy the official that she had not attempted to commit fraud, then her request for benefits for that period would be processed immediately.
THE CONSUMER PROFILE
A few weeks later, Marie received a letter from XYZ Company, a private company contracted by the Ministry of Work to provide specialised training to UA recipients. The letter invited her to participate in a workshop called "Living Wisely on a Limited Income." Curious as to why she had been selected as a potential candidate for this training session, Marie telephoned the company and spoke to a representative who told her she probably had been contacted because of her "consumer profile." He went on to explain that the information about her direct-payment transactions, obtained from the UA database, had been compiled into a personal spending profile which showed unnecessary expenses, involving for example tobacco and alcohol.
The data trail left by Marie's direct payments made with her UA card did not accurately reflect her personal consumption habits. Marie had actually made the cigarette and wine purchases for her grandmother for whom she often ran errands. Not wishing to reveal any further details of her shopping habits to this stranger, Marie did not attempt to set the record straight. However, she did ask him whether the company sold her consumer profile to any direct-mail advertisers. (Lately she had received several personally addressed direct-mail advertisements from businesses selling products and services related to the items she often purchased for her grandmother and, in light of her conversation with this representative, she now suspected it was not a coincidence.) He confirmed that this was the company's practice and should she not want her personal information sold or traded, she would have to send him a request, in writing, to that effect.
THE MURDER INVESTIGATION
The biggest shock, for Marie, came the day a police officer showed up at her door investigating a recent murder in a nearby park. The murder weapon had been wiped clean and discarded in a garbage can several blocks away. The police digitally scanned the fingerprints found on the lid of the can and matched them against a number of government databases, including the UA fingerprint database. Marie's prints were identified in the process and she was asked to account for her whereabouts on the night of the murder. Fortunately, she had spent the evening in question with her grandmother, so she had an alibi.
THE NEW SUPER-CARD
Today Marie read a newspaper article on the Internet which reported that the Government of New Oceania intends to expand the functions of the UA card and transform it into a universal ID and multi-purpose, government-service card to be called the "universal-card" or "UNI-card." All workers, employed and unemployed, would be issued this card. For those eligible to receive UA, the card would continue to be used for electronic reporting and cashing of benefits. In addition, the card would introduce a host of new applications for employers and employees. For example, the government would give employers access to the card to record information on an employee's earnings and work history -- data that would simplify and expedite the application process for persons seeking unemployment assistance. The card also would be used to prove one's citizenship, collect pension benefits, file income tax information and obtain tax refunds. The UNI-card, like the current UA card, would be a biometric identification card and, thus, offer solid proof of the card holder's true identity. As Marie scrolled to the next story, she thought about the unlimited potential of biometric smart cards and wondered whether one day she would need simply one card to conduct all of her personal transactions, with every level of government and all private businesses.
QUESTIONS FOR DISCUSSION
1. Although Marie was uneasy about having her finger scanned, she had to submit to the process if she wanted to collect UA benefits. Use of the UA card system was made compulsory to maximise the government's savings.
- How do you feel about the physical intrusiveness of biometric identification -- does it bother you or are you more concerned about how biometric information is stored and used, than how it is gathered?
- Given the sensitivity of biometric information, do you think we need clearer rules about who can ask for it, how those who collect it can use it and how it should be protected? For example, should government departments, the police, employers, banks, and insurance companies all be equally entitled to demand this type of information? Would you like to see sanctions, such as fines or imprisonment, imposed on persons who misuse or abuse this information?
- What role should PETs play in protecting privacy? For example, where information systems handle sensitive personal information, such as biometric identifiers like fingerprints, should the use of PETs be mandatory?
- By adopting a new PET called "biometric encryption," your fingerprint pattern could be used like a high-security lock to protect your personal data files instead of using it in the traditional, unencrypted form as a master-key that can unlock and link several of your data files -- would you prefer to see your fingerprint pattern used as a lock or a master-key?
- In your opinion, should data matching be allowed to be carried out in a random fashion, just in case some evidence of fraud might be uncovered? In a democratic society, is it fair and reasonable to search for evidence of wrong-doing in this way?
- In our information society, should more steps be taken to prevent personal information from being shared or commercialised? For example, should people's data trails be made anonymous or should tighter restrictions be placed on information-sharing practices?
- Should steps be taken to prevent function creep from happening with respect to smart ID cards? If so, what limits or rules should apply to these cards?
PHYSICAL MONITORING IN GENERAL
Physical surveillance, or the monitoring of human activity, is nothing new to our society. However, with the emergence of innovative and rapidly advancing technologies, modern surveillance has taken on a whole new character. It has expanded beyond the purview of national security and law enforcement, to include employers, commercial enterprises and service providers. It is no longer labour-intensive, cumbersome and costly. Surveillance technologies now have the ability to penetrate walls, function in the dark and operate from great distances. Moreover, information obtained through these monitoring techniques can easily be aggregated with other sources of information and manipulated with ease.
CLOSED-CIRCUIT TELEVISION SYSTEMS (CCTV)
Although there are numerous modes of physical surveillance, none to date has surpassed the prevalence of video monitoring. Technical developments have both increased the capabilities and lowered the cost of video cameras, making them an almost regular feature of many city streets, heavily travelled highways, retail stores, banks, hospitals and even private homes. In particular, there has been a boom in the prevalence of closed-circuit television systems (CCTV). The cameras used in these systems are state-of-the-art. They can move in any direction, zoom in on minute objects up to 300 meters away, and bring images up to daylight level even in pitch blackness. The U.K. currently has centrally controlled, comprehensive city-wide CCTV systems tracking the movements of individuals in dozens of cities. In the U.S., police in Baltimore have wired a 16-block area of downtown with enough video cameras to allow them to watch and record activity on every street, sidewalk and alley 24 hours a day.
In Canada, the closed-circuit surveillance camera business is estimated to be somewhere between $65 and $90 million annually and growing. Not only are video cameras being used openly in public places by some municipalities and businesses, but retailers, employers and private individuals are taking advantage of low cost technological advances to conduct surreptitious monitoring. Ironically, while it is illegal under the Criminal Code to intercept private conversations (i.e., "wiretapping" and "bugging"), there is no such prohibition against secretly taking photographs or videotapes that have no voice recordings. Moreover, only the police need obtain a warrant to videotape people's private activities. No prior authorisation is required for ordinary citizens, such as security guards.
THE FUTURE OF VIDEO SURVEILLANCE
The future of surveillance camera technology appears awesome. Computerised facial recognition systems have been created that can take the image of a face caught by a surveillance camera and convert it into a computerised numerical sequence that can then be matched with facial images already held in computer databases. A company in Florida, for example, has developed powerful computing technologies that can scan a crowd at a rate of twenty faces a second, convert the faces into an electronic code and match them against identities already stored in a database. In Massachusetts, this technology has been used to develop a state-wide database containing the digitised photographs of 4.2 million drivers. One can only imagine the result were these technologies linked to a CCTV system.
Other examples of future technologies include hand-held devices (called Forward Looking Infrared Radar) that can look through walls to determine activities inside buildings with the accuracy and clarity of a video camera. Already passive millimetre wave detectors, a form of radar, can scan beneath clothing to assist law enforcement and customs officials in detecting concealed objects even within human body parts, such as the stomach.
KEY ISSUES
So, in terms of video monitoring, there is more at issue than simply a question of whether our public and personal safety is ensured by having overhead video cameras tracking events in public places. The fear is that once the technology is in place, it opens the door to greater risks to privacy than were ever originally contemplated. Most of us would agree that there are definite benefits to be derived from some forms of physical monitoring. The issue is where do we draw the line? While this may be difficult, it may none the less be crucial given that with the current onslaught of technological developments, the ability to spy on one another will only become more effective, cheaper and pervasive.
FOR FURTHER INFORMATION:
- House of Commons, Standing Committee on Human Rights and the Status of Persons with Disabilities, Evidence, 2nd Session, 35th Parliament, 3 December 1996. (Topic of discussion: Video Surveillance)
- Privacy Commissioner of Canada, The Privacy Act - An Office Consolidation and Index, Ottawa, 1995.
- Parts VI and XV of the Criminal Code.
Genetic information, a sub-set of health information, is of increasing interest to public health care managers, to the insurance industry, and to employers. Apart from using it as forensic evidence in criminal investigations, there are several uses to which genetic technologies might be put:
1. genetic screening of a broad range of the population for a particular gene or combination of genes (e.g., cystic fibrosis, breast cancer, heart disease) to identify the presence of a single gene or combination necessary for a genetic illness
2. genetic testing (where evidence indicates the probability of the presence of a gene) to verify the likelihood of an individual developing a genetic condition (e.g., Huntington's disease)
3. genetic monitoring to ensure that individuals who are working in high-risk occupations (e.g., with chemicals) are not affected by their work environment
As the cost of gathering genetic information decreases, the pressure towards its more widespread use will increase. In the past, the high cost of DNA analysis has been one of the constraints on more widespread use of this technology. But as the costs of carrying out this analysis decrease, some observers have pointed out that applied genetic research will make -- or save -- some businesses or institutions a lot of money. Insurance companies, private employers, governments and educational institutions all have an immediate, or potential, interest in promoting large-scale genetic screening to identify individuals carrying disease-associated genes. Economic pressures to apply genetic tests to broad sections of the population may increase as biotechnology companies develop and sell genetic testing products and services.
Because things are moving quickly in this area, it is time to consider possible consequences -- such as discrimination -- that might result from real or perceived differences from the 'normal' in a person's genetic makeup. This might occur in the workplace, in access to social services, insurance underwriting and the delivery of health care. American studies have uncovered cases where new, renewed or upgraded insurance policies were unobtainable even if individuals labelled with genetic conditions had no evidence of -- or assurance of -- developing a disease associated with this genetic abnormality. People who are poor and uneducated, or those with fears about their job security, may not be willing or able to negotiate the complexities of the current legal and regulatory systems to secure their rights. Other individuals who are currently healthy may -- consciously or unconsciously knowing the implications -- refuse a genetic test and thereby suffer adverse consequences.
Data protection and privacy are serious concerns with regard to the collection and use of genetic information. This concern stems from the differences between genetic information and other personal information:
- Knowing about an individual's genetic makeup also provides information about relatives.
- All DNA information is contained in nearly every body cell.
- Genetic information not only provides certain knowledge about personal identifiers (height, build, skin colour, intelligence) but also information about possible behaviours.
- Individual genetic information cannot be altered.
- Genetic information can indicate what will (or may) happen to health in the future.
- What can the science of genetics predict versus what it cannot predict? What is the level of understanding about the variable nature of many genetic conditions? (Some individuals with a genetic abnormality may never develop a disease, others may only develop the mildest form of a disease.)
- What is the difference between the predictive ability of genetics when dealing with a single gene disorder versus a multiple gene disorder?
- How many single gene disorders are there, compared to multiple gene disorders?
- What is the interaction between genetic factors and environmental and behavioural factors?
- What is the difference between treating an individual with a genetic condition (for example, Huntington's chorea) differently from an individual with a non-genetic predisposition to contracting an illness such as diabetes?
With regard to most diseases, the contribution of faulty genes is less clear. A gene, for example, might be a necessary but not a sufficient cause of a disease. Sometimes an environmental factor might be needed to trigger the disease. Sometimes, more than one gene may need to be faulty for a disease to develop. In other cases, some forms of a disease might be genetic while other forms may not be (e.g., breast cancer).
Experts have pointed out that the very presence of a genetic technology "ups the ante" for the individual who may be subject to the test. Social or peer pressure, for example, to take such a test can result.
In his 1995-1996 Annual Report, Bruce Phillips, the Privacy Commissioner, stated that he believed that it was important to ensure that a DNA database does not become subject to what he called 'function creep.' By this, he meant resisting the pressure to keep adding to the list of offences for which testing is allowed. The same has been said of genetic screening and genetic testing. "The pressure to do just that is present in our society, a product of the very existence of technology and the belief that technology can solve all our woes, if only we let it." In addition, Mr. Phillips proposed that DNA samples be discarded to prevent unrelated secondary uses such as looking at genetic links to crime. This is also a concern in terms of genetic information entering large-scale data banks now used to store personal health-related information. Individuals' health profiles, which can include genetic conditions, may be available privately and may be accessed in a manner analogous to credit checks.
FOR FURTHER INFORMATION:
- House of Commons, Standing Committee on Human Rights and the Status of Persons with Disabilities, Evidence, 2nd Session, 35th Parliament, 4 June 1996. (Topic of discussion: Human Rights and Biomedical Technologies)
- House of Commons, Standing Committee on Human Rights and the Status of Persons with Disabilities, Evidence, 2nd Session, 35th Parliament. (Topic of discussion: Privacy and Genetic Testing)
- Privacy Commissioner of Canada, Genetic Testing and Privacy, Ottawa, 1992.
- Privacy Commissioner of Canada, The Privacy Act - An Office Consolidation and Index, Ottawa, 1995.
THE NEED FOR PERSONAL ID
The need for individuals to prove their identity to others is as ancient as civilisation itself. Over the centuries, as this need has grown, identification methods have become increasingly sophisticated. The anonymity of today's large cities and the complexity of our daily transactions have made personal identification systems a necessity of modern life. The ability to accurately and reliably identify individuals is especially critical to governments, businesses, and other service providers, so they can operate efficiently, control fraud, and provide better quality services.
Simon Davies, who has written extensively on the topic of personal identification, notes that three basic methods of identification are used today: (1) identification by an object, such as a card or papers; (2) identification by something you know, like a personal identification number (PIN) or a password; and (3) identification by something that is part of your physical makeup, like your photographic image, fingerprint, voice or eye pattern. The latter form of identification, which relies upon an analysis of a physical characteristic of a person, is known as biometric identification. It is considered to be the most reliable of the three types of identification. At least two, and sometimes all, of these methods of identification are combined in the various advanced identification cards being developed and tested today.
SMART CARDS
Smart cards are one example of an emerging high-tech card. They are being used and field-tested for a variety of applications in North America and appear, at this point, to have the potential to be adopted widely for personal identification purposes. A smart card is a card housing a micro-processor and memory storage space; thus, it is essentially a credit-card-sized, portable personal computer. It can calculate, encrypt, and record data. It can operate as a self-contained information system or interface with computer networks and centralised data banks.
Smart cards have a number of applications, including acting as: access cards or keys to buildings and equipment; stored-value cards which serve as electronic cash; and personal data storage cards which can function as portable records systems, one example of which would be a patient's health smart card. A smart card may combine any or all of these three applications.
Contrary to a popular misconception, smart cards are not the same thing as magnetic stripe cards. The magnetic stripe card, the best known form of which is the credit card, can carry only a limited amount of information, such as the cardholder's account number, name and the card's expiry date, whereas a smart card can hold the equivalent of two to 20 pages of typescript or 50 times that volume if data compression techniques are used.
WHAT MAKES PEOPLE UNIQUE
Personal identifying information is needed to establish or authenticate one's identity; it is a critical ingredient of all identification cards. Personal identifying information is what makes each person unique and distinctive. It may include, for example, one's date of birth, age, sex, height, weight, eye colour, address, DNA makeup, fingerprints, blood type, religion, or ethnic origin. The risk that someone, without proper authority, could access, disclose or use such confidential information is the most serious privacy concern associated with advanced identification cards. Ultimately, the success or failure of advanced card technology experiments may depend on whether the public can be persuaded that these cards can properly safeguard the highly personal information contained in them. For example, in the case of health smart cards, most cardholders probably would want to be certain that the confidential health records which they contain will only be accessible to the appropriate health care providers for medical treatment purposes and not be disclosed to outsiders, such as insurance companies or employers. Without proper assurances, people might resist voluntarily adopting the technology.
SENSITIVE INFORMATION
Society's conviction that sensitive personal information warrants special protection from abuse is reflected in various data protection laws around the world. Strong and enforceable data protection legislation can offer an important degree of security; but legislation, alone, may not be sufficient to prevent abuses of the personal identifying information collected, generated, or disseminated using advanced card technology. Additional protection could be provided by other measures, such as raising public awareness about privacy rights and protections, encouraging the development of privacy enhancing technologies, building privacy considerations into the design and implementation of such technology, or conducting formal, independent privacy impact audits of new advanced card technologies.
High-tech, high-quality identification systems offer the potential to reduce fraud and promote greater administrative efficiencies -- goals which are in everybody's interest. On the other hand, the identification systems that can best achieve these goals tend to be physically invasive and to depend on collecting very personal information. Most people probably would agree that this type of information warrants stringent protection. Therefore, the challenge, in the case of high-tech ID cards, is to make them ever more accurate and effective while guarding and preserving the confidentiality of the personal information they use. The question is how best to meet this challenge.
FOR FURTHER INFORMATION:
- House of Commons, Standing Committee on Human Rights and the Status of Persons with Disabilities, Evidence, 2nd Session, 35th Parliament, 10 December 1996. (Topic of discussion: Advanced Identification Cards)
- Rita Reynolds, "Privacy and Technology," Address at Technology Pathways to the Future -- Bell and Government Connecting Canadians, 17 October 1996.
- Privacy Commissioner of Canada, Privacy Framework for Smart Card Applications -- A Discussion Paper, Ottawa, July 1996.
- Privacy Commissioner of Canada, The Privacy Act -- An Office Consolidation and Index, Ottawa, 1995.
- Ken McQueen, "After SIN: National Identity Numbers?" The Gazette, Montreal, 2 February 1997, p. A1 and A5.