Official Blog of the Office of the Privacy Commissioner of Canada

6 Mar 2017

Privacy Tech-Know Blog: Let me virtually assist you


The way we interact with our digital devices has evolved over time: from specific commands in command line interfaces, to graphical user interfaces (GUIs), to touch-based interfaces. Virtual assistants (VAs) are the next step in this evolution, and they present new privacy challenges. These assistants, such as Siri (Apple), Alexa (Amazon), Cortana (Microsoft), or simply ‘Google’, are designed to respond to your spoken or written commands and take some action. Such commands let you place phone calls, order a car service, book a calendar appointment, play music or buy goods.

The use of these assistants is on the rise: a 2015 Gartner study found that 38 per cent of Americans had used a virtual assistant in 2015 and that two-thirds of customers in developed markets would use them daily in 2016. The most commonly used VAs are voice-based; however, much of the information presented also applies to text-based VAs.

Read the rest of this entry »


1 Mar 2017

Don’t miss the Pathways to Privacy Research Symposium 2017


On Friday, March 10, 2017, the Behavioural Economics in Action at Rotman (BEAR) group at the University of Toronto will bring together academics, researchers, regulators, and industry and consumer groups alike to address consumer privacy challenges in the online world.

Patricia Kosseim, Senior General Counsel, OPC

Funded through the Office of the Privacy Commissioner of Canada’s (OPC) Contributions Program, the BEAR group will host a symposium highlighting the privacy challenges that consumers face every day while on the Internet.

“Online Privacy: A Human-Centred Approach” will be the theme of the day, and the symposium will feature recent research funded by the OPC’s Contributions Program and explore the key factors—cognitive, contextual, and social—that underlie consumers’ decisions to share their personal information online.

Read the rest of this entry »


16 Feb 2017

Buyer beware: What you need to know before purchasing a direct-to-consumer genetic test


It was once the domain of doctors with bona fide concerns about their patients’ genetic predisposition for illness. Today, advances in technology have brought genetic testing to the fingertips of anybody with a few hundred dollars to spare.

The draw is understandable. Genetic testing can help people identify, prepare for and maybe even prevent future health problems. Knowing what genes may be passed down to offspring could influence family planning. Genetic testing can even reveal sensitivities to certain foods or the mysteries of one’s parentage.

Before diving into the ever-growing direct-to-consumer genetic testing market, however, it’s important to recognize that there are inherent risks to unlocking the secrets that lie deep within your DNA.

Read the rest of this entry »


10 Feb 2017

Privacy Tech-Know Blog: The actual privacy benefits of virtual private networks


Virtual Private Networks (VPNs) let you establish a secure communications channel between your computing device and a server. After connecting to the server, you could gain access to a private network that has work files or applications, or use the server as a relay point to then access Internet content when browsing from a public network.

There are several reasons for using a VPN: you might need to remotely access information held on corporate servers while travelling or working from home; you might be wary of the insecure wireless networks you’re using; or you might want to access online content that’s blocked on the network you’re connected to but is accessible from the server somewhere else. Sometimes a company (for example, your employer) will require you to use a VPN, meaning the company will dictate the security and type of VPN you use. When you make a consumer decision to use a VPN, by contrast, you’re responsible for making these decisions on your own.

In the wake of Edward Snowden’s revelations, a large number of consumer VPN providers have sprung up, and security experts now often suggest that you use a VPN when accessing the Internet from an insecure network (e.g., a café, public library, or other free Wi-Fi hotspot). This blog post will help you understand what to look for when choosing between different VPN services.

Read the rest of this entry »


20 Jan 2017

Mass mailing mistakes and how to avoid them this tax season


With tax season approaching, many businesses are pulling together mass mailings to send out to customers. The information these mailings contain is likely pretty sensitive – names, addresses, social insurance numbers and financial details. You don’t want it falling into the wrong hands!

Every year, a number of Canadians contact our Office to complain because they received sensitive financial information that does not belong to them. A number of businesses also reach out to our Office to report related breaches.

You can take precautions to prevent printing or mailing errors that can cost your customers dearly and tarnish your reputation as good stewards of personal information:

Read the rest of this entry »


5 Jan 2017

Privacy Tech-Know Blog: Your Identity: Ways services can robustly authenticate you


Traditionally, we have logged into online systems using a username and password. These credentials are often compromised, however, when databases containing them are breached or we are tricked into providing the information to fraudulent individuals or websites (often through phishing or other social engineering attacks). Once these credentials are compromised, attackers can use them to log into the associated online services. Even worse, because people often reuse their usernames and passwords, the attackers can access multiple services.

In order to better verify that it is actually you submitting the username and password, organizations are increasingly turning to multi-factor authentication (MFA). MFA requires you to present multiple types of authenticating information, such as a username and password along with a unique code displayed on a token or smartphone. MFA can stymie attempts to log into a service by guessing your password or using stolen usernames and passwords. A related, less powerful technique is two-step verification, which requires two pieces of information of the same kind of factor, such as two pieces of information that you know, while MFA requires you to present multiple types of authenticating information.

Read the rest of this entry »


8 Dec 2016

Privacy Tech-Know Blog: Uniquely You: The identifiers on our phones that are used to track us


Canadians’ mobile devices are filled with applications that collect personal information, including identifiers that are engrained into different parts of the devices. But what exactly are these identifiers, and how are they used?

An identifier is a piece of information (usually a sequence of characters) that’s used to uniquely identify a device, a user, or a set of behaviours taken on the device. Mobile identifiers constitute privacy-affecting technologies because they can be used to correlate an individual’s various activities while using a phone, tablet, or other connected device, and they support the linking of devices with actual persons.

Our mobile devices are filled with identifiers that uniquely label different components and behaviours. The radios and other physical hardware, operating systems, applications, and even web browsers are all rife with identifiers that can uniquely identify the device, the person using the device, or the behaviours of the user. And while these identifiers are typically meant to serve a useful purpose, the user is often unaware that these identifiers exist or how they’re collected and used. We will outline several of the most prominent identifiers associated with mobile devices and their significance for privacy.

Read the rest of this entry »


9 Nov 2016

Privacy Tech-Know Blog: Pay me to regain access to your personal information! Ransomware on the rise


Ransomware is a type of malicious software (malware) which, when installed on a device or system, prevents access to that device, or that device’s content or applications. Once installed and operational, the malware prompts you to pay a ransom to restore full functionality to the device. Personal or sensitive data have been targeted with ransomware, or accessed when attackers were rifling through organizational computers or networks. In fact, ransomware has affected a range of devices, including those running Windows, OS X, and Android, and has affected healthcare providers, police services, public schools, universities, and various types of businesses, in addition to individual consumer users. It’s an increasingly prevalent issue, with Symantec estimating that Canadians were affected by over 1,600 ransomware attacks a day in 2015.

Read the rest of this entry »


22 Sep 2016

How fit is your gadget? Putting web-connected health/wellness devices through their privacy paces


Smart TVs . . . Fitness trackers . . . Automated thermostats . . . Self-driving cars . . .

The Internet of Things is the next frontier in digital technology, which is why the Global Privacy Enforcement Network focused its 2016 Privacy Sweep on this emerging market. Sweep participants were especially interested in how companies communicate their personal information handling practices.

Given the sensitivity of the information that health and wellness devices, as well as their associated apps and websites, are capable of collecting, the Office of the Privacy Commissioner of Canada (OPC) focused its Sweep on 21 devices ranging from smart scales, blood pressure monitors and fitness trackers, to sleep and heart rate monitors, a smart breathalyzer and a web-connected fitness shirt.

The choice of devices dovetails with one of our four strategic privacy priorities—the body as information. Identified as an important area of focus during a priority-setting exercise that culminated in May 2015, the body as information refers to the mounting privacy concerns related to highly sensitive health, genetic and biometric information that is being used by organizations and governments in all sorts of new ways.

During the Sweep, our Sweepers—aka OPC staff—put the products to use to see first-hand what information the devices requested, compared to what privacy communications said would be collected. In some cases, they followed up with specific privacy questions for the companies.

Below is a brief assessment of how the devices stacked up.

Read the rest of this entry »


19 Sep 2016

Children’s Privacy Sweep yields positive changes


So whatever happened with that Children’s Privacy Sweep, you ask?

Before we delve into the results of the 2016 Internet of Things Sweep—look out for them very soon—we thought we should update you on the outcome of our discussions with developers behind the mobile applications (apps) and websites we raised concerns about in a blog post and/or letters issued last fall.

Read the rest of this entry »