Last week, Privacy Commissioner of Canada Jennifer Stoddart released the results of a disturbing new study conducted by her office that found many leading websites “leaking” personal information. My weekly technology law column (Toronto Star version, homepage version) notes that the study, which came on the heels of similar findings by researchers in the United States, found that one in every four websites examined suffered from privacy leaks, including disclosure of names, email addresses, postal codes, and location data to third party advertisers (in the interests of full disclosure, I am a member of Stoddart’s external advisory board).
The study covered only 25 of the most popular e-commerce and media websites in Canada, suggesting that many more organizations may be violating Canadian privacy law by failing to adequately safeguard the personal information they collect and by providing users with insufficient information about how their data is used and disclosed.
The source of the problem appears to be relationships with third party advertising companies, website analytics services, and electronic flyer providers. Using software that captures data sent between a user’s browser and a website, along with the data sent between the user’s browser and third-party sites, the study identified significant leaks of personal information.
For example, it found a Canadian-based shopping site that revealed email addresses to 11 third party organizations after asking users to register for an email promotion service. It also found a Canadian media site that disclosed username, email address, and postal code to a content delivery and marketing service, an advertising network, and a news content provider after asking for registration to manage user subscriptions.
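The capture-and-compare method described above can be reproduced offline with a small script. The example below is added here and is not code from the original post or from the Commissioner’s study: it takes a constructed capture of one registration flow (a first-party domain, the values the user typed into the form, and the requests the browser sent afterwards, all invented for illustration), treats every request to a host outside the first-party domain as third-party, and reports which of the user’s values reached which host and by what route. It goes slightly beyond the study’s description in two ways: it checks the Referer header as well as URLs and bodies, since a registration page URL carrying form values is forwarded to any third-party resource that page loads, and it also matches MD5 and SHA-256 digests of the email address, because an identifier that is hashed rather than plaintext is still the same person.

```python
"""Added example, not code from the original post or from the Commissioner's study:
an offline scan of captured browser traffic for personal information sent to
third-party hosts. The first-party domain, the user's registration details and the
captured requests below are all constructed for illustration."""
import hashlib
from dataclasses import dataclass, field
from urllib.parse import urlsplit, unquote_plus


@dataclass
class Request:
    """One captured HTTP request, the record an intercepting proxy would keep."""
    method: str
    url: str
    headers: dict = field(default_factory=dict)
    body: str = ""


# Constructed: the site the user registered with, and what they typed into the form.
FIRST_PARTY = "shop.example.ca"
PII = {"email": "Alice@Example.com", "postal_code": "M5V 3L9", "username": "alice42"}


def is_third_party(host, first_party):
    """Everything that is not the first-party domain or one of its subdomains."""
    host = host.lower()
    return not (host == first_party or host.endswith("." + first_party))


def representations(value):
    """Forms a value may take on the wire: the plain value, plus hex digests of its
    normalised form (hashed identifiers go beyond the study's plaintext finding)."""
    norm = value.strip().lower()
    reps = {"plain": norm}
    for algo in ("md5", "sha256"):
        reps[algo] = hashlib.new(algo, norm.encode()).hexdigest()
    return reps


def surfaces(req):
    """Where a value can travel: URL (path and query), Referer and Cookie headers, body.
    Percent-encoding is undone so 'alice%40example.com' still matches the email."""
    yield "url", unquote_plus(req.url)
    for name, value in req.headers.items():
        if name.lower() in ("referer", "cookie"):
            yield "header:" + name.lower(), unquote_plus(value)
    if req.body:
        yield "body", unquote_plus(req.body)


def find_leaks(requests, pii, first_party):
    """Return sorted (host, field, representation, surface) tuples for every
    third-party request that carries one of the user's values."""
    needles = {name: representations(v) for name, v in pii.items()}
    leaks = set()
    for req in requests:
        host = urlsplit(req.url).hostname or ""
        if not is_third_party(host, first_party):
            continue
        for surface, text in surfaces(req):
            hay = text.lower()
            for name, reps in needles.items():
                for rep, needle in reps.items():
                    if needle in hay:
                        leaks.add((host, name, rep, surface))
    return sorted(leaks)


def summarize(leaks):
    """Host -> sorted list of PII fields it received, the shape of the study's findings."""
    out = {}
    for host, name, _rep, _surface in leaks:
        out.setdefault(host, set()).add(name)
    return {host: sorted(names) for host, names in out.items()}


# Constructed capture: the registration POST and the third-party loads that follow it.
_EMAIL_MD5 = hashlib.md5(b"alice@example.com").hexdigest()
SAMPLE_CAPTURE = [
    Request("POST", "https://shop.example.ca/register",
            {"Content-Type": "application/x-www-form-urlencoded"},
            "email=Alice%40Example.com&postal=M5V+3L9&user=alice42"),
    Request("GET", "https://static.shop.example.ca/logo.png"),
    Request("GET", "https://ads.example-network.net/pixel?uid=alice%40example.com&pc=M5V+3L9"),
    Request("GET", f"https://analytics.example-tracker.com/collect?e={_EMAIL_MD5}"),
    Request("GET", "https://cdn.example-flyer.com/flyer.js",
            {"Referer": "https://shop.example.ca/welcome?user=alice42&email=alice%40example.com"}),
]

if __name__ == "__main__":
    for host, fields in summarize(find_leaks(SAMPLE_CAPTURE, PII, FIRST_PARTY)).items():
        print(f"{host}: {', '.join(fields)}")
```

Two design points matter in practice. Matching on the values the user actually entered, rather than on parameter names such as `email` or `uid`, is what lets the scan catch a postal code sent under an arbitrary key or a Referer that happens to carry the registration form’s query string. And the first-party test is deliberately crude: a site that serves assets from a CDN on a separate registrable domain will have that domain flagged as third-party, so a real run needs an allowlist of the operator’s own domains before the remaining hosts are counted as outside organizations.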
Stoddart responded to the report by writing to 11 of the 25 organizations covered in the study to ask how they plan to address potential violations of the law. Yet despite the obvious cause for concern, Stoddart declined to name names, as a release from her office indicated that the “Privacy Commissioner of Canada has not exercised her discretion to publicly name the tested organizations at this time.”
The decision to keep the public in the dark about privacy leakage raises its own set of concerns. While the study may cause some embarrassment for the affected sites, the preliminary findings suggest that those sites are violating Canadian law. Moreover, because the identities of the sites remain secret, Canadians are unable to take action to mitigate the risks they face from the privacy leakage.
The secrecy approach is particularly surprising since Stoddart has publicly admitted that she is uncomfortable with the practice. In her first speech following the renewal of her mandate in January 2011, Stoddart acknowledged “to be candid, I have a growing discomfort with the secretive nature of how we work under PIPEDA.” She added that “it seems to me that not naming names is robbing the Canadian public of much of the educational value of our investigative findings.”
While this study is not identical to a formal PIPEDA finding, if the concern was sufficient to merit its release and follow-up letters, then the same concern for maximizing the educational value to the public should apply.
The Commissioner has named names without the benefit of a full investigation in the past, disclosing investigations of Google and Facebook privacy practices in 2010. Moreover, Stoddart has been a vocal advocate for security breach disclosure legislation, new rules that would require organizations that suffer a security breach to disclose it to anyone whose personal information may be at risk.
Stoddart’s focus on greater transparency – both for organizations that collect personal information and for her office’s own investigations – is a welcome development that should increase public confidence in, and awareness of, privacy law. The decision to keep the names of organizations leaking personal information secret runs counter to that commitment to transparency and should be reversed.