Committees / News

Privacy and Social Media: My Appearance Before the Ethics, Accountability & Privacy Committee

appeared before the House of Commons Standing Committee on Access to Information, Privacy and Ethics for a hearing on privacy and social media.

Appearance before the Standing Committee on Ethics, Accountability & Privacy
May 31, 2012

Good morning.  My name is Michael Geist.  I am a law professor at the University of Ottawa, where I hold the Canada Research Chair in Internet and E-commerce Law. I was a member of the National Task Force on Spam struck by the Minister of Industry in 2004 and I currently serve on the Privacy Commissioner of Canada’s Expert Advisory Committee.

I appear before this committee today in a personal capacity representing only my own views.

My opening comments will identify several areas for potential government action, but I want to provide a bit of context with three key caveats.

First, it may be stating the obvious, but social media is an enormously important, positive development. The number of users is staggering and its role as a key source for communication, community, and political activity grows by the day. The opportunities presented by social media should be embraced, not demonized and government should be actively working to ensure that it incorporates social media into its policy consultation processes.

Second, Canada has been a leader in the use and regulation of social media. The Privacy Commissioner of Canada was the first to conduct a major privacy investigation into Facebook and has led on other issues involving social media and Internet companies.

Third, while we have had some influence through those investigations, Canada has not led in creating the social media services used by millions around the world. The failure to articulate and implement a national digital economy strategy comes back to haunt us in these circumstances, where the ability to place an unmistakable Canadian stamp on social media is undermined by the policy failures that have done little to encourage the development of Canadian social media sites.

What Is There to Be Done?

With those caveats, what is there to be done?  I’d like to point to four areas and issues.

1. Finish What We’ve Started

The government has introduced and even passed legislation that can be helpful in addressing some concerns that arise from social media, yet these initiatives have stalled short of the finish line. Anti-spam legislation, which received royal assent in 2010, has still not taken effect as final regulations have not been approved. In fact, Industry Canada officials now indicate it could go well into 2013 before the regulations take effect. Given the amount of work that went into the legislation, it is shocking that the law has been left in limbo.

Moreover, Bill C-12, the PIPEDA reform bill that seeks changes arising from the 2006 privacy review, lags in the House of Commons with seemingly no interest to move the bill forward. Indeed, the bill is now outdated and a full PIPEDA review to address emerging concerns such as order making power, statutory damages, and tougher security breach requirements than those found in the bill is needed. In fact, the C-12 security breach reporting rules are primarily bark with little bite given the absence of penalties for failure to comply.

The government has also promised a digital economy strategy for years and has failed to deliver. The strategy has come to be known as the Penske File, a reference to the Seinfeld episode that involves working on an imaginary file. While other countries are now years into implementing their strategies, Canada still lags behind.

It should also be noted that these issues must increasingly be addressed in concert with the provinces. The line between federal and provincial jurisdiction on many of these issues is blurry and legal challenges against federal legislation is a real possibility. Work is needed to begin to develop minimum standards that can be implemented at the provincial level should federal leadership be challenged in the courts by companies seeking to circumvent their privacy obligations.

2.    Devil is in the Defaults

In many respects, social media and Internet companies are the most powerful decision makers when it comes to privacy choices. As my colleague Ian Kerr says, the devil is in the defaults. In other words, the choices made by leading social media companies with respect to default privacy settings are the defacto privacy choices for millions of users. Given the increasing pressure to generate revenues, we can expect those default choices to change in aggressive ways to make greater use of user data.

There are examples of companies doing great work in the area. Twitter recently implemented do-not-track options that won plaudits from the Federal Trade Commission in the U.S. Similarly, Google offers its users transparency tools so that they can obtain detailed information about what information is collected, how it is used, and how they can modify their privacy choices. The company has also been transparent about law enforcement requests for information and copyright takedown demands.

There needs to be continued work on these defaults, initiatives to provide users with greater information and transparency, and steps to ensure that companies live by their privacy commitments.

3.    Lawful Access

The introduction of Bill C-30 brought with it an avalanche of public outrage and concern over the proposed Internet surveillance legislation. While much of the focus was on the mandatory warrantless disclosure of subscriber information by telecom service providers, the potential for social media and big data Internet sites to serve much the same purpose cannot be overlooked.

A recent investigation by the Privacy Commissioner of Canada into Nexopia, a Canadian social network, identified hundreds of law enforcement requests for customer name and address information, frequently for accounts that should have been deleted months earlier.

Social media generates a treasure trove of personal information that must enjoy full privacy protection and court oversight before disclosure. Indeed, documents recently obtained under Access to Information indicate that Public Safety is thinking about how the rules are applied to social media sites and services. Bill C-30 needs to go back to the drawing board to effectively account for these issues.

4.    New Legal Issues

While I think that much can be done to use or augment existing rules, social media and the Internet do raise some unique issues that may require targeted responses.  In the interest of time, let me name two.  First, do-not-track. As you may know, cookies can be used to trace the web browsing habits of users, including when they visit third party sites. For example, Facebook inserts a cookie on user browsers that traces your activities as you surf the net. Any site with nothing more than a Facebook “like” button – as found on Conservative, NDP, and Liberal sites – means that Facebook records a visit to the site and retains the information for months.

A growing number of sites, including Yahoo, AOL, and Twitter, respect functionality found in Firefox browsers that allow a user to choose not to be tracked. Google has said it will implement similar technology in its Chrome browser.

However, many sites have been slow to adopt do-not-track and Facebook has thus far declined to do so.  Given the failure of industry to self-regulate, it is appropriate for government to step in with stronger measures to ensure that user choice is respected.

Second, there is a growing problem of social media misuse. For example, in recent months there have been an increasing number of stories of employers requiring employees to provide their Facebook user id and password as a condition of a job interview. Seeking the same information with direct questions would typically be prohibited, so this is used as a circumvention of longstanding standards and principles within employment law. In response, the State of Maryland has passed a law banning employers from requiring employees or job applicants to provide access to their personal digital/social media accounts. Several other states are working on similar legislation and Canada should consider following suit.


  1. targeting by unique identifiers
    Re: 2-4 :

    Please compare and contrast the relative ease of maliciously targeting a person named, “Sonia Varaschin” vs. “Jane Doe”.

    There are hundreds of millions of people with the surnames, ‘Li’, ‘Patel’ or ‘Smith’. I count less than 10 who share my surname which is similar in its uniqueness to ‘Varaschin’.

    Those with common surname identifiers are free to invent unique identifiers of their own choosing for the purposes of business or whatever. My family walks around like a wide open and unlocked doors, the easiest of targets. And I become a suspect of being fraudulent or otherwise criminal if I try to guard my privacy and more worrisome, personal safety, by using ‘anonymous’ or fictional pseudonyms, addresses and other garbage-in/garbage-out techniques.

    I cannot choose to be free from careless and irresponsible use of my data even if I opt to steer clear of social media or even go offline because I become dragged into lists by virtue of being related and on shared contact lists. My telephone number. My address. My birthday. My voice. My image. Any other biometric profile data.

    It belongs to me. Neither the state, nor the commercial marketplace may make claim upon it, profit from it without my explicit permission, nor steal it and then sell it back at a profit.

  2. The hunted says:

    Col. Russell Williams was a database stalker.

  3. C-11
    What happened to C-11 I thought they said it was suppose to pass third reading this week, are they waiting until next week now?

  4. Ray Saintonge says:

    More issues
    In light of the recent Supreme Court ruling revise rules around forum non conveniens. In many issues involving the internet there is always the risk of being prosecuted in a jurisdiction with which one has no connection.

    Related to this would be the need to establish standards for End User Licence Agreements. People regularly click on a button saying that they have read, understood and agree with these contracts. Worse, they also need to click when there is a revision to the computer program, and the corresponding changes to the licence are small but subtle. These agreements are mostly incomprehensible to the average person. They often carry legal implications that even trained persons would only detect with difficulty. Notably it should be made clear that a person cannot contract out of rights available under domestic law, by substituting a foreign jurisdiction.

  5. MS implementing DNT by default
    Today’s news, IE10 default setting will be DNT on. I think another issue will be a right of disaffected users who terminate accounts to have their data truely and completely purged.

  6. Chris C. says:

    This clearly shows how corrupt our governements really are…
    What is striking in this piece is the distinct impression that the government does everything to promote corporations’ and the elite’s interests, taking away individual rights, saying it is vital for security and whatnot, whereas they simply yawn when said citizens object, as if we were a mere inconvenience to them.

    I have said it before and I will repeat it again: our governments have become the lackeys of corporate interests and have lost legitimacy and it’s high time the citizens woke up and demanded they do what they were elected for, which is, to defend OUR interests, We the People of This Country.

    Unfortunately, under our existing institutions, it is highly doubtful real democratic changes will ever happen. Ergo, the reasons for the rising number and extent of protests we are seeing in the world right now.

    Thanks to the internet revolution, the citizens now more and faster than ever what the rich and powerful are trying to do to in secret to take away our rights (ACTA comes to mind) and it would be in the government’s interest to wake up to this new reality and realize who they are supposed to serve: the citizens of this country, not just the few rich and powerful enough to manipulate them through their bribes (er, I meant, ‘lobbies’).

  7. Social Media
    In the modern age social media is a good source to spread the information among people.Every industry use this to grow their business.