Why the Privacy Commissioner should get off Facebook

Jesse Brown on the atrocious state of data privacy in Ottawa

Part 4 of a four-part “Privacy Reality Check” series.  Click for parts one, two and three

In the past three posts I’ve documented the atrocious state of data privacy in the federal government.  Through leaks, spies, hacks and willful disregard, Ottawa has had a disastrous few years when it comes to safeguarding the data it collects on us— a 40 per cent uptick in privacy complaints during the past year alone, worsening an already dismal record that dwarfs all privacy complaints against private industry combined. The numbers, again: private industry generated 281 complaints, 19 of which concerned the Internet. Government generated 986.

All of this happened during Privacy Commissioner Jennifer Stoddart’s watch. And she is, after all, a watchdog.  So where has she been in all of this?

She’s been on Facebook.

During the past five years or so of her 10-year tenure, Stoddart has focused obsessively on curbing the supposed transgressions of social media sites.  She has been praised wildly for these efforts, especially by the Globe and Mail, which squeals with delight each time Stoddart, the “trail-blazing,” “fearless privacy cop” “scolds” Facebook, Google, eHarmony, or, most recently, the nominally popular messaging service Whatsapp.  What are her accomplishments in this realm? Chief among them, said the Globe, was the time she “slowed Google’s plans to send cars armed with cameras to capture and post images … on its Google Street website.”

Thanks for that. Google Street View, let’s remember, is a brilliant, useful and free service that’s beloved by everyone except maybe pitchfork-wielding Norweigan scuba divers.

To put Stoddart’s social media fixation into focus: last year, as our government was leaking data by the gigabyte through lost hard drives while being fleeced by an undetected spy with a USB stick , Stoddart released six statements concerning government privacy concerns, and 21 statements about online privacy.

Yes, the Privacy Commissioner complained more about the Internet in 2012 than the entire Canadian population did.

To be clear: Jennifer Stoddart is not responsible for the government’s atrocious record on privacy, its continuing lack of data hygiene, or its basic disregard for the concept of privacy.  But you’d think, based on the complaints and the severity of the lapses, that she might have made reforming Ottawa a priority.  Instead, she may in fact have made things worse.

Earlier I wrote about Ottawa’s fear of cloud computing, which would have prevented every one of the recent data disasters.  What is the source of this aversion to cloud security?  Experts who’ve analyzed the Privacy Act can’t seem to find anything that would prevent a government agency from using secure cloud storage.  So why do folks in government consider it forbidden?

Perhaps it has something to do with the fact the Privacy Commissioner called for a moratorium on online data transfers for the purpose of Internet metrics, as Global news reported.  Google Analytics is a global standard for free web metrics, considered secure by most commercial websites.  But in order for Google’s technology to analyze a site’s data, it has to access that data.  Stoddart said that’s a bad idea for government, and advised the practise stop. Think about that from the perspective of a federal government IT manager: if the Privacy Commissioner’s official advice is that the cloud is too risky to even pass data through, surely it’s not a kosher place to store said data.

That would be a logical inference, and one many people have likely made.  But why assume?  Instead, I asked Stoddart’s office what her official position is on cloud computing. Does it, in their opinion, violate the Privacy Act (because if it doesn’t, Stoddart is really in no position to oppose it).  Here’s what they told me:

“…we could only make a specific finding following an investigation generated by a complaint. And at this time, we have neither received a complaint nor conducted an investigation related to a federal department or agency using a cloud service.”

The only way the Privacy Commissioner would be able to tell government workers that the cloud is safe to use would be if some government agency went ahead and used it anyway and it turned out not to be safe.  They would have to lose data, generating a public complaint, which would then allow the Privacy Commissioner to launch an investigation into the cloud, which they would then need to find safe.  Then everyone could use it.

Make sense?

Perhaps it’s unfair to blame Stoddart for the baffling bureaucratic mechanisms that constrain her office. Despite being named Canada’s Most Powerful Woman, her powers are largely symbolic, her office a bully pulpit from which to name and shame those who subject Canadians to exposure.  And yet she decides how to use that platform.  More than any other Canadian, she has the ability to shape the discourse around privacy, to tell us who we need to watch out for and who can be trusted.  She has chosen to generate publicity for herself by amplifying and validating the moral panic surrounding social media services we use voluntarily.

And she has chosen to downplay the flagrant privacy abuses of  government, which appointed her, and for whom she is an officer.

Follow Jesse on Twitter @JesseBrown