Big Brother, Big Data and Statistics Canada

2020/01/16 Leave a comment

The ongoing challenge of better and more timely data that can be best achieved through linking data, and the privacy and consent concerns, where government is held to a much higher standard:

On December 9, 2019, the Office of the Privacy Commissioner of Canada published the results of an investigation into complaints that Statistics Canada had requested from a credit institution and Canadian banks the personal information on financial transactions of banking customers without notifying those customers. This clearly raises the issue of big-data mining by public authorities – the marriage of Big Brother and Big Data – with regard to the protection of privacy.

Let us recall the facts: Seeking to measure household debt more precisely, Statistics Canada reached an agreement with TransUnion, which agreed to forward files covering close to 24 million Canadians. The files included personal credit ratings along with identifying elements (name, address, date of birth, social insurance number, etc.). Statistics Canada was then able to link this data (600 pieces of information) with data from its own surveys, such as the census. In addition, Statistics Canada asked Canadian banks to provide it with information on all transactions carried out by a sample of 500,000 households.

The Canadian Bankers Association (CBA), which Statistics Canada first approached, said that it was reluctant to respond to such a request because of the burden it placed on banks, but mostly because complying meant that they would violate their privacy standards. A Global News report on October 26, 2018, blew the whistle. The chief statistician was called up before the Standing Committee on Industry, Science and Technology, and an investigation was launched by the Office of the Privacy Commissioner. The Financial Transactions project, for which no data had yet been transferred, was immediately suspended. TransUnion also stopped forwarding information.

According to the results of the investigation, those whose information had been shared had not been notified. In the first case, TransUnion put a note in people’s files, but nobody told them it was there. (Only if they asked to see their file for some other reason could they discover it.) In the case of the project with the banks, Statistics Canada had not planned to notify the selected households. In both projects, Statistics Canada claims to have complied with the Privacy Act. The organization also claims to have relied on section 13 of the Statistics Act, which requires any person responsible for documents or archives, public or private, to transmit them to Statistics Canada if such a request is made. The Commissioner concluded from his investigation that the Credit Information Project did comply with existing law and that the complaint on this subject was thus “not well founded.” In the case of the Financial Transactions Project, he concluded – against the opinion of Statistics Canada – that what was asked for went beyond the transmission of pre-existing documents or archives and involved the creation of new files. However, since no data had yet been transmitted, the Commissioner did not see fit to accept the complaint. That said, he expressed several concerns and made six recommendations, two of which call on Statistics Canada to refrain from going ahead with both projects as designed.

These two projects offer an example of linkage between big data as a by-product of transactions and interactions carried out for private purposes and information obtained through surveys to which citizens are obliged to answer. The scale of Statistics Canada’s projects is impressive and suggests that the revolution associated with Big Data is now affecting national statistical offices, hitherto hesitant to join it due to methodological scruples and ethical constraints. Section 13 of the Statistics Act, conceived of at a time when statistical treatment of documents and archives was limited by their physical nature, presents unforeseen potential. It is also clear from the results of the investigation that Statistics Canada’s requests rested upon a particularly broad interpretation of this section of the law. The Privacy Commissioner therefore considers that the legal framework applying to the collection of “big-data administrative data” from the private sector is outdated and suggests that the legislator review the Statistics Act respecting this matter.

On the other hand, the problems that the Statistics Act could pose would no doubt be lesser, according to the Commissioner, “if the Privacy Act were not so out of date.” In 2016, he proposed that it be amended “to explicitly require compliance with the criteria of necessity and proportionality in the context of any collection of personal information.” In fact, even if Statistics Canada agreed to demonstrate the “necessity” of the information sought in these and other projects and the “proportionality” of the means used to obtain these data, the agency is not legally required to do so.

Finally, beyond legal amendments, the Commissioner’s report presents recommendations that are inspired by European practices aimed at ensuring the consent of individuals or even at circumventing this problem. They include “civic data sharing,” which is based on prior consent, “algorithm-to-the-data,” which means only anonymized results are transferred by the private enterprise to public authorities, and “privacy-preserving computation,” which also amounts to anonymizing information at the source. The first method resembles in all respects the position of the Harper government with regard to the long-form census. The other two would interfere with the type of data linkage that Statistics Canada envisioned.

Much has been made in recent years of the necessary independence of Statistics Canada from government. If the Office of the Commissioner’s report presents a less-than-sympathetic and somewhat authoritarian image of the agency, it is at least reassuring that Statistics Canada is accountable to a parliamentary committee, that it had to collaborate with the Office of the Commissioner to improve its practices and that a report was made public. The whole affair illustrates how big-data mining poses new challenges for official statistics when it comes to the trade-off between privacy rights and evidence-based policy-making.

Source: Big Brother, Big Data and Statistics Canada

Filed under Government Tagged with , , ,

Andrew Coyne: Political parties — not Statistics Canada — are the real bad guys of privacy invasion

2018/11/07 Leave a comment

Valid critique of the double standard:

For the past week, question period has been dominated by accusations from Conservative MPs that a government agency has been spying on Canadians — improperly gathering sensitive personal information, it is suggested, on behalf of the ruling party.

That shadowy cabal? You guessed it: Statistics Canada.

The Conservatives have invested much effort in recent years attempting to persuade Canadians that StatCan is their enemy: witness the campaign against the long-form census. The current hysteria was kicked off by a letter from the agency requesting Canada’s banks make available to it personal financial data from 500,000 of their customers.

The program is not secret: the agency briefed reporters on it a month ago. Neither does it apply only to banks. StatCan is reaching out to a range of public and private organizations, hoping to tap the databases they maintain. The reason? People aren’t filling out the surveys the agency has traditionally used to keep track of consumer purchases and the like in anything like the numbers they used to: the data is increasingly unreliable. Without access to “administrative data” to replace it, the agency would be stumbling in the dark.

Privacy concerns are worth taking seriously, of course. Canadians would be right to worry if StatCan were proposing to set up personal files in their name, or to combine bits of data collected from a variety of sources into individual profiles. Needless to say, that is not what the agency is proposing. And while data security is increasingly a concern, StatCan’s record in this regard is unblemished.

Indeed, of all the organizations that now monitor, collect and compile your personal data, StatCan would seem among the least threatening. Your cellphone provider, to take one example, not only keeps tabs on who you called at what hour and for how long, but where you were at the time — in fact, where you are at all times. In the wrong hands, that sort of detailed personal information could be used to manipulate, intimidate and defraud. Whereas the broad aggregates StatCan extracts from it are essential to good public policy.

And of all the wrong hands it is possible to imagine, among the wrongest are those of the political parties — the same parties that are so quick to mount the privacy soapbox when it comes to other organizations. It’s StatCan this week, but it was the big social media companies before and it will be somebody else next – everyone, that is, but the parties themselves. Yet the scale of what the parties are up to, and the potential for abuse — no, the reality of abuse — is far greater than anything StatCan might propose.

All of the parties keep detailed personal files on literally millions of voters. Unlike last year’s scandal over Cambridge Analytica’s use, on behalf of its political clients, of information illegally scraped off of Facebook users’ pages, the data here is acquired legally, which is to say the law has been written in such a way as to allow it.

For example, the parties all have guaranteed access to Elections Canada’s voter lists, though there is no obvious reason why they should. Combined with data purchased from private market-research companies and their own proprietary data collected from interviews with individual voters, the parties are able to assemble quite fantastically “granular” profiles of the voters they are trying to reach, with which not merely to anticipate their responses to events but to shape them, via the sort of highly customized, micro-targeted messages that modern media make possible.

All of which would be objectionable enough — there is, again, no need for any of it, and much reason to object to all of it — if it were subject to even the barest regulatory safeguards. But while government agencies like StatCan are covered by the Privacy Act and private companies come under the Personal Information Protection and Electronic Documents Act (PIPEDA), the parties have taken care to exempt themselves from federal privacy laws.

And, what is more, they seem determined to keep it that way. Federal and provincial privacy commissioners have called for bringing the parties within the law; so has the head of Elections Canada; so, too, has an all-party committee of MPs. Yet Bill C-76, the package of changes to the election laws currently before the House, makes no requirement of parties other than that they should publish their privacy policies on their websites, with no guarantee they will even abide by their own standards, let alone the kind they impose on others.

Asked to justify this, Liberal spokespeople burble on about the need to “engage” voters. “Understanding the interests and the priorities of Canadians,” Liberal adviser Michael Fenrick told the Commons access to information, privacy and ethics committee last week, “helps us to speak to the issues that matter most to them and in turn mobilizes democratic participation in our country.” Those hot-button fund-raising emails and Facebook ads that cater to your worst fears? That’s what he’s talking about, behind all the high-falutin’ language.

A Conservative official said much the same, adding that of course his party was willing to live with whatever Parliament decides, which is how an opposition party traditionally hides behind the government’s skirts. Only the NDP and Greens have publicly expressed support for bringing the parties under the privacy laws — though since neither is likely to be in a position to put this into effect, this, too, seems awfully convenient.

We’ve been this way before. The parties thoughtfully exempted their own solicitations from the do-not-call rules that apply to other telemarketers. Third-party advocacy groups are subject to much tighter election spending limits than those the parties apply to themselves. Corporate advertisers must conform to truth in advertising laws; not so the parties.

And now privacy. It’s tempting to say there’s one law for the parties and another for everyone else but, in this case, there isn’t any.

Source: Andrew Coyne: Political parties — not Statistics Canada — are the real bad guys of privacy invasion

Filed under Other Tagged with , ,