How the federal government failed to protect our mobility data
Instead of keeping its promise to strengthen Canada’s privacy laws, the federal government is taking advantage of our system’s weaknesses.
This is the third blog in our series on how the federal government used mobility data to track the locations of millions of people in Canada. To read the first blog, click here. For the second, click here.
The Parliament of Canada’s ethics committee is concluding its investigation into the use of mobility data by the federal government. They’ve heard from twenty witnesses – including Canada’s Health Minister, Chief Public Health Officer, employees from the Public Health Agency of Canada (PHAC), representatives from Telus and BlueDot, and a dozen renowned privacy experts.
Early on, there was confusion around why the federal government had obtained mobility data, which can show the precise location of individual devices connected to cellular networks, how this data was being used, and how effective it actually was for that purpose. We now know that the mobility data was obtained to track population movement trends as provinces issued stay-at-home orders and COVID-19 infections spread throughout communities. We’ve also learned that this health data surveillance initiative offered little benefit.
But one very important thing has become abundantly clear through the course of the investigation: When it comes to transparency, the federal government and Telus failed Canadians by taking advantage of weaknesses in Canada’s broken and outdated privacy laws.
Don’t believe it? Read on and decide for yourself.
The federal government’s transparency failures
Speaking on behalf of the federal government, the ethics committee heard from Health Minister Jean-Yves Duclos, Chief Public Health Officer Theresa Tam, and two other representatives from the Public Health Agency of Canada.
Minister Duclos was responsible for defending and promoting the federal government’s transparency initiatives when it came to the novel use of mobility data of millions of people in Canada.
He outlined the transparency steps the government took as follows:
Posting a statement on a government of Canada website: “It’s been announced in March 2020 on the web … on an application called COVIDTrends,” Minister Duclos said, implying that the federal government’s use of mobility data was transparent because a website mentioned it (Source: Minister Duclos’ testimony at the ethics committee, the 15:59:18 mark).
Unfortunately for Canadians, the COVIDTrends website didn’t exist until October of 2020 – seven months after Minister Duclos said it did – and didn’t contain information about the use of mobility data until December 6th of 2020. (Source: The Wayback Machine, and credit to Dr. Christopher Parsons). So people in Canada had literally no way of knowing that the federal government was using their mobility data until nine months after the Minister said they did.
Compounding the lack of transparency, the COVIDTrends website did not and does not say where the mobility data comes from (Telus and BlueDot). Someone reading it could not learn whether their own data is being used, only that mobility data is being used.
Minister Duclos also suggested that the information was in fact readily available online during his testimony:
Information about the government of Canada’s use of mobility data is publicly available on the Internet: “If you look it up on Google, you can see how the data was used,” Minister Duclos said, in response to a question about whether the average Canadian could understand how their mobility data is being used (Source: Minister Duclos’ testimony at the ethics committee at the 16:08:34 mark).
Forgetting for a moment that nobody would be searching for information about a program that they had no way of knowing existed, Googling the question “How does the government of Canada use mobility data?” doesn’t return any results from the federal government that describe PHAC’s surveillance program (Source: Google). In fact, the first ten pages of search results are from external sources, which indicates that the federal government has not published anything that transparently describes its use of mobility data, despite Minister Duclos’ claim.
Do you feel like this process was transparent? Does the brief, nondescript mention of the use of mobility data on an obscure government website seem like a reasonable means of accountability to you? Does a reliance on external sources that have documented the federal government’s use of mobility data seem honest to you? To many, the claim that these are an effective means of transparency is absurd.
Equally troubling is the fact that, during the course of the ethics committee (ETHI) investigation, representatives from the Government of Canada could not acknowledge that things could have been done better. Government officials offered no commitment to do things better in the future, and no admission that, in the face of understandable pressure from a global pandemic, they rushed the adoption of new technologies and data sources. While what was done isn’t illegal, it surely falls short of how we’d want our government to behave. Ultimately the mobility data tracking used by PHAC took advantage of the flaws in our badly outdated privacy legislation – legislation that the federal government has repeatedly promised and failed to update.
Compounding these transparency failures from the federal government is Telus’s negligence when it comes to notifying its customers that their data is being used for mobility tracking.
Telus’s transparency failure
On behalf of Telus, Pamela Snively, Chief Data and Trust Officer, appeared before the ethics committee to answer questions about what steps the company took to notify its customers and protect their privacy: “We are not selling customer personal information […] we’re sharing insights drawn from de-identified data, data points drawn off of our cellular network, the number of pings so that we can map population movements on a large scale to help with the pandemic.”
Apparently for Telus, the location data of its customers isn’t related to individuals, but only to “pings” that exist on its network. Following this logic, Telus seems to regard its customer base as merely an indistinct network of geographically unique “pings” originating from cellular devices, rather than as individuals with privacy rights.
According to Snively, here’s what Telus did and didn’t do to create transparency:
Telus did not ask their customers for permission to share their mobility data: “We did not obtain user consent for this specific purpose,” Snively said when asked whether consent was obtained from Telus customers before their mobility data was shared with the federal government.
Snively confirmed Telus collects location data for the sole purpose of providing mobility services to its customers, meaning that when Telus customers try to make phone calls, those calls work. That is the only reason that information is collected and she agreed that if it were used for a different purpose, then Telus would be required to obtain the consent of its customers: “If we were selling customer personal information it would require a separate consent, and a very express consent.” But according to Snively, Telus gave the mobility data to the federal government at no cost or on a cost recovery basis, and therefore no explicit permission is necessary under Canadian privacy law.
So if Telus isn’t obtaining consent from its customers (its network of “pings”), but is using their data in a way other than what is indicated in customer contracts, how are they honouring the privacy rights of their clients?
The reason Snively provided:
Telus focused on de-identifying the data and removing any personally identifiable information from the mobility data: “When we de-identified the data it was no longer personal information about our customers, so rather than relying on consent there, what we relied upon was ensuring that we had actually de-identified it,” Snively said.
According to Telus, the “pings” on their network aren’t correlated to individuals (but are still somehow about population movements) so they’re not legally required to notify customers or to seek their consent for this new use. Telus is taking advantage of a flaw – not a feature – of our outdated legal privacy framework: In Canada, privacy laws don’t apply to personal information that has been de-identified.
The problem here is that effective de-identification is very difficult to do, and we don’t know how Telus approached it or whether its handling was adequate. Removing names and phone numbers is not enough on its own: a device’s trail of time-stamped locations is itself highly distinctive, and a handful of known points (where someone sleeps, where they work) is often enough to single out one pseudonymous device among millions. If the data was not comprehensively de-identified, there is a real possibility that individuals and our movements could be re-identified if the data was misused. Whether or not Telus sufficiently de-identified the mobility data is now the subject of an investigation by the Office of the Privacy Commissioner of Canada, which is ironic given that Telus, like PHAC, rejected offers from Canada’s Privacy Commissioner to assist throughout this process. The fact that private companies and public bodies are able to reject the assistance of the Privacy Commissioner, an independent third party that advocates for the privacy interests of Canadians, is another flaw in Canada’s outdated privacy legislation.
Could this have happened elsewhere in the world?
This kind of non-transparent sharing of de-identified mobility data between the private and public sectors could not have taken place somewhere like the European Union, according to witness Dr. Ann Cavoukian. Her Privacy by Design principles were baked into the EU’s privacy legislation, the General Data Protection Regulation (GDPR), which governs both the private and public sectors.
As Dr. Cavoukian described it, the EU framework distinguishes four categories of information, each with its own risk of re-identification:
Personally identifiable information, which contains direct and indirect personal identifiers, like name, address, and image. This category is the highest risk for re-identification;
Pseudonymous data, which replaces identifiers like names with artificial identifiers. This category has a remote risk of re-identification;
De-identified data, which is data where direct and indirect identifiers have been removed. This category has a residual risk for re-identification and is the type of data that was used by Canada’s federal government;
Anonymous data, which is data that has strict technical safeguards applied to it that make re-identification impossible. This is considered zero risk.
Under the EU’s privacy laws, data that falls short of being fully anonymous is still personal data and cannot simply be repurposed for something other than the original intent for which it was collected. Meaning, under the GDPR, Telus would be unable to share de-identified mobility data with the federal government the way it did here, because that data still carries a risk of re-identification, and the PHAC use is explicitly different from the original use.
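To make the difference between the “de-identified” and “anonymous” categories concrete, here is a small added example. It is written for this post and is not code from the original article, from Telus, or from PHAC (the post notes that we do not know how Telus actually de-identified its data). It uses a constructed set of per-device cellular pings with made-up pseudonyms, tower IDs and timestamps, and shows three things: a linkage attack that matches a few facts an attacker already knows about a person (home tower at night, work tower in the morning) against the pseudonymous traces; a measure of how many such points it takes to single out a device; and, for comparison, a count-only aggregate release with small cells suppressed, which is closer to what “population movements on a large scale” would actually require.

```python
"""
Added example for the re-identification discussion above. Not code from the
original post; nothing here describes how Telus or PHAC processed their data.
All pings are constructed: device pseudonyms, tower IDs and hours are made up.
"""
from collections import Counter, defaultdict

# Constructed "de-identified" trace. Names and phone numbers are gone, but each
# device keeps a stable pseudonym and its (tower, hour) pings are released per device.
PINGS = [
    # pseudonym, tower, hour bucket (timestamp truncated to the hour)
    ("d1a4", "T-001", "2020-04-01T02"),
    ("d1a4", "T-017", "2020-04-01T09"),
    ("d1a4", "T-017", "2020-04-01T13"),
    ("d1a4", "T-001", "2020-04-01T23"),
    ("7f3c", "T-001", "2020-04-01T02"),
    ("7f3c", "T-042", "2020-04-01T09"),
    ("7f3c", "T-042", "2020-04-01T13"),
    ("7f3c", "T-001", "2020-04-01T23"),
    ("e90b", "T-003", "2020-04-01T02"),
    ("e90b", "T-017", "2020-04-01T09"),
    ("e90b", "T-017", "2020-04-01T13"),
    ("e90b", "T-003", "2020-04-01T23"),
    ("52c8", "T-001", "2020-04-01T02"),
    ("52c8", "T-017", "2020-04-01T09"),
    ("52c8", "T-042", "2020-04-01T13"),
    ("52c8", "T-001", "2020-04-01T23"),
]


def traces(pings):
    """Group pings by pseudonym: pseudonym -> set of (tower, hour)."""
    by_device = defaultdict(set)
    for dev, tower, hour in pings:
        by_device[dev].add((tower, hour))
    return by_device


def candidates(pings, known_points):
    """Linkage attack: pseudonyms whose trace contains every (tower, hour) the
    attacker already knows about the target. A single survivor means the
    'de-identified' device has been re-identified."""
    known = set(known_points)
    return sorted(dev for dev, pts in traces(pings).items() if known <= pts)


def uniqueness(pings, n_points):
    """Fraction of devices singled out by only their first n_points pings in
    time order, i.e. how few points an attacker needs. In this constructed
    data it climbs from half the devices at 2 points to all of them at 3."""
    by_device = traces(pings)
    unique = 0
    for pts in by_device.values():
        sample = set(sorted(pts, key=lambda p: p[1])[:n_points])
        matches = sum(1 for other in by_device.values() if sample <= other)
        unique += matches == 1
    return unique / len(by_device)


def aggregate(pings, k):
    """Release only (tower, hour) -> device count, dropping cells below k.
    No pseudonym survives, so there is nothing for a linkage attack to join on.
    Small-count suppression is a minimum, not a proof of anonymity: repeated
    releases over time can still be differenced against each other."""
    counts = Counter((tower, hour) for _, tower, hour in pings)
    return {cell: n for cell, n in counts.items() if n >= k}


if __name__ == "__main__":
    home_night = ("T-001", "2020-04-01T02")    # where the target sleeps
    work_morning = ("T-017", "2020-04-01T09")  # where the target works
    work_lunch = ("T-017", "2020-04-01T13")
    print("2 known points ->", candidates(PINGS, [home_night, work_morning]))
    print("3 known points ->", candidates(PINGS, [home_night, work_morning, work_lunch]))
    print("uniqueness with 2 points:", uniqueness(PINGS, 2))
    print("uniqueness with 3 points:", uniqueness(PINGS, 3))
    print("aggregate release, k=3:", aggregate(PINGS, 3))
```

With two known points the attack still has two candidate devices; adding one more ordinary fact (the target was at work at lunchtime) narrows it to a single pseudonym, even though no name or phone number was ever in the dataset. That is the “residual risk” of the de-identified category. The aggregate release, by contrast, answers the public-health question (how many devices were near each tower each hour) without any per-device record, which is why the distinction between per-device pseudonymous data and properly aggregated data matters so much more than whether direct identifiers were stripped.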
In his testimony, Minister Duclos justified the federal government’s secretive use of mobility data by listing 22 other countries that were also using de-identified mobility data in response to the pandemic. However, 14 of the 22 countries he listed are in the European Union, where de-identified data is still protected by the General Data Protection Regulation.
What needs to change
One thing that would create an additional safeguard is a mandatory requirement to accept the assistance offered by the Office of the Privacy Commissioner of Canada. In this case, it is both disappointing and concerning that the Public Health Agency of Canada and Telus refused to accept assistance from Canada’s privacy watchdog.
The testimony of government officials was troubling in this respect. PHAC representatives were vague about the role the Office of the Privacy Commissioner played throughout this process. It was not until Privacy Commissioner Daniel Therrien testified that it became clear that his office was not consulted, and that their offers of assistance were flatly rejected.
Throughout the testimony from expert witnesses, many made observations about the lack of protections in Canada’s privacy law for the transfer of data between the private and public sectors. Notably, University of Ottawa law professor Dr. Teresa Scassa made pointed criticisms about the lack of guidelines for these kinds of unregulated data flows, while pointing out that there was merit in such data flows for socially beneficial purposes.
In his appearance before the committee, University of Ottawa law professor Dr. Michael Geist pointed out the transparency issues with the use of mobility data. He compared the process to the government’s deployment of the COVID Alert application, which he observed was done in a much more transparent and collaborative manner. Importantly, he said that most people in Canada would likely not object to the use of their mobility data by Telus and PHAC, but would be concerned about the lack of transparency.
Witnesses, including Dr. Scassa and Commissioner Therrien, also said that individual consent is neither practicable nor realistic in these big data scenarios.
Unfortunately, in the absence of effective legal protections, Canadians are left with little confidence. In her testimony, Canada’s Chief Public Health Officer, Theresa Tam, admitted that the use of mobility data in PHAC’s surveillance program wasn’t particularly useful as a public health initiative. She emphasized that the government is still in the early stages of making use of this information. For this reason, PHAC and Telus are well positioned to begin enacting protective measures to make this novel use more secure, transparent, and effective moving forward.
Therefore, a strong legal framework that prescribes mandatory protections for categories of information (from identifiable to fully anonymized) should be written into Canadian privacy law. This could allow for socially beneficial uses of data while giving people in Canada the confidence they need to trust that their privacy is being protected.
But in the end, what this investigation has uncovered is the need to rebuild trust with people in Canada. The government and the private sector must do more to act transparently when making use, especially new use, of large datasets – even when those uses are for socially beneficial purposes.
Feeling inspired to make Canada’s privacy laws stronger? Sign the petition to #DemandPrivacy from Justin Trudeau and the federal government!
Special thanks to Ali Aghaamoo for his research contributions to this blog post.