Our location data: What we know now

What we’ve learned one week into testimony about the government’s use of cell phone tracking during COVID-19.

Over the course of the past week, the Standing Committee on Access to Information, Privacy, And Ethics (ETHI) has been investigating the use of mobility data by the Public Health Agency of Canada (PHAC). The committee has heard from members of the government and experts, though so far testimony from Telus, the company that initially gathered our data, has been glaringly absent. One of our previous questions has been answered, but we’re still waiting for lots of answers. . 

In our first blog, we explained what happened, why it matters, and our key questions that must be answered. After one week of testimony, we have some answers but key questions are still open, while new ones are emerging. Here’s a run-through of where we’re at today:

One Answer, More Questions

Of our three major starting questions, only one has been answered. We still don’t know:

• How Telus determined it had obtained meaningful consent for the collection, use, and disclosure of this mobility data; 
• Whether this information was adequately de-identified — i.e., whether it had identifying details removed that could lead directly back to our individual activity and movements.

The good news here is that we can expect more answers to this in the coming weeks. The Office of the Privacy Commissioner of Canada has launched an official investigation.

While members of the ethics committee have pressed government officials about how Telus determined the consent of the approximately nine million* customers whose mobility data it shared with the federal government, those officials have said the questions are better asked of Telus. To date, no witnesses from Telus have been scheduled to appear before the committee. This is one of the glaring gaps in the ETHI committee’s process. If Telus is responsible for sharing this data with PHAC, why are they not being asked to testify about the details of that very agreement? 

So what question has been answered? We asked whether the consent that Telus relied upon extends to the context in which the Public Health Agency of Canada used the data. The surprising answer is that it doesn’t matter, according to the privacy experts at PHAC! In their view, Canada’s privacy laws, which protect our personal information, don’t apply. That’s because, according to their analysis, the data has been fully and completely anonymized. 

We’re not convinced. Whether or not this is true is now the subject of a new and ongoing investigation by the Office of the Privacy Commissioner of Canada. If they determine that the information was sufficiently de-identified, then Canada’s privacy laws may well not protect the customers whose data was shared. That’s not a good thing; as Privacy Commissioner Therrien said in his testimony before the Committee that this is a major flaw in Canada’s badly outdated privacy laws. (More on that below.)

It’s worth pointing out that the government turned down help on getting this right. Commissioner Therrien reports his office offered to complete their own analysis of the methods used to de-identify the data before PHAC began its tracking project. This offer, he said, was rejected. 

So what we have, at this point, is a process that involves no official consultation with Canada’s privacy commissioner, very little to no transparency until very recently, and zero public accountability. 

The Emperor’s New Transparency

Government officials, including the Health Minister Jean-Yves Duclos, have repeatedly asserted before the Committee that the use of mobility data by the federal government did not transpire in secret. This is a little less than true.

How are they saying they’ve been transparent? As evidence, government officials have referred to a website run by the government of Canada called COVIDTrends. During his testimony, Minister Duclos said that information about the use of mobility data has been available on this website since April of 2020 – when the Public Health Agency first began using mobility data, obtained from a company called BlueDot. 

However, according to the Wayback Machine (and thanks to the sleuthing work of Christopher Parsons of the Citizen Lab) the COVIDTrends website does not appear to have existed until October of 2020, which is six months after the government first began using mobility data. Moreover, the section that describes how the government uses mobility data wasn’t added until December 6, 2020. 

There appears to be an eight month discrepancy between when the federal government first started using mobility data without consent, and when they first began publicly reporting on this use. Canadians would have had no prior knowledge of this use, and no ability to opt-out of this use of their data until eight months after the government had already launched its initiative. 

So what if you became aware your data was being used this way in December 2020 — somehow, because you certainly weren’t directly notified! What could you do about it? If you were one of the nine million affected Telus customers, you would have had to go to a different website operated by Telus, scroll all the way to the bottom, click through to a new page, provide your phone number, select one of their options, and then you could withdraw your implied consent. 

If this seems like an unreasonable set of requirements, now consider that the COVIDTrends website doesn’t disclose that most of the mobility data comes from Telus, and doesn’t provide a link to the Telus website. So where would you learn about Telus’ involvement? You simply wouldn’t. Because the contract with Telus was sole sourced and not publicly available. 

If you were one of the nine million Telus customers whose mobility data was shared with the federal government, and you wanted to opt-out of the use of your mobility data prior to the tracking performed by PHAC, you wouldn’t have been able to. Only someone fully aware of the nature of the undisclosed business relationships driving this use of data would have had enough information to choose to opt out of this system.

How did we ever find out what was going on? The process of “transparency” the government officials are promoting worked like this:

• A Request for Proposal (RFP) for a new mobility data contract was publicly issued in December of 2021;
• Journalists (first reported in Blacklock’s Reporter, then the National Post) enquired about the RFP and learned that this was an extension of a pre-existing contract; 
• Telus customers could finally read the media coverage, learn their data was being used, find the Telus website, and opt-out through the confusing and arduous process explained above. 

Does that sound reasonable to you? It doesn’t to us! 

Meaningful Consent is Meaningless 

Canada’s privacy laws, especially those for the private sector, are built upon the notion of consent. That means that organizations that wish to collect, use, and disclose our personal information must ask for our permission before doing so. In effect, this gives us some measure of control over our own information, and it’s how our personal privacy is protected under Canadian law.

But what happens when securing informed consent isn’t asked for, or practical? Do we still have reasonable privacy protections? Privacy Commissioner Therrien told the committee that the modern information technology landscape has made traditional consent no longer realistic or reasonable for some legitimate commercial and public good uses of personal information. 

But we can’t abandon the consent model without putting better alternate protections in place. For organizations to collect our data without obtaining consent, Commissioner Therrien warned of important changes needed in Canadian privacy law:

• We need definitions of what “legitimate commercial interests” and “public good” uses are;
• We need privacy laws that invoke a rights-based framework and acknowledge privacy as a fundamental human right;
• We need an empowered regulator that can proactively launch investigations and has the ability to levy financial penalties for non-compliance;
• We need privacy laws that consider even de-identified information as subject to legal protections. 

Without these additional protections, which can only be achieved through law reform, we’re entering a phase of privacy that endorses the notion of meaningful consent as meaningless. 

PHAC’s use of our mobility data is pointing to a disturbing reality; the federal government has effectively rendered our limited privacy rights negligible by discounting the foundational principle of consent, without introducing an adequate replacement set of principles. 

Another Threatened Ending

It’s been said that the history of privacy is a history of threatened endings — moments that we risked losing our private dignity, but cobbled together a new social balance to maintain it. PHAC’s mobility tracking shows we’re facing yet another threatened ending to our rights.

Without consent-based privacy rights, we won’t have any control over our personal information. Unless, of course, we use this time to build new privacy laws that translate the intent of our privacy rights to the digital age. 

Canada has an opportunity to do just that. Nearly 15,000 people have signed the petition to #DemandPrivacy through privacy law reform from Justin Trudeau and the government of Canada. They’re calling for new privacy laws. Will you join them?

And we’re calling for reform to address the specifics of PHAC’s tracking too. Send a #DemandPrivacy message calling for NO mobility tracking without safeguards directly to Justin Trudeau! 

*According to Christopher Allison, acting vice president of the corporate data and surveillance branch of the Public Health Agency of Canada.