Our Location Data: Three Essential Questions for the Ethics Committee
Parliament’s ethics committee is investigating the use of our location data by the federal government. Here are the top three questions we need answers to, and why.
These are technical questions for the ethics committee and its experts to answer. For a general explanation of what’s happening, check out this blog post.
Recently we learned the federal government took and used the location data of 33 million devices in Canada to monitor the development of COVID-19. As Parliament’s Standing Committee on Access to Information, Privacy and Ethics (ETHI) begins its investigation into this use of mobility data by the federal government, here are three questions that people in Canada deserve answers to, and why.
1. How did Telus obtain meaningful consent for the collection, use, and disclosure of this mobility data?
The short answer is that they probably didn’t obtain meaningful consent. It’s great that government officials have been summoned to appear before the ethics committee, but this question should also be asked of Telus, though they haven’t yet been asked to appear before the committee.
The location data that was used by the federal government was initially collected by Telus, so it is Telus that would have needed the consent of the individuals who own and use the 33 million mobile devices affected by this data sharing. For this reason, the investigation should include the private sector.
Telus representatives need to answer questions like:
- Would an individual who “agreed” to the sharing of their mobility data understand this use by the Public Health Agency of Canada?
- Was the risk of re-identification, and the subsequent harm that could cause, made clear to them?
- Were individuals provided with the option to opt out of this data sharing?
- Could someone who initially said yes to the data sharing change their mind later?
If the answer to any of these questions is “no” then Telus may have committed a violation of Canada’s commercial privacy laws in the collection, use, and disclosure of this mobility data. So what if Public Health uses our data anyways? There should be consequences for that.
And what about the relationship Telus had with the owners and users of the 33 million mobile devices? It is not at all clear if Telus had a direct business relationship with all of these people. If not, then what form of meaningful consent did Telus rely upon to collect, use, and disclose this mobility data?
The ethics committee needs to be asking these questions of Telus and the Public Health Agency of Canada.
2. Does the consent that Telus relied upon extend to the context in which the Public Health Agency of Canada used this data?
Privacy and consent are highly contextual. If we as users give limited permission to Telus to collect, use, and disclose some of our mobility data, that cannot and should not be an open-ended carte blanche.
For example, some individuals may have believed they were permitting Telus to use their mobility data to improve network connectivity in Canada. But that level of consent does not necessarily grant permission for Telus to use their location data to sell them additional services. This would have required a separate, distinct permission.
Both Telus and the Public Health Agency of Canada should have independent obligations to respect the privacy rights of people in Canada. It is not sufficient for public officials to say: “Telus assured us that we were able to use this data for this purpose.” The federal government has an obligation to ensure without a shadow of a doubt that the data they’re acquiring was collected in compliance with Canada’s privacy laws.
Before similar data sharing happens again, officials at the Public Health Agency of Canada should be asking Telus to demonstrate that they have achieved meaningful consent for the disclosure of eight months of mobility data from 33 million mobile devices for a health initiative in the public sector.
If Telus is unable to demonstrate that consent was meaningfully provided for the context in which the Public Health Agency of Canada used our mobility data, then a privacy violation has likely occurred through the shifting context of its use.
Though privacy obligations are intrinsically complicated when data flows from the private to the public sector, this doesn’t negate the government’s or Telus’s privacy obligations. In fact, there should be heightened, not lessened, responsibilities for these kinds of private-public data sharing arrangements.
3. How exactly has this data been securely de-identified?
Removing unique identifiers from mobility data (that is, removing names and the most obvious identifying information from location data) has been proven to be an inadequate form of de-identification. In 2013, researchers published a paper demonstrating that 95% of individuals could be identified using only four unique location data points in a dataset of millions of people. This finding has since been proven in academic studies again and again.
The kind of information that can be derived about people from location data is incredibly sensitive. Canada’s Charter of Rights and Freedoms provides protections for freedom of expression, association, and religion, all of which have vast implications when it comes to location data. If your location data shows specific locations repeatedly over time, it can paint a picture of the places, whether residential or commercial, where you spend time. This can be your home, your work, your place of worship, your social and family circles, and your hobby interests, for instance.
Considering the very real risk of re-identification, public officials must provide a better explanation of the precise methods by which the data was de-identified. It is insufficient to simply say: “the data can be used for this purpose because it was in a de-identified and aggregate form.” This needs to be demonstrable and verifiable, and explicit safeguards must be in place to ensure public agencies using it will not attempt re-identification.
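One way a data custodian could make a de-identification claim demonstrable is to measure how often a handful of location points singles out one trace. The sketch below is an added example, not part of the original post or of any method Telus or the government has described: the traces are constructed, the `REGION` map is hypothetical, and it enumerates every subset of points exactly rather than sampling.

```python
from itertools import combinations

# Constructed sample: pseudonymous IDs with (antenna, hour) points, no names.
TRACES = {
    "u1": {("A", 8), ("B", 9), ("C", 18), ("D", 22)},
    "u2": {("A", 8), ("B", 9), ("C", 18), ("E", 22)},
    "u3": {("A", 8), ("F", 9), ("C", 18), ("D", 22)},
    "u4": {("A", 8), ("B", 9), ("G", 18), ("D", 22)},
}

# Hypothetical antenna-to-region map used for the coarsening step.
REGION = {"A": "north", "B": "north", "F": "north",
          "C": "centre", "G": "centre", "D": "south", "E": "south"}


def unicity(traces, p):
    """Average share of p-point subsets of a trace that match exactly one trace."""
    scores = []
    for points in traces.values():
        subsets = list(combinations(sorted(points), p))
        if not subsets:  # trace has fewer than p points, so it cannot be tested
            continue
        unique = sum(
            1 for s in subsets
            if sum(set(s) <= other for other in traces.values()) == 1
        )
        scores.append(unique / len(subsets))
    return sum(scores) / len(scores) if scores else 0.0


def coarsen(traces):
    """Generalise each point to (region, half of day) to reduce uniqueness."""
    return {u: {(REGION[a], h // 12) for a, h in pts}
            for u, pts in traces.items()}


if __name__ == "__main__":
    for p in range(1, 5):
        print(p, unicity(TRACES, p), unicity(coarsen(TRACES), p))
```

Even with no names in the data, uniqueness climbs with each extra known point; coarsening drives it down here only because the generalised traces become indistinguishable, which is the kind of measurable property a verifiable de-identification claim would report.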
This is a perfect instance in which real consultation with the Privacy Commissioner would have been valuable. Canada’s Privacy Commissioner is an independent third party with a mandate to protect the privacy of people in Canada. Guiding input from the Office of the Privacy Commissioner of Canada could have produced assurances that the data-sharing arrangement between Telus and the Public Health Agency of Canada is in compliance with Canadian privacy law. Unfortunately, while the Office of the Privacy Commissioner was informed of the data sharing arrangement, no meaningful consultation appears to have taken place.
The future of data sharing and defending our privacy
Once these questions are fully and completely answered — by both Telus and the federal government — people in Canada can be more confident that sufficient privacy protections are in place when it comes to private-public data sharing arrangements. Adequate safeguards must be in place before the government considers again seeking and using this kind of sensitive public data.
But until these questions are answered, and the experts have been heard, you can send a message to Justin Trudeau asking him to introduce the privacy reforms he proposed years ago and that would create safeguards around these kinds of private-public data sharing arrangements.