What the media is missing: Government privacy breaches
Guest blog by Tyler Morgenstern, a member of the OpenMedia.ca board of directors, a steering committee member for Media Democracy Days Vancouver, and an information and privacy rights advocate. In the so-called “era of big data,” it’s no secret that more of our personal information than ever is ending up in the hands of powerful organizations, including transnational private corporations, national governments, and various public and bureaucratic bodies. And thanks to a recent rash of hacking attacks on some of the world’s biggest tech and media companies—the likes of Facebook, Twitter, the New York Times, and Apple—urgent concerns about the vulnerability of that information to privacy breaches are back in the spotlight. While these corporate attacks are certainly cause for concern, however, the flurry of headlines that they’ve attracted has buried the other side of the story: government privacy breaches.
Particularly in Canada, recent months have seen a dramatic increase in breaches, leaks, and insecurities at all levels of government, pointing to what MP Charmaine Borg has rightly called a “systemic problem” with our national data management practices. In response, researchers, advocates, and citizens across Canada are sounding the alarm.
The issue began to attract national attention in January when it was revealed that, in November of last year, a non-encrypted hard drive containing the personal information of almost 600,000 student loan recipients and a thumb drive containing the information of about 5,000 more, had vanished from the offices of Human Resources and Skills Development Canada. The drives—neither of which have been located—contained everything from outstanding loan balances to social insurance numbers, as well as personal contact information for about 250 HRSDC employees.
While we might not see breaches of this scale every day, statistics show that data insecurity is a serious and growing problem across government. In her most recent annual report, federal Privacy Commissioner Jennifer Stoddart (who recently launched an investigation into the HRSDC breach) writes that her office received a total of 986 government-related privacy complaints in 2011. This well outstrips the 281 complaints regarding private companies received during the same period.
Stoddart’s office has also seen a steady increase in the number of data breaches reported by the federal government over the last ten years. In the 2004/5 fiscal, only 27 such breaches were reported. By 2010/11, that number had more than doubled to 64, and last year, it climbed once again to an all-time high of 80.
Data Collection and Surveillance
The numbers are certainly shocking, but given the current policy climate around privacy and surveillance in Ottawa, they make an unfortunate kind of sense. After all, until recently, Bill C-30 (better known as the warrantless online spying bill) was still sitting on the order paper, poised to dramatically expand the data collection and surveillance powers of Canadian law enforcement agencies.
Luckily in February, Justice Minister Rob Nicholson made the welcome announcement that, in response to the massive public outcry raised by the Stop Online Spying community, C-30 would not be returning to Parliament. But that doesn’t mean his government’s commitment to privacy-invasive policies has softened.
Rather, with new bills like C-55, (which would preserve certain warrantless wiretapping provisions set out in C-30) and old standbys like C-12 (which would encourage telecom companies to voluntarily hand your personal information over to all kinds of so-called “lawful authorities”) the government is working hard to vacuum up huge volumes of personal information.
Privacy-Invasive Policies and Privacy-Deficient Practices
Over the past several months, we’ve seen time and again that this government’s data management practices are badly broken. Yet it continues to pursue a policy agenda that erodes legislated privacy protections at every turn, opening up new deficiencies and vulnerabilities.
This mismatch between privacy-invasive policies and privacy-deficient practices puts all Canadians at risk of fraud, identity theft, and other privacy-related crimes. As Jesse Brown recently pointed out in a series of blog posts for Maclean’s, what the Canadian government needs isn’t necessarily more information; it’s better, more secure, and more accountable ways of managing the information they already have.
We’re long overdue for a serious discussion about what kind of solutions should be in play across government. And even more importantly, we need to think long and hard about what kind of policies, regulations, best practices, and accountability mechanisms are needed to ensure that those solutions put the privacy of Canadians first.
 Protecting People On Facebook. Source: Facebook.
 Twitter: Hacking attacks may have accessed data of 250K users. Source: CNet.
 New York Times Hacked Again, This Time Allegedly by Chinese. Source: Wired.
 Apple targeted in hacking attack, no evidence any data was stolen. Source: National Post.
 Top bureaucrat apologizes for student loan data breach. Source: Montreal Gazette.
 Privacy Commissioner launches investigation of Human Resources and Skills Development Canada breach of student loan recipient information. Source: Office of the Privacy Commissioner of Canada.
 Annual Report 2011-2012 on the Privacy Act: The Privacy Act 1982 – 2012: Three Decades of Protecting Privacy in Canada. Source: Office of the Privacy Commissioner of Canada.
 Government killing online surveillance bill. Source: CBC.
 Is online spying dead? New threats and the case for vigilance. Source: OpenMedia.ca.
 Government Moves Toward Warrantless Online Spying; Amends Consumer Protection Bill. Source: OpenMedia.ca.
 Not everyone in the industry supports Starlight, the proposed Canadian film channel. Source: Maclean’s.