The Information and Privacy Commissioner of Ontario (the “Commissioner”), has just released a paper in which she identifies and challenges what she describes as the top three myths relating to the collection of metadata in connection with digital communications. In A Primer on Metadata: Separating Fact from Fiction, Dr. Ann Cavoukian expresses grave concerns about the effect disclosure of metadata may have on individual privacy rights.
Metadata is data about data, and is the information generated when a person uses digital devices. Metadata includes, for example, the date and time of calls made from a cell phone and the locations used to access email. While metadata does not in itself reveal content about the user, it can be combined with other information to develop user-specific information. For example, according to the Washington Post, use of metadata allowed the FBI to confirm that Paula Broadwell, the biographer of CIA Director General David Petraeus, was the person sending threatening messages to a woman she perceived as her romantic rival. The Washington Post describes how the FBI used the IP addresses of the hotel WiFi networks used to log in to the email account from which the threatening messages were sent, and cross-referenced those IP addresses with the hotel guest lists to determine Ms. Broadwell’s identity.
The Commissioner addresses the following myths with respect to metadata:
Firstly, that collection of metadata is not a threat to privacy because it does not disclose content. The Commissioner argues that the collection of metadata may reveal more information about a person than the actual content of the communications. Metadata is “information about other information, in this case, relating to our communications”. Collecting metadata allows the tracking of what the Commissioner describes as the “digital crumbs” people leave behind: the type and length of a person’s digital communications, including Internet use, along with their geolocations. An analysis of that data allows the creation of a detailed picture of the individual, including the people with whom they have had digital contact, the length of the communication, the websites visited, and the location of the person. The Commissioner writes that access to this data:
…provides the raw material for the creation of detailed, comprehensive, time-stamped map-lines of who is communicating with whom, when, how often, and for how long; where the senders and recipients are located; who else is connected to whom, and so forth.
Secondly, if you have nothing to hide, you should not be concerned about your privacy rights. The Commissioner argues that the basis of freedom is that the state has no right to access the personal information of law-abiding citizens, and that individuals have a right to control who has access to their personal information. The Commissioner notes that taken out of context, innocent information may appear menacing, and that historically governments that have been willing to sacrifice the right to privacy have also been willing to sacrifice other individual rights.
Thirdly, it is necessary to give up privacy rights in exchange for security. The Commissioner rejects this “zero-sum view”, arguing that public surveillance powers must be subject to judicial authorization, which will protect both individual privacy rights and public security. She maintains that surveillance programs must be subject to public scrutiny and accountability, and that any government power to seize metadata should come with legal safeguards protecting the privacy of the data.
Interestingly, and somewhat surprisingly, the Primer focuses almost exclusively on American examples of collection of metadata and on American political, judicial and academic references, with minimal references to Canada. The failure to address the Canadian landscape weakens the Commissioner’s position by suggesting that privacy concerns relating to metadata are primarily an American issue rather than a Canadian one.
The focus on the U.S. may also be the reason that the Commissioner does not call for specific legislative reforms or actions in the Primer. However, the Primer concludes with the rallying cry:
…now is the time to act. We must reject the view that security trumps privacy and liberty. Americans and Canadians, like so many other freedom-loving people, have given their lives for constitutional rights that say otherwise. We must band together and seek measures designed to provide for both security and privacy, in an accountable and transparent manner – our freedom and liberty may depend on it.