For privacy and data protection officers across Canada, COVID-19 was a dominant presence in 2020. Protecting personal data with many employees working from home while using new video, audio and text collaboration tools was a challenge. In some organizations, new e-commerce services were adopted in record time.
COVID will cast a big shadow in 2021, with two prime questions: Can employees be asked to give proof of vaccination for on-premise work, and what sort of proof will be accepted? Will it have to be paper or can there be a digital equivalent?
So far, no federal, provincial or territorial jurisdiction has said how governments will address this, temporarily leaving the private sector to work it out.
It’s assumed that early in the new year as the pace of vaccinations picks up, provinces and territories will have answers.
New legislation
The other dominant issue in 2021 will be the federal government’s proposed new private-sector data privacy law, the Canadian Consumer Privacy Act (CCPA).
Officially known as Bill C-11, it’s a sweeping overhaul of the existing Personal Information Protection and Electronic Documents Act (PIPEDA), changing the federal Office of the Privacy Commissioner from being an ombudsman to a regulator, with the power to recommend multi-million dollar fines to a new Personal Information and Data Protection Tribunal.
But for planning purposes, data protection officials and lawyers wonder if it will become law in the current session of Parliament. Minority governments can fall at any time. The last federal election was in October 2019. There is speculation the Liberal government will go to the polls as soon as it can to take advantage of the goodwill it has built up during the pandemic. Prime Minister Justin Trudeau told the CBC that he has no plans to call an election, but he’s ready for a campaign.
Since the government introduced C-11 and held the first reading debate, it hasn’t scheduled committee meetings, which is where the details of the act would be scrutinized and witnesses from the private sector called.
It isn’t known yet how vigorously the opposition and companies will fight to change C-11. Some business groups have said they aren’t enthused about the proposal to give a privacy regulator the power to levy hefty fines.
On the other hand, there will be pressure to pass the bill because the European Union is demanding countries have privacy laws similar to the General Data Protection Regulation (GDPR). PIPEDA is unlikely to make the cut.
“[C-11] may be the big story of the year because we’ve been waiting so long,” said Teresa Scassa, Canada Research Chair in Information Law and Policy at the University of Ottawa’s Faculty of Law. “It’s such an important bill in terms of private sector data protection. It’s a complete reworking of (PIPEDA), and I think the framework is going to be with us for a long time, it’s really important to get it right.”
But it’s not going to be easy, she says. “It’s really hard to be on top of all of it. Unpacking it and trying to figure out what’s changed and whether it’s for the better will take up a lot of energy in 2021.”
Remember, she added, the government has also promised a reformed Privacy Act, which covers the federal government’s duties to protect personal information. The Justice Department is accepting submissions up to Jan. 17.
British Columbia is also consulting on updating its private sector privacy law, while Quebec’s legislature is debating proposed amendments to its privacy legislation. Ontario is consulting on whether it should have its own private-sector privacy law. Its position may change now that C-11 has been introduced.
Scassa said a “sleeper issue” in 2021 may be worker and student surveillance online. With more employees working from home, some employers want to keep tabs in some way on how productive their staff is. It’s particularly an issue in the financial sector where regulations demand management keep an eye on employees handling large sums of money.
Facial recognition woes
Meanwhile, with students forced to take classes online from home, universities and colleges are grappling with how to assure there’s no cheating on tests. Some have turned to so-called proctoring applications which may make students show an image of their room to ensure no texts are open or notes tacked to a wall during an exam. The application may also use facial recognition technology to identify students.
The Globe and Mail recently ran a story on the issue, with one student of colour complaining the application refused to recognize her. This is in line with many studies that show facial recognition is less accurate with non-white faces.
There was enough controversy in 2020 that IBM withdrew its facial recognition solution. Clearview AI agreed in July to stop marketing its product to police here, but that came after federal Privacy Commissioner Daniel Therrien and three provincial commissioners announced an investigation into how Clearview collects the baseline images from the internet that its application uses. Therrien is also investigating the RCMP’s use of Clearview. Both reports may be released in 2021.
Therrien started investigations this year into the August cyberattacks on Canada Revenue and the GCKey credentials service used by many federal departments after hackers got into accounts of 11,000 users. With several provincial privacy commissioners, Therrien also launched an investigation into the data collection capabilities of Tim Hortons’ mobile app.
The private sector is interested in the possibilities of merging facial recognition with other data it collects. Privacy Commissioner Therrien set some guardrails with the release in October of an investigation into how real estate developer Cadillac Fairview collected and analyzed five million images of shoppers in a mall without their knowledge. The images were captured from cameras hidden in information kiosks. The developer said the purpose wasn’t to identify people but analyze shoppers by age and gender. It has placed decals on mall entrances that explained the privacy policy.
But Therrien said there was no meaningful consent. Cadillac Fairview abandoned the project and said it has no plans to revive it.
More stories about privacy snafus
Among the more searing reports issued this year by Therrien was his investigation into the theft by an employee of data on 9.7 million customers of the Quebec-based Desjardins credit union over a two-year period. Data protection pros must have winced as the report pointed out that:
Some 4 million of the people whose data was stolen were former customers. It wasn’t clear why Desjardins was holding on to this data. PIPEDA says firms can only retain personal information needed for commercial reasons. Therrien called the discovery that this data was still sitting around “startling”;
Desjardins had 13 directives, policies and procedures for protecting personal information. But some policies and procedures were incomplete or had not been implemented;
One of them forbade copying data onto USB keys. That’s what the insider did, in contravention of the confidentiality agreement he signed;
While Desjardins’ information system restricted access to customer data to authorized users, it allowed movement of restricted data to unprotected directories and storage media without any controls;
Desjardins could have reduced the possible exposure of personal data by theft by using data masking techniques to hide identifying information — as recommended by its own data protection security standards;
Desjardins knew there were security problems and had started implementing data loss prevention technology. Slowly implementing. Too slow, as it turned out.
Another insider-related report issued this year dealt with the selling of customer information by two employees of a call centre company with a branch in India hired by Dell for third party support. Several Canadians complained to the privacy commissioner after getting phony tech support calls from someone who knew a lot of information about them including their names and Dell products they owned. Dell discovered that two India-based employees of that call centre provider had sold customer lists of more than 7,800 Canadians to others who apparently made the fake phone calls.
The privacy commissioner’s office found Dell is responsible for the personal information transferred to third parties and is obligated to ensure that those firms properly protect information. However, it found that certain safeguards related to access controls, logging and monitoring, and technical controls were insufficient. It also found that Dell failed to adequately investigate the circumstances of the June 2017 breach and failed to adequately respond to customer complaints.
The investigation was satisfied Dell has since improved its safeguards and oversight.
Bonus round
Scassa pointed out a number of other interesting privacy-related rulings this year:
The Supreme Court of Canada upheld the constitutionality of a bill (the Genetic Non-discrimination Act) to protect people from being compelled by insurers and employers to have or show results of a genetic test. Briefly, the law in part makes that a criminal offence. Some argued this was a provincial matter because it touched on health. But, Scassa said, three of the judges in the majority ruled that criminal law can be used to support the protection of privacy. That could expand federal power. For example, Scassa said, it might be used to criminalize certain uses of artificial intelligence applications;
A British Columbia appeal court decision allowing a class-action lawsuit involving a 2013 data breach at a credit union to go ahead. What was interesting, Scassa said, is what wasn’t discussed in the arguments: Whether the civil wrong of “breach of privacy and intrusion upon seclusion,” a relatively new concept first approved of by an Ontario court, exists in B.C. The appeal court hinted that it would really like someone to step forward and make the case;
The uproar in Ontario in April when the province issued an emergency order allowing police, firefighters and paramedics to access health authority databases listing names of those who have tested COVID-19 positive and who they might come into contact with. “There were completely insufficient guardrails on that,” Scassa said, citing allegations that at least two police departments were abusing their access. It’s an example, she said, of “maybe not thinking it through” during a crisis. First responder access to those databases was revoked in July.
Although no one likes a know-it-all, they dominate the Internet.
The Internet began as a vast repository of information. It quickly became a breeding ground for self-proclaimed experts seeking what most people desire: recognition and money.
Today, anyone with an Internet connection and some typing skills can position themselves, regardless of their education or experience, as a subject matter expert (SME). From relationship advice, career coaching, and health and nutrition tips to citizen journalists practicing pseudo-journalism, the Internet is awash with individuals—Internet talking heads—sharing their “insights,” which are, in large part, essentially educated guesses without the education or experience.
The Internet has become a 24/7/365 sitcom where armchair experts think they’re the star.
Not long ago, years, sometimes decades, of dedicated work and education in one’s field were required to be recognized as an expert. The knowledge and opinions of doctors, scientists, historians, et al. were respected due to their education and experience. Today, a social media account and a knack for hyperbole are all it takes to present oneself as an “expert” to achieve Internet fame that can be monetized.
On the Internet, nearly every piece of content is self-serving in some way.
The line between actual expertise and self-professed knowledge has become as blurry as an out-of-focus selfie. Inadvertently, social media platforms have created an informal degree program where likes and shares are equivalent to degrees. After reading selective articles, they’ve found via and watching some TikTok videos, a person can post a video claiming they’re an herbal medicine expert. Their new “knowledge,” which their followers will absorb, claims that Panda dung tea—which is one of the most expensive teas in the world and isn’t what its name implies—cures everything from hypertension to existential crisis. Meanwhile, registered dietitians are shaking their heads, wondering how to compete against all the misinformation their clients are exposed to.
More disturbing are individuals obsessed with evangelizing their beliefs or conspiracy theories. These people write in-depth blog posts, such as Elvis Is Alive and the Moon Landings Were Staged, with links to obscure YouTube videos, websites, social media accounts, and blogs. Regardless of your beliefs, someone or a group on the Internet shares them, thus confirming your beliefs.
Misinformation is the Internet’s currency used to get likes, shares, and engagement; thus, it often spreads like a cosmic joke. Consider the prevalence of clickbait headlines:
You Won’t Believe What Taylor Swift Says About Climate Change!
This Bedtime Drink Melts Belly Fat While You Sleep!
In One Week, I Turned $10 Into $1 Million!
Titles that make outrageous claims are how the content creator gets reads and views, which generates revenue via affiliate marketing, product placement, and pay-per-click (PPC) ads. Clickbait headlines are how you end up watching a TikTok video by a purported nutrition expert adamantly asserting you can lose belly fat while you sleep by drinking, for 14 consecutive days, a concoction of raw eggs, cinnamon, and apple cider vinegar 15 minutes before going to bed.
Our constant search for answers that’ll explain our convoluted world and our desire for shortcuts to success is how Internet talking heads achieve influencer status. Because we tend to seek low-hanging fruit, we listen to those with little experience or knowledge of the topics they discuss yet are astute enough to know what most people want to hear.
There’s a trend, more disturbing than spreading misinformation, that needs to be called out: individuals who’ve never achieved significant wealth or traded stocks giving how-to-make-easy-money advice, the appeal of which is undeniable. Several people I know have lost substantial money by following the “advice” of Internet talking heads.
Anyone on social media claiming to have a foolproof money-making strategy is lying. They wouldn’t be peddling their money-making strategy if they could make easy money.
Successful people tend to be secretive.
Social media companies design their respective algorithms to serve the interests of their advertisers, their source of revenue; hence, content from Internet talking heads appears most prominent in your feeds. When a video of a self-professed expert goes viral, likely because it pressed an emotional button, the more people see it, the more engagement it receives, such as likes, shares and comments, creating a cycle akin to a tornado.
Imagine scrolling through your TikTok feed and stumbling upon a “scientist” who claims they can predict the weather using only aluminum foil, copper wire, sea salt and baking soda. You chuckle, but you notice his video got over 7,000 likes, has been shared over 600 times and received over 400 comments. You think to yourself, “Maybe this guy is onto something.” What started as a quest to achieve Internet fame evolved into an Internet-wide belief that weather forecasting can be as easy as DIY crafts.
Since anyone can call themselves “an expert,” you must cultivate critical thinking skills to distinguish genuine expertise from self-professed experts’ self-promoting nonsense. While the absurdity of the Internet can be entertaining, misinformation has serious consequences. The next time you read a headline that sounds too good to be true, it’s probably an Internet talking head making an educated guess, without the education, seeking Internet fame they can monetize.
TORONTO – A new survey says a majority of software engineers and developers feel tight project deadlines can put safety at risk.
Seventy-five per cent of the 1,000 global workers who responded to the survey released Tuesday say pressure to deliver projects on time and on budget could be compromising critical aspects like safety.
The concern is even higher among engineers and developers in North America, with 77 per cent of those surveyed on the continent reporting the urgency of projects could be straining safety.
The study was conducted between July and September by research agency Coleman Parkes and commissioned by BlackBerry Ltd.’s QNX division, which builds connected-car technology.
The results reflect a timeless tug of war engineers and developers grapple with as they balance the need to meet project deadlines with regulations and safety checks that can slow down the process.
Finding that balance is an issue that developers of even the simplest appliances face because of advancements in technology, said John Wall, a senior vice-president at BlackBerry and head of QNX.
“The software is getting more complicated and there is more software whether it’s in a vehicle, robotics, a toaster, you name it… so being able to patch vulnerabilities, to prevent bad actors from doing malicious acts is becoming more and more important,” he said.
The medical, industrial and automotive industries have standardized safety measures and anything they produce undergoes rigorous testing, but that work doesn’t happen overnight. It has to be carried out from the start and then at every step of the development process.
“What makes safety and security difficult is it’s an ongoing thing,” Wall said. “It’s not something where you’ve done it, and you are finished.”
The Waterloo, Ont.-based business found 90 per cent of its survey respondents reported that organizations are prioritizing safety.
However, when asked about why safety may not be a priority for their organization, 46 per cent of those surveyed answered cost pressures and 35 per cent said a lack of resources.
That doesn’t surprise Wall. Delays have become rampant in the development of tech, and in some cases, stand to push back the launch of vehicle lines by two years, he said.
“We have to make sure that people don’t compromise on safety and security to be able to get products out quicker,” he said.
“What we don’t want to see is people cutting corners and creating unsafe situations.”
The survey also took a peek at security breaches, which have hit major companies like London Drugs, Indigo Books & Music, Giant Tiger and Ticketmaster in recent years.
About 40 per cent of the survey’s respondents said they have encountered a security breach in their employer’s operating system. Those breaches resulted in major impacts for 27 per cent of respondents, moderate impacts for 42 per cent and minor impacts for 27 per cent.
“There are vulnerabilities all the time and this is what makes the job very difficult because when you ship the software, presumably the software has no security vulnerabilities, but things get discovered after the fact,” Wall said.
Security issues, he added, have really come to the forefront of the problems developers face, so “really without security, you have no safety.”
This report by The Canadian Press was first published Oct. 8, 2024.
As online shoppers hunt for bargains offered by Amazon during its annual fall sale this week, cybersecurity researchers are warning Canadians to beware of an influx of scammers posing as the tech giant.
In the 30 days leading up to Amazon’s Prime Big Deal Days, taking place Tuesday and Wednesday, there were more than 1,000 newly registered Amazon-related web domains, according to Check Point Software Technologies, a company that offers cybersecurity solutions.
The company said it deemed 88 per cent of those domains malicious or suspicious, suggesting they could have been set up by scammers to prey on vulnerable consumers. One in every 54 newly created Amazon-related domains included the phrase “Amazon Prime.”
“They’re almost indiscernible from the real Amazon domain,” said Robert Falzon, head of engineering at Check Point in Canada.
“With all these domains registered that look so similar, it’s tricking a lot of people. And that’s the whole intent here.”
Falzon said Check Point Research sees an uptick in attempted scams around big online shopping days throughout the year, including Prime Days.
Scams often come in the form of phishing emails, which are deceptive messages that appear to be from a reputable source in an attempt to steal sensitive information.
In this case, he said scammers posing as Amazon commonly offer “outrageous” deals that appear to be associated with Prime Days, in order to trick recipients into clicking on a malicious link.
The cybersecurity firm said it has identified and blocked 100 unique Amazon Prime-themed scam emails targeting organizations and consumers over the past two weeks.
Scammers also target Prime members with unsolicited calls, claiming urgent account issues and requesting payment information.
“It’s like Christmas for them,” said Falzon.
“People expect there to be significant savings on Prime Day, so they’re not shocked that they see something of significant value. Usually, the old adage applies: If it seems too good to be true, it probably is.”
Amazon’s website lists a number of red flags that it recommends customers watch for to identify a potential impersonation scam.
Those include false urgency, requests for personal information, or indications that the sender prefers to complete the purchase outside of the Amazon website or mobile app.
Scammers may also request that customers exclusively pay with gift cards, a claim code or PIN. Any notifications about an order or delivery for an unexpected item should also raise alarm bells, the company says.
“During busy shopping moments, we tend to see a rise in impersonation scams reported by customers,” said Amazon spokeswoman Octavia Roufogalis in a statement.
“We will continue to invest in protecting consumers and educating the public on scam avoidance. We encourage consumers to report suspected scams to us so that we can protect their accounts and refer bad actors to law enforcement to help keep consumers safe.”
Falzon added that these scams are more successful than people might think.
As of June 30, the Canadian Anti-Fraud Centre said there had been $284 million lost to fraud so far this year, affecting 15,941 victims.
But Falzon said many incidents go unreported, as some Canadians who are targeted do not know how or where to flag a scam, or may choose not to out of embarrassment.
Check Point recommends Amazon customers take precautions while shopping on Prime Days, including by checking URLs carefully, creating strong passwords on their accounts, and avoiding sharing personal information such as their birthday or social security number.
The cybersecurity company said consumers should also look for “https” at the beginning of a website URL, which indicates a secure connection, and use credit cards rather than debit cards for online shopping, which offer better protection and less liability if stolen.
This report by The Canadian Press was first published Oct. 8, 2024.