The revelation surrounding Facebook and Cambridge Analytica’s use of data and data access breach may have been surprising to many users of the platform. For those of us in the digital identity industry and landscape, the news came as less of a shock.
When word got out about the consent issues – including insufficient permissions to access multiple profiles and a lack of notice from Facebook – I saw it as a confirmation of the need for Privacy by Design (PbD). PbD principles posit that security and privacy controls need to be built into platforms and tools from the start and not as an afterthought. Implementation of PbD is critical in today’s digital-first world.
When I spoke with other members of the digital identity community, surprise was also low on their list of reactions. “This is something we could have seen – and did see – coming ten years ago,” was the refrain, as they pointed to their privacy and security work as existing solutions.
“Privacy is all about personal control: Individuals must be able to decide who is permitted to gain access to their personal data and to whom it may be disclosed. Privacy by Design embodies personal control as an essential feature of embedding privacy into one’s operations – proactively baking privacy into a company’s policies and systems, in order to prevent privacy harms from arising,” said Dr. Ann Cavoukian, Distinguished Expert-in-Residence, Privacy by Design Centre of Excellence at Ryerson University. “Privacy as the default is one of the 7 Foundational Principles of PbD, which states that you shouldn’t have to ask for privacy, it should be automatically given, as the default setting. Facebook offered none of these features in their dealings with Cambridge Analytica.”
The scale and publicity of this data access breach demonstrate an adage the community has clung to, one that has remained true across industries and platforms for years: If you are not paying to use a service, you are the product. An invisible trade-off has been happening for years, and the digital identity industry has been working to develop better approaches and solutions that prioritize user-centred design, transparency, and tools to help people manage access to personal data.
Recognizing the Role of Regulation
For me, the most surprising part of the story was how quickly a tool designed for advertising could be repurposed to influence people’s political activity. While we have rules and regulatory schemes for anti-money laundering and purchasing political ads, no strong regulations exist that apply to the rapidly changing and globally connected digital advertising space.
Privacy regulatory schemes must not focus only on building walls around data for protection. These schemes must also empower Canadians to have control and make informed choices about their data. Regulations must be aligned with access to tools and frameworks that empower citizens, businesses, and government to make better choices.
Just as choosing a healthy diet is aided by nutritional labels that disclose ingredients, a healthy information diet is aided by disclosures of editorial standards, funding, & ethics. @NewsGuardRating & @_trustproject are mapping out a model: https://t.co/XbxBw8S9j3 pic.twitter.com/lGB0NWUhAa
— Alex Howard (@digiphile) April 23, 2018
Facebook recently noted, on April 4, 2018, that half a million Canadians might have also had their data swept up by Cambridge Analytica. Despite protections in place in Canada, when we are working online the rules become less clear. Borders aren’t distinct online and there is no ubiquitous data policy or protections in place. Being in Canada or a Canadian citizen does not guarantee protection or exempt us from access and privacy issues on global platforms.
The events only serve to reinforce why, beyond privacy and consent controls, we would also benefit from assurance that an anonymous person is in fact a human and not a bot – and more transparency surrounding the origin of content online. Particularly when considering government consultations and Canadian civic engagement, digital ID that lets a person authenticate while protecting their anonymity is an essential piece of creating more secure, reliable, and trustworthy digital networks. Our Digital Citizen Engagement Whitepaper with PlaceSpeak outlines additional reasons this verification is essential for better consultation and inclusive, representational digital democracy.
The Cambridge Analytica news, combined with Russian bots, illuminates a climate where misinformation is rampant and having the option for anonymity and assurance of identification are both critical. Not only are users’ data being accessed by third parties, but these third parties are advancing discourse in regional and national conversations that do not necessarily reflect the views of constituents. Data scraping and fake bots have created a multi-pronged challenge that must be addressed in order to protect diverse voices and authentic conversations in a democratic public sphere.
In the aftermath of the Cambridge Analytica events, we are left with a timely and widely resonating illustration of how important it is to:
- Establish Robust Frameworks: Prioritize an evolving Pan-Canadian Trust Framework for interoperability that puts Canadians at the centre of the design
- Position Canada for Open Data Success: Build upon Canadians’ ability to have transparency around data, access data, and use it in ways they feel most important
- Advance Privacy and Security by Design: From the foundational frameworks to the solutions within it, privacy and security must come first
The data access breach has brought wide-scale attention and media coverage, advancing the role of personally identifiable information, consent, and privacy in the minds of the public. Our community has the opportunity to use these unfortunate circumstances to continue the conversation and educate Canadians more about their data and digital information.
Collaboration in our diverse community is critical for a higher standard, to ensure that Canadian principles are prioritized in global solutions. Canada’s cooperative approach, talent, and diversity can provide a model for our peers around the world. Together, we can ensure all stakeholders have access to the necessary tools to meet and exceed regulations in a way that prioritizes Canadians while meeting the needs of businesses and governments. With a united approach, the Canadian ecosystem can truly reflect the best of what the public and private sectors have to offer to grow economic and societal opportunities.
The DIACC strives to create opportunities for these issues to be addressed, in authentic and cooperative multi-stakeholder conversations. Collaborating on the interoperability framework is critical to avoid finding ourselves in a position where we have to adopt tools that were built without our priorities included. Get in touch to get involved with our community and share your input on our Pan-Canadian Trust Framework.