Canada’s privacy watchdog publishes research paper on privacy enhancing technologies

The report comes during a time of increased privacy awareness


As privacy concerns continue to blossom the world over, the Office of the Privacy Commissioner of Canada (OPC) has published a research paper on privacy enhancing technologies (PETs).

The paper is quick to establish four simple caveats. It doesn’t list limitations, weaknesses and security implications; it doesn’t validate any claims made by individuals arguing for or against specific PETs; it doesn’t compare and contrast any existing PETs; and it doesn’t outline or recommend how to use any specific PET.

In short, the paper is a summary of the OPC’s research on the existing groups of PETs currently available to Canadians, as well as the role of PETs.

“PETs are intended to allow users to protect their (informational) privacy by allowing them to decide, among other things, what information they are willing to share with third parties such as online service providers, under what circumstances that information will be shared and what the third parties can use that information for,” reads an excerpt from the OPC’s report.

The OPC noted that there are a near-endless number of different ways that technology service providers can ensure the use of PETs, but that they’re not all trusted equally by users.

“Many PETs only ever seem to be lab prototypes, or used in limited trials, so there is little to no experience of their practical use and their impact on the processing of personal information,” reads an excerpt from the report.

The report itself lists nine specific PETs: informed consent, data minimization, data tracking, anonymity, control, the negotiation of terms and conditions, technical enforcement, remote audit of enforcement, and the use of legal rights.

While these PETs seem like especially dense academic topics, the paper breaks them down into relatively simple terms.

  • Informed consent: Refers to when an individual is asked to provide personal information in a format that explains precisely why the data is required and how it will be used. The report does specify that “the complexity of policy language” can often make it difficult for users to understand what they’ve agreed to do.
  • Data minimization: This refers to circumstances in which users are asked for the absolute minimum amount of personal information. The report also clarifies that using private browsing methods in a personal browser can minimize the total amount of personal data that websites and other digital sources receive.
  • Data tracking: The OPC explains that this PET refers to methods that provide users with access to a database that highlights all of the data they’ve turned over to service providers. Google is listed as a service provider that succeeds in this regard, since users can easily track most of the data that Google acquires.
  • Anonymity: Rather self-explanatory, this PET ensures that users remain relatively anonymous and that the user isn’t identified by the service at all. The OPC mentions Tor as an example.
  • Control: This refers to users being able to exert “more control over what personal information is sent to, and used by, online service providers and merchants (or other online users).”
  • Negotiation of terms and conditions: Interestingly enough, while the majority of the PETs identified by the OPC are already available in regular, consumer-grade technological services, this one still isn’t readily available. The OPC mentioned the Platform for Privacy Preferences Project, which “was never widely adopted and support for it has largely been discontinued.”
  • Technical enforcement: This refers to PETs in which user privacy is manually enforced through methods like network monitoring and digital rights management.
  • Remote audit of enforcement: The OPC describes this method as providing individuals “with the ability to remotely audit the enforcement of the terms and conditions offered by online service providers and merchants.”
  • The use of legal rights: This final PET refers to the “protection/privacy laws [that] provide individuals with certain rights, including the right to access the information about them that an organization holds, the right to challenge the accuracy and completeness of that information and the right to have it amended as appropriate.”

Source: Office of the Privacy Commissioner of Canada

Header image courtesy of Flickr user Martin Dubsky.