Dr. Ann Cavoukian, Information Privacy Commissioner, Ontario

have to go - good day to all :) - thanks for the interesting info 

thanks

really good info

thank you

@Mary:  Yes, it is very nice.  So, when it becomes available, I'll get it to replace the one that was stolen.

Nice!

http://eee.asus.com/en/eeepad/transformer-prime/features

@Mary:  The 32GB model is $499, the 64GB model is $599 and the keyboard dock runs $150.  It's not available in the US, yet.  It might be available in Korea or Taiwan.  I'm not sure.

Ha! @SecTech: How much does that cost? Where do you get one?

Unfortunately it's not available yet.  It was supposed to be available Dec 9 but isn't.

LOL Mary, that's easy... Asus Transformer Prime with Keyboard Dock

Curtis Franklin is hosting Brian Chee.  It will be interesting to hear what he has to say.

@SecTech: You'll have to let us know your favorite gift idea.

Ooh that sounds good, SecTech.

I'm flipping between this one and another on Enterprise Efficiency where they are doing a talk on Geeky Gifts for Christmas starting at 3PM EST

Yes feel free to stick around! I'm just going to migrate back to my desk. Be right back.

Everyone: Anyone still wishing to chat can of course stick with us on the board!

Thank you everyone for tuning in and for your questions!

@CommissionerCavoukian, thank you for all the information.

Thanks Dr. Cavoukian. I have mark out the date Jan. 27

@SecTech:  I don't think that's possible.  Once data's out there, it's out there.  I don't think it's possible to ever ensure its destruction.

Thank you, Dr. Cavoukian! Wonderful radio program.

Thanks so much Dr. Cavoukian!

Thanks Dr. Cavoukian!

@Dr. Cavoukian:  If you order destruction of data gathered unlawfully, how can you be sure all copies have been destroyed?

Thank you very much for inviting me Nicole. It has been a pleasure to join you. And I thank the participants for their contribution!

@ Nicole Ferraro We are holding an event on Int'l Privacy Day, Jan. 27 called "Beware of Surveillance by Design." This relates to several controversial Canadian bills that would expand the web of warrantless surveillance by the government and compelling telcos to provide 11 fields of subscriber data to law enforcement -- all without any judicial authorization. This is completely unaccepable to me and hopefully to many others. We hope to see you at our event in Toronto. Watch our website for more details. www.ipc.on.ca

@Dr. Ann Cavoukian, in Alberta and BC many bars were offering this service for the security of patrons of bars known as "Barwatch", "Barlink" and other names. How has Ontario handled these machines that scan people's IDs and uploads them to a server, and to police/RCMP's servers in real time? Alberta and Alberta had a major problem with there not being enough disclosure upon entry. Bouncers grabbing patron's IDs and scanning them without proper notice. Does Ontario have these machines? If so, how have you worked to make sure privacy is the #1 concern. Is this your area? I figured it would be since it covers data being collected that is sent over private and Internet connected servers.

@Mary, oui!

@Nathan: Interesting re: Oracle. They painted a target on their backs, no?

@Mary, definitely not. Especially when dealing with American businesses that do business with Canadian citizens.

Thank you, Dr. Cavoukian! It seems that the commission doesn't restrict itself to working only within Canada.

@Mary agreed. Reminds me of Oracle's "Unbreakable" product launch of their database software in the early 2000s. It made them a huge target. About 6 vulnerabilities were found in about 48-72 hours if my memory serves me correctly. :)

@Dr. Cavoukian:  Do you see a privacy problem with Carrier IQ or is it just much ado about nothing?

@ Mary Jander We have three papers that outline how PbD can be embedded into the code of smart meters and smart grid developments -- at a very granular level. Most recently, we have partnered with San Diego Gas and Electric to embed PbD into their smart meter dynamic pricing program. Our white paper will be released March 8 and will demonstrate how privacy can indeed by embedded into smart meter functionality. www.privacybydesign.ca 

@Nathan, it wouldn't surprise me that companies don't want their great privacy and/or security designs publicized. That might tip off malfeasants.

@Nicole, great question!

@Dr. Cavoukian: How does PbD work in tandem with legislations aim at adressing the privacy problem? 

Dr. Cavoukian thank you for taking so much time and for joining us on the board here. I saw this on your site: “Surveillance by Design:” The Threat of Looming “Lawful Access” Legislation. Can you tell us more about that?

I wish more companies took a privacy / security by design in mind pertaining to their business and the information they have and have collected on their customers, clients and non-business users and partners. Of course, I'm sure there are lots... we just hear about the nightmares. The stars in the industry are rarely mentioned. Bad press is popular.

I remember a few terrible stories of breeches involving medical records.  Major stuff hitting the fan there.

@Paul Whyte PbD will save considerable resources and should not negatively impact the timelines to roll out new products. Properly planned from the outset, it could, in fact, save you time and it will for certain save you heartache in terms of data breaches..Privacy by Design NOT Privacy by Disaster. 

@Dr. Cavoukian: Thanks. Of the challenges you mentioned, which one do you think holdest the greatest leverage to the realization of the goals of PbD?

Regarding my last message, I'm talking about PbD for smartgrids, of course.

@Dr. Cavoukian: Speaking of smart grids, there have been privacy issues cited by consumers hesitant to allow monitoring of home utility use into their communities. How might privacy by design be implemented to boost consumer confidence?

@Paul Whyte I am independent of government, I am an Officer of the Legislature, reporting through the Speaker (i.e. non-partisan).

@Nathan: Privacy by design looks like a fabulous idea with some business incentives but I wonder how that will affect the timeline of rolling new products

Re: @Ann: What are the limitations of 'privacy by design'? We prefer to think of these as "challenges:" 1) getting the buy-in of senior leadership 2) creating Privacy by Design (PbD) as the organizational culture, not just a tick-box to be checked 3) translating the 7 principles of Pbd into tangible, precision engineering language (as we have done in the areas of the Smart Grid, biometrics, and RFIDs).   

Sorry that should have been "Alberta and British Columbia" not "Alberta and Ontario".

@Dr. Ann Cavoukian, in Alberta and BC many bars were offering this service for the security of patrons of bars known as "Barwatch", "Barlink" and other names. How has Ontario handled these machines that scan people's IDs and uploads them to a server, and to police/RCMP's servers in real time? Alberta and Ontario had a major problem with there not being enough disclosure upon entry. Bouncers grabbing patron's IDs and scanning them without proper notice. Does Ontario have these machines? If so, how have you worked to make sure privacy is the #1 concern.

@Paul: Isn't it a business advantage to have privacy by design now?

@Bolingbroke -- I touched on this; it doesn't so much matter if users know as much as if users care.  If users care, it means any business that doesn't play nice with data can be attacked by rivals or governments.  There will be demand for either government to keep an eye on things or consumers will stick to trustworthy brands.

@Bolingbroke: sometimes users don't know their info is being used. I think it's slowly dawning on non-technical users, though, that there are privacy risks online.

@Boling: Not many users know what happens to their data

@Smk:" Plain and simple, privacy will become a priority when it offers a business advantage.". 

Thank you! Thank you: Thank you!Thank you. 

@SMK, how do users even know how or if there data is being used?

There are many categories of enf users, and companies should take that account when designing their privacy policies

It won't offer a business advantage unless end users and consumers demonstrate they care.

@Paul: Well, it seems that companies that don't build privacy into their products and services stand to lose market share. Better to spend on privacy by design, right?

@Mary, I agree. That's where the PIPEDA statute comes in and her role as commissioner to oversee their activities, and then the local provincial statutes related to privacy for Ontario. Finding that synchronicity between public sector, private sector and 'we the people'.

Plain and simple, privacy will become a priority when it offers a business advantage

@Mary:  Unless end users make it an issue, how likely is it that the market will include privacy by design?

@Mary: at what cost?

The onus can't just be on the end users.

But @nathan, Dr. Cavoukian also seems to think that companies should make more effort to create privacy by design.

Trust is going to be a major issue in marketing.  I figure the 4 P's will be modified by 3T's (and 1 A) -- trustworthiness, timliness, and targeting.  The A is for Analytics.

@Ann: What are the limitations of 'privacy by design'?

Dr. Ann Cavoukian, you're a star and a perfect example of what a Privacy Commissioner should be. I'm in Alberta, our privacy commissioner should be getting talking points from you. Especially after hearing about your wonderful work in grilling Google. Bravo!

Back! Dr. Cavoukian will be joining us here so stick around.

@tova: Thanks! 

Thank you, Dr. Cavoukian!

@Mary, I love what she's saying. That over regulation and redundancy is a problem. Be responsible.

The Canadian outlook seems to be that service providers remain accountable. But that means that service providers shouldn't use offshore partners if they can't vouch for them.

There are some excellent examples of privacy notices that are both easy to read and understand. check out yahoo's privacy area

@Paul: Many users learn the hard way

Interesting idea that Patriot Act is red herring.

@Paul: I think that some users start applying privacy settings after some issues with their accounts.

Wayto go, Dr. Ann Cavoukian! Google needed that grilling with Google Buzz. I think I have a new privacy hero

@Mary: Blame is different than viewing them as evil. I agreed that they do fall short of the standard expected of them but that's why we keep piling the pressue on them to make amends

@Paul: You don't blame Facebook, ever, then?

@Paul, Control + <-- increase font size. :P

@Paul: Good for me. I'm not a lawyer

Really like the idea of having both connection and privacy!

@Hounhosp: I definitely won't hire you to be my legal expert if that is the way you want to defend users who are callous about their own privacy

@nathan: Agreed, the Terms and Conditions and Privacy terms is there for everyone to read, but I find there is the "fine print" discourage users to carry on reading 

I wonder how Facebook Timeline is going to go over in terms of privacy. I just enabled this feature this morning.

@nathan: Exactly and that's where i disgaree with many. I really don't see why we should perceived Facebook a the enemy

@hounhosp, actually they are. Notices go out all the time and the Terms and Conditions and Privacy terms are available right on their web-site. On the settings page and on the front of their site.

@Mary, I agree, I think that's a battle that we as users and governments need to compel Facebook to make changes on based on our demands. @Paul, When Facebook makes mistakes they should be punished, but making them the 'enemy' is wrong. People love their service, so let's work with them to make it better.

@nathan: Many are ignorant because they are not informed about the options

@Nathan: So in that context there is n need to blame Facebook?

@Ann: What are the limitations of 'privacy by design'? 

True, @nathan. But do you think that FB is doing enough to ensure user privacy? Is it giving us enough options?

@Paul Whyte, all of them do. But ignorance and laziness is not an excuse. Facebook gives them the option.

We should keep fighting to control our privacy. I agree with that

@Mary: I have no problem with that but how many users really do have the chance to check those privay settings

Hi everyone!

I really like what Dr. Cavoukian is saying. Positive sum. This is not a binary issue. Bravo! Ontario citizens should consider themselves lucky to have her looking out for them.

@Paul: I'm with Natanwosnack in thinking we should as users be able to regulate our privacy, to control the tradeoffs we make online.

@Mary: We are living in an information economy and as result information becomes the singular most important commodity

Yes, the 'myth' is a problem. People are pessimistic. Hands raised in the air "I give up". It's wrong.

For example, let's say we have two rival companies, A and B.  A does a good job of privacy, B doesn't, and consumers demonstrate they prefer companies that respect their privacy.  It means A can actually attack B successfully for financial gain.

Dr. C thinks we should not simply give up ahead of struggling for privacy.

@Mary: yes to certain extent. I think that is the currency of the digital economy: thriving on our data

Privacy and connectivity! Yes. You should be able to MANAGE your own privacy. Facebook for example; let's you manage your own privacy settings. We need this control as end-users. That's an issue - control.

We see customers boycotting Netflix but not over privacy concerns.

@Paul: you mean too that we must be willing to support sites like Facebook by offering up our privacy.

So Paul, you're saying we should be willing to forgo privacy if we're getting free services online.

good point

As far as whose responsiblity privacy is, that's a very simplified idea.  In reality most of the consumers won't be able to know for sure whether or not their privacy is protected.  But if consumers demonstrate they will take action (boycotts and other financial incentives) then the other two bodies will listen.

interesting

Where has that worked, SMK ?

Ah, the conflicting interests between security and privacy is a great point.

@Mary: I am saying whether becuase of the free stuff we are getting online like being on Facebook, should we expect any reasonable level of privacy?

But companies and government agencies should also be concerned about privacy. Intellectual Property, Trade Secrets, information on healthcare from citizens, and so forth. Privacy is all our responsibility.

@Mary:  That's quite true.  Probably why Facebook's a lost cause when it comes to privacy as far as I'm concerned.

Good points, SMK. But I'm skeptical about how effectively that system really works.

It seems that privacy by design is key to making privacy work. You can't bolt it on later, or after the fact.

so we should have get something like Internet by design also

In my opinion, the job of protecting privacy belongs to the consumer.  It's the consumer who will have to demand privacy compliance, forcing the market to listen.  If people just complain but don't take action then the only the government will take steps.  If people take action, then the market listens and the government doesn't have to do anything.

@Paul: Can you clarify that question?

@Ann: are privacy breaches what we pay for getting free stuff online?

Thank you for the fantastic information/answer, Dr. Ann Cavoukian. I agree it's an issue the private sector and public sector with the citizens need to work together to fix properly.

(I can't seem to stop using exclamation points today.)

@Paul:  Honestly, not really....

Ah, I knew it SMK!

@smk: so you trust the government to fix the privacy problem?

Also, Hi Dr. Ann Cavoukian -- I'm also from Ontario! :)

Hi Mary!

@Paul:  I wouldn't trust the market to fix the privacy issue. 

Is everyone else getting incessant "Blog Talk Radio" ?

Hi SMK!

Ping!

Audio torture ?

@Nathan: Thanks. So we can't trust the market to fix the privacy problem?

Yes, Paul it is. http://www.ipc.on.ca/english/Home-Page/

Information Privacy Commissioner. Is that a government position? 

Haha @Bolingbroke

Hello Bolingbroke

There we go

Hi Paul! We're getting past our introductions and heading into the audio.

In Canada

Hello Nathan

so where are we?

Hello, Paul Whyte!

Paul, hello.

hello

Interesting, nathan!

I was part of the original working group with Industry Canada and other agencies and companies in Canada that developed the original framework for PIPEDA. So I'm very interested to hear Dr. Cavoukian's views on this.

LOL. :)

Ha! You were the first Canadian I counted, Nathanwosnack!

Hey Bayte!

I'm interested to know what Dr. Cavoukian thinks of Carrier IQ or related smartphone tracking apps.

A third here.

You're welcome, Nicole.

Hi everyone! A second Canadian here happy to hear from Dr. Cavoukian!

Great, Nathan, thanks!

Hello to all

How do you feel PIPEDA (Personal Information Protection and Electronic Documents Act) has impacted local provincial statutes in Ontario, related to privacy, and as Privacy Commissioner do you feel PIPEDA is in synch and up to date with the needs of the privacy of Ontario citizens?

Since you guys are the early birds, any questions you want to pose up front for Ann?

Without a doubt! I'm grateful she's joining us today.

From her vblogs Dr Cavoukian appears to be an excellent presenter.

Hello all. Going to get started in about 20 minutes. Thanks for being here.

I would love to to say thank you to Dr. Ann Cavoukian, Information Privacy Commissioner for the Canadian province of Ontario for her hard work to protecting my right's as Canadian Citizen...

This is exciting. As a Canadian and someone who works in IT, and who has previously worked in information security, this is a particular topic that will be quite interesting to participate in. Welcome, Dr. Ann Cavoukian, Information Privacy Commissioner for the Canadian province of Ontario, and others!