Two Technological Contributions to Modernizing PIPEDA

This is my submission to the Director, Privacy and Data Protection Policy Directorate, Innovation, Science and Economic Development on the modernization of PIPEDA.

I’d like to bring to your attention two existing technologies which deserve your consideration, to enable them to implement privacy protection and preserve reputation while still addressing free speech rights.
• In the web’s HTTP protocol, there is an existing option called “do not track”, ignored by most. It was introduced to respond to regulatory initiatives in the United States to address the need for privacy, but the US regulations were never implemented. In Canada and the EU countries, the opposite is true.
• In the operation of search engine’s robots, there is an option to “do not offer for indexing”, already used by CanLII and many other sites. It is honored, in part out of sheer necessity, by all search engines and so provides an excellent means of implementing a specific sense of “do not index”.
Supporting these in legislation would make a pair of positive, well-understood changes in supporting privacy and reputation.

Introduction

I’m a computer programmer, formally educated as a philosopher and logician, and became professionally familiar with the interaction of technology and the law while working for Lexis Nexis some years ago. I speak strictly for myself, and not for my present or former employers.

Because I am familiar with the history and technical details peculiar to computers and the internet, I can speak to two specific parts of the broader problem space addressed by modernizing PIPEDA to support a Digital Charter.

Part 1, Do Not Track

In 1995, the EU established the Data Protection Directive for the protection of individuals’ personal data, causing great interest in numerous countries. In 20190, the US FTC proposed limitations on tracking. Soon after the discussion started, the Firefox web browser implemented support for a new Do Not Track header, as a proposed implementation of the FTC initiative.

The mechanism was widely implemented by browser makers, but the FTC dropped the effort. Not unexpectedly, the mechanism is now ignored by advertisers.

In 2017, the General Data Protection Regulation came into force, and advertisers were required to gain permission to track their customers. This led to a worldwide plethora of requests from web pages to be permitted to track the readers. Every web page who had readers in the EU either asked their customers for permission or stopped sending ads to EU residents.

To the readers, this was just another step in the seemingly endless game of whack-a-mole:

  • virus scanners, which tried to stop “malware”, and often caused normal programs to fail
  • spam blockers, which tried to stop spam emails but blocked legitimate emails
  • ad blockers, which tried to block all ads, but often cause web pages to fail mysteriously
  • “cookie” and “tracker” blocking, which try to stop one kind of tracking, but also causes web page to fail, just like ad blockers

All of these try to do something desirable, but have nasty side-effects that often requires manual intervention. The incessant demands for permission is just another straw for the camel’s back.

Do Not Track” as a browser option is much less intrusive, and has a specific, narrow meaning to the reader. To them, it means that one should not be tracked from site to site by ads importuning you to buy a particular thing.

If I get trailer-hitch ads on a car-dealer site where I just registered the Subaru I bought, that’s expected. If I get a constant stream of ads for socks after I made a typo in a search string, that’s creepy.

Besides being understandable, do not track it works well with the bilateral agreements a reader already has with particular web sites to allow the sites to ‘use cookies” to allow targeted advertising.

It is also an indication that’s available to the site on the initial request for a page, so that the site and it’s ad exchange can decide if they want to spend the time and effort needed for personalized ads, or whether to show a non-personalized ad, like trailer hitches on a car-aficionado site.

A publisher then need not worry nearly as much about constantly changing ad-blockers blocking their entire page, causing hem technical problems or the like. They can serve a page with or without personalized ads, and stop trying to the mole the customer whacks.

It is, in my opinion, an example of good public policy to specify a clear, simple and easy-to-enforce meaning for the “do not track” header. Citizens will see a government initiative that actually works, instead of the existing infinite sequence of “may I set a cookie?” and the ongoing ad-blocker wars.

Part 2, Do Not Offer for Indexing

One of the continuing debates is about web-search de-listing. This usually takes the form of someone asking Google to remove them from search results worldwide, and Google objecting on free speech grounds. In Canada we have the Equustek case, where the courts compelled Google to globally de-index a site selling software that had been stolen from a Canadian company [Equustek].

Despite this, and contrary to what many people expect, Google does not control what it does and does not put into its index. Instead, the sites it indexes tell it what pages to index or not index.

Before any of these cases, in the first few years of web search, the search robots that try to find pages to index regularly index pages the sites didn’t want indexed, or would get stuck in a loop and never finish indexing a site.

To control this, a so-called “robots” file was invented by web-site publishers, listing the pages that search robots should not try to index[Koster]. All web indexing robots obey it, in part to not be caught in an infinite loop and fail, but im part to honorz the web site’s needs. For example, CanLII, the Canadian Legal Information Institute, has a robots file that tells Google and everyone else what to index and what to ignore.

In the original right to be forgotten case, [Google Spain], part of original Spanish petition to the courts was to put Mr. Costeja González’s out-of-date legal case in the robots file. This was not particularly appealing in the EU context, but it is quite applicable in regimes like ours and the United States, where free speech considerations are very important.

For example, the Supreme Court recently reversed a contempt conviction against the CBC for not removing archival copies of information about a case for which a publication ban was ordered, in part due to free speech considerations [CBC]. If the courts instead ordered the CBC to not offer the case for indexing, they could leave it in the archives for persons to access, but stop web search companies from indexing it.

This is quite protective of free speech, and also less intrusive, more limited in its targets and more effective than google-only court orders. Do not offer for indexing deserves mention in legislation, a clear definition and appropriate limits.

Conclusions

As part of a broad defense in depth, I recommend two specific and already-used protocols be properly defined and given the force of law.

Do not track serves as a short-form for rejecting third-party tracking, without expressing a desire to cease doing business.

Do not offer for indexing serves as a means of removing obsolete information, such as juvenile misdemeanors from the current searchable web, without removing them from the pubic record.

Both take advantage of tested mechanisms that are already part of the protocol of the World Wide Web.

In future, based on our experience with these technologies, we may wish to adjust the definitions and limits, or define other steps that web publishers and readers can take, supported by technology, to make their desires known to on another.

I recommended them as an immediate and comprehensible step toward a future final state, to demonstrate good faith and technical awareness by Canada.

Respectfully,

                                                                                   David Collier-Brown

 

 

[CBC] R. v. Canadian Broadcasting Corp., 2018 SCC 5 (CanLII),, retrieved on 2018-03-20

[Equustek] Google Inc. v. Equustek Solutions Inc., [2017] 1 SCR 824, 2017 SCC 34 (CanLII), <http://canlii.ca/t/h4jg2&gt;, retrieved on 2018-03-20

[Koster] A Method for Robots Control http://www.robotstxt.org/norobots-rfc.txt

[Google Spain] European Court of Justice in Google Spain SL, Google Inc v Agencia Espanola de Protecciób de Datos, Mario Costeja González, C-131/12 [2014], CURIA. http://curia.europa.eu/juris/document/document.jsf?docid=152065&mode=req&pageIndex=1&dir=&occ=first&part=1&text=&doclang=EN&cid=34297#annotations:q5UroCNFEeiMnk8eapaOTQ

 

 

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s