Forgive me for disagreeing with Canada’s onetime top spook, but Canadians aren’t “stupid” when it comes to online privacy. Could they be smarter? Sure. But stupid? That’s a little harsh, and not altogether constructive.
John Adams was the head of the Communications Security Establishment Canada, which is responsible for electronic intelligence, between 2005 and 2011. He told a Senate committee last week that Canadians routinely post far too freely online, and don't always bother with protective measures.
If his goal was to grab headlines by using a provocative term, then mission accomplished. And while we do indeed deserve to get our wrists slapped for being less invested in online privacy best practices than we ought to be, name-calling won’t help us move the privacy bar higher.
Fortunately for Canadians, tightening our online personas and keeping our confidential data away from prying eyes is a relatively straightforward process. I’ve encountered enough companies with sub-standard privacy competencies to know the difference between those who get it and those who don’t. Companies and consumers alike need to raise their awareness of information gathering and collection best practices. Here are a few places to start:
Know the definition of private. Post a definition of the very word in a prominent spot on your corporate website. Explain to customers and stakeholders the difference between private – including names, addresses, contact information, and financial figures – and non-private data. Make it easy for users to know the limits so they avoid oversharing.
Don’t over-collect. When designing apps and tools that collect end-user data, be realistic about what information needs to be harvested. If the information is relevant to the task at hand, then by all means include it within scope. If it doesn’t add value, trim it out.
Establish accountabilities. Privacy isn’t as top-of-mind in organizations where no one owns it outright. Even if the organization isn’t large or resource-rich enough to justify a dedicated privacy role – a Chief Privacy Officer, perhaps? – updated job descriptions for non-dedicated roles can help other stakeholders know where the privacy buck starts and stops, and who to approach if they require guidance. Include contact information and set expectations around response times.
Challenge excessive collection. Companies don’t always need to know the most minute details of your financial history to sell you a hedge trimmer. Likewise, online forms that go too far in collecting data that has little to do with the task at hand deserve to be called out. Mandatory fields usually have asterisks beside them. If the field isn’t mandatory, don’t fill it in. If you’re stopped in your tracks, look for a feedback button and submit a detailed complaint.
Minimize social media exposure. Don’t share every last detail of your everyday life on Twitter, and don’t friend everyone who asks on Facebook. Social media platforms have become choice breeding grounds for data collectors – and hackers.
The sad truth of an increasingly connected economy is we’ll never be able to fully eliminate every last risk to our privacy. The Canadian government thinks it’s helping by introducing a wave of proposed new legislation, including Bill S-4 to amend our Personal Information Protection and Electronic Documents Act (PIPEDA) privacy law and Bill C-13, the so-called cybercrime bill. But we don’t need new laws as much as we need a new self-driven privacy-friendly mindset.
A few simple tweaks to our online behaviours can easily cut the risks down to size by ensuring our most sensitive data stays where we want it to stay. Nothing stupid about that.
Carmi Levy is a London, Ont.-based independent technology analyst and journalist. The opinions expressed are his own. email@example.com