Saturday, November 14, 2009

Global Privacy Protection in the Internet Age

Since beginning my position as a privacy analyst a couple of years ago, I have gained increasing appreciation for the difficulty involved in protecting personal information in documents while still granting necessary access to sensitive material for legitimate use. Even when the information changes hands within a small and protected group, as it does with policy analysis, research and evaluation activities, privacy management is an involved process. But how feasible is privacy protection on a global scale in the age of the Internet?

One of the best examples I can recall of this difficulty dates back to shortly after I began my job. I was sitting in an airport passing the time by reading newspapers when I noticed the story about the Richardson triple murder in Medicine Hat, Alberta.

Under Canada's Youth Criminal Justice Act (which replaced the Young Offenders Act before it), the identities of youth are protected from publication, except in special circumstances.  In comparing two articles published on June 12, 2007 – one in The Calgary Herald and one in The Globe and Mail – I noted the similarities and differences.

The Calgary Herald reported:
  • A 13-year-old girl (12 at the time of the crime) was charged with the first-degree murder of Marc and Debra Richardson and their eight-year-old son Jacob.
  • Also charged was the girl's boyfriend, Jeremy Steinke, who was 23 at the time.
  • The girl had a webpage and discussed her plans openly on the site “Nexopia”.
  • Her identity is protected under the Youth Criminal Justice Act.
The Globe and Mail wrote:
  • A 13-year-old girl (12 at the time of the crime) murdered her family after her parents tried to sever her relationship with Jeremy Steinke, who was 23 at the time.
  • None of the family members are identified by name.
  • Under the Youth Criminal Justice Act, the girl – known only as J.R. – cannot be identified.
This was the first that I'd heard of the story. With only this limited information obtained through the media, I knew that a teen by the name of “J. Richardson” had murdered her family and had posted a profile on Nexopia.com. I decided to do a little amateur investigating.

I went to Google and entered the search terms “J. Richardson Nexopia”, and from the very first page of results I learned that the suspect's name was Jasmine. Based on a family photo at the scene of the crime, Jasmine was originally thought to have been abducted or otherwise missing. As a result, a school picture of Jasmine was released due to her status as a missing person as opposed to a suspect. The picture was not distributed further when it was determined that she was alive, and a possible suspect, but because of widespread electronic distribution, it was impossible to reverse the disclosure.

Wikipedia has a complete article about the Richardson family murders. At the time that I first read it, it included Jasmine's school picture. The picture was subsequently deleted, but to no effect. As of this writing, it and many others are still easily findable by a simple Google image search.

This situation brings a number of weaknesses of privacy protection into question. For example, how effective is the protection afforded by the Youth Criminal Justice Act when there is no uniform application of privacy masking by the media? Is legislatively mandated privacy even possible given the nature of communication as it presently exists?

Within my own job, the privacy protection measures are modelled after specifications described by Statistics Canada’s Federal Research Data Centre. The FRDC has identified three types of disclosure: Identity, Attribute and Residual. For clarity, the following definitions are quoted from Statistics Canada’s Guide for Researchers under Agreement with Statistics Canada:
  • “Identity disclosure occurs when an individual can be identified from the released output, leading to information being provided about that identified subject” (Statistics Canada, 2005, p. 24).
  • “Attribute disclosure occurs when confidential information is revealed and can be attributed to an individual. It is not necessary for a specific individual to be identified or for a specific value to be given for attribute disclosure to occur. For example, publishing a narrow range for the salary of persons exercising a particular profession in one region may constitute a disclosure” (Statistics Canada, 2005, p. 24).
  • “Residual disclosure can occur when released information can be combined to obtain confidential data. Care must be taken to examine all output to be released. While a table on its own might not disclose confidential information, disclosure can occur by combining information from several sources, including external ones. (e.g., suppressed data in one table can be derived from other tables)” (Statistics Canada, 2005, p. 24).
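
A pre-release check for the table case named in the last definition (a suppressed cell derived from published totals), as an added example that is not from the original post or from Statistics Canada. The counts, the threshold of 5 and the function names are constructed for illustration.

```python
# Added example: residual-disclosure check on a suppressed frequency table.
# All counts, totals and the threshold are constructed sample data.

def suppress(counts, threshold):
    """Primary suppression: hide (None) every cell with a count below threshold."""
    return [[c if c >= threshold else None for c in row] for row in counts]

def recoverable_cells(published, row_totals, col_totals):
    """Return {(row, col): value} for hidden cells that follow exactly from totals.

    Repeatedly finds a row or column with a single hidden cell and fills it by
    subtraction, since each recovered value can unlock further lines.
    Only exact recovery is checked, not narrow ranges.
    """
    grid = [row[:] for row in published]
    n_rows, n_cols = len(grid), len(grid[0])
    lines = [([(r, c) for c in range(n_cols)], row_totals[r]) for r in range(n_rows)]
    lines += [([(r, c) for r in range(n_rows)], col_totals[c]) for c in range(n_cols)]
    recovered, progress = {}, True
    while progress:
        progress = False
        for cells, total in lines:
            hidden = [(r, c) for r, c in cells if grid[r][c] is None]
            if len(hidden) == 1:
                r, c = hidden[0]
                known = sum(grid[i][j] for i, j in cells if (i, j) != (r, c))
                grid[r][c] = recovered[(r, c)] = total - known
                progress = True
    return recovered

# Constructed table: rows are regions, columns are professions.
COUNTS = [[12, 3, 20],
          [15, 9, 11],
          [8, 14, 2]]
ROW_TOTALS = [sum(row) for row in COUNTS]
COL_TOTALS = [sum(col) for col in zip(*COUNTS)]

# Primary suppression alone leaves one hidden cell per affected row.
PRIMARY_ONLY = suppress(COUNTS, threshold=5)

# Complementary suppression: also hide (0, 2) and (2, 1) so that every
# affected row and column carries two hidden cells.
COMPLEMENTARY = [row[:] for row in PRIMARY_ONLY]
COMPLEMENTARY[0][2] = None
COMPLEMENTARY[2][1] = None

if __name__ == "__main__":
    print("primary only:", recoverable_cells(PRIMARY_ONLY, ROW_TOTALS, COL_TOTALS))
    print("complementary:", recoverable_cells(COMPLEMENTARY, ROW_TOTALS, COL_TOTALS))
```

An empty result means no hidden cell can be computed exactly from the totals released with the table; it does not rule out disclosure through other released tables or external sources.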
Through a combination of identity and residual disclosure, Jasmine's right to anonymity (as a 12-year-old child) was denied. Two partially anonymous media reports contained a nearly complete picture upon combination, and the irreversible release of a photograph made Jasmine's identity as well known as that of an adult charged with the same crime. And now, electronic distribution of that information has placed it beyond the legal jurisdiction of the Canadian justice system.

Physical distances and international boundaries have become relatively meaningless in a society where publicly accessible information can reside on an Internet server in the United States or the United Kingdom. While it may be possible to seek a legal injunction against a website host, demanding the removal of sensitive information, the information can be moved elsewhere within minutes of receipt of a court order. Free website hosting from site providers worldwide provides nearly limitless choices for a new website. Mirroring – or the practice of synchronizing the content located on one computer server to also appear on other servers – makes the same information available from multiple geographic locations simultaneously. Additionally, once information is electronically distributed, there is no feasible way to cope with the subsequent redistribution of that information by others who encounter it. Through email, file transfer protocol, peer-to-peer file sharing networks, instant messaging, or hosting the data on a website of their own, individuals can perpetuate the spread of data beyond any government's ability to cope.

This month, representatives from 50 countries met at the 31st International Conference of Data Protection and Privacy Commissioners to reach a draft agreement on international standards for the protection of privacy and personal data. Will a global privacy framework ever exist that could uphold laws like the Youth Criminal Justice Act?

I would appreciate your thoughts.

References
  • Statistics Canada Research Data Centres. (2005, October). Guide for researchers under agreement with Statistics Canada.
  • Walton, D. (2007, June 12). ‘I hate them so I have this plan’: Twelve-year-old decided to kill family after parents tried to stop her dating 23-year-old, Crown tells court. The Globe and Mail, p. 6A.
  • Zickefoose, S. & Remington, R. (2007, June 12). Family stabbed dozens of times: Court hears details of ‘Hat triple murder. Calgary Herald, pp. 1A, 3A.