Confronting the Dragons Without and Within: Privacy’s Final Frontier?

A Report on “Terra Incognita”: The 29th International Conference of Data Protection and Privacy Commissioners

Montreal, Canada
25-28 September 2007

By: Jane Bailey*, Ottawa

This paper was commissioned by the Office of the Privacy Commissioner of Canada. The views and opinions contained in this document are those of the author and do not necessarily reflect the views and opinions of the Office of the Privacy Commissioner of Canada nor of the Government of Canada.

* Jane Bailey is an assistant professor of law at the University of Ottawa Faculty of Law: jbailey@uottawa.ca. Thank you to Ian Kerr, Khaled El Emam, Tim Caulfield and OPC staff members for their comments relating to earlier drafts of this report, as well as to Bridget McIlveen, Katie Black, Jena McGill and Julie Shugarman for their excellent documentation of the conference. Finally, thank you to the Office of the Privacy Commissioner of Canada for the opportunity to report on this precedent-setting conference and to Michael Geist and all of the other conference speakers for their inspiring and informative presentations.


Table of contents

Introduction

I. The Dragons

  1. Globalization
    1. Public security
    2. Data flows and mirroring across borders
    3. Inter-jurisdictional challenges
  2. Technology
    1. Data mining
    2. Radio-frequency identification (RFID)
    3. Location-based tracking
    4. Genetics and biobanking
    5. Ubiquitous computing
    6. Nanotechnology
    7. Standard setting
  3. Future generations
  4. Internet crime

II. The Dragonslayers/Tamers/Befrienders

  1. Multi-sectoral, inter-jurisdictional collaboration
    1. The London 2006, APEC and OECD initiatives
    2. Privacy by design
    3. Civil society initiatives
  2. Privacy seals
  3. De-identification
  4. Audit
  5. Privacy impact assessments (PIAs)

III. Recurring Themes

  1. The meaning of privacy
  2. Privacy vs. security
  3. Deficiencies in existing legal approaches
    1. “Consent”, “control”, “property” based models
    2. Legal regulation based on physical territories
    3. Focusing on retention and use, rather than minimization
    4. Inadequacy of the Canadian hierarchical model

Conclusion

Appendix A - Resolution on the urgent need for global standards for safeguarding passenger data to be used by governments for law enforcement and border security purposes, 29th International Conference of Data Protection and Privacy Commissioners, Montreal, Canada (September 25-28, 2007)

Appendix B - Declaration of Civil Society Organizations on the Role of Data Protection and Privacy Commissioners, Montreal (September 25, 2007)


INTRODUCTION

Hundreds attended the 29th International Data Privacy Commissioners Conference in Montreal from September 25 to 28, 2007. Provocatively named “Terra Incognita”, the conference was thematically organized around early explorers’ dealings with “unknown lands”. Working from folklore that early explorers regularly marked drawings featuring uncharted territory with the phrase “here be dragons”,[1] conference presentations were organized around six “dragons”: public safety, globalization, law meets technology, ubiquitous computing, the next generation and the body as data. Responses to these “dragons” were variously described as dragon slayers, dragon tamers and dragon befrienders. These included multi-sectoral and inter-jurisdictional collaboration, privacy seals, de-identification, audits, and privacy impact assessments (PIAs).

Conference participants were reminded on a regular basis that we are only minutes from the midnight of the total surveillance society symbolized by the ACLU’s Surveillance Society Clock.[2] Some members of the privacy community attributed the gravity of the current situation to the limited inroads that have been made in generating privacy-friendly policy and in capturing the hearts and minds of the public more generally. Reverberating throughout most sessions at the conference was the centrality of collaboration across sectors, stakeholder groups and territorial jurisdictions. Central projects identified for these collaborative initiatives included reconceptualizing the meaning of privacy, dismantling the privacy vs. security dichotomy, and addressing deficiencies in existing legal approaches, with a focus on the limited shelf-life of “consent”, “control” and “property” models currently in use.

Part I highlights some of what we learned about the “dragons” at the conference, focusing on globalization (including the security agenda), technology (including data mining, RFID, location-based tracking, genetics and biobanking, ubiquitous computing, nanotechnology and standard setting), future generations and Internet crime. Part II approaches the proposed toolkits for “dragon slaying”, “befriending” or “taming” (including multi-sectoral, inter-jurisdictional collaboration, privacy seals, de-identification, audits and PIAs). Part III steps back from specific issues to focus on some of the broader themes recurring throughout the conference that raise important concerns for future thinking (including the meaning of privacy, the privacy vs. security dichotomy, and deficiencies in existing legal approaches).

I. THE DRAGONS

The dragons reflected upon at the conference fall roughly within four categories: (a) globalization; (b) technology; (c) future generations; and (d) Internet crime, although within each of the categories numerous issues and concerns were addressed.

A. Globalization

Security concerns and seamless inter-jurisdictional data flows transcend territorial borders in this age of globalization. These new world conditions demand privacy-protective solutions that are either non-territorial in nature or, at the very least, are premised upon collaboration between authorities across territorial divides. Such collaboration, however, is not without its challenges as representatives from nations with differing cultures and values sit across the table from one another striving to develop tools for taming (if not slaying) dragons for whom borders bear no meaning.

(i) Public security [3]

The seemingly ever-increasing law enforcement demand for access to and retention of information about individuals as a necessary tool for ensuring public security found its voice in the conference’s keynote presentation by the Secretary of the Department of Homeland Security (DHS), Michael Chertoff. Secretary Chertoff painted a portrait of the continuing terrorist threat to public security and the concomitant need for: U.S. government pre-screening of passenger name record (PNR) information for all passengers on flights arriving in the U.S. from foreign destinations;[4] a U.S. government repository of 10-digit fingerprints for all non-Canadians and non-Americans coming into U.S. ports of entry; and acceptance of a reduced number of more secure identification documents by persons presenting themselves at U.S. borders. Arguing that pre-screening entrants through review of PNRs reduced intrusions on privacy overall by targeting particular individuals for secondary questioning, Secretary Chertoff reasoned that privacy vs. security was indeed a false dichotomy.

The expansion of state surveillance in the name of public security was addressed by numerous presenters throughout the conference, but it was perhaps nowhere more graphically illustrated than in Secretary Chertoff’s remarks, which closing speaker Michael Geist aptly characterized as a throwing down of the gauntlet by the security establishment. Concerns were raised by speakers such as the ACLU’s Barry Steinhardt as to the willingness and ability of the U.S. security establishment to equitably implement systems such as PNR. Further, both Steinhardt and Bruce Schneier expressed concerns with respect to the absence of evidence that privacy “trade-offs” are actually yielding greater public security overall.[5] Data and privacy commissioners at the conference expressed their concerns relating to passenger privacy in international travel by issuing a “Resolution on the urgent need for global standards for safeguarding passenger data to be used by governments for law enforcement and border security purposes”.[6]

(ii) Data flows and mirroring across borders [7]

Threats to privacy arising from the security agenda of government players from around the globe are being augmented by the seamless flow of data across borders stemming from private business models designed to lower costs and deliver multilingual customer service on a 24/7 basis. As businesses outsource various aspects of data collection, storage and analysis in jurisdictions around the world, old models for making full disclosure to customers and obtaining their consent to these kinds of transactions are increasingly outmoded. With the differing laws, social mores and approaches to privacy arising across the various jurisdictions involved, the prospect for differences in privacy expectations between data subjects living in one area and those that predominate in the area where the data is stored and handled are practically inevitable. In addition, these cross-border data flows demonstrate the degree to which territorially-based privacy regulation is rapidly becoming ineffective. In this atmosphere, cooperation between regulators in different geographic jurisdictions, as well as mechanisms for businesses to develop uniform standards, such as the Asia–Pacific Economic Cooperation (APEC) Privacy Framework (discussed in detail in Part II(A)(i) below) are becoming increasingly relevant.

(iii) Inter-jurisdictional challenges [8]

The fluidity with which data and information flow across territorial borders necessitates inter-jurisdictional cooperation with respect to establishing standards, cooperative enforcement and public relations efforts. Joint efforts, such as OECD initiatives on cross-border enforcement (discussed in detail in Part II(A)(i) below), have become increasingly evident in recent years. Nonetheless, stumbling blocks remain. Limitations on effective joint initiatives include domestically under-empowered data protection and privacy commissioners, as well as significant cultural disparities. As Netherlands Commissioner Kohnstamm described it, in some instances these cultural disparities lead to situations of “mutual ignorance, suspicion and superiority”, which are not conducive to effective working collaborations between jurisdictions.[9] Cultural differences may include the degree to which citizens place trust in the state, whether the system is oriented toward prevention or compensation, and the degree of respect each jurisdiction demonstrates to foreign nationals. A demonstrated commitment by partner nations to treat the privacy rights and interests of foreign nationals in a manner consistent with the way they treat their own citizens will be a critical factor in effective collaboration between nations.

The need for and challenges to inter-jurisdictional and multi-sector collaboration emanated throughout the conference and were perhaps nowhere more evident than in the sessions focusing on the intersections between law and technology.

B. Technology

Technology often progresses regardless of and without relation to “law” or other mechanisms delineating social values and principles. In many respects, law is seen as a constraint on progress insofar as it seeks to limit development in accordance with delineated principles, including those relating to privacy. In every instance addressed at the conference, whether it be data mining, RFID, location-based tracking, biobanking, ubiquitous computing or nanotechnology, legal regulators are striving to understand the social meaning and implications of technology. This is evident in efforts to anticipate the consequences of impending developments and in attempts to modernize legal regulation and concepts in light of developments that have already occurred. Once again, it appears that collaboration will be a key factor in resolving these issues. While collaboration between regulators and technology developers seems both possible and essential if “privacy by design”[10] is to be accomplished, it would appear that more work needs to be done in order to ensure that these opportunities are adequately seized upon. Standard setting provides one such opportunity, as discussed below in sub-part (vii).

(i) Data mining [11]

Data mining can take place in many contexts and for many purposes, including market profiling, healthcare and state surveillance. Regardless of the context, however, data mining raises privacy concerns because it involves secondary uses of data that was initially collected in a different context. How we evaluate the practice of data mining is affected by our assessment of the degree to which privacy is invaded by re-use of the data in question and the social benefits we understand to be achieved through secondary use of data within a particular context. As a result, some conference participants suggested that secondary uses of health-related data within the context of medical research ought to be evaluated differently from data mining for purposes such as market profiling and state surveillance.

The example of state surveillance focused upon in one conference session was the U.S.’s “Terrorism Information Awareness Program” (formerly the “Total Information Awareness Program”). Pursuant to that Program, U.S. authorities compile data from a multitude of sources purportedly to pre-identify those at risk of committing terrorist offences. However, at least one study has suggested that since the incidences of terrorism are so few and the characteristics of each attack so unique, investing resources in this kind of model is unlikely to produce greater security.[12]

It was suggested that data mining was of particular concern in contexts where data subjects were unaware of the kind of data being collected about them or of the uses to which their data would be put. Possibilities for addressing these concerns include increased and ongoing disclosure requirements by data collectors and users, as well as development of techniques for anonymizing data in order to minimize the risk of its being used to re-identify a particular individual.[13]

The concept of informed consent is itself becoming increasingly challenging to define and administer since it is difficult in so many cases to communicate data collection, retention and use patterns to data subjects. Further, there are other social concerns about the collection and secondary use of data for profiling, whether in the context of private marketing, healthcare or public surveillance, that raise serious questions as to whether the practice of data mining itself can legitimately be addressed on the basis of an individualistic consent-based model. These issues are discussed in detail below in Part III (C)(i).

(ii) Radio-frequency identification (RFID) [14]

RFID technology permits the tracking of a passive tag or chip inserted into an object, such as a piece of inventory or a person. Even in its current popular application for purposes of inventory control in the retail sector, RFID allows a degree of surreptitious tracking of the movement of the product, and thus persons associated with that product. As we move toward a future of item-level tagging, we move ever closer to creating an infrastructure for ubiquitous computing, which is discussed below in sub-part (v). Concerns about the privacy implications of RFIDs have caught the attention of data protection and privacy commissioners internationally[15] and were the subject of guidelines issued by the Office of the Information and Privacy Commissioner of Ontario in 2006, which focused on fair information practices.[16] Nonetheless, the implications of RFID in the context of a broader information structure, in which real-time collection of data regarding movement that is passively collected can be linked with other data collections, challenge existing privacy models focusing on individual knowledge and consent.

(iii) Location-based tracking [17]

The privacy risks of real-time surveillance were thoroughly canvassed at the conference by those speaking about location-based tracking. Individual movements are trackable as the result of emissions from various kinds of devices that many of us carry—including cell phones. Cell phone companies currently record the location of each phone they serve several times an hour in order to provide service. Important questions arise as to the need to retain that kind of data, to whom it belongs and the legitimacy of its secondary use. Other applications include employee tracking, location-based advertising and location-based dating, and can involve other devices including global positioning systems (GPS) and RFID that allow for the real-time tracking of individual movements. Panelists expressed concern that as these mechanisms for surveillance are combined with other data available online, increasingly sophisticated systems for social sorting and profiling will result. The subjection of individuals to “uberveillance”[18] will increasingly deprive us of public spaces in which we feel we operate free of negative judgments being made about us. David Lyon raised the broader social concern that these systems are likely to be operated in a manner that will further marginalize the already marginalized members of our society.

The Internet Engineering Task Force (IETF) has developed GeoPriv—a technical standard aimed at protecting privacy in relation to locational information transmitted pursuant to IETF protocols, including the voice over Internet Protocol.[19] The standard requires that basic privacy rules be transmitted along with locational data. These rules relate to the duration for which the information may be kept, and provide a pointer to more detailed externally-stored privacy rules. Although the standard makes privacy protections possible, its implementation is likely to depend upon the imposition of a legal requirement to use the standard. However, there are a number of current instances in which policy makers are being pressed to require that privacy features not be implemented. In the U.S., for example, submissions made at the E911 hearings have suggested that individuals should be prevented from turning off the geolocational aspect of cell phones in order to deter and/or speed investigation of false calls to 911.[20]
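To make concrete what “privacy rules transmitted along with locational data” means in practice, the following is an added example (not part of the report, nor IETF code) showing how a receiving system can read the usage rules carried in a GeoPriv location object and enforce them before storing or forwarding the location. It uses the element names from the GeoPriv PIDF-LO format (`usage-rules`, `retention-expiry`, `retransmission-allowed`, `external-ruleset`); the sample document, its coordinates, the policy URL and the "deny when a rule is absent" defaults are this example's own constructed choices, not values from the report.

```python
"""Read and enforce GeoPriv usage rules from a PIDF-LO location object (added example)."""
from datetime import datetime
import xml.etree.ElementTree as ET

# Namespace of the GeoPriv extension to PIDF (PIDF-LO).
GP_NS = "urn:ietf:params:xml:ns:pidf:geopriv10"

# Constructed sample: a simplified PIDF-LO document for a fictitious user. The
# location, the expiry time and the external ruleset URL are made up for this example.
SAMPLE_PIDF_LO = """<presence xmlns="urn:ietf:params:xml:ns:pidf"
          xmlns:gp="urn:ietf:params:xml:ns:pidf:geopriv10"
          xmlns:gml="http://www.opengis.net/gml"
          entity="pres:alice@example.org">
  <tuple id="loc1">
    <status>
      <gp:geopriv>
        <gp:location-info>
          <gml:location><gml:Point><gml:pos>45.5017 -73.5673</gml:pos></gml:Point></gml:location>
        </gp:location-info>
        <gp:usage-rules>
          <gp:retransmission-allowed>no</gp:retransmission-allowed>
          <gp:retention-expiry>2007-09-29T00:00:00Z</gp:retention-expiry>
          <gp:external-ruleset>https://policy.example.org/alice/rules</gp:external-ruleset>
        </gp:usage-rules>
      </gp:geopriv>
    </status>
    <timestamp>2007-09-28T00:00:00Z</timestamp>
  </tuple>
</presence>
"""


def parse_timestamp(text):
    """Parse an ISO 8601 timestamp; the trailing 'Z' is mapped to an explicit UTC offset."""
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def _rule_text(rules_el, local_name):
    el = rules_el.find(f"{{{GP_NS}}}{local_name}")
    return el.text.strip() if el is not None and el.text else None


def parse_usage_rules(xml_text):
    """Extract the usage rules that travel with the location.

    Assumption made by this example (not a statement about the standard): when the
    rules block or a rule is missing, the recipient gets no permission rather than
    a default permission.
    """
    root = ET.fromstring(xml_text)
    rules_el = root.find(f".//{{{GP_NS}}}usage-rules")
    if rules_el is None:
        return {"retransmission_allowed": False, "retention_expiry": None, "external_ruleset": None}
    retrans = _rule_text(rules_el, "retransmission-allowed")
    expiry = _rule_text(rules_el, "retention-expiry")
    return {
        "retransmission_allowed": (retrans or "no").lower() == "yes",
        "retention_expiry": parse_timestamp(expiry) if expiry else None,
        "external_ruleset": _rule_text(rules_el, "external-ruleset"),
    }


def may_retain(rules, now):
    """True if the receiving system may still hold the location at time `now`."""
    expiry = rules["retention_expiry"]
    return expiry is not None and now < expiry


def may_forward(rules):
    """True if the location may be retransmitted to a third party."""
    return rules["retransmission_allowed"]


def handle_location(xml_text, now, action):
    """Policy decision point: may this recipient 'store' or 'forward' the object?"""
    rules = parse_usage_rules(xml_text)
    if action == "store":
        return may_retain(rules, now)
    if action == "forward":
        return may_forward(rules)
    raise ValueError(f"unknown action {action!r}")


def purge_expired(store, now):
    """Drop retained location objects whose retention-expiry has passed."""
    return [xml for xml in store if may_retain(parse_usage_rules(xml), now)]


if __name__ == "__main__":
    received = parse_timestamp("2007-09-28T12:00:00Z")
    print("store now:", handle_location(SAMPLE_PIDF_LO, received, "store"))
    print("forward:", handle_location(SAMPLE_PIDF_LO, received, "forward"))
    print("kept after expiry:", len(purge_expired([SAMPLE_PIDF_LO], parse_timestamp("2007-09-30T00:00:00Z"))))
```

The design point is that the decision is taken from the rules bound to the data itself, so a downstream system that never saw the user's full policy still cannot keep the location past its expiry or pass it on; the `external-ruleset` URL is where a more complete policy would be fetched from, which this example deliberately does not do offline.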

(iv) Genetics and biobanking [21]

Biobanking can involve collection of extremely personal information relating to the health of individuals, raising serious privacy concerns. On the other hand, access to that information is essential for health research, clinical treatment and forensic analysis. In some cases, such as with DNA, the data constitutes personally identifying information (PII) that may be difficult to strip of its identifying characteristics (or indeed may be much less useful without them). In other cases, such as with population genetics, data is collected for purposes of studying populations and need not be directly connected with identifiable individuals. Both kinds of cases raise numerous privacy concerns.

Data that is not “de-identified” may reveal very personal aspects of an individual’s health that could be used as a basis for discrimination if mechanisms controlling access to it and its uses are not closely enforced. De-identification or elimination of the possibility of re-identification may compromise the clinical and research value of the data for some purposes, but also seems difficult to guarantee as technological developments continually shift the ground in terms of what is possible relating to re-identification.
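The two preceding concerns (anonymizing data to limit re-identification, in the data mining discussion above, and the trade-off between de-identification and research value described here) can be made measurable. The following is an added example, not from the report, that checks a released dataset for k-anonymity: after direct identifiers are stripped, it counts how many records remain unique on their quasi-identifiers (and so could be matched to an outside list), then generalizes those fields until each record is indistinguishable from at least k others. The records, the field names and the generalization rules are constructed for this example.

```python
"""Measure and reduce re-identification risk with k-anonymity (added example)."""
from collections import Counter

# Constructed sample: fictitious health records. 'name' is a direct identifier;
# birth year, postal code and sex are quasi-identifiers that an outside list
# (voter roll, directory) could also contain; 'diagnosis' is the sensitive field.
RAW_RECORDS = [
    {"name": "A. Tremblay", "birth_year": 1971, "postal": "H2X 1Y4", "sex": "F", "diagnosis": "asthma"},
    {"name": "B. Roy",      "birth_year": 1974, "postal": "H2X 2K9", "sex": "F", "diagnosis": "diabetes"},
    {"name": "C. Gagnon",   "birth_year": 1978, "postal": "H2X 3L2", "sex": "F", "diagnosis": "asthma"},
    {"name": "D. Cote",     "birth_year": 1982, "postal": "H3A 1B1", "sex": "M", "diagnosis": "hypertension"},
    {"name": "E. Bouchard", "birth_year": 1985, "postal": "H3A 2C2", "sex": "M", "diagnosis": "asthma"},
    {"name": "F. Lavoie",   "birth_year": 1989, "postal": "H3A 0G4", "sex": "M", "diagnosis": "diabetes"},
]

QUASI_IDENTIFIERS = ("birth_year", "postal", "sex")


def strip_direct_identifiers(records, direct=("name",)):
    """Remove fields that identify a person on their own."""
    return [{k: v for k, v in r.items() if k not in direct} for r in records]


def equivalence_classes(records, quasi_ids=QUASI_IDENTIFIERS):
    """Group records that share the same quasi-identifier values; returns class sizes."""
    return Counter(tuple(r[q] for q in quasi_ids) for r in records)


def k_anonymity(records, quasi_ids=QUASI_IDENTIFIERS):
    """Size of the smallest equivalence class: every record hides among at least k."""
    classes = equivalence_classes(records, quasi_ids)
    return min(classes.values()) if classes else 0


def uniquely_identifiable(records, quasi_ids=QUASI_IDENTIFIERS):
    """Number of records alone in their class, i.e. linkable to an outside list."""
    classes = equivalence_classes(records, quasi_ids)
    return sum(1 for r in records if classes[tuple(r[q] for q in quasi_ids)] == 1)


def generalize(record, year_bucket=10, postal_prefix=3):
    """Coarsen quasi-identifiers: birth year to a decade, postal code to its prefix.

    This is where research value is lost: an analyst can no longer study exact age
    or neighbourhood, which is the trade-off the report describes.
    """
    g = dict(record)
    g["birth_year"] = f"{(record['birth_year'] // year_bucket) * year_bucket}s"
    g["postal"] = record["postal"].replace(" ", "")[:postal_prefix]
    return g


def deidentify(records, k_required=3):
    """Release stripped records if they already meet k; otherwise generalize first."""
    stripped = strip_direct_identifiers(records)
    if k_anonymity(stripped) >= k_required:
        return stripped
    generalized = [generalize(r) for r in stripped]
    if k_anonymity(generalized) < k_required:
        raise ValueError("generalization insufficient; suppress records or coarsen further")
    return generalized


if __name__ == "__main__":
    stripped = strip_direct_identifiers(RAW_RECORDS)
    print("names removed, k =", k_anonymity(stripped), "unique records:", uniquely_identifiable(stripped))
    released = deidentify(RAW_RECORDS, k_required=3)
    print("after generalization, k =", k_anonymity(released), "unique records:", uniquely_identifiable(released))
```

Removing names alone leaves every record unique on its quasi-identifiers, which is the situation the report warns about; the check also shows that what counts as "sufficiently de-identified" is a number that has to be re-evaluated whenever a new outside dataset becomes linkable.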

While cross-jurisdictional collection of data may yield important benefits in terms of amassing databases from which meaningful healthcare related results can be more quickly derived, ethical questions arise in terms of the robustness of the consent being obtained from data subjects from one jurisdiction to another. One mechanism, which is used by research platforms like Quebec's, allows databases to be set up so that data from individuals who withdraw their consent at any point in time can be removed from the system.[22]

These kinds of efforts notwithstanding, biobanking raises serious questions about the continuing viability of a conceptual framework premised on individual consent and property-based notions—even in the context of health based research and treatment. Socially based concerns as to secondary uses of banked data and the potential for group-based profiling are not easily answered by a system that focuses on obtaining individual consent, even if a system were devised to revisit consent each time a subsequent use of the data is made.

(v) Ubiquitous computing [23]

As individuals take up technologies such as cell phones, RFID and GPS, our world is rapidly becoming one of information emanation and ad hoc networks as our devices both transmit data about us and search for data about others in our vicinity. These invisible electronic handshakes can make transacting with one another faster, simpler and easier. Individuals, for example, may perceive a benefit in being targeted for advertising about items of interest to them in retail shops as they pass by on the street and may feel comforted that they can more easily and automatically locate their loved ones when they are away from home. Marketers also clearly understand the benefits of targeted location-based marketing.

This world of information emanation and reception, however, raises serious privacy concerns. Will it be possible for individuals to take the benefits of ubiquitous computing without completely compromising the privacy of their own data? One response to this is a technological one—the “personal privacy appliance” (PPA). Individuals could use their PPAs to bank personal data about themselves and their transactions, but they would be able to set the device so as to limit others’ access to the data. One could then, for example, set the PPA to distinguish between data mining by retail marketers and requests for information by family members. Another privacy enhancing feature might be to program the device to signal its owner where she or he is at risk of releasing information that could personally identify him or her.

Ubiquitous computing also challenges legal constructs surrounding privacy. Historically, Canadian law has notionally arranged privacy interests hierarchically, with the highest level of privacy accorded to the body and lower levels being accorded, respectively, to locations and then to information. In a world of ubiquitous computing where devices on our bodies (or, indeed, even our bodies themselves) are transmitting data about us as we move between locations, these categories become increasingly blurred. To the extent that the privacy interests at play are analysed primarily as informational ones, we risk an ever-diminishing level of protection for privacy in Canadian law.

The world of ubiquitous computing may push the development of law away from individualistic proprietary notions where privacy turns on individuals’ choices about controlling “their” data. Rather than simply putting privacy into the design technologically, in the Canadian context, ubiquitous computing is pushing us toward redesigning our existing conceptions of privacy. One aspect of this redesign will be thinking not only about the ways in which individuals can control access to and use of information that personally identifies them, but also the aggregation of non-personally identifying information that is used to create cultural constructions affecting individuals and groups in society. The European approach to privacy as a fundamental human right provides excellent guidance for the process of redesign.

(vi) Nanotechnology [24]

Nanoscience involves working with the atoms that comprise matter. One significant feature of nanoscience is that the properties of matter, such as how its particles move and how quickly they move, change at a certain level of minutia. This makes it difficult to predict how the nature and behaviour of matter will change on the nanoscale, i.e. at the level of the atoms within matter. Being able to manipulate matter at the atomic level opens up opportunities for creating new kinds of structures and beings.

Nanotechnology involves the design, characterization, production and application of structures. Nanotechnology is in the phase of investigation and discovery, due in part to the prohibitive costs currently associated with working at the nanoscale. In addition to presenting the opportunity for exponential increases in storage capacity and computing speed, nanotechnologies may raise bio-ethical questions insofar as they might permit us to collect and examine “data” about persons at the atomic level.

The privacy implications coinciding with an increased ability to control matter at the nano scale are potentially enormous—simplified passive tracking without the knowledge of the individual being tracked, and citizens involved in evermore intrusive surveillance of other citizens being only two. Some legal and privacy advocates at the conference suggested the need for modernization of regulatory instruments and the development of an international convention designed to integrate privacy principles with the development of nanotechnology, rather than privacy regulators waiting to react to nanotechnologies separately developed by private institutions. Like many of the other technologies discussed at the conference, another aspect of the challenge for today’s regulators is not knowing what tomorrow’s applications will be.

(vii) Standard setting [25]

Standard setting provides one opportunity for the kind of multi-sectoral collaboration between the privacy community and technologists that is suggested in the context of RFID, nanotechnology and ubiquitous computing. New technologies are created in accordance with technical standards that have largely been set by members of the technology community. Within that community, hardware standards are primarily set by the International Electrotechnical Commission (IEC) and software based standards are largely developed by the International Standards Organization (ISO). A Joint Technical Committee has been established to bridge the gap between these two standard setting bodies. Typically, the development process takes place in a 6 to 12 month window, after which the standards are published and implemented. Dialogue between privacy community stakeholders and technologists within the development window is essential to ensure that privacy principles find their way into the design and implementation of technologies.

Examples of these kinds of dialogue between certain privacy community stakeholders and technologists have begun to emerge in recent years. The International Security Trust and Privacy Alliance (ISTPA), comprised of various institutions and technologists, has been working to develop a technical framework for information technology systems that operationalizes privacy principles derived from a number of regulatory sources. Opportunity for dialogue between data and privacy commissioners and industry standard setting bodies was also opened by the 2004 Poland Resolution,[26] which suggested a need for an international privacy standard and also articulated privacy principles essential to developing that standard. Adoption of a single standard offers the possibility of determining whether the privacy commitments voiced by various businesses are, in fact, being implemented.

C. Future generations [27]

The online world forms a seamless part of the social space of children and youths. Some early studies of youth online presented a relatively optimistic vision of the sophistication of youth and children in online spaces. However, it is becoming increasingly obvious that online business models directed at data mining in relation to adults are also being applied in spaces predominantly populated by children and youths. Numerous websites targeted at children collect personally identifying information, as well as other detailed information about children’s preferences, in order to construct profiles that allow the sites to better market to children. Parental supervision of children’s online activities tends to be limited by a number of factors, including the difficult-to-understand privacy policies employed by these sites, as well as a generation gap that in many cases means children are more adept at using and more familiar with technologies than are the adults in their lives.

In addition, while youths are concerned about their privacy, they tend to perceive their privacy differently from adults. Youths’ primary privacy concerns online have tended to relate to keeping information about themselves away from people that they know. Widespread dissemination of images and personal information may be perceived by them as less risky in terms of their privacy than communication of that same information to their “real space” family and friends. As a result, we see a growing trend of self-exposure online by youths, as well as the dissemination of images and information by youths about other youths in their lives. A MediaAction study on youth privacy issues and Facebook is forthcoming.[28]

In this atmosphere, multi-sectoral international collaboration in raising awareness and imposing limitations on deceptive practices is critical. The EU has engaged in a number of measures designed to address these concerns, including the 1997 Green Paper, its 1999 COE Action Plan and the 2005 EU Council directive on safer internet use.[29] Members of civil society have also been actively engaged in developing educational initiatives, some of which are outlined below in Part II(A)(iii).

D. Internet crime [30]

The conference session on public safety focused on Internet crime, with a particular emphasis on domestic violence, stalking, fraud and online theft.

Privacy enhancing technologies have played a dualistic role in domestic violence and stalking. On one hand, privacy-invasive technologies have been used to perpetrate abuse. Offenders have relied on keystroke loggers and spyware to track survivors’ uses of computers; in some cases interfering with attempts to locate shelters or other sources of assistance. In addition, stalkers have used geolocational devices and purchased data obtained by data brokers under pretext in order to locate their victims.[31]

On the other hand, privacy-enhancing technologies, such as call-spoofing (to prevent identification of the caller), have been relied upon by stalkers to prevent their victims from screening out their calls. These kinds of cases notwithstanding, privacy-enhancing mechanisms have been critical for some women fleeing from violence. The importance of safeguarding the personal information of survivors who have sought safety in shelters is the central focus of U.S. legislation[32] that, among other things, limits the collection of identifying information about survivors using social services and shelters.

Symantec gathers information globally regarding online threats such as fraud and theft. It uses some 2 million decoy accounts to attract and monitor spamming and phishing programs that are designed to infiltrate users’ accounts, predominantly for purposes of retrieving financial data. Given the value of financial information, such as credit card and banking data, enabling privacy invasions online has become a business, with software intended for use in criminal activities, such as MPack, being professionally developed and sold.

Privacy invasions online are now being carried out in stages, with focus on infiltrating trusted websites that then unknowingly transmit them to users accessing those sites. The first stage in infecting a system with spyware or malware, such as Nimda or Blaster, is establishing a location on the system. The key logger or malicious code is then installed in a later attack. Trojans are the number one type of malicious code being installed in North America. Once they have infiltrated a system and are downloaded by users accessing that system, they are used to take personal information.

Since financial service companies are likely to be primary targets due to the large quantities of personal data that they retain, it is critical for these organizations to have detailed security policies in place not only for computers, but also for all kinds of storage media, including iPods and cell phones. For these organizations, leaks and infiltration can negatively affect thousands of people (e.g. the TJX case).33

II. THE DRAGON SLAYERS/TAMERS/BEFRIENDERS

In virtually every session of the conference, participants discussed the central need for multi-sectoral, inter-jurisdictional collaboration to address the serious threats posed to privacy in a world of increasingly ubiquitous computing technologies and tracking. More specific initiatives discussed included privacy seals, de-identification, audits and privacy impact assessments (PIAs).

A. Multi-sectoral, inter-jurisdictional collaboration

There appeared to be unanimity that the privacy-related challenges posed by increasingly ubiquitous computing necessitate contributions from and collaboration between a variety of stakeholders, including data and privacy commissioners, members of civil society, businesses, and users from around the globe. Conference participants were presented with an impressive collection of initiatives and techniques from across and among numerous sectors.

(i) The London 2006, APEC and OECD initiatives

Multilateral initiatives designed both to establish privacy principles and to encourage cooperation in enforcement across jurisdictions have proliferated in recent years. Key among those mentioned at the conference were the 2006 London Initiative, the APEC Privacy Framework and the OECD Guidelines.

In 2006, Data and Privacy Commissioners at the 28th International Data and Privacy Commissioners Conference in London supported what is now known as the “London Initiative”. Pursuant to the Initiative, data and privacy commissioners agreed to:

  1. coordinate their efforts in developing communication activities on the basis of common ideas;
  2. adapt their practices and methods by assessing their efficiency and effectiveness and reinforcing capacities of technical expertise, anticipation of trends and intervention in the technological field; and
  3. contribute to the institutional recognition of DPAs at the international level and promote involvement of other stakeholders nationally and internationally.34

That Initiative expressly recognizes the need for inter-jurisdictional and multi-sectoral collaboration and takes the initial steps toward formalizing its implementation. Several earlier manifestations of these kinds of efforts were discussed on numerous occasions during the conference, particularly the APEC Privacy Framework and the OECD Guidelines.

In June 2007, at the Sydney Summit, 13 of the 21 economies that comprise APEC agreed to participate in a pathfinder project relating to cross-border privacy. The project arises from the 2004 ministerial approval of the APEC Privacy Framework identifying 9 basic principles relating to privacy, including: accountability, access, correction, security and safeguards.35 The main objectives of the pathfinder are five-fold: (i) promoting a conceptual framework of principles on how cross-border rules should work across economies; (ii) promoting development of a consultative process on how best to include stakeholders; (iii) promoting development of practice documents and procedures, such as self-assessment forms and review criteria; (iv) exploring how various documents and procedures will be implemented; and (v) promoting education and outreach.36 In addition to the pathfinder, there is a strong emphasis on education and collaboration with OECD privacy initiatives.37 An important feature of these initiatives is an expanded focus on data minimization, rather than simply on use and retention.

(ii) Privacy by design

The concept of “privacy by design” builds upon the overall theme of multi-sectoral, inter-jurisdictional collaboration by stressing the need for interaction between business, technologists and data and privacy regulators. A number of examples of these kinds of initiatives were highlighted by various presenters at the conference. Members of the privacy community were involved in technical standard setting initiatives such as the ISTPA “Analysis of Privacy Principles” and the 2004 Resolution in Poland.38 Initiatives from within the technology community itself include the development of GeoPriv standards39 and research relating to the development of personal privacy appliances;40 both of which are oriented toward providing individuals a greater degree of control over the data emanations associated with location-based technologies. Recent proactive initiatives by privacy and data regulators have included the issuance of privacy guidelines relating to RFID and to privacy by design principles by the Office of the Information and Privacy Commissioner of Ontario.41

(iii) Civil society initiatives42

In conjunction with the conference, a special civil society forum was convened on 25 September 2007. Arising from that forum and tabled for the Commissioners at the conference was the “Declaration of Civil Society Organizations on the Role of Data Protection and Privacy Commissioners”.43 The Declaration recommends, among other things, a broadening of the missions of commissioners, an increase in proactive efforts by commissioners to encourage governments not to lower standards, and attention to concerns regarding the security establishment and commercial services. The Declaration emphasizes the need for fast action and concerted efforts to prevent routine tracking of individuals’ movements.

A key concern of civil society is the challenge of capturing the hearts and minds of a broader section of the public concerning privacy. Members of civil society are engaged in addressing the challenge of privacy threats on a number of levels:

  • bringing test cases before commissioners and in courts;44
  • educational campaigns and awareness raising, including:
    • organizing political protests by, among other things, relying on online social networking systems to create interest and establish communities;
    • holding governments and commercial organizations to account by monitoring ongoing privacy-related activities and invasions;45
    • better understanding how children and youths operate in the online environment and developing accessible, easy-to-understand multi-media mechanisms for communicating to children and youth about privacy concerns online;46
    • academic efforts to re-characterize the “nature” of privacy as something other than simply an individual right against government surveillance in order to develop public appeals; and
  • carrying out research on privacy-related issues, sometimes through funding provided by commissioners’ offices.

Members of civil society seek dialogue with data and privacy commissioners on an ongoing basis, including at future conferences such as this one.

B. Privacy Seals47

Privacy seals offer commercial operations trustmarks designed to flag for consumers the operation’s compliance with certain privacy standards. Seals can provide consumers with information about the privacy practices of the services that they use in a way that is less complicated and easier to understand than reading the fine print of a typical privacy policy. Two organizations, TrustE from the U.S. and PriSE from Germany, provided insight on the operation of their privacy seal programs.

TrustE sets privacy standards designed to, at minimum, meet legal requirements in the U.S. The organization audits applicants to determine whether they meet the standard. Organizations that meet the standard are then eligible to receive privacy seals that become a mark of trust for consumers. TrustE monitors organizations that have received its seal to ensure continuing compliance, and provides a complaints mechanism and alternative dispute resolution to deal with issues arising between sealholders and consumers.

PriSE employs independent experts who assess applicants for compliance with privacy and information technology security regulations. The expert then issues a report that is assessed by PriSE in order to determine whether the organization’s product should receive the PriSE seal. PriSE has issued 40 certifications since 2003 and in 2007 commenced a Europe-wide project called EuroPrise that has both public and private participants. The concept is to allow organizations to take seals from local to Europe-wide levels in pilot projects in the U.K., Slovakia, Austria, Spain and Sweden. The certification lasts for two years, with renewal contingent on passing a subsequent evaluation.

Both organizations recognize the risk of fraudulent use of seals and are looking at verification mechanisms for combating this problem.

C. De-identification48

De-identification of data involves its modification to ensure that the data cannot be connected to an identifiable individual. Some suggest that the privacy concerns of individuals and research ethics boards are reduced if data cannot be linked to identify the individual from whom it derives, while others maintain that identifiability is only one of a host of privacy concerns arising from data collection, use and retention. De-identification was largely discussed at the conference in the context of health-related data.

A foundational problem with de-identification is the absence of a single set of heuristics for predicting whether de-identified data could lead to re-identification of the individual with whom the data is associated. Much depends upon the size of the data set and the mode of attack on the databases holding the information. A study using 1990 U.S. Census summary data by Latanya Sweeney showed that 87% of Americans “had reported characteristics that made them unique based only on” their zip code, gender and date of birth.49
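As an added illustration (not from the report or any presenter), the following Python measures the uniqueness problem described above on a small constructed extract: it counts records that are unique on the zip code / gender / date-of-birth combination, then shows how generalizing those fields raises the minimum group size (the k-anonymity notion, which the report itself does not name), and flags groups whose members all share one diagnosis, where the sensitive value is still disclosed. The records, field names and helper functions are all constructed for the example.

```python
"""Re-identification risk on a constructed 'de-identified' health extract.

The quasi-identifiers are the three fields cited in the Sweeney study
(zip code, gender, date of birth). Names have already been removed,
yet most records remain unique on those three fields alone.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Iterable


@dataclass(frozen=True)
class Record:
    zip_code: str
    gender: str
    dob: str        # ISO date, YYYY-MM-DD
    diagnosis: str  # the sensitive attribute released for research


# Constructed sample extract (fictional values, for illustration only).
SAMPLE = [
    Record("02139", "F", "1971-03-12", "asthma"),
    Record("02139", "F", "1971-03-12", "diabetes"),
    Record("02139", "M", "1971-03-12", "asthma"),
    Record("02139", "M", "1971-09-01", "hypertension"),
    Record("02141", "F", "1984-11-02", "hypertension"),
    Record("02141", "F", "1984-07-30", "asthma"),
    Record("02142", "M", "1959-01-17", "diabetes"),
    Record("02142", "M", "1959-06-23", "asthma"),
    Record("02142", "F", "1959-06-23", "asthma"),
    Record("02142", "F", "1959-12-05", "asthma"),
]

QuasiId = Callable[[Record], tuple]


def exact_qi(r: Record) -> tuple:
    """Full-precision quasi-identifiers, as they appear in the raw extract."""
    return (r.zip_code, r.gender, r.dob)


def generalized_qi(r: Record) -> tuple:
    """Coarsened quasi-identifiers: 3-digit zip prefix and birth year only."""
    return (r.zip_code[:3], r.gender, r.dob[:4])


def equivalence_classes(records: Iterable[Record], qi: QuasiId) -> Counter:
    """Size of each group of records sharing the same quasi-identifier tuple."""
    return Counter(qi(r) for r in records)


def unique_fraction(records: list[Record], qi: QuasiId) -> float:
    """Share of records whose quasi-identifier combination occurs only once."""
    classes = equivalence_classes(records, qi)
    unique = sum(1 for r in records if classes[qi(r)] == 1)
    return unique / len(records)


def k_anonymity(records: list[Record], qi: QuasiId) -> int:
    """Smallest group size: the extract is k-anonymous for exactly this k."""
    return min(equivalence_classes(records, qi).values())


def linkable_records(records: list[Record], qi: QuasiId, known: tuple) -> list[Record]:
    """Records an intruder holding `known` (a QI tuple taken from some other
    source, e.g. a public register) could match; a single hit re-identifies."""
    return [r for r in records if qi(r) == known]


def homogeneous_classes(records: list[Record], qi: QuasiId) -> list[tuple]:
    """Groups whose members all carry the same diagnosis. Even when k > 1,
    matching anyone into such a group reveals their sensitive value."""
    by_class: dict[tuple, set[str]] = {}
    for r in records:
        by_class.setdefault(qi(r), set()).add(r.diagnosis)
    return [key for key, diagnoses in by_class.items() if len(diagnoses) == 1]


if __name__ == "__main__":
    for label, qi in (("exact", exact_qi), ("generalized", generalized_qi)):
        print(f"{label:12s} unique={unique_fraction(SAMPLE, qi):.0%} "
              f"k={k_anonymity(SAMPLE, qi)} "
              f"homogeneous={homogeneous_classes(SAMPLE, qi)}")
```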

Further, aggregated de-identified data is less valuable in many fields of medical research, especially in genetics and genomics. Even if one were to strip genetic data of what we now believe to be all information other than that which is necessary to study a particular illness or defect, we may later find that, in fact, other information is revealed.

Numerous mechanisms for balancing the public interest in health research with the public and private interests in privacy in health data and information in instances such as these were discussed at the conference.

Other options include limiting the communities within which the data can be shared, increasing independent oversight of the use of the information and/or sanctioning misuse, including in relation to intruder attempts at re-identification. Perhaps the most focused-upon alternative was in finding mechanisms for obtaining robust consent from the data subject, consent that anticipates the possibility of different kinds of uses and outcomes relating to the data arising in the future. A recent publication by Willison et al.50 chronicles a study of patient attitudes toward use of their data. While the subjects surveyed indicated a high level of trust in the bodies that collect their health data, most would like to have a say on the ways in which their data is used in the future. This suggests the need for a mechanism to obtain consent on an ongoing basis, rather than the current binary model based on obtaining consent for a particular use of data upon its collection. As will be discussed in further detail in Part III(c)(i) below, however, concerns have been expressed about approaching these issues from the perspective of individual consent.

D. Audits51

Privacy audits provide an opportunity for checking in on organizational compliance with privacy regulations and standards on a regular basis. They may be conducted in a proactive fashion or in reaction to complaints. Both public and private systems of auditing were addressed at the conference.

The power of data privacy commissioners to audit for privacy compliance varies from jurisdiction to jurisdiction. The data privacy commissioners for Spain, the U.K. and Canada all have audit powers, although the authority of the Canadian commissioner is subject to the determination of reasonable grounds in the private sector. Audits by public regulators provide opportunities for promoting compliance, good privacy practices and for dialogue with and education of private organizations.

As cross-border data flows become an increasingly prevalent aspect of private business models, cooperative auditing efforts between commissioners from different jurisdictions have taken on renewed significance. The 2002 EU Commission model contract for international data transfers allows a commissioner to audit the importer of data emanating from an organization within his or her jurisdiction using the same techniques and tools available to that commissioner in relation to the exporter of that data.52 This power was relied upon as the basis for the Spanish Data Protection Agency to conduct an audit relating to the security and use of data exported from Spain to Colombia, which ended in a finding of general compliance.53

In the U.S., audit-type functions are performed by the Federal Trade Commission (FTC), which focuses on unfair and deceptive practices. The FTC’s approach is a multi-pronged one, including auditing organizations’ privacy practices where a complaint of an illegality (such as a deceptive trade practice) has been made. In these investigations, the FTC relies on outside auditors. The FTC’s approach is a purely reactive one in this context, although it spends significant time on education initiatives trying to assist private organizations to develop and implement privacy policies.

On the private side, the Canadian Institute of Chartered Accountants (CICA) has developed generally accepted privacy principles for accountants that set a North American standard. The 10 principles include 60 measurable criteria set up to allow for internal or external evaluation of compliance by private enterprises. Although the standards reflect legal requirements in North America, the principles are not designed to provide for an audit of legal compliance. IBM has developed its own internal privacy assessment tool consolidating privacy requirements from around the world into the tool, which is then used to assess corporate compliance with those standards.

E. Privacy impact assessments (PIAs)54

PIAs are designed to ensure that governments assess and monitor how their initiatives and programs affect individual privacy. Reports on PIAs can operate to create transparency and provide opportunities to monitor agency compliance with privacy principles.

All federal government institutions listed in the schedule to the Privacy Act, except the Bank of Canada, are required to conduct PIAs in relation to new programs and services that affect privacy. The Office of the Privacy Commissioner of Canada provides initial consultation, reviews PIAs and may issue comments and recommendations relating to them. That Office recently released an audit of departmental compliance with the federal government’s Privacy Impact Assessment (PIA) Policy55 and is actively working with Treasury Board officials as they review their policies to improve the PIA process.

Operational difficulties with PIAs include a lack of resources and expertise in preparing and monitoring PIAs within government agencies. In order to address these kinds of issues, conference participants recommended better tailoring of requirements to fit the size and scope of the projects to which they attach, providing clear guidance on what PIAs are and what role they are intended to play, and clearly setting out the roles and obligations of the various players. Managers within government tasked with ensuring compliance must be provided with the training and expertise to understand consultants’ reports, regardless of whether a commissioner will be simply reviewing or actively approving the report. The Office of the Information and Privacy Commissioner of Ontario has established a PIA centre of excellence to build expertise within government.56

Several factors are critical to operationalizing PIAs effectively. PIAs themselves must present a logical treatment of relevant topics, and be comprehensive, accurate, and couched in plain language. It is essential that they be premised upon the relevant legal requirements that apply and that they be kept up to date and monitored. The U.K. Information Commissioner’s Office released a comprehensive PIA handbook at its Surveillance Society Conference on 11 December 2007.57

III. RECURRING THEMES

Certain themes emerged time and again at the conference, providing important strategic and conceptual links across the broad and diverse range of “dragons” and “dragonslayers” canvassed. The centrality of multi-sectoral, inter-jurisdictional partnerships and collaboration in an era of seemingly unceasing data emanation, collection, storage and transfer without regard to borders was touched on in virtually every session. As we confront the threats posed to privacy in this brave new world, there seemed to be unanimity on the need for dialogue and strategizing among regulators, technologists, members of civil society, users and business. The commitment of data and privacy commissioners from around the world to development of this collaborative vision is evident in everything from the London Initiative of 2006 through to the APEC Privacy Framework, the concept of “privacy by design”, and the inclusion of civil society organizations in dialogue and conferences such as this one.

Perhaps equally prevalent, however, was a sense that collaboration is simply a starting point. Representatives of stakeholders from many groups reflected on the importance of expanding upon common definitions of privacy, both in order to better capture the hearts and minds of the public and to develop and implement strategies that will safeguard central commitments underlying privacy protections. At least three kinds of conceptual issues were raised at various points in numerous sessions at the conference: (i) the meaning of privacy; (ii) the privacy vs. security dichotomy; and (iii) deficiencies in existing legal approaches in some jurisdictions.

A. The meaning of privacy

Conference participants in a number of sessions questioned the utility of two aspects of current conceptualizations of privacy in the wake of the emerging ubiquitous computing environment. First, numerous participants suggested that a conception of privacy as relating solely to personally identifying information (PII) was likely to be overtaken by technology. The suggestion was graphically illustrated in the contexts of discussions on RFID, location-based tracking, genetics and biobanking, and ubiquitous computing. We may, in a world of limited flows of data or limited access to data flows, take some comfort in the idea that certain data in isolation are not conducive to identification of an individual. However, as previously discussed, the Sweeney study demonstrated that with only three pieces of data (zip code, gender and birth date), 87% of Americans were uniquely identifiable.58 As we move into a space where individuals carry data-emanating devices like RFID, GPS and cell phones, and technologies make possible the storage and accessing of increasing amounts of data, the challenge of defining “PII” becomes increasingly complex. Data that does not seem to be PII today may well become PII tomorrow, simply by virtue of the emergence of new data sources with which to combine it. The same concern holds true in the context of genetics and biobanking, where data that appears to be de-identified for today’s purposes may, as a result of technological developments, become re-identifiable tomorrow.

The conceptualization of privacy solely in terms of PII was linked to a second concern expressed at the conference about the North American tendency to view privacy solely as an individual right against state intrusion, which was juxtaposed with the European approach to privacy as a human right and an essential component of human dignity. We may well be concerned about the privacy implications of many kinds of technology not only from the perspective of their impact upon individuals, but also upon society more broadly. These kinds of concerns were clearly articulated in the conference sessions on ubiquitous computing and location-based tracking. Speaking about the impacts of ubiquitous computing, David Phillips suggested that we ought to think about questions surrounding data emanation, collection and retention as part of distributed cultural production.59 He suggested that individuals have an interest in data not only in terms of whether it could be used to personally identify them, but also in terms of how that data is used and combined with that of others in order to influence the culture in which they live.

The use of data collected from various individuals as the basis for developing group profiles might be thought of as one compelling example of how data is being used as a basis for producing and reproducing culture. David Lyon specifically addressed group profiling in the context of data collected through location-based tracking technologies. He pointed to the ways in which data collected about individuals is aggregated in order to profile and sort people into social groups. He predicted that these kinds of sorting would have broader social effects, with particularly negative consequences for the already most marginalized groups in society.60 In this way, it is not only the individual whose data is initially collected that is affected. Other members of the groups that will be profiled through data aggregation, the groups themselves and society at large also stand to be affected.

A consensus was building at the conference that policy underlain by a conception of privacy as a human right, rather than simply as a right against intrusion relating to information about an identifiable individual, may well be better suited to meaningfully address the challenges to be confronted in an era of escalating data emanation, collection and surveillance. It might also provide a useful platform from which to better engage the public because it expresses privacy as a social value extending beyond the protection against being individually identified. While there continue to be excellent reasons to be concerned about the use of data to identify and track individuals, this kind of approach alone may fail to capture the imagination of a significant segment of the population who believe they have “nothing to hide”.

B. Privacy vs. security

In the post 9/11 world, we are consistently confronted with the proposition that democratic societies ought to be willing to trade privacy for improved security, as if one is inevitably pitted against the other. Given all of the publicity about the risks posed to the physical safety of the public, many members of the general public are only too willing to give up privacy in order to enhance security. The dichotomy between privacy and security then becomes a useful rhetorical device not only for securing en masse concessions of privacy, but for drawing into question the motives and strategies of those advocating for strong privacy protections. Conference participants approached the dichotomy in at least two different ways.

First, privacy vs. security was challenged as a false dichotomy, although opposing motivations for challenging the dichotomy were evident. DHS Secretary Michael Chertoff61 relied on the false dichotomy analysis as the basis for justifying DHS’ increasingly intrusive border control policies. Secretary Chertoff suggested that passenger pre-screening actually minimized privacy invasions on the vast majority of the public by reducing the number of passengers who would be subject to secondary examinations at the border. This kind of analysis may well have an appeal to many individual members of the public who understand themselves to be one of the many who have “nothing to hide”. However, the analysis fails to take into account the broader social implication of the accumulation and retention of data not simply for the purposes of dealing with individuals, but for the purpose of sorting and profiling whole categories of people.

Barry Steinhardt of the ACLU62 also made a case for questioning the privacy vs. security dichotomy, but for reasons quite opposite to those of Secretary Chertoff. Steinhardt noted that the dichotomy seems to presume a correlation between less privacy and greater security. As he ably demonstrated, however, we have very little evidence that massive privacy concessions have yielded security gains, and there are no systems in place designed to monitor or quantify the effectiveness of the purported trade-off.

Bruce Schneier, who also questioned whether less privacy was actually yielding greater security, offered conference participants a slightly different perspective on the privacy vs. security dichotomy.63 Schneier suggested that privacy vs. security is simply the wrong dichotomy. The real issue at stake is liberty vs. control. As we move into an era in which transaction records are available for almost every interaction and those records are held by third parties rather than the data subjects from whom they emanate, individuals are increasingly deprived of control over their own information. As both members of the private commercial sector and the law enforcement community recognize the value of accessing these storehouses of data, individual liberty hangs in the balance. Approaches of this kind led a number of conference participants to consider the ways in which technological developments are challenging the adequacy and continuing validity of legal approaches to privacy in many jurisdictions.

C. Deficiencies in existing legal approaches

Participants in many conference panels, from data flows to data mining to location-based technologies to biobanking, raised important concerns not only about the inadequacy of current individualistic conceptions of privacy, but also the ways in which these concepts are operationalized. Four of these will be focused upon here: (i) “consent”-, “control”-, “property”-based models of privacy; (ii) the structuring of legal regulation around physical territories; (iii) models focusing on data retention and use, rather than minimization; and (iv) the Canadian hierarchical model of privacy interests.

(i) “Consent”, “control”, “property” based models

One theme that emerged clearly at the conference was that a legal privacy model that treats data as the property of individuals who seek to control their property may well become obsolete and ineffective in safeguarding fundamental aspects of human dignity and broader social visions of a properly functioning democracy that underlie privacy protections. Both practical and principled concerns were raised by conference participants in this regard.

On the practical side, many conference participants expressed concerns about the adequacy of notice upon which “consent” to data collection, use and retention was being given. In the context of the panel relating to children’s online experiences, serious concerns were raised as to whether children or their parents were being given adequate disclosure of commercial privacy and data use policies in sufficiently plain language for them to be understood.64 Concomitant with concerns about the adequacy of notice in the first instance, a number of speakers discussed the difficulties in explaining secondary uses in a manner that is understandable to users.65 In the context of genetics and biobanking, concerns were expressed about the degree to which binary models take data subject consent into account only at the collection stage and the difficulties associated with developing models designed to allow for a revisiting of subject consent in relation to proposed subsequent uses.66 Finally, in the context of inter-jurisdictional data flows, the reality may be that the privacy expectations of users who “consent” to the collection of their data in one jurisdiction may well be compromised by the flow of their data for storage or analysis in another jurisdiction with quite different privacy norms and regulations.67 Thus, even if one remained conceptually committed to an individual “consent”-based model of legal governance, its implementation is inhibited by very real practical problems that are only likely to be exacerbated by the increasing ubiquity of computing.

Principled concerns as to the conceptual adequacy of the individual “consent”-based model were also raised. In the context of ubiquitous computing, concerns were raised about the desirability of fundamental aspects of social relations of relevance to the community as a whole being relegated to matters of individual decision.68 Take, for example, the question of ubiquitous data emanation and reception. Once enough individuals have consented to having their data continually available for collection, we risk constructing a society in which the presumption of surveillance prevails in the absence of individual action to opt out. Similarly, there are important reasons to question the legitimacy of individual “consent”-based models that rely on a property-based conception of data. While we may be content with the idea that individuals “own” their own data (though their data is increasingly less and less within their “possession”), we should perhaps be less sanguine when it comes to data aggregation about communities as a whole. Knowing that in the context of both location-based tracking and genetics and biobanking individual data is sometimes relied upon to profile and sort communities of people (sometimes for their “benefit”), we might legitimately ask whether legal regulation premised on obtaining the consent of individual members of those communities constitutes adequate consent in relation to the characteristics and profile of the community as a whole. In short, who do the reputation and characteristics of entire communities “belong to”?

(ii) Legal regulation based on physical territories

The problems associated with legal regulation based on physical territories also emerged as a clear theme at the conference. Data flows premised upon business models with no regard for borders pose significant obstacles for legal regimes whose legitimacy has historically been delineated by physical territorial borders. As a result, it would appear that the kinds of inter-jurisdictional, multi-sectoral collaborative efforts discussed above will become increasingly critical in terms of the development and enforcement of legal standards.

(iii) Focusing on retention and use, rather than minimization

The importance of taking proactive stances with respect to data was another theme that emerged at the conference. Given the relative ease with which collected data can be analysed and monitored, both for purposes of private and public forms of surveillance, it seems logical for legal regulation to re-focus its efforts on minimizing data collection in the first instance. Moves toward this kind of proactive regulation are evident in the fair information practices applicable under Canadian privacy legislation,69 in the APEC Pathfinder project,70 and in U.S. legislation aimed at limiting the data collected by social service agencies and shelters from women escaping domestic violence.71 Data minimization initiatives could play an important role for retail and financial institutions, which store significant quantities of data that make them prime targets for online hacking, malware and fraud.72

(iv) Inadequacy of the Canadian hierarchical model

The Canadian legal system may face its own unique challenges in relation to privacy, at least with respect to the current approach to imposing constitutional limits on state powers of search and seizure. As Ian Kerr reminded conference participants, a considerable amount of Canadian jurisprudence on privacy has been developed in the context of challenges to searches and seizures by the state.73 Within that jurisprudence, privacy interests have been notionally categorized in descending order of importance from bodily to locational to informational.74 In a world of ubiquitous computing, where individuals emanate data about themselves and their locations, these categories become increasingly blurred. To the extent that claims dealing with “data” are reduced to claims falling within the “informational” category, legal protection for privacy in Canada may well be compromised. Legal decisions relating to privacy concerns formed outside of the context of the limitations on search and seizure, such as the recent Ontario Superior Court of Justice decision relating to adoption disclosure75, can provide important opportunities for developing a conception of privacy better informed by human rights considerations, rather than centrally oriented toward individual liberties.

CONCLUSION

Conscious that the Clock is ticking, as we pause to ponder the breadth and depth of the challenges that emerging technologies pose to privacy, and thus to basic human dignity and equality, it may be worth considering the dragon symbol pursued in Terra Incognita in a different light. The conference dragon evoked the medieval dragon of European and North American folklore: a lurking evil creature best slaughtered in order to protect the innocent masses. Ancient Asian cultures offer us a very different dragon: a shape-shifting symbol of power to be revered, a power capable of being exercised for good as well as for evil and, for those born in the Year of the Dragon, a power that lies within them.76 For those interested in protecting privacy and the values underlying it, this dragon may provide some guidance.

While it is clear that the external threats to privacy that come in the various shapes of globalization, emerging technology and Internet crime must be addressed, the dragons that lie within present perhaps the most stubborn obstacle. How the privacy community engages the hearts and minds of members of the broader community who believe they have nothing to hide, and who exhibit seemingly insatiable appetites for information about others, may well be as critical in the battle as any of the initiatives and techniques being developed to monitor and address data management practices.

As we work to modernize our regulatory instruments and re-think fundamental legal concepts once presumed to protect privacy, let us hope that our focus on terra incognita does not deter us from dealing with the dragons we know to lie among and within us all.

APPENDIX A

Resolution on the urgent need for global standards for safeguarding passenger data to be used by governments for law enforcement and border security purposes

29th International Conference of Data Protection and Privacy Commissioners
Montreal, Canada
September 25-28, 2007

Proposer: Der Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (Germany)

Co-sponsors:

  • Österreichische Datenschutzkommission (Austria)
  • Office of the Privacy Commissioner of Canada
  • Office of the Information and Privacy Commissioner of British Columbia
  • Office of the Information and Privacy Commissioner of Ontario
  • European Data Protection Supervisor (European Union)
  • La Commission Nationale de l'Informatique et des Libertés (France)
  • Landesbeauftragte für Datenschutz und die Informationsfreiheit Nordrhein-Westfalen (Germany - regional)
  • Garante per la protezione dei dati personali (Italy)
  • College Bescherming Persoonsgegevens (Netherlands)
  • Autoritatea Naţională de Supraveghere a Prelucrării Datelor cu Caracter Personal (Romania)
  • Agencia de Protección de Datos (Spain)
  • Federal Data Commissioner (Switzerland)
  • Information Commissioner (UK)

The conference recalls:
  • the communiqué adopted at its 24th international conference in Cardiff in 2002;
  • the resolution on the transfer of passengers' data adopted at its 25th international conference in Sydney in 2003; and
  • the declaration on the protection of personal data and privacy in a globalised world adopted at its 27th international conference in Montreux in 2005;

which recognise the balance that needs to be struck between the legitimate fight against terrorism and international crime, and the data protection and privacy rights of individuals.

The conference notes that:
  • passenger data is increasingly being sought by governments to be used in the fight against terrorism, illegal immigration, and other crimes without sufficient regard to the privacy and human rights of passengers;
  • some passenger data can be used to make inferences about religion, ethnicity and other highly sensitive matters;
  • many governments around the world are increasingly asking for more and more data from carriers;
  • carriers collect passenger data for commercial purposes and are being asked to provide it for law enforcement purposes;
  • carriers increasingly have to meet many and varied demands for data and comply with many and varied systems for transferring the data, which creates uncertainty among carriers and passengers about their rights and obligations, making it difficult for passengers to understand how their data is being used and creating risk that carriers may transfer data inappropriately;
  • these many and varied demands and systems incur costs for both airlines and passengers;
  • for carriers to meet these demands requires legal and technical consistency;
  • some carriers are still not fully complying with their obligations to inform passengers of the use and disclosure of their data; and
  • other global arrangements have been put in place to facilitate international air travel and there is an urgent need to develop global solutions that facilitate international travel while respecting the privacy rights of passengers.

The conference reaffirms that:
  • data protection and privacy rights, as enshrined in Art. 12 of the Universal Declaration of Human Rights and other legal instruments, protect individuals and their personal data and must be considered along with other rights in any proposals involving the transfer and use of passenger data for law enforcement purposes;
  • the processing of passenger data should be carried out within a framework that takes account of accepted data protection principles and standards;
  • any government proposals to use passenger data should show they are:
    • demonstrably necessary to address a specific problem;
    • demonstrably likely to address the problem;
    • proportionate to the security benefit; and
    • demonstrably less privacy invasive than alternative options; and
    should be regularly reviewed to ensure the measures are still proportionate;
  • the need to safeguard personal privacy in any developments remains an essential task not only for the worldwide data protection community, but all who are concerned about fundamental rights and freedoms; and
  • if governments do not take an approach which correctly weighs data protection and privacy concerns, there is a real danger they will start to undermine the very fundamental freedoms they are seeking to protect.

In the pursuit of global data protection standards for safeguarding passenger data to be used by governments for law enforcement and border security purposes, the conference calls for:
  • international organisations (such as IATA and ICAO), governments and carriers to work with data protection and privacy commissioners to adopt binding global solutions with appropriate data protection safeguards;
  • all government proposals to use passenger data to ensure that they are:
    • demonstrably necessary to address a specific problem;
    • demonstrably likely to address the problem;
    • proportionate to the security benefit; and
    • demonstrably less privacy invasive than alternative options; and
    should be regularly reviewed to ensure the measures are still proportionate;
  • any government programmes using passenger data should provide for data minimisation; explicit limits on use, disclosure and retention appropriate to the purpose of the programme; data accuracy; rights of access and correction; and independent review;
  • any solutions to take account of the legal, technical, financial and efficiency issues of carriers and authorities;
  • governments to be open and transparent about the purposes for which data is collected and used and to make sure all passengers, regardless of their citizenship or country of origin, are provided with access to their personal information and appropriate redress mechanisms;
  • carriers to adequately inform their passengers about any use and disclosure of their data to governments and law enforcement agencies, any use of no-fly or other watch lists, and the availability of redress with respect to use and accuracy of passenger data and related personal information; and
  • data protection and privacy commissioners to continue to work together to ensure appropriate data protection and privacy safeguards and to press for binding global solutions.

Explanatory note

Increasingly, the governments of different countries have sought to use passenger data as a tool to tackle terrorism, transnational crime and other crimes. This has led to differences in the data items demanded, the uses of the data, and the level of safeguards.

The character of international travel is such that a global approach is needed, and a global solution is urgently required to ensure appropriate levels of security and to inspire passenger confidence, while providing proportionate measures that include the necessary data protection and privacy safeguards.

While data protection and privacy concerns are the paramount issues that need to be addressed in any global solution, it also provides the opportunity for other legal, technical, financial and efficiency concerns of airlines and passengers to be taken into account.

Global standards can ensure fairness, consistency, legal certainty and safeguards for passengers and carriers alike. It is clear that carriers, law enforcement agencies, international organisations, civil society groups and data protection and privacy experts all need to be involved to come to this global solution, and the commitment of the data protection and privacy commissioners in taking the lead in pressing for such a solution is essential if any progress is to be made.

APPENDIX B

Declaration of Civil Society Organizations on the Role of Data Protection and Privacy Commissioners

Montreal, September 25, 2007

We the undersigned representatives of civil society groups, having gathered together in Montreal in advance of the September 2007 International Conference of Data Protection and Privacy Commissioners, have come to agreement on several important points that we would like to bring before the world’s privacy commissioners. We agree that:

  1. We are all witnessing the abandonment of our societies’ core values and rights of privacy and autonomy at an alarming rate.
  2. We are witnessing the creation of an unprecedented infrastructure for the global surveillance of individuals and groups. That includes the development of previously unimaginable systems to watch over our movement: the tracking of travelers, the profiling of passengers through vast data collection programs, including “passenger name record” databases, “advanced passenger information systems” and “entry-exit” schemes, and the imposition of new identity-tracking systems. We are witnessing the growing use of technology – including RFID (Radio Frequency Identification) tags, biometrics, DNA, data mining, CCTV (Closed Circuit Television), and many others – to track our movement within countries, communities, and even schools. We continue to uncover new ways in which our communications are becoming susceptible to eavesdropping. All these systems, and others, are driving an explosion of databases of personal information, along with new means of rapidly searching, combining, and judging the contents of those databases.
  3. These systems for surveillance are being constructed both by governments and the private sector. Alarmingly, there is a growing convergence between the surveillance activities of states and of private corporations.
  4. These systems are often developed without democratic debate, authorisation, or oversight. As a result, the claimed benefits of such systems are too often taken at face value, and they do not receive the scrutiny necessary to ensure that they interfere with our private lives only in ways that are necessary and proportionate.
  5. Our nations’ legal systems have largely failed to keep pace with the explosion of invasive new technologies. Elected representatives often lack adequate information about these developments, even when their consent is actually sought. In some of our countries, judicial institutions defer too often to the claims of executive authority, while in others they rarely hear cases on these issues because civil society groups lack the resources to bring challenges.
  6. We are witnessing a destruction of individual rights that is greater than the sum of all of these developments – an increasingly all-encompassing surveillance society.
  7. Although our nations have all faced far greater threats and crises than terrorism within living memory, our security establishments have aggressively used the threat of terrorism and international crime to increase their own powers and undermine existing legal protections for privacy – and they are increasingly working together across national boundaries to advance their mutual aims.
  8. The world’s privacy commissioners are uniquely positioned to defend our societies’ core values and rights of privacy in the face of this onslaught.

THEREFORE, we believe that stronger, more aggressive action by privacy commissioners is required to tackle this problem – that specific reports, warnings and enforcement actions, while often valuable, are not sufficient to address the enormity of the problem we face. In particular:

  • The world’s privacy commissioners need to significantly broaden their mission to incorporate a greater focus on the “big picture” of disappearing privacy, and a stronger engagement in the overall direction in which our countries are headed. Too many privacy commissions have become mere administrative agencies, or have been cowed by the security agencies’ aggressive use of the terrorism threat to justify rollbacks in our privacy.
  • We believe that the problem is urgent – that the pace of technology and the exploitation of the surveillance potentials it creates by the government and private sector mean that we must act quickly, before we are faced with the fait accompli of a total surveillance society.
  • The world’s privacy commissioners must increase their own collective efforts at protecting privacy to counterbalance the increasing cross-border efforts of the world’s security establishments.
  • There must be a more forceful effort by privacy commissioners in prodding their governments to resist pressure to weaken existing privacy standards, whether from the United States, other nations, or regional bodies. Within the global community, a single nation’s bad practice can degrade the privacy protections of all.
  • In particular, this effort should include more active engagement with the public and the media, and if necessary the courts. Privacy commissioners should demand that governmental actions affecting privacy be publicly debated and democratically decided. And privacy commissioners should actively fight for the creation of adequate oversight mechanisms to permanently protect the public against invasive programs.
  • Privacy commissioners should be more proactive in addressing the privacy impacts of commercial services before such services become too entrenched for action to be practical. And they should coordinate their efforts in what is an increasingly global marketplace.
  • There must be a concerted, cross-national effort to preserve fundamental human rights, and protect individuals from being routinely tracked in their movements and daily interactions, which are essential freedoms in a democratic nation.
  • To our governments, we also call for actions to strengthen the institutions of privacy and data protection by giving privacy and data protection commissioners greater authority and independence, and creating such institutions where they do not exist.

Signatories:

Notes:

  1. Folklore notwithstanding, it seems there is only one known instance of an explorer noting “here be dragons” on a map. Noted near the eastern coast of Asia on the Lennox Globe, circa 1503 (currently on display at the New York Public Library) is the phrase “Hc svnt dracones”. While references to animals, including the imaginary dragon, have appeared on other historic maps, it appears that the exact phrase “here be dragons” was found on only one. Moreover, some have connected the phrase with the term Marco Polo used in relation to certain parts of Asia—the Kingdom of the Dagroians, rather than with the term “dragon”: MapHist, “Where be Here Be Dragons?” online: http://www.maphist.nl.
  2. On September 17, 2007, the ACLU launched the Surveillance Society Clock to “symbolize the reality that we are fast approaching a genuine surveillance society in the United States. The clock is set at six minutes before the ‘midnight’ of a dark end to privacy”: ACLU, “ACLU Sets New ‘Surveillance Society Clock’ at Six Minutes Before Midnight” (17 September 2007), online: http://www.aclu.org/.
  3. The content in this section is derived from the following conference sessions: Michael Chertoff, Keynote Address (26 September 2007); Barry Steinhardt, Plenary 1, “Public Safety & Globalization Dragons” (26 September 2007) (http://www.privacyconference2007.gc.ca); Bruce Schneier, Plenary 1, “Public Safety and Globalization Dragons” (26 September 2007); and Michael Geist, Closing Plenary (28 September 2007).
  4. The PNR includes information about the name, address, passport number, phone number, flight details and method of payment for each passenger on an air flight. Airlines flying in the United States turn this information over to the DHS, which screens the information as a method for pre-assessing which passengers ought to be detained for more intrusive secondary questioning upon arrival in the U.S.
  5. Steinhardt, supra note 3; Schneier, supra note 3.
  6. For the full text of the Resolution, see Appendix A.
  7. The content of this section is derived from conference Information Session “Globalization Dragon – Data Flows and Data Mirroring” (26 September 2007), speakers: Martin Abrams (http://www.privacyconference2007.gc.ca), Benjamin Hayes and David Loukidelis.
  8. The content of this section is derived from the following conference sessions: Jacob Kohnstamm, Plenary 1, “Public Safety & Globalization Dragons” (26 September 2007); Workshop 3, “Spanning the Earth’s Four Corners” (27 September 2007), speakers: Peter Schaar, Michael Donohue, Gus Hosein, Peter Hustinx and Colin Minihan (http://www.privacyconference2007.gc.ca).
  9. Kohnstamm, ibid, see slide online: http://www.privacyconference2007.gc.ca.
  10. For further information on the concept of building privacy into technologies, see Ann Cavoukian, “Privacy by Design: A Crucial Design Principle” (17 September 2007), online: http://www.ipc.on.ca.
  11. The content of this section is derived from conference Information Session “Data Mining” (28 September 2007), speakers: Philippa Lawson, Peter Fleischer, Bradley Malin and Richard Rosenberg (http://www.privacyconference2007.gc.ca).
  12. See, for example, the presentation by Richard Rosenberg in conference Information Session “Data Mining” (28 September 2007), online: http://www.privacyconference2007.gc.ca.
  13. The weak prospects for fully “de-identifying” data were discussed in a separate conference session addressed in detail below in Part II(C).
  14. The content of this section is derived from conference Information Session “RFID” (26 September 2007), speakers: Stephen Lau, Katherine Albrecht, Laurent Bernat, Ann Cavoukian and Pankaj Sood, online: http://www.privacyconference2007.gc.ca.
  15. At the 23rd International Conference of Data Protection and Privacy Commissioners in Sydney, Australia, Commissioners issued a resolution on RFID technology (20 November 2003), online: http://www.cnil.fr. See also: Office of the Privacy Commissioner of Canada, “Fact Sheet: RFID Technology”, online: http://www.privcom.gc.ca.
  16. Office of the Information and Privacy Commissioner of Ontario, “Privacy Guidelines for RFID Information Systems” (June 2006), online: http://www.ipc.on.ca.
  17. The content of this section is derived from conference Workshop 1, “Location-based Tracking” (26 September 2007), speakers: Alexander Dix, Éloïse Gratton, David Lyon, Michael Michael, and John Morris (http://www.privacyconference2007.gc.ca).
  18. See the presentation by Michael Michael in conference Workshop 1, “Location-based Tracking” (26 September 2007), slides online: http://www.privacyconference2007.gc.ca.
  19. For further discussion, see “Geopriv Requirements”, online: http://www.ietf.org.
  20. See the presentation by John Morris in conference Workshop 1, “Location-based Tracking” (26 September 2007), slides online: http://www.privacyconference2007.gc.ca.
  21. The content of this section is derived from conference Workshop 2, “Genetics & Bio-Banking”, Parts I and II (27 September 2007), speakers: Paul Chadwick, Bartha Maria Knoppers, Timothy Caulfield, Martin Dufresne and William Lowrance (http://www.privacyconference2007.gc.ca).
  22. See the presentation by Bartha Maria Knoppers in conference Workshop 2, “Genetics and Biobanking” (27 September 2007), slides online: http://www.privacyconference2007.gc.ca.
  23. The content of this section is derived from conference session Plenary 1, “Ubiquitous Computing Dragon” (27 September 2007), speakers: Stephanie Perrin, Ian Kerr, Teresa Lunt, David Phillips (http://www.privacyconference2007.gc.ca).
  24. The content of this section is derived from conference Plenary 2, “Nanotechnology and Privacy” (26 September 2007), speakers: Jacques Saint-Laurent, Alex Türk, Hervé Fischer, Joel Reidenberg, Bernard Sinclair-Desgagné and conference Information Session “Nanotechnology II” (28 September 2007), speakers: Yves Poullett and Peter Grutter (http://www.privacyconference2007.gc.ca).
  25. The content of this section is derived from conference Workshop 2, “Standards”, Parts I and II (26 September 2007), speakers: John Borking, Colin Bennett, John Hopkinson, and John Sabo (http://www.privacyconference2007.gc.ca).
  26. Privacy Commissioners Resolutions on proposed ISO privacy standard and PETTEP, [2004] PLPR 49, online: http://www.austlii.edu.au.
  27. The content of this section is derived from conference Plenary 2, “Children’s Online Privacy” (27 September 2007), speakers: Francesco Pizzetti, Jacquelyn Burkell, Leslie Regan Shade, and Valerie Steeves (http://www.privacyconference2007.gc.ca).
  28. Leslie Regan Shade, “‘It Just Sucks You In’: Young Women’s Use of Facebook”, prepared for Media Action, November 2007, online: http://www.media-action-media.com.
  29. For an outline of and access to these various European Union funded initiatives, see Safer Internet, “A long history before the Safer Internet Plan” (“EU Initiatives”), online: http://www.sip-bench.org.
  30. The content of this section is derived from conference Workshop 2, “Internet Crime”, Parts I and II (28 September 2007), speakers: Joel Winston, Cynthia Fraser and Dean Turner (http://www.privacyconference2007.gc.ca).
  31. In Helen Remsburg, Administratrix of the Estate of Amy Lynn Boyer v. Docusearch Inc., 816 A.2d 1001; 2003 N.H. LEXIS 17, the estate of a woman killed by a stalker sued the databroker who obtained information from the victim by pretext and sold it to her killer.
  32. Violence Against Women and Department of Justice Reauthorization Act of 2005, (“Violence Against Women Act”) H.R. 3402-24, sec. 107, online: http://frwebgate.access.gpo.gov.
  33. For the results of the joint investigation of the TJX security breach by the Office of the Privacy Commissioner of Canada and the Office of the Information and Privacy Commissioner of Alberta, see news release, “Inadequate Security Safeguards Led to TJX Breach, Commissioners Say” (25 September 2007), online: http://www.privcom.gc.ca.
  34. See 28th International Data and Privacy Commissioners Conference, “Communicating Data Protection and Making it More Effective” (2006), online: http://ico.crl.uk.com.
  35. APEC, “APEC Privacy Framework Principles” (2005), online: http://www.ministerjusticeandcustoms.gov.au.
  36. Malcolm Crompton, “The APEC Privacy Framework: Creating Trust in Developing Cross-Border Privacy Rules: A Progress Report” (March 2007), online: http://iispartners.com.
  37. For a discussion of OECD initiatives, see OECD Directorate for Science, Technology and Industry, “Cross-Border Privacy Law Enforcement”, online: http://www.oecd.org.
  38. See “Standards”, Parts I and II, supra note 25.
  39. See “Location-based Tracking”, Parts I and II, supra note 17.
  40. See presentation by Teresa Lunt, supra note 23.
  41. See Office of the Information and Privacy Commissioner of Ontario, online: http://www.ipc.on.ca.
  42. The content of this section is derived from conference Workshop 4, “Civil Society”, Parts I and II (27 September 2007), speakers: Barry Steinhardt, Ben Hayes, Roch Tassé and Ralf Bendrath (Part I) and Colin Bennett, Simon Davies, Alexander Dix, Barry Steinhardt and Jennifer Stoddart (Part II).
  43. The full text of the declaration is attached in Appendix B.
  44. For example: Lawson v. Accusearch Inc., [2007] F.C.J. No. 164 (finding Privacy Commissioner of Canada has jurisdiction to investigate a complaint from the executive director of the Canadian Internet Policy and Public Interest Clinic (CIPPIC) regarding a U.S. company’s alleged collection, use and disclosure of personal information about Canadians to Canadians); CIPPIC Request to the Privacy Commissioner of Canada for an investigation of Google Inc. and Double Click Inc. (17 September 2007), online: http://www.democraticmedia.org.
  45. See, for example, “A Report on the Surveillance Society for the Information Commissioner by the Surveillance Studies Network”, David Murakami Wood (ed.) (September 2006), online: http://www.ico.gov.uk; Electronic Privacy Information Center and Privacy International, The Privacy and Human Rights Report, published annually since 1997, online: http://www.privacyinternational.org; The Surveillance Project, “Location Technologies: Mobility, Surveillance and Privacy” (March 2005), online: http://www.queensu.ca.
  46. See, for example, Media Awareness Network, “Young Canadians in a Wired World” (2000–2005), online: http://www.media-awareness.ca; Canadian Teachers’ Federation, “Kids Take On Media” (2004), online: http://www.ctf-fce.ca. With respect to curriculum development, see http://www.cybersmart.org; Alberta Civil Liberties Research Centre, “Techno-tonomy: Privacy, Autonomy and Technology in a Networked World”, online: http://www.aclrc.com.
  47. The content of this section is derived from conference information session “Who do you trust?: A look at privacy seals” (27 September 2007), speakers: Christine Varney, Kirsten Bock and Fran Maier, online: http://www.privacyconference2007.gc.ca.
  48. The content of this section is derived from conference Workshop 4, “Protecting Privacy Through De-Identification: Reality or Fallacy”, Parts I and II (27 September 2007), speakers: Ann Cavoukian, Khaled El Emam, William Lowrance, Bradley Malin, Donald Willison and Debra Grant, online: http://www.privacyconference2007.gc.ca.
  49. L. Sweeney, “k-anonymity: A model for protecting privacy”, International Journal on Uncertainty, Fuzziness and Knowledge-based Systems, Vol. 10, No. 5, 2002, p. 557-570, 558, online: http://privacy.cs.cmu.edu.
  50. D.J. Willison, L. Schwartz, J. Abelson, C. Charles, M. Swinton, D. Northrup, L. Thabane, “Alternatives to Project-specific Consent for Access to Personal Information for Health Research: What Is the Opinion of the Canadian Public?”, Journal of the American Medical Informatics Association, 2007, No. 14, p. 706–712, online: http://www.j-amia.org.
  51. The content of this section is derived from conference Workshop 3, “Audit”, Parts I and II, speakers: Artemi Lombarte, Yim Chan, Nicholas Cheung, Chris Turner and Joel Winston, online: http://www.privacyconference2007.gc.ca.
  52. See Commission of the European Communities, Decision of 15 June 2001 on standard contractual clauses for the transfer of personal data to third countries, under Directive 95/46/EC (2001/497/EC), online: http://eur-lex.europa.eu.
  53. Artemi Lombarte, “Auditing for Privacy Workshop: Chairman’s Remarks” presented at conference Workshop 3, “Audit” (27 September 2007), see slides online: http://www.privacyconference2007.gc.ca.
  54. The content of this section is derived from conference Workshop 1, “Privacy Impact Assessment”, Parts I and II (27 September 2007), speakers: Blair Stewart, Claude Beaulé, LeRoy Brower, David Flaherty, Donald Lemieux, Rebecca Richards, Trevor Shaw, Blair Stewart, Mark Vale and Nigel Waters, online: http://www.privacyconference2007.gc.ca.
  55. Audit Report of the Privacy Commissioner of Canada, “Assessing the Privacy Impacts of Programs, Plans, and Policies” (October 2007), online: http://www.privcom.gc.ca.
  56. Office of the Information and Privacy Commissioner of Ontario and U.S. Department of Justice, “Privacy Impact Assessment for Justice Systems” (2000), online: http://www.ipc.on.ca. The Office of the Privacy Commissioner of Australia has also released an online guide regarding PIAs: “Privacy Impact Assessment Guide” (August 2006), online: http://www.privacy.gov.au.
  57. U.K. Information Commissioner’s Office, “Surveillance Society Conference December 2007”, online: http://www.ico.gov.uk.
  58. L. Sweeney, supra note 49.
  59. David Phillips raised the concept of distributed knowledge production in his remarks in conference Plenary 1, “Ubiquitous Computing” (27 September 2007), see slides online: http://www.privacyconference2007.gc.ca.
  60. David Lyon raised concerns regarding the disparate impact of social sorting on marginalized groups in his remarks in conference Workshop 1, “Location-based Tracking” (26 September 2007), see slides online: http://www.privacyconference2007.gc.ca.
  61. Conference Keynote Address by Michael Chertoff, Secretary of the Department of Homeland Security (26 September 2007).
  62. Barry Steinhardt, conference Plenary 1, “Public Safety and Globalization Dragons” (26 September 2007), see slides online: http://www.privacyconference2007.gc.ca.
  63. Bruce Schneier, conference Plenary 1, “Public Safety and Globalization Dragons” (26 September 2007).
  64. Conference Workshop 1, “Children’s Privacy Education”, Parts I and II (28 September 2007), speakers: Marita Moll, Thomas Hillman, Melissa Luhtanen and Cathy Wing, online: http://www.privacyconference2007.gc.ca.
  65. See conference session on Data Mining, supra note 11.
  66. See conference session on Genetics and Biobanking, supra note 21.
  67. See conference session on Dataflows and Mirroring, supra note 7.
  68. See conference session on Ubiquitous Computing, supra note 23.
  69. Office of the Privacy Commissioner of Canada, “A Guide for Businesses and Organizations: Your Privacy Responsibilities: Canada’s Personal Information Protection and Electronic Documents Act” (26 April 2004), online: http://www.privcom.gc.ca.
  70. APEC Privacy Pathfinder, supra note 35.
  71. Violence Against Women Act, supra note 32.
  72. See conference presentation on Internet Crime by Dean Turner, supra note 30.
  73. Ian Kerr raised concerns regarding the Canadian legal approach to privacy in his remarks in conference Plenary 1, “Ubiquitous Computing” (27 September 2007), supra note 23.
  74. R. v. Tessling, [2004] 3 S.C.R. 432.
  75. Cheskes v. Ontario, [2007] OJ No. 3515 (SCJ).
  76. For further discussion of these issues, see C.A.S. Williams, Chinese Symbolism & Art Motifs (Tuttle Publishing, 1941), p. 132.

Date modified: 2008-03-28