In Sidewalk Labs’ Master Innovation and Development Plan (MIDP), released Monday, the Alphabet company echoed its assurances that the Quayside project would abide by all provincial and federal government regulations encompassing data, including both existing and future privacy laws.
“Everybody wants personal information in personally identifiable form, that’s the big win.”
– Ann Cavoukian
BetaKit spoke with Ann Cavoukian, a privacy expert-in-residence at Ryerson University, and the former information and privacy commissioner of Ontario. Cavoukian formerly served as an advisor to Sidewalk Labs but resigned last year due to concerns about how the Google sister company planned to collect, use, and distribute personal data. She is now a consultant to Waterfront Toronto, the organization overseeing the project’s implementation.
Sidewalk Labs’ master plan presented more details on an independent data trust, for which it has previously advocated, that would manage its data and make “anonymized data” open source and publicly accessible. Sidewalk Labs referred to this kind of information as “urban data,” defining it as information that is collected in the city’s physical environment, including in the public realm, publicly accessible spaces, and even in some private buildings.
De-identification as a mandate, not a suggestion
Sidewalk Labs’ plan outlined hopes that this trust is transformed into a public-sector agency or a quasi-public agency in the long term. However, Cavoukian told BetaKit that Sidewalk Labs’ vision of the Urban Data Trust as a collective asset or public trust would be a “nightmare” for privacy if personal information fell under that umbrella. She said what concerns her most about the trust is the potential for data to be re-identified by third parties and linked back to the individual.
“What’s missing from [the trust], is the fact that it doesn’t come with a requirement that any parties that join the Urban Data Trust must de-identify data at the source, right at the time of collection,” she said. “That has to be an essential ingredient or this Urban Data Trust will have no value. In fact, it will have a negative value in terms of privacy.”
In the MIDP, Sidewalk Labs suggested that all digital companies and projects use de-identification (a process used to prevent a person’s identity from being connected with collected information) by default. However, this suggestion from Sidewalk is not a requisite.
“When you look at the section on privacy and the identification of data, they say that identifiable data should be rendered non-identifiable,” Cavoukian told BetaKit. “They then say that you can’t do so completely… that will involve some risk. To me, that’s a cop-out.”
Cavoukian said when strong de-identification protocols are used, companies can potentially minimize the risk of re-identification to less than 0.05 percent, less than the odds of being hit by lightning.
“Those are damn good odds,” Cavoukian said. “Personal information is a treasure trove. Everybody wants personal information in personally identifiable form, that’s the big win. The only way you can protect privacy is to anonymize the data right from the outset. Then you have very valuable data that you can use for a variety of purposes, but it’s not linked to personal identifiers. That’s what we have to promote. I didn’t see that coming out in this [plan].”
Keerthana Rang, a communications associate at Sidewalk Labs, told BetaKit that the company believes the independent data trust would be in the best position to determine the appropriate guidelines for responsible data use.
“We have submitted an initial set of these guidelines in the MIDP, one of which includes data minimization, security, and de-identification by default,” Rang said. “All entities, including Sidewalk Labs, should collect the minimum amount of data needed and use the least invasive technology available to achieve [a] beneficial purpose.”
No clear path to consent
Sidewalk Labs’ plan states that using a ‘distributed credential’ approach would involve implementing ‘privacy-preserving techniques’ to collect only the minimum amount of information necessary. This would also include a person’s full consent over what information is shared.
Sidewalk Labs may choose to bypass consent for users who already consent to share data on Google apps.
The company also committed to not disclose personal information to third parties, including other Alphabet companies, without explicit consent. Cavoukian said she didn’t think the MIDP sufficiently laid out what data would be collected and how members of the public could consent or revoke consent to the collection of this data.
“Let people opt-in on their smartphones to specific apps that will give them information that will actually improve their lives,” said Vaclav Vincalek, a tech entrepreneur and board member of Urban Opus, a smart city innovation cluster. “That way, you’re not tracking data from people who have totally reasonable motivations for staying off the grid.”
Cavoukian insisted upon collecting data through positive consent, meaning individuals would be able to opt into having their data collected by taking affirmative action. Opting out, or negative consent, is the process by which a user takes action to withdraw their consent.
Sidewalk Labs was not clear on whether it would consider an opt-in or opt-out approach to consent. Current privacy laws in Canada allow organizations to obtain “consent” for personal information collected in public spaces (think CCTV cameras) by placing notifications/signs by the camera. Rang told BetaKit, though, that the company will meet all existing Canadian privacy laws, including obligations under Canadian privacy law to obtain meaningful consent.
“Sidewalk Labs believes the public deserves a higher standard for privacy and data governance as most companies do not adhere to this practice or if there is a notice, it does not contain information about the practice, the collector, the use or any other privacy-protective measures that the collector will engage in to protect an individual’s rights,” Rang told BetaKit.
A representative of Sidewalk Labs who spoke with BetaKit on Monday indicated that it may choose to operate on the idea that if people have already consented to sharing data on apps such as Google Maps, and that person interacts with the smart city, Sidewalk Labs wouldn’t look for additional consent in those cases.
Alex Ryan, vice president of systems innovation at MaRS Discovery District, who has previously written about smart city data trusts, stated that when it comes to the kind of collection that Sidewalk Labs would do with sensors, it depends on who is collecting that data.
“If it’s government, if the city is actually doing the pilot and collecting the data, then they don’t actually need to have meaningful consent to collect personal information,” he told BetaKit.
“If it’s a private company, like Sidewalk Labs that is doing the data collection, then they would need personal consent. And that is the real problem with collecting data off the street, because a cell phone has an off switch, you can just turn off when you download apps, or consent when you download the app, and you have a way of opting out. Where and how do you opt out of a public realm?”
Cavoukian stated that whichever route Sidewalk Labs chooses to take, obtaining consent is extremely difficult, particularly when 24-hour sensors are involved.
Where will the data go?
In the MIDP, Sidewalk Labs said it will not sell personal information or use personal data for advertising. It also made a commitment to not sell personal information to third parties to use it for advertising purposes. However, it did not address other concerns with how data could be used beyond advertising.
Please stop pronouncing the data issue with Sidewalk Labs as one of privacy. That's a sub-set issue of marketization. This discourse is so incredibly problematic and confused – it's wild how many people keep wading in this way.
— Bianca Wylie (@biancawylie) June 26, 2019
For companies to collect data, Sidewalk said there must be a clear purpose and value to any proposed use of urban data. It stated that organizations should inform individuals of how and why data would be collected and used in a way that is proactive, clear, and easy to understand. The plan added that organizations should collect the minimum amount of data needed to achieve the beneficial purpose and use the least invasive technology available to achieve a beneficial purpose.
Sidewalk Labs has also made three main commitments around data use: no selling personal information, no using personal information for advertising, and no disclosing personal information to third parties without explicit consent.
Cavoukian argued that the way companies can benefit from personally identifiable data could go well beyond the scope of advertising. She noted, for example, that insurance companies could gain access to data that has the potential to compromise the type of plan a patient will receive. She also gave the examples of employers potentially obtaining information on why their employees are late to work, as well as how collecting hoards of re-identifiable data could also put the public at risk of data breaches and identity theft. Ryan pointed to the idea that data could potentially be used to discriminate against members of minority groups.
“I’m not saying all these [scenarios] would arise, but they could,” said Cavoukian. “And the point is, why risk it? Why wouldn’t you just avoid all of these potential harms by de-identifying all the data at source? Otherwise, [Quayside] will be a smart city of surveillance, and that’s the antithesis of freedom.”
During her time on the International Council of Smart Cities, Cavoukian said she has seen places like Shanghai and Dubai become smart cities of surveillance, and her hope is that this is not repeated in Toronto. The best way to do this, she said, is to require data be de-identified as soon as it’s collected. Cavoukian stated that Waterfront Toronto strongly favours a de-identification approach and has agreed to issue a set of rules to companies hoping to participate in the Urban Data Trust, mandating them to de-identify all data at the source.
Cavoukian said she is not privy to the deliberations of Waterfront Toronto (which publicly shared its concerns about the plan on Monday), but said if the MIDP were to pass, she is certain that Waterfront will amend the MIDP to mandate the de-identification of any personal data Sidewalk collects.
“Privacy forms the foundation of our freedom, you cannot have freedom and liberty without a solid foundation of privacy,” she said. “If you value that, you have to go to great lengths to protect that.”
Image courtesy Harminder Phull for Communitech