Not good enough: Toronto privacy expert resigns from Sidewalk Labs over data concerns

\Not good enough\: Toronto privacy expert resigns from Sidewalk Labs over data concerns
Ann Cavoukian, former Ontario privacy commissioner, resigns from Sidewalk Labs
A privacy expert who resigned this week from her role as an advisor to Sidewalk Labs, the Google sister company set to build a "smart" neighbourhood on Toronto's waterfront, is concerned that the "treasure trove" of data collected there will be vulnerable to attacks.

Cavoukian said Sunday she chose to resign after a Thursday meeting between Sidewalk Labs and Waterfront TO, the organization responsible for revitalizing the city's lakeshore.

It was there that Sidewalk Labs revealed that, while it has committed to stripping all of the data it collects of personal identifiers, it could not guarantee that other groups participating in the project would do the same. 

"When I heard that, I knew I had to resign," Cavoukian said in an interview on CBC News Network. 

Most critically, she has advocated for stripping any given data point of all personally identifiable details right away using well-established techniques, as there is no opportunity for people to actually consent to collection of the information. For its part, Sidewalk Labs has committed to doing that. 

On Monday, however, the company proposed that all of the data generated by Quayside be kept in a "civic data trust." This way, no one entity would own all of it. 

"This trust would approve and control the collection of, and manage access to, urban data originating in Quayside," wrote Alyssa Harvey Dawson, head of data governance at Sidewalk Labs, in an online post.  

"The civic data trust would be guided by a charter ensuring that urban data is collected and used in a way that is beneficial to the community, protects privacy, and spurs innovation and investment."

But there was a catch, Cavoukian said. De-identification of data by the various stakeholders in the trust would not be mandatory, only "encouraged" by Sidewalk Labs.

"That's not good enough," Cavoukian said. "The only way to address this issue to ensure privacy — which I must do — is to de-identify at source at the time of collection."

"Just think of the consequences: If personally identifiable data are not de-identified at source, we will be creating another central database of personal information (controlled by whom?), that may be used without data subjects' consent, that will be exposed to the risks of hacking and unauthorized access," she wrote. 

"As we all know, existing methods of encryption are not infallible and may be broken, potentially exposing the personal data of Waterfront Toronto residents! Why take such risks?"

Cavoukian's departure comes weeks after TechGirls Canada founder Saadia Muzaffar left her role on the advisory panel. Muzaffar said she had "profound concerns" about apparent "a lack of leadership regarding shaky public trust" and what she considered unacceptable questions around privacy and intellectual property. 

The Quayside project, announced last October by Waterfront TO, has proved a lightning rod for criticisms from digital privacy advocates, who have argued that Sidewalk Labs has not been forthcoming enough about what data might be used for. 

Cavoukian said she hopes her resignation will spark a wider discussion about the project can be built while ensuring that privacy is protected. 

It is a priority for CBC to create a website that is accessible to all Canadians including people with visual, hearing, motor and cognitive challenges.

Ontario's former Privacy Commissioner Ann Cavoukian speaking at the University of Ottawa around noon. (August 16, 2010)

Ontario’s former privacy commissioner has resigned from her consulting role at a company that is preparing to build a high-tech community at Toronto’s waterfront, citing concerns that a privacy framework she developed is being overlooked.

Ann Cavoukian says she stepped down from Google sister company Sidewalk Labs on Friday following a meeting earlier in the week, when the organization said it could not guarantee people’s personal information would be protected.

She says a crucial feature of her privacy framework is that when personal information is collected by surveillance cameras and sensors, any personally identifying data is removed or “anonomized” immediately.

READ MORE: Amazon is selling ‘authoritarian surveillance’ tech to police, civil rights groups want it to stop

Cavoukian says personally identifying data is not just a person’s name, and there is information can be indirectly identifying, such as the specifics of where a person is travelling that can be linked to that individual.

Sidewalk Labs released a statement that said it would play “a more limited role” in discussions about data governance, and that while it agrees to follow her framework, Sidewalk Labs cannot gurantee that other companies involved in the project would do so as well.

Last October, Waterfront Toronto announced it had chosen Sidewalk Labs to present a plan to design a high-tech neighbourhood for the Quayside development, which is along Toronto’s eastern waterfront.