Ontario’s Privacy Commissioner has released a report on metadata – the information generated when a person uses digital devices. IP addresses, cell phone usage, and time stamps on sent e-mails are all forms of metadata that are fairly innocuous on their own; however, when these pieces are put together, they can be used to identify information that is specific to a user or group of users.
Metadata is not data in the traditional sense, but rather it provides clues to how individuals use the Internet – it reveals geographical locations, as well as the types and lengths of communication. This information could be used to monitor individuals without viewing the content of their communications.
Metadata may be used by advertisers, governments, and other parties to monitor online behaviour. Bits of information on Internet usage can be analyzed to reveal patterns which can ultimately be used to identify individuals. A study from the year 2000 by then-Master’s student (and now Harvard professor) Latanya Sweeney demonstrated how an anonymized data set could be “re-identified” using the voting records for the city of Cambridge, Massachusetts, with just the sex, ZIP code, and birth date provided in the data set. Sweeney found that 87.1 percent of people in the United States were uniquely identifiable by their combined five-digit ZIP code, birth date (including year), and sex. Whether through social media, online registrations, marketing, sales, or other forms of data, a profile of a person can be put together fairly easily.
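To make the uniqueness figure concrete, here is an added illustration (not taken from the Commissioner’s report or from Sweeney’s study): a short Python audit that a data custodian could run before releasing a data set, counting how many records are unique on ZIP code, birth date, and sex, and how coarsening those fields changes the result. The records, function names, and generalization levels are constructed for this example.

```python
from collections import Counter

# Constructed sample records (not real people): (ZIP, birth date, sex, diagnosis)
RECORDS = [
    ("02138", "1961-07-14", "F", "asthma"),
    ("02138", "1961-03-02", "F", "diabetes"),
    ("02139", "1961-11-30", "F", "flu"),
    ("02139", "1975-01-09", "M", "asthma"),
    ("02139", "1975-06-21", "M", "flu"),
    ("02141", "1975-06-21", "M", "migraine"),
    ("02141", "1988-12-05", "F", "flu"),
    ("02142", "1988-02-17", "F", "asthma"),
]

def exact(rec):
    """Quasi-identifier as released: full ZIP, full birth date, sex."""
    zip_code, birth, sex, _ = rec
    return (zip_code, birth, sex)

def year_only(rec):
    """Birth date coarsened to the year; ZIP left at five digits."""
    zip_code, birth, sex, _ = rec
    return (zip_code, birth[:4], sex)

def coarse(rec):
    """ZIP truncated to three digits and birth date coarsened to the year."""
    zip_code, birth, sex, _ = rec
    return (zip_code[:3] + "**", birth[:4], sex)

def risk(records, key):
    """Return k (smallest group sharing a quasi-identifier) and the
    fraction of records that are the only member of their group."""
    groups = Counter(key(r) for r in records)
    unique = sum(1 for r in records if groups[key(r)] == 1)
    return {"k": min(groups.values()), "unique_fraction": unique / len(records)}

def below_k(records, key, k):
    """Records a release at this level would leave in groups smaller than k."""
    groups = Counter(key(r) for r in records)
    return [r for r in records if groups[key(r)] < k]

if __name__ == "__main__":
    for name, key in (("exact", exact), ("year_only", year_only), ("coarse", coarse)):
        print(name, risk(RECORDS, key), "records below k=2:", len(below_k(RECORDS, key, 2)))
```

Removing names changes none of these numbers. Only coarsening the quasi-identifiers themselves moves records out of single-member groups.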
Privacy Commissioner Ann Cavoukian has stated that Canada is no less vulnerable. She writes that “in this day and age of 24/7 online expanded connectivity and immediate access to digitized information, new analytic tools and algorithms now make it possible, not only to link a number with a name, but also to combine information from multiple sources, ultimately creating an accurate profile of a personally identifiable individual.” These techniques were used in recent memory by the FBI in their investigation into the extra-marital affairs of former CIA Director, General David Petraeus.
The report goes further in denouncing the common retort that “if you have nothing to hide, you shouldn’t be concerned about privacy”. Instead, Commissioner Cavoukian argues from a rights-based position that the state has no right to access the personal information of a law-abiding citizen. Since the Supreme Court’s landmark decision in Hunter v Southam [1984] 2 S.C.R. 145, Section 8 of the Charter of Rights and Freedoms has been recognized as the basis for an individual’s reasonable expectation of privacy.
Commissioner Cavoukian also tackles the issue of how surrendering privacy rights is often justified as a means of protecting public safety. For example, increased monitoring in public using drones may be justified as a means of increasing the ability of law enforcement officials to carry out investigations. Of course, public surveillance powers must be subject to judicial authorization. The report recommends that surveillance programs be open and transparent by allowing public scrutiny – legal safeguards must be in place if the government wants to use metadata for any purpose.
Note: For an interesting analysis of data anonymization please see Professor Paul Ohm’s paper in the UCLA Law Review, entitled Broken Promises of Privacy: Responding to the Surprising Failure of Anonymization.