OPCC Draws out lessons that should be learned
On November 9, 2017, representatives of the Office of the Privacy Commissioner of Canada (OPCC) held a Deconstruction Series event in Toronto for the privacy profession, to discuss PIPEDA Summary 2017-002 which was released in August 2017 involving Wajam Internet Technologies.
Note that the OPCC has a tech lab and regularly researches technology and software products available to the public and their impact on Canadians’ privacy. This investigation was Commissioner-initiated just like the 2016 CompuFinder decision released by the OPCC after the CRTC’s finding of CASL violations. CASL amended PIPEDA giving the OPCC the power to investigate adware/spyware installations, and the Wajam case is certainly in line with this mandate of ensuring Canadians are protected from unwanted software and deceptive practices involving the collection of personal information. But as acknowledged by the OPCC, the Wajam case could have occurred irrespective of CASL’s amendments to PIPEDA, simply on the basis of lack of informed consent.
So let’s turn to the case to get a clear sense of why the OPCC chose to investigate Wajam. The software clearly seemed to have adverse effects on computers and was difficult to uninstall. Although Wajam continued to deny this, the OPCC commenced an investigation in June 2016.
Wajam is a social search engine app that was launched in October 2011 and relaunched as Socail2Search (the ‘software’) in May 2016. It is offered in 40 countries via third party distributors who get paid per installation. There have been hundreds of millions of installations. The software is essentially “bundled” as an unsolicited program through free software websites and operates through major browsers, linking with Twitter. Search results based on what your friends have viewed are displayed before your Google search results. For example, if you go to Bing or Google to search for hotels in Paris, if your network had also searched for hotels in Paris, you would see their results.
The investigation focused on three areas:
• Obtaining meaningful consent;
• Concerns about de-installation; and
• Whether Wajam is safeguarding the information being collected.
The OPCC investigation team requested policies, procedures, communications and logs to analyze Wajam’s practices. Technical analysts installed the software so the investigators could see how it looks on the end user’s computer, and a site visit to Wajam’s offices in Montreal took place.
Lack of Accountability
Wajam was not able to produce evidence of a privacy accountability framework. Privacy training was informal and although Wajam stated it had privacy policies and procedures in place, no evidence was provided.
Concerns regarding Consent and Safeguards
Two types of consent were explored by the OPCC – single offer (a consent screen for each program being installed with the bundle) and multiple offers (one consent screen for all the software programs). Note however that only a small percentage of distributors of Wajam’s software were using consent for multiple offers, and this was being phased out.
There were clearly problems with the installation processes and consent screens despite the rules and guidelines communicated by Wajam. Non-compliant behaviour by 18 distributors was noted – many had no consent screen at all. Wajam’s monitoring and recordkeeping regarding installation of its software was by trial and error. Unique identifiers stored on the user’s computer, as well as other user information, was being transferred to Wajam. Even if the software was uninstalled by the user, this information was retained indefinitely and was stored unencrypted.
De-Installation of the Software
The case goes on to highlight concerns around the confusing and misleading messages and warning statements that a user could receive when attempting to de-install the software.
Summary of key recommendations
The OPCC provided 12 recommendations that all software developers/installers should pay heed to:
1. Establish a privacy accountability framework, including written policies and procedures.
2. Communicate and train employees on the accountability framework.
3. Stop using distributors to distribute the software with bundles until measures are in place to ensure installation of the software is happening with consent.
4. Proactively provide contact information for those who installed the software but were not given the opportunity to consent.
5. Amend websites to be more transparent about the functionality of the software, such as the linking to users’ social media accounts.
7. Correct any bug in the de-installation process to ensure unique user identifiers are deleted from the computers and devices of individuals removing the software.
8. Provide additional information to users as to how de-installation of its software may be prevented by third parties and how users may overcome such challenges.
9. Immediately cease issuing all malvertising material to individuals seeking to uninstall software,
10. Delete the personal information of users who have uninstalled the software, including unique user identifiers, from Wajam’s primary and secondary databases consistent with data retention and destruction procedures and schedules.
11. Implement appropriate safeguards to protect the transmission of user information at installation.
12. Implement encryption of Wajam’s primary database.
Outcome of the Case and Conclusion
In February 2017, Wajam’s assets were sold to Iron Mountain Technology Limited (IMTL) who committed that Canadians’ personal information would not be transferred to IMTL and that all Canadians’ personal information had been deleted from its servers.
The OPCC will monitor the software to see if it is redistributed in Canada. If it is, IMTL will have to comply with PIPEDA. The OPCC has also briefed international counterparts on the case. This investigation clearly had a consumer protection flavour to it. Concerns expressed by the OPCC around lack of transparency and consent have been consistent themes throughout the OPCC’s recent decisions.
Currently OPCC guidance documents on obtaining meaningful online consent are available to comment on and were likely influenced by the Wajam investigation.
For assistance with consent and transparency for your own organization’s information practices, or for assistance with responding to a regulator investigation, contact PRIVATECH.2