SAFEGUARDS IN FEDERAL ELECTION SURVEY ‘FELL SHORT’:
The government “fell short” and “should have been more prudent” in preventing users’ personal information from being shared with third parties as they interacted with a much-maligned online electoral reform survey, Canada’s privacy commissioner has found.
MyDemocracy.ca employed third-party scripts that could disclose users’ personal information to Facebook without their consent as soon as they loaded the website, according to the commissioner’s investigation. The responsible Privy Council Office also failed to conduct a privacy-impact assessment related to the initiative.
About 360,000 people participated in the survey in December and January. An investigation from the privacy commissioner’s office says information retrieved about individuals could lead to “a fairly accurate picture of one’s personal activities, views, opinions and lifestyle” and “be quite revealing about an individual’s internetbased activities.”
Commissioner Daniel Therrien found no evidence the PCO was trying to match individuals to their responses, but IP addresses and other information was shared with Facebook automatically, “thereby increasing the risk that users’ interaction with the website could not be truly anonymous.” Users who were simultaneously logged into Facebook could be identified.
The commissioner’s office did not consult Facebook or investigate its use of the information. Consequences could have been unintended because scripts were ostensibly there to facilitate sharing results on social media after completing the survey, but a different design would have avoided any breaches, the report says.
Therrien’s report rebukes the PCO for not assessing privacy concerns ahead of time. “Given the nature of the MyDemocracy initiative and the personal information collected, PCO fell short of our expectations,” it says.
The website was launched last December as part of a Liberal government consultation on changing Canada’s federal voting system, an initiative that was ultimately scrapped.
The survey requested optional demographic information including postal codes, household income, sex, age and other details. At the time, Therrien contacted the PCO with concerns such information was being asked for “without apparent justification” and scripts were sending information to Facebook and Google Analytics.
The PCO told Therrien it never directly collected or received participants’ information, and results were provided in an “anonymized form,” according to his office.
It also said third-party sites such as Facebook “only received common web transaction data,” and noted Facebook users agree to its terms of service. If they were worried, people could have responded by “using private browsing modes” or “deleting their Facebook account.”
“In our view, the Terms of Service between Facebook and its account holders does not relieve PCO of its privacy obligations in the circumstances,” Therrien’s report concludes.
The PCO did take a few steps to resolve concerns. Vox Pop Labs, the company contracted to create the web survey, altered the website after Therrien’s concerns were raised to try to ensure Facebook script would be activated only once a user clicked on a “share” button.
The Post recently reported that the PCO also altered an original contract with Vox Pop Labs after Therrien’s concerns had been made public.
Documents obtained through access-to-information law showed the contract was amended while the website was still live to include more-stringent privacy considerations and reverse language in the original contract that implied users’ personal information should be collected and provided to government.
GIVEN THE NATURE OF THE ... INFORMATION COLLECTED, PCO FELL SHORT OF OUR EXPECTATIONS