Dic 2020 Interview with Ann Cavoukian

Dr. Ann Cavoukian is recognized as one of the world’s leading privacy experts. Dr. Cavoukian served three terms as Information and Privacy Commissioner of Ontario, Canada. At that time she created the concept of Privacy by Design, a framework that proactively seeks to integrate privacy into the design specifications of information technologies, network infrastructure, and business practices, thereby achieving the highest possible protection. She is currently the Executive Director of the Global Privacy and Security by Design Center. She is also a professor at Ryerson University and Arizona State University. In addition, she is the author of two books, “The Privacy Payoff: How Successful Businesses Build Customer Trust” with Tyler Hamilton, and “Who Knows: Safeguarding Your Privacy in a Networked World” with Don Tapscott. She has received numerous awards in recognition of her leadership on privacy issues, including being named one of Canada’s 25 most influential women.

What is privacy to Ann Cauvakian? Is freedom threatened in any way in our digitized society?

Let me tell you a personal and family story. My family origin is Armenian. My grandparents narrowly escaped the Armenian genocide in 1915. My grandfather was in prison. With my grandmother he had three children. My father was three years old at the time and my grandfather, to save my family, since he was a good drawer and an artist, painted a really beautiful picture. My grandmother told me the story that my grandfather always made him carry parchment paper and charcoal. He was an artist. One night, because he noticed the face of the Turkish generals, and because he really loved to ask whoever it was, and he had a candle and a very good memory, which by the way is the strength of every society, he spent the night drawing the face of one of those generals. The next morning, he managed with great effort to get one of the soldiers to give the portrait to that general, with my grandfather’s greetings, but who would want to look at that drawing? He thought they were going to be killed that day, but a soldier on horseback appeared at dizzying speed, sent by the general in the portrait, who wanted to know who would have portrayed him so well on that parchment paper, in charcoal. That gesture meant freedom for my family. Otherwise, I would not be here today. 

The stories associated with freedom for people who are Armenian, like me, are very important. My grandmother told me, since I was especially “devoted” to privacy, that in prison she suffered from the absence of privacy. That one word at that time for the Armenians was death on the spot. The whispering, avoiding them knowing our conversations, all that, makes me think that in the world we want to live in, we need privacy.

Without a doubt, whenever you have a mission in life, which is born from deep within you, there is an engine like this personal testimony. Do you dare to predict any social change motivated by our digital reality? Perhaps, a new concept of what we understand by private life?

Of course, you have to tell people that they have to be very careful in the digital world. For example, about how to share their information, to whom it is revealed, etc. because there are risks that cannot even be imagined for the privacy of personal data that may pursue you at some point in your life, but I also want to give people hope. Usually people think that surveillance is so rampant now, that we can’t think that we’re going to have any form of privacy in the future and that’s just not true. What I mean is that people should not give up, or enter into this kind of thinking because it is so destructive. We will always have privacy, even though it may be harder to achieve sometimes and sometimes less, but I would tell you not to give up, not to look at the odds of not having it. Remember the story of my grandfather that I just told you. If you had thought about the odds of getting free and if you had listened to those who told you that if you were crazy, we wouldn’t be here today talking. It’s just not going to happen that there’s no privacy, and don’t forget that there are also chances that things will be done that will increase privacy. 

For example?

For example, in this regard, I would like to emphasize to your readers that there are certain relevant concepts, of which we hear little, such as “centralized identity” or “decentralized”, that influence privacy. 

The foundations are being laid for what is called “the decentralized identity”, which consists of large companies such as Microsoft, IBM…, allowing individuals to control their identity and personal data managed by these companies, instead of having their identity located in a centralized database as Google or Facebook do. In this sense, the database would be moved to a safe place, under the control of the individual who can control how they are identifying the information they give, as well as counteract the type of surveillance that may be taking place. I say this as an example that we can’t give up, think of Apple and their end-to-end encryption and how it’s growing big time, and that they will also increase the number of new protection techniques, so you don’t have to give up on privacy. You have to find ways to protect your own information, especially in the online world, especially in these times of Covid where everything is digital, and take some steps to protect your identity online, taking care in this area, and above all, I reiterate, do not give up. The world of privacy is a growing, developing world. 

Do you think that people, despite the privacy warnings, give their personal data very happily to anyone who asks for it? 

Generally speaking, it takes time for people to learn why they need to have more control over their information and not just leave it in the hands of others, and so companies are getting extra knowledge, so knowing your own information is critical. We have privacy policies from design, privacy regulations, access to information that companies have about us, and we know how data can affect us in the hands of others. We can do all this. But also, on the other hand, many companies have privacy certificates, from design, and it helps them. I have been told by many companies that it helps them to build a business relationship based on trust with their customers. 

Does transparency in the management of personal data policies help? 

Yes. This transparency with personal data, in fact, as companies recognize me, benefits them because they have thousands of personal data, and the intervention of people (the data owners) helps them to catalogue the personal data, update it, discard it, register it, … in a way that increases the quality of the information.

When people have access to their own data, it really is a “win-win” situation for all parties involved, where the interests of one party do not conflict with those of another. In fact, privacy from design and allowing access to personal data stored by companies to the interested parties themselves, is above all a game where everyone wins, and not where one wins if the other loses, of zero sum. Companies win over the quality of the information, and people win by having control over the information they want to share with the companies. 

To what extent can your seven fundamental principles of privacy stop what seems to be an unstoppable tendency to transform the notion of privacy after the appearance of Covid-19? 

I’m not going to suggest that this is not a difficult time. Whenever you are faced with a pandemic like Covid-19 it is, and governments tend to want to take advantage and access your information, your personal information. Fear is free, people are so scared that they say it’s okay to be that way, that if they have to disclose their information that’s okay, they want to be safe, they want to know who has Covid and who doesn’t. This is something I have been fighting against strongly lately, and really, we can’t accept this.

I don’t know if it exists in Spain, I suppose it does, but in Canada there is an App that tracks the contacts you may have had, in relation to Covid, which is based on the Apple-Google framework, which fully protects privacy. 

Why is it good for privacy? 

First, an individual can choose to download the app or not, which will send them something like “exposure notification”. You are notified that you have been exposed to someone who is within 2 meters of you and who has tested positive for Covid and date. Then, secondly, this individual then decides what to do with this information, whether to go to your family doctor or to the health authorities. I fully support this because from the point of view of privacy it is 100% effective. 

What would you tell people about their privacy in times of pandemic?

What I try to tell people when I do all my interviews with the media is that we have ways of protecting privacy and improving protection against Covid, and we can actually do both, you can’t conceive of one against the other. 

In fact, 300 epidemiologists from around the world, from 26 countries, wrote an open letter to the government of their respective countries and said that if states were going to get involved in surveillance for Covid testing, etc…. they should work on privacy in the reporting methods associated with surveillance, otherwise people will not conform and participate in surveillance programs and it will be a doomed strategy. Therefore, ways can be found to marry public health and privacy. Both aspects are relevant. We must rule out zero-sum, win-lose, all-or-nothing games. Privacy is not about that, but about the fact that its preservation is good, even in the strategy of public health surveillance, because it encourages people’s participation (in public health measures that include digital applications and notifications). 

Finally, people should check if the Covid surveillance and notification apps that are installed are developed under the Google-Apple framework or standards, because at the beginning, for example, Australia and England did not do it under this framework, and there were hardly any people who downloaded it, because they understood that it did not protect their privacy. This is no longer the case, as both countries changed to the framework set by Apple-Google, and as a result, the App was much more successful among the population.  

Germany, on the other hand, with this Apple-Google framework developed another App a few months ago, and at 24h it had more than 6.5 million downloads and I think they have reached 40 million, because Germany has an excellent personal data protection policy. Germany told its citizens that it could not identify them, which was impossible thanks to the excellent development carried out by Apple and Google. 

Can privacy be the instrument to solve the problems of inequality that can be generated by the use of data (some people as net contributors of personal data to companies, and others, the opposite)?

This is a very good question, and not an easy one to answer, because it will depend on the subjects, the people, and the use they make of their own personal data, and actually, many people do nothing about it, although I hope they adopt some protection to protect themselves. As individuals engage in activities that may compromise their personal data, and do so from a privacy perspective, this can have a significant impact in terms of the added value individuals can derive from the use of digital technologies (without them being a source of danger to their personal data). 

I urge people not to remain in the background but to participate in the protection of their data and, I am not suggesting that they should not disclose their data, but rather ask themselves when dealing with companies, when they are interested in what a company offers, if their information is going to be used by them, for what purpose, etc., or if they are going to hand it over to third parties and then pass the question on to the companies. 

Therefore, it is a matter of establishing a mutually beneficial relationship between individuals and companies, so that the former are willing to learn more about the companies, to become interested in the goods and services they offer to consumers, that is, to receive useful information from the companies, and the latter, in turn, benefit from having the consumers (to do business with them by protecting their personal data). In short, it is about encouraging people to participate and have a voice to say what they want and don’t want and this will serve their needs enormously.