Our comprehensive report on surveillance in Canada is available. Download it here.

Trend 4 – The Growing Ambiguity of Personal Information

Trend 4 – The Growing Ambiguity of Personal Information: From Personally Identified to Personally Identifiable

It is more difficult to decide what information is private and what is not. Your name or social insurance number clearly identify you as an individual, but what about a group photo in which you appear that is later posted on Facebook or a picture taken by a traffic camera of your car licence plate number? Each can be used to identify or track you.

The meaning of personal information is changing. There was a time when it was relatively clear what “personal information” was. It was your name, your street address, perhaps also an official government-issued ID, such as your Social Insurance Number. By and large, we also knew how and when others were using this information to identify us. No doubt, confusion and misidentification occurred from time to time, but we were typically identified in ways that were familiar—and transparent—to us.

To a large extent, we also expected, or trusted, organizations we knew to protect our privacy, which they did by protecting other information linked to our personal identifiers—our bank records, our census returns, our consumer credit histories, our library borrowing record, and so on. If we did not want to be contacted by someone we did not know, we could get an unlisted telephone number.

Times have changed.

Canada’s public safety authorities, in attempts to update and extend the ability of law enforcement agencies to access the information that identifies us online by saying that the various ways in which we are identified online are no different from “phonebook data” that link a phone number to a name and a residential address. Just as the police can find out who the subscriber of a particular telephone number is, they should be able to find out who is behind the multiple identifiers that allow each of us to communicate and network online. Here, the government is making a convenient but dubious distinction between this “subscriber data,” which police would not need a warrant to access (just as they do not need a warrant to look you up in the phonebook), and the content of your communications, which would require prior judicial authorization (a warrant) on a standard of reasonable and probable cause that a crime has been, or will be, committed.

Our subscriber information is not, however, the same as our phonebook listing.1 How we are identified online is complex and dynamic. Online communications involves many more identifiers than our name, phone number, and address. How many of us know about, let alone can decode, the following: the Internet Protocol (IP) address, the mobile identification number (MIN), the media access control (MAC) number, the Service Provider Identification Number (SPIN), the electronic serial number (ESN), the International Mobile Equipment Identity (IMEI) number, the International Mobile Subscriber Identity (EMSI) number, and the subscriber identity module (SIM)? Each of these identifiers can potentially be traced back to a unique user. So that is the first point. We are now identified in ways that are highly technical and largely mysterious. Most of us have no clue how we are identified online.

The second point is that using the Internet is not like using a telephone. It is not just a communications medium but the basic platform through which many of us engage in essential professional, personal, and political tasks: booking hotels and flights, social networking with friends and colleagues, shopping for books and music, organizing our lives through calendars, and conducting research. This information can be far more revealing about our lives than what we may say during telephone conversations. How we are identified through digital networks, therefore, provides important insights into who we are, what we do, whom we do it with, and when and where we do it.

Thus, the scrutiny of identifiers by organizations can reveal enormous amounts about our daily lives. If you want to test who might have access to your browsing habits, install a free download program like Collusion or Ghostery. Within seconds of browsing, you will see a list of ad networks or Web analysis and reporting tools that are tracking and sharing information about your online activities. Browse around further, and the list multiplies and spreads like a spider web. In the online world, we have become “identifiable” even if we are not “identified.”

Are IP Addresses Personal Information?

Every device connected to the public Internet is assigned a unique number known as an Internet Protocol (IP) address that allows applications to send information—like browsing results and email—to the correct recipient. IP addresses consist of four groups of numbers separated by periods. Since these numbers are usually assigned to Internet service providers within region-based blocks, an IP address can often be used to identify the user’s general location. But the issue gets complicated because some IP addresses are dynamic, changing frequently.

The privacy commissioner of Canada has said that an IP address is personal information:

An Internet Protocol (IP) address can be considered personal information if it can be associated with an identifiable individual. For example, in one complaint finding, we determined that some of the IP addresses that an Internet service provider (ISP) was collecting were personal information because the ISP had the ability to link the IP addresses to its customers through their subscriber IDs.2

In spite of such decisions, there is a significant and long-running battle over whether the IP address is, or is not, personal information for the purposes of privacy law. The answer to this question is crucial for determining whether the average Internet user has any personal privacy rights over his or her searches, browsing habits, blog posts, or social networking activities. Google’s official position is that an IP address is not personal information because it identifies a machine and not a person.3 Many users may share one computer with a single IP address—members of the same family, for instance, or employees within a business, or students who share a library computer terminal. An Internet service provider will be able to associate the IP address with a home or business account but not (at least not ordinarily) to any particular person using a device linked to the Internet.

The mobility of our devices means that we are continually connecting to the Internet at coffee shops, airports, and other public places through a number of IP addresses. Although an IP address is rarely going to be directly related to one identifiable individual, it is how the IP address is combined with other information (or could reasonably be combined with other information) about tastes, behaviours, and interests that has privacy advocates concerned.4 If you knew and combined enough online and offline information, you might have enough data to make a highly probable (sometimes almost perfect) guess about who was doing what, when, and where.

Confusions around Personal Information and Privacy

A related point is that individuals can be positively identified even when none of their personally identified information, like their name or address, is available. This is accomplished simply by combining other basic and non-identifiable information about them. A recent study of a random sample of people living in Montréal shows that almost 98 percent could be positively re-identified by name if one knew three variables: date of birth, gender, and postal code.5

Another source of confusion around traditional understandings of personal information relates to social networking. Traditionally, we conceived privacy concerns as stemming from personal information about individuals being collected and processed by organizations. Big organizations primarily control personal data, which they analyze using the latest technologies in order to make decisions about individuals in their capacities as consumers, clients, students, employees, and so on.

If we produce user-generated content, does that personal information belong to us or to the companies whose platforms host it? Do these organizations have a responsibility to apply all the privacy principles to the data we provide? Our regulators tend to say yes, insisting that social-networking ser- vices are data controllers, whatever the source of the personal data processed.6

Companies tend to see things differently, which is apparent from the definitions of “personal information” contained in their official privacy policies, as documented by a recent study of the most popular twenty-four social-networking sites used in Canada.7 Predictably, conceptions of which characteristics accurately define personally identifiable information vary across these sites. Visit the Canadian Access to Social Media Information (CATSMI) project to see just how various SNSs define the information they collect about you, and the implications they have for privacy.

A final brief example refers to metadata—the data about the data—which typically includes identifiers such as users’ IP addresses, their operating systems, and any information gained from cookies. This is information that can subsequently be used not only to identify individuals and their personal browsing habits but also to track their physical location. Of the twenty-four SNSs surveyed in the CATSMI research, not one identified any element of metadata as personally identifiable information, nor did any of them give users any expectation of privacy regarding their metadata. Unsurprisingly, the motivation for this treatment of metadata is overwhelmingly couched in the language of the SNS’s efforts to improve the user experience. IP addresses or cookie information are necessary, it is reasoned, to combine services, to prevent problems, to keep products safe, and, generally, to tailor one’s use for a more “personalized” approach. The broader privacy implications are rarely addressed.

Conclusion

The contentious and confusing definition of personal information exposes a basic problem with trying to use privacy laws to address the entire range of social problems captured by the word surveillance: surveillance can occur even when personal information is not collected. The examples above demonstrate that the information available about us online cannot be split into two neat categories, some of it personal and some of it non-personal. Rather, the risks to privacy tend to depend on what organizations assume about us when they collect information about us and on how likely it is that they will be able to use our information to identify us individually.

This trend also confronts us with a larger question about how to understand this looming social problem in political terms. Privacy analysis and privacy law tend to begin and end with the existence of personally identified or identifiable information. If no claim can be made about the actual or potential linkage between a surveillance practice and a specific individual, then the privacy regime cannot help.

One major contribution of surveillance scholarship is the insistence that power relations are present between the watchers and watched even when personal information is not captured. Surveillance technologies structure power relations and imbalances between individuals and between individuals and organizations, whether personal data are captured or not. If no personal data are collected, it is difficult to contend that a “privacy problem” per se exists. Yet power is and can be exercised without any personally related data being captured, anonymized or otherwise. The growing ambiguity and complexity of these questions brings into focus the range of surveillance problems that lie outside the very broad realm of personal privacy protection.8 Read the full trend in the free download of the Transparent Lives: Surveillance in Canada book.

  • 1. Office of the Privacy Commissioner of Canada, What an IP Address Can Reveal About You: A Report Prepared by the Technology Analysis Branch of the Office of the Privacy Commissioner of Canada, May 2013, http://www.priv.gc.ca/information/research-recherche/2013/IP_201305_e.asp.
  • 2. Office of the Privacy Commissioner of Canada, “Legal Information Related to PIPEDA,” last modified 2 October 2013, http://www.priv.gc.ca/leg_c/interpretations_02_e.asp.
  • 3. Alma Whitten, “Are IP Addresses Personal?” Google Public Policy Blog, 22 February 2008, http://
  • 4. Paul Ohm, “Broken Promises of Privacy: Responding to the Surprising Failures of Anonymization,” UCLA Law Review 57 (2010): 1701–77.
  • 5. Khaled El Emam, David Buckeridge, Robyn Tamblyn, Angelica Neisa, Elizabeth Jonker, and Aman Verma, “The Re-identification Risk of Canadians from Longitudinal Demographics,” BMC Medical Informatics and Decision Making 11, no. 46 (2011), http://www.biomedcentral.com/1472-6947/11/46.
  • 6. See, for instance, EU Article 29 Data Protection Working Party, Opinion 5/2009 on Online Social Networking, adopted 12 June 2009, http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2009/ wp163_en.pdf.
  • 7. Colin J. Bennett, Adam Molnar, Christopher Parsons, Brittany Shamess, and Michael Smith, An Analysis of SNS Policies, unpublished report funded through the Office of the Privacy Commissioner of Canada’s Contributions Program, 2012.
  • 8. See Colin J. Bennett, “In Defense of Privacy: The Concept and the Regime,” Surveillance and Society 8, no. 4 (2011): 485–96.

Creative Commons LicenseIf you have any questions regarding this website or our work, please feel free to contact us. For information about what data we collect, please see our Privacy Policy.