'Not good enough': Toronto privacy expert resigns from Sidewalk Labs over data concerns

A privacy expert who resigned this week from her role as an advisor to Sidewalk Labs, the Google sister company set to build a "smart" neighbourhood on Toronto's waterfront, is concerned that the "treasure trove" of data will be vulnerable to attacks.

Former Ontario privacy commissioner Ann Cavoukian resigned late last week

Former Ontario privacy commissioner Ann Cavoukian said she is worried that Sidewalk Labs has not gone far enough to ensure people's personal information is safe from bad actors. (CBC)

A privacy expert who resigned this week from her role as an advisor to Sidewalk Labs, the Google sister company set to build a "smart" neighbourhood on Toronto's waterfront, is concerned that the "treasure trove" of data collected there will be vulnerable to attacks.

The departure of Ann Cavoukian, Ontario's former privacy commissioner and current Ryerson University fellow, is just the latest blow to the ambitious, data-driven project.

Cavoukian said Sunday she chose to resign after a Thursday meeting between Sidewalk Labs and Waterfront TO, the organization responsible for revitalizing the city's lakeshore.

It was there that Sidewalk Labs revealed that, while it has committed to stripping all of the data it collects of personal identifiers, it could not guarantee that other groups participating in the project would do the same. 

"When I heard that, I knew I had to resign," Cavoukian said in an interview on CBC News Network. 

The 12-acre smart neighbourhood, called Quayside, would undoubtedly amass an extraordinary quantity of data from sensors embedded into the physical infrastructure. A key part of Cavoukian's advisory role was helping Sidewalk implement privacy-protecting measures into the design of the area.
Sidewalk Labs has proposed the redevelopment of what's currently a stretch of parking lots and former industrial space along Toronto's eastern waterfront. (Sidewalk Labs)

Most critically, she has advocated for stripping any given data point of all personally identifiable details right away using well-established techniques, as there is no opportunity for people to actually consent to collection of the information. For its part, Sidewalk Labs has committed to doing that. 

On Monday, however, the company proposed that all of the data generated by Quayside be kept in a "civic data trust." This way, no one entity would own all of it. 

"This trust would approve and control the collection of, and manage access to, urban data originating in Quayside," wrote Alyssa Harvey Dawson, head of data governance at Sidewalk Labs, in an online post

"The civic data trust would be guided by a charter ensuring that urban data is collected and used in a way that is beneficial to the community, protects privacy, and spurs innovation and investment."

Doubts about data security

But there was a catch, Cavoukian said. De-identification of data by the various stakeholders in the trust would not be mandatory, only "encouraged" by Sidewalk Labs.

"That's not good enough," Cavoukian said. "The only way to address this issue to ensure privacy — which I must do — is to de-identify at source at the time of collection."

In her resignation letter sent to Sidewalk Labs on Friday, Cavoukian phrased her concerns this way:

"Just think of the consequences: If personally identifiable data are not de-identified at source, we will be creating another central database of personal information (controlled by whom?), that may be used without data subjects' consent, that will be exposed to the risks of hacking and unauthorized access," she wrote. 

"As we all know, existing methods of encryption are not infallible and may be broken, potentially exposing the personal data of Waterfront Toronto residents! Why take such risks?"

Saadia Muzaffar, tech entrepreneur, author and founder of TechGirls Canada, also left her advisory role, citing 'profound concerns' about the Quayside project. (CBC)

Cavoukian's departure comes weeks after TechGirls Canada founder Saadia Muzaffar left her role on the advisory panel. Muzaffar said she had "profound concerns" about apparent "a lack of leadership regarding shaky public trust" and what she considered unacceptable questions around privacy and intellectual property. 

The Quayside project, announced last October by Waterfront TO, has proved a lightning rod for criticisms from digital privacy advocates, who have argued that Sidewalk Labs has not been forthcoming enough about what data might be used for. 

Cavoukian said she hopes her resignation will spark a wider discussion about the project can be built while ensuring that privacy is protected.