'Not good enough': Toronto privacy expert resigns from Sidewalk Labs over data concerns
Former Ontario privacy commissioner Ann Cavoukian resigned late last week
A privacy expert who resigned this week from her role as an advisor to Sidewalk Labs, the Google sister company set to build a "smart" neighbourhood on Toronto's waterfront, is concerned that the "treasure trove" of data collected there will be vulnerable to attacks.
- AnalysisSidewalk Labs says its 'smart' neighbourhood will respect your privacy — but proof is in the details
Cavoukian said Sunday she chose to resign after a Thursday meeting between Sidewalk Labs and Waterfront TO, the organization responsible for revitalizing the city's lakeshore.
It was there that Sidewalk Labs revealed that, while it has committed to stripping all of the data it collects of personal identifiers, it could not guarantee that other groups participating in the project would do the same.
"When I heard that, I knew I had to resign," Cavoukian said in an interview on CBC News Network.
Most critically, she has advocated for stripping any given data point of all personally identifiable details right away using well-established techniques, as there is no opportunity for people to actually consent to collection of the information. For its part, Sidewalk Labs has committed to doing that.
On Monday, however, the company proposed that all of the data generated by Quayside be kept in a "civic data trust." This way, no one entity would own all of it.
"This trust would approve and control the collection of, and manage access to, urban data originating in Quayside," wrote Alyssa Harvey Dawson, head of data governance at Sidewalk Labs, in an online post.
"The civic data trust would be guided by a charter ensuring that urban data is collected and used in a way that is beneficial to the community, protects privacy, and spurs innovation and investment."
Doubts about data security
But there was a catch, Cavoukian said. De-identification of data by the various stakeholders in the trust would not be mandatory, only "encouraged" by Sidewalk Labs.
"That's not good enough," Cavoukian said. "The only way to address this issue to ensure privacy — which I must do — is to de-identify at source at the time of collection."
In her resignation letter sent to Sidewalk Labs on Friday, Cavoukian phrased her concerns this way:
"Just think of the consequences: If personally identifiable data are not de-identified at source, we will be creating another central database of personal information (controlled by whom?), that may be used without data subjects' consent, that will be exposed to the risks of hacking and unauthorized access," she wrote.
"As we all know, existing methods of encryption are not infallible and may be broken, potentially exposing the personal data of Waterfront Toronto residents! Why take such risks?"
Cavoukian's departure comes weeks after TechGirls Canada founder Saadia Muzaffar left her role on the advisory panel. Muzaffar said she had "profound concerns" about apparent "a lack of leadership regarding shaky public trust" and what she considered unacceptable questions around privacy and intellectual property.
The Quayside project, announced last October by Waterfront TO, has proved a lightning rod for criticisms from digital privacy advocates, who have argued that Sidewalk Labs has not been forthcoming enough about what data might be used for.
Cavoukian said she hopes her resignation will spark a wider discussion about the project can be built while ensuring that privacy is protected.