My Warning for Waterfront Toronto on Sidewalk Labs Open Door to Data in the MIDP ‘Realignment’ Summary

Computer code on screen

This morning I attended the Waterfront Toronto Board of Directors Meeting and while the initial summary of ‘realignments’ from the original Sidewalk Labs / Sidewalk Toronto Master Innovation and Development Plan (MIDP) seemed a positive move forward, one point in the summary handout is deeply problematic.

my tweet from this am on first reading of the summary

Dark Pattern Designs

The underlined text is a clear example of “dark pattern” design – in this instance, language that obfuscates and/or manipulates attention and perception to the advantage of the corporate interest. Here ‘commercially reasonable efforts’ defers an ethical treatment of data to established, current practices in the commercial sector. The legal loopholes and exceptions this phrasing enables means you might as well say, whatever we can get away with legally, as per our Terms of Service, we will.

Let me give examples from a current *live* Privacy Policy that demonstrate how much personal and non-personal data is legally collected and used. The following sections are from Calm, the #1 Sleep app, Apple’s Best of 2018 Award Winner, Apple’s 2017 App of the Year, and ‘The Happiest App in the World, according to the Center for Humane Technology. Most striking (see below), is how user data is clearly stated to be a ‘business asset’ that can be disclosed or transferred in the event of a bankruptcy.

You can read the full privacy statement here, (downloaded it’s a 22 page PDF). Note that you have to link to the statement from the Terms of Service page, a deliberate second step designed to deter users from reading the privacy policy.

Data Collection

Note below the range of data collected automatically and that none of this data is ‘personal information.’

Automatic Data Collection. Calm.com Privacy Policy

In this section, ” commercially reasonable” includes accessing personal information from other sources:

Note below the extensive collection of non-personal data: device identifier, user settings, location information, mobile carrier, and operating system of your device.

Anonymized Data

Note below how anonymized personal Information is aggregated, encompassing de-identified demographic data and de-identified location information, for further use. As such, “Anonymized and aggregated information is not Personal Information, and we may use such information in a number of ways…”

The security of anonymized data is tenuous, as researchers at different UK universities in July 2019 “published a method they say is able to correctly re-identify 99.98% of individuals in anonymized data sets with just 15 demographic attributes.”

“Commercially Reasonable”

All of the above data collection and data use is “commercially reasonable.” The second major flag in the continue of the sentence I underlined is the “process[ing] of non-personal data.” As a data category, this functionally includes anything / everything that is not personal, from web-browsing and search history included, to any other online activity, cross device and cross platform that you engage in.

Suffice to say, this particular phrasing gives Sidewalk Labs a firehose of data to analyze and add to pre-existing user activity digital profiles, which we all have as Google/YouTube ad targets. Waterfront Toronto should be absolutely concerned as to what this statement legally allows. I find it laughable as to any assurance of data privacy protection.

If you haven’t read my prior posts on data privacy and children, a demographic more heavily regulated than adults, you can read these here:

“We street-proof our kids. Why aren’t we data proofing them?” Sept. 29, 2019

“Protecting children’s data privacy in the smart city.” May 15, 2019

Can We Trust Alphabet & Sidewalk Toronto with Children’s Data? Past Violations Say No.

Tweet capture of my deputation before the Executive Committee

I spoke today before the City of Toronto Executive Committee on the update to Quayside, and the proposed Master Innovation and Development Plan from Sidewalk Toronto. The full text of my statement on the question of “Can We Trust Alphabet & Sidewalk Toronto with Children’s Data?” is below, though my public deputation was slightly shorter. You can watch my deputation here, starting at 2:55:38. The text is below:

Deputation to City of Toronto Executive Council

Good afternoon and thank you for the opportunity to speak before you today. What I will speak to is a small segment of a larger academic study examining how big tech and entertainment conglomerates are handing children’s data and my paper on Big Data, Disney, and the Future of Children’s Entertainment was published yesterday.

To clarify – to speak to Councillor Fletcher’s question, in Canada and the US children under 13 are deemed to be minors, and cannot give consent, hence terms of use requiring parental consent on most websites. In the EU, with the enforcing of the General Data Protection Regulation (GDPR) in May 2018, all but two countries raised the age of consent to 16. the Office of the Privacy Commissioner of Canada (OPC) recognizes children as vulnerable and deserving of special considerations: they cannot make informed decisions as to what they are agreeing to. We do not have adequate legislation in Canada to regulate today’s data collection practices, generating pseudonymized consumer profiles via cross-browser fingerprinting and other methods.

illustration of Quayside from Sidewalk  Toronto
Do you see children in this illustration from Sidewalk Labs? I do.

My findings on Alphabet’s subsidiary companies are alarming, well-documented internationally, and raise serious questions as to whether we can trust a big tech company to self-regulate. Alphabet’s subsidiary companies, Google, YouTube, and Google Play, have an established pattern of violating children’s data privacy due to variously: 

  • Broadly, an (over) reliance on AI to serve ads and content recommendations;
  • a lack of human oversight on app developer practices in the Google Play store; 
  • a lack of human oversight on YouTube resulting in pedophile comments on child posted videos, documented in major media coverage in 2017 and again in 2019; 
  • an overreach as to data collection of minors and teens via Google Chromebooks introduced in American schools in 2017 whereby account holders had to opt-out of data collection.

Let me detail two instances further:

  1. A 2018 academic study, “Won’t Somebody Think of the Children?: Examining COPPA Compliance at Scale,” published in the Proceedings on Privacy Enhancing Technologies, found that “thousands of Android apps potentially violated the Children’s Online Privacy Protection Act or COPPA in the US. “The study examined  “5,885 child-directed Android apps from the US Play Store, which are included in Google’s Designed for Families programme, and found that “Overall, roughly 57% of the 5,855 child-directed apps that we analysed are potentially violating Coppa.” A complaint from the Campaign for a Commercial Free Childhood to the FTC in the US expanded on how the Google Play Store apps were marketing to children and in turn, violating children’s privacy.
  2. James Bridle’s 2017 essay “Something is Wrong on the Internet” launched a media storm of concern as to the lack of regulation for child-directed bot-generated videos on YouTube Kids, thousands of which offered disturbingly violent, copyright-violating content. In April 2018, YouTube Kids finally launched “new features that allowed parents to create a white-listed, non-algorithmic version of its Kids app,” after months of parent and consumer advocacy groups demanding this function.

The consistent documented pattern across Alphabet’s companies is a failure to enforce secure data privacy for children under 13 until an external organization calls attention to violations. Why is this important for Quayside? Sidewalk Labs is a sister company to three of Alphabet’s subsidiaries, all of whom have failed to meet compliance requirements (more than once) with repeated international outcry, so there is no basis to expect that Sidewalk TO will be any more reliable as to protecting or respecting the privacy of minors. 

As John Thackera stated, Trust is not an algorithm. So, can we trust companies who trust in algorithms? Based on existing documentation, we should not assume we can trust Alphabet’s Sidewalk Toronto to consistently respect the data privacy of our most vulnerable citizens, as sister companies have not in the past. Currently, so called “urban data” gathered in public spaces will scoop the data of minors and treat it as adult data, unless protections are clearly designed and executed. Clarity as to how we can ensure the consistent protection of the data privacy of children and youth must be central to our discussions of technology globally and to Justin Trudeau’s proposed Digital Charter in Canada. It behooves us to be very circumspect as to trusting Alphabet’s Sidewalk Toronto with our children’s data.

See my post on Medium on “Protecting Children’s Data Privacy in the Smart City.

Note: The New York Times published a report, “On YouTube’s Digital Playground, an Open Gate for Pedophiles,” on Monday June 3, 2019, that AGAIN, YouTube’s algorithms are pushing child-created content to pedophiles, resulting in mass *swarm* activity in views and on the comments. The instances I referred to were from 2017 and February 2019.