Canada's superior privacy laws are a good reminder of where the US falls short.
When California lawmakers proposed the Right to Know Act in 2013, tech companies grew worried. The bill, designed to make it possible for state residents to ask private companies for a copy of their personal information, was championed by digital privacy advocates. But Silicon Valley lobbied against the bill, viewing it as a burden.
One tech industry lawyer told The New York Times that the proposed legislation was "not workable" and too broad in scope—despite the fact those same tech companies already contend with similar laws in places such as the European Union. The bill never passed.
In Canada, however, you can glimpse what could have been. The country has long had a national privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA), that governs how companies store, collect, and use a person's data. Not all companies are forthcoming about their data collection practices, nor how your data is used, and that's where laws like PIPEDA come in. You can go to any company, even those based outside of Canada, and ask for a record of all of your information the company has collected, how long it's stored, and who it's been shared with. The company is legally required to comply.
"Compared to the United States, we do have these rights of access, whereas Americans do not," said Andrew Hilts, who is the executive director and research lead at the Canadian not-for-profit Open Effect, and a research fellow at the University of Toronto's Citizen Lab.
The process can still be daunting, though, which is why Open Effect, in partnership with The Citizen Lab, created an assistive tool. When it first launched in 2014, Access My Info (AMI) made it easy for Canadians to ask some of the country's internet and cellphone providers for access to all logs, IP addresses, text message metadata and more. Two years later, Hilts has rebuilt the site from scratch, with funding from the Canadian Internet Registration Authority (CIRA), and added a range of new companies that users can request their data from.
The revamped version went live on Tuesday.
You can now ask OkCupid for stored "lifestyle information" such as your "drinking habits or sexual preference information," for example, or request that FitBit provide records detailing your "step activity, heart rate, sleep patterns, food intake"—just two of the many fitness tracking companies and dating services that can be queried through the site.
There is the option to query two agencies within the Government of Canada so far, and Hilts says that additional categories, including "transportation apps" such as Uber, Zipcar, and car2go, are on the way.
That AMI exists at all is a stark reminder of the differences between US privacy law and other jurisdictions around the world, and a window into what life for some Americans would have been like if the Right to Know Act had passed. After all, what makes the tool possible isn't some special arrangement with private companies, nor technology designed to extract personal data in a novel way, but good old-fashioned Canadian law.
The whole process takes a few minutes: You choose the service that you'd like to query, select the categories of information you're interested in, and then AMI generates a letter. It even tells you where to send it. Canadian law dictates that companies have 30 days to respond—though that's not to say you'll get a timely or satisfying answer.
Companies that do business in Canada must adhere to Canadian law, but it's not clear how some internationally-based services will respond, if at all, according to Hilts—and there are no fines or other penalties for a company that chooses to ignore your request. Of those that have responded to past requests, the responses have rarely been perfect. And after a letter is generated, it's ultimately up to the user to follow up with the company.
But when companies do respond, "it could be valuable for people just to learn the extent of the data that's being collected, and how it's being categorized and processed, and just how it's being used," says Hilts. "And with that information they can figure out whether they're comfortable with that arrangement."
The idea is that, by making an otherwise arcane process easier—and expanding the types of organizations to which Canadians can send requests—people that might not otherwise be familiar with Canadian privacy law or understand the types of data they can access will be more inclined to exercise their legal rights. In the months after AMI was first announced in 2014, thousands of Canadians sent requests to internet and cellphone providers using the tool. It's unlikely they would have done so if AMI did not exist.
Though some, such as Google, offer data export tools, Hilts says the results are usually less complete than what the AMI tool requests—for example, "metadata type information, and information about profiles that have been generated about you based on your activities." Such data may not be consciously created or inputted by the user, but is personal information nonetheless.
"People only found out what data Ashley Madison was actually collecting on people due to the data breach," Hilts says. "So I think by using something like Access My Info, people can find out what data is out there about them, and thus, what could actually end up leaking in the event of a data breach."
As long as you live in Canada, of course.