Michael Geist writes that the Privacy Commissioner of Canada should be more transparent and name the web sites that were leaking consumer information. Commissioner Stoddart had declined to do so:
The Privacy Commissioner has not exercised her discretion to publicly name the specific tested organizations at this time. The research was designed to offer a snapshot of the Canadian context and it is likely that a significant number of other Canadian sites may also be leaking personal information.
On some level, I appreciated the hat-tip to fairness: you’d be hurting the reputation of the firms whose sites you tested while many other sites would not get the bad press – but only because they weren’t tested. And while naming some names might alert consumers to risks on those sites, could it give a false sense of security about sites not named only because they weren’t tested?
But I also understand Michael’s position as I generally – and strongly – endorse the idea of transparency about breaches.
Michael writes:
The decision to keep the public in the dark about privacy leakage raises its own set of concerns. While the study may cause some embarrassment for the affected sites, the preliminary findings suggest that those sites are violating Canadian law. Moreover, by keeping the identities of the sites secret, Canadians are unable to take action to mitigate the risks they face due to the privacy leakage.
The secrecy approach is particularly surprising since Stoddart has publicly admitted that she is uncomfortable with the practice. In her first speech following the renewal of her mandate in January 2011, Stoddart acknowledged “to be candid, I have a growing discomfort with the secretive nature of how we work under PIPEDA.” She added that “it seems to me that not naming names is robbing the Canadian public of much of the educational value of our investigative findings.”
What do you think the Commissioner should have done under these circumstances? And what should she do now?
Read more in the Toronto Star.