Digital Privacy Quest

● This quest is completed in this document. ● Unless you have been given a copy of this document in G Suite Classroom, you will need to make your

own copy. Do this by clicking File; Make a copy. Hand the Quest in by sharing it with your instructor. ● This quest includes a weave of ideas and activities which may not be able to be completed in one

sitting, as it is estimated that the quest will take a good three to four hours. ● Use the Table of Contents below to navigate to through sections you have completed. ● Bloom’s Taxonomy: You will find

some of the activities only hit the lower levels of learning complexity, to “understand”. As you progress in the quest, you are invited more and more to “apply” and “analyze” for deeper learning.

Use the red arrow to quickly navigate back to the top.

Table of Contents Table of contents items are hyperlinks

Table of Contents 1

Part I: Context 2 Your hosts for this Quest: 2 Where do you complete this quest? 2 What is this quest about? 3 Video Activity 6

Part II: Government Access to Personal Information 6

Government Access to Personal Information Activity 7

Part III: Concerns About Privacy 10 Canadian Concerns About Privacy 10 Canadian Concerns About Privacy Activity 14 Canadian Concerns About Privacy: Search Algorithms - Invasive or Helpful (or both)? 14 Yesvi & Novi Argument Activity 17 So, What Are We Worrying About? 17 So, What Are We Worrying About? Activity 19

Part IV: Your Privacy Plan 19 Maintaining Your Own Privacy 19 Maintaining Your Own Privacy Activity 22 Ensuring the Privacy of Your Students 23 Ensuring the Privacy of your Students Activity 23

Part V: Full Circle 24 Back to FIPPA 24 FIPPA Consent Form Requirements: 27 FIPPA Consent Form Resources: 27

Hand in this Quest 27

Part I: Context

Your hosts for this Quest: ● Novi (right) the “cup is half empty” brother (Pessimistic, cautious)

● Yesvi (left) the “cup is half full” brother (Exuberant, enthusiastic)

● Avi (bottom) the “cup is a cup” brother (Whatever works)

● Want more details about your hosts? Click here.

Where do you complete this quest?

This is a quest that is completed in this document. If you did not get a copy of this in G Suite Classroom, you can make your own copy by clicking: File; Make a copy.

What is this quest about?

In our continuously connected modern existence, data is flowing through the electronic ether in quantities that are… well… awe-inspiring, and growing. Even those who think they do not have private data floating through wires and servers do have private data floating through wires and servers. This quest has you focus on:

● Privacy: Yours and your students’ online privacy ● The privacy “game” governments are “playing” in their attempts to balance security with personal

privacy. ● BC’s FIPPA (Freedom of Information and Privacy Protection Act) Legislation ● How to keep your and your students’ information more private.

We start this quest with the person who requested we do this quest: Novi

Novi: What a mess! FOIPPA! FIPPA! FLIP! Yes. I think it is a mess. It's not that I don't agree that we should be aware of Freedom of Information, especially with the Patriot Act in the United States allowing their security

services way too much access to information on U.S. soil, but that pendulum has swung way too far over to the right. Don't get me wrong, I love "the right", but not when legislation forces me to go through a tonne of work just to be able to use one internet service with my students, AND, an overzealously paranoid parent can say "no" to what I am doing, AND I have to come up with something else for that student! Ridiculous. Did I really just say: "overzealously paranoid parent"! Insensitive? Yup. I am not Yesvi, that polly-anna prince of prissy. Want to complain about my lack of sensitivity? No problem... you know Avi's email address… he is my complaint department (heh, heh). You know there are strange people out there. I know there are strange people out there. Don't get me started. People can look normal as heck and have some pretty strange ideas. And you're not safe anywhere. A few years ago my wife and I were camping... you know, the peaceful kind of camping in a provincial campground with RV generators rattling away and country music blaring throughout the campsite. At a neighboring campsite we saw some folks that looked quite normal and might be fine to talk to. They looked normal: They handled their kids fine; they had upscale camping equipment; they wore clothing that looked like they were just about to go for an expensive hike; and they drove a Subaru Forester. No generators. No country music. No big parties of trucks arriving at their site for the inevitable Hank Williams sing-along. We got to talking. Can you believe it... I was actually being neighborly. That would be the last time… I’m telling you. The husband started telling us about this conspiracy in the US. He started to talk

about Obama's secret internment camps all over the US, where millions of dissenters were being incarcerated... I laughed, thinking he was joking. He was not joking. He looked at me as if I might be a bug that just emerged from under his pillow and he was just about to squash it with his Vasque St. Elias GTX hiking boots (Which I was sure he wore to bed.). HE. WAS. NOT. JOKING! My jaw hit my knees on the way down to the ground where it just lay there like a beached halibut, all quivery and floppy. He drove a Subaru Forester for gosh sakes. If you can't trust a person who drives a Subaru Forester to be normal and boring, who can you trust. I've got to tell you, I love my wife. Nobody else in that situation would have been able to look at me in the eyes and not break up into peels of laughter. She looked at me, and then looked right back at the guy as if there was no wackiness at all, as if he had said that the weather was very fine or that we should sell our Bombardier stock. Normal stuff. I had to get us out of there... and fast. I yawned really big; you know, the mouth-super-wide-open-head-back-arms-stretched-out-as-far-as-they-could-go type of yawn. Said it was time for bed and we excused ourselves. It was only 6:00 PM, but I thought we were pretty convincing. You know we locked the door to our trailer that night. What was I talking about? Oh yeah. I bet it was this very guy, the Obama Internment Camp guy, who, about a dozen years ago, probably a minor assistant ministry official, made a big hooplah about things and made up this FIPPA legislation that makes you work for hours and hours just to get permission from parents to use online tools that might be housed outside of Canada. Again, don't get me wrong, I agree with being aware and making others aware, but the stuff you have to do to get permission is just over the top. Let's say I want my students to have an ePortfolio and I know that one of the best tools is a Web service. Let's say that the easiest and most robust services seem to be something like Weebly or Wix or Blogger, or G Suite. They make it easy for my Grade Six students to develop their ePortfolios and make them look good but without the need to learn a lot about Web design or work with complex services. No problem. All you have to do is create a ten-page consent form (parsed from different forms you find out there), and make sure that every parent signs the form. These forms are scary to read.

Really scary. After reading one of these consent forms you want to shut it all down: Cancel your Internet, your cell phone, and definitely your subscription to Reader's Digest. I like to read these consent forms out loud around the campfire because they’re even more scary than that old "The Claw" story. You heard it. More scary than "the claw" story! You think that all of the parents are going to read these horror stories and sign the forms and send them back to you? What are the odds of doing that without hours of work and frustration. What if you are a Humanities 10 teacher with 120 students? Are you going to go through this process? OK. Well, what about a blanket form filled out by everybody at the beginning of the year. Makes sense. Nope. The Obama Internment Camp dude made sure to close that loophole. Do I sound frustrated and angry. You bet your bunions. This quest is about all of us getting angry together. Oh, oh. Avi heard me... Here he comes. I think I need to go check on the tire air pressure on the old trailer....

Whoa there, Sunshine! Let's just take a breath before we go any further. I get that you are angry, but we need to look at this rationally. Sorry I had to get involved in this quest, but I could see Novi having you writing letters to your councilperson and "storming the capital".

Novi has a good point to make but I think we need a calmer voice to help him. Of course there is a need for an awareness and instruction around the importance of Privacy! I must admit, however, that there are some interesting contradictions and assumptions made by legislation such as FIPPA. It is not just about the extra work in getting permission. Right, Novi!? And! The folks who created the FIPPA legislation didn’t do this because they wanted to make things difficult for teachers. The Office of the Information and Privacy Commissioner (OIPC - both for Canada and BC), along with a whole host of folks who cared about transparency and privacy... created FIPPA. It is big. It is not just about privacy, though; it is also about access to information that was previously not available to folks… about transparency. Let’s not jump to conclusions about the folks who created FIPPA, let’s take a calming breath and watch a couple of videos that gives us a bit of background.

Video Activity

Activity Please read all instructions before beginning

This is an 11 minute video which gives us a bit of background about FIPPA https://youtu.be/J9bMzTCz35M As you can see from the video, this is an important piece of legislation.

Let’s watch another video, created by Kim Madore, which gives us a sense of FIPPA in relation to Public Schools. https://youtu.be/XHMSn0kYkAo

Three things that you learned from these videos

I learned how FIPPA not only protects the privacy of an individual’s information, but also provides a service by allowing access to certain public information. I was more aware of and/or focused on the protection of privacy aspect of the act and didn’t really take in the fact that it also encompasses certain ‘freedoms to information,’ despite its title.

I learned that not all provinces in Canada have the same Freedom of Information and Privacy Acts (i.e. not federal).

I learned about the USA Patriot Act, why it was implemented, and how it enables US law enforcement to surveil any form of communication, including the use of phone taps and viewing private emails.

What do you think about FIPPA legislation at this point in the activity? (min 100 words)

I’m still uncertain as to whether I think FIPPA is really necessary or not, especially as it pertains to K – 12 students. What information could students possess that people would actually want? In fact, that probably applies to most people. Unless someone has something to hide I don’t think it’s necessary to bury or prevent access to information. Those are my initial thoughts. However, I understand that there are many nefarious individuals in our society who seek to take advantage of others through fraudulent means. I don’t actually know how any of this actually works or what kinds of information is of value to these types of people other than, say, credit card numbers, etc., but I have heard certain buzz words such as: identity theft, phishing scams (no idea what this is), and hacking. (Ok, now I sort-of know what phishing is as I had to quickly look it up to make sure I was spelling it correctly.) I do realize that FIPPA legislation was done to protect and uphold the rights of individuals, and would like to trust that there is actually a need for it (unfortunately). I’m still not certain how allowing a middle school student to, for example, write a report on astronauts and posting it in Google Classroom for their teacher could possibly lead to disaster. I would like to think it couldn’t. I’m sure, though, that it is just a small stroke of a much larger picture in which it is included. I look forward to learning more as I move forward through this quest.

Part II: Government Access to Personal Information

Privacy has been an area of interest in BC for quite a while, but it was not until the creation of the Patriot Act in the U.S. that stakeholders in the B.C. Government were convinced of the need for privacy for individuals from access by agencies of the US government, and pushed FIPPA as legislation. (Remember that FIPPA is also about the ability to access information. This was another reason FIPPA legislation was so important.)

There is a bit of a privacy “game” being played by governments all over the world. It is sometimes difficult to keep up with the changes, never mind making useful sense of each of the policies. I feel you need to be a legal expert on the topic of privacy to understand the nuances of the various policies, and the dynamic changes that are playing out as government security agencies sell the notion that privacy should be second to security. Are they correct? Many people feel that privacy is one of our human rights. The UN Declaration of Human Rights has the right to privacy as number 12 on the list of 30 human rights. Let’s see if we can build an understanding, a context, for what the issues are which instigated FIPPA. Why do we care? Well, in understanding Governmental access to our private information, we might be able to make more sense of what it is we need to focus on to keep you and your students safe online. In this section of the quest, we are going to:

● Understand the powers of the Patriot Act (without getting into too many details) ● Understand how the recent EU GDPR (General Data Protection Regulation) has changed the

landscape (Or has it?) ● Ask if our data is safer on Canadian soil?

Government Access to Personal Information Activity

Activity Please read all instructions before beginning

Read

US Patriot Act and Cloud Data For an understanding of the US Patriot Act’s effect on the powers granted to US law enforcement agencies access to private information, we go to lawyer Alex Lakatos, a partner at Mayer-Brown.

This article ...is one of the most accessible to a lay person that I have found thus far. Please note that this article mentions the EU Safe Harbour Agreement, but there are newer regulations in place as of 2018; in this case the GDPR (General Data Protection Regulation) and the Cloud Act. The activity below has you focus on FISA orders, NSLs and MLATs. Why? Please be patient as we weave our way through a few stories to arrive at a better understanding of privacy for our personal information from various governments.

What is your understanding of a FISA order and the associated implications for the privacy of your personal information?

From what I understand, a FISA order allows the FBI to obtain business records pertaining to individuals after being granted permission by a higher court. The reason for doing so is largely for the purposes of terrorism investigations. FISA orders existed prior to the Patriot Act, but the act provided greater access and protections in its use, such as access to tangible items like books and documents. I don’t feel that my own personal information would be affected in any way due to FISA, but I realize that it could be if I use a cloud service provider based in the USA.

What is your understanding of an NSL and the associated implications for the privacy of your personal information?

An NSL is a subpoena that the FBI or other US government agencies can use to obtain records from a number of different businesses and service providers. NSLs can be issued without permission by a higher court and can be used more readily by more people than a FISA order. Things like banking and financial records, as well as email account information (contact information but not email content) can be accessed. As already stated, I don’t feel my own personal information would be affected, but it certainly could. Looking at it from the perspective of a citizen of the USA, I would be much more concerned. Then again, if I am using a web service that is based in the US, I probably should have the same concerns as current US citizens do, and this applies to both FISA orders and NSLs. I just can’t envision what would lead the US government to ever come across my name or want to subpoena any information related to me, and if they ever did, there would be nothing there that could possibly be of interest… or I don’t think so anyhow. So, from the standpoint of associated implications for the privacy of my personal information: if I were using a US based web service and if for some reason the government came across my name and wanted my personal information, then yes, they would be able to access it, and therefore my personal information can no longer be seen as entirely private.

What is your understanding of an MLAT and the associated implications for

MLAT stands for “Mutual Legal Assistance Treaty” and is a treaty between countries where they provide assistance to one another with regards to criminal offenses. From what I understand, this includes the provision of requested data (e.g. personal information) regardless of where it is housed. Although there is now a “data protection provision” where a government can refuse assistance on “data protection grounds,” assistance is rarely denied.

the privacy of your personal information?

As far as implications for the privacy of personal information is concerned, it would appear that an MLAT goes just one step further than a FISA or an NSL and takes that last little bit of protection away from individuals who try to avoid the possibility of having their personal information falling under the close scrutiny of the US government by ensuring they do not use US based web services or those who store their data on American soil. If a government wants access to someone’s personal information, particularly in relation to a criminal offense or suspicion of terrorist ties/activities, they are quite likely going to access it if either you are a US citizen, or a citizen of a country that has an MLAT with the US.

Read

The GDPR (General Data Protection Regulation) changes the landscape. The EU has implemented a stringent set of privacy policies. You may remember in 2018, many sites that you regularly visit (such as Google, Microsoft,...) required you to accept new policies based on GDPR compliance. This was brought about by organizations wishing to “do business” in the EU being required to comply with the new, stringent privacy policies. Matt Burgess, Senior Editor for Wired Magazine, writes an accessible piece describing some of the changes in EU privacy policies. What is GDPR? The summary guide to GDPR compliance in the UK

SCAN

GDPR (General Data Protection Regulation) changes the landscape Scan this example of a GDPR compliance statement. This is a G Suite whitepaper attempting to help us understand the implications of Google’s commitment to the GDPR. You only need to scan this, but you might choose to read the whole thing if you wish.

Read

How does the GDPR compare with Canada’s Privacy Legislations? Read the last two very short sections of this piece from CTV News.

● Why does this European Law affect Canada? ● How does the GDPR compare to Canadian data privacy laws?

What are your thoughts about the GDPR?

(Min 100 words)

One of the strongest data protection regulations across Europe and implemented in 2018, the GDPR is seemingly a true advocate for upholding an individual’s personal privacy. There is a strong focus on organizations obtaining consent prior to collecting personal information, as well as the introduction to potentially hefty fines for non-compliance to any part of the regulation. As I continue to read and learn about protection of privacy in general, and the GDPR in particular, I am beginning to better understand the need for such protections. Initially I looked at things from a very personalized perspective and felt that my personal information couldn’t possibly be of interest to anyone; I questioned why anyone, really, would be concerned with their personal information becoming public. Considering the world we now

live in and realizing that personal information is not just email addresses and library records, but religious beliefs, criminal records, medical records, sexual orientation and more, I feel much more strongly in favor of regulations such as the GDPR. The more stringent guidelines, such as allowing individuals to request to see all of the data a company has about them, how it is being used, and for it to be deleted if the information is no longer required for what it was collected, is setting a precedent for other privacy laws around the world.

Read

With the next step in international legislation, the privacy of individuals from government access begins to feel like “a game of cat and mouse”. “The latest twist in the drama came in March 2018, with the adoption of the Cloud Act. This legislation legalizes the seizure of any emails or other data stored on servers in the US and even internationally. Major American cloud companies and their subsidiaries have no choice but to comply, as do international companies operating on US soil. “With complete disregard for the legal sovereignty of other countries because of where the data is stored,” comments law firm August Debouzy.”

Hélène Toutchkov https://www.oodrive.com/blog/regulation/protecting-your-data-and-your-private-life-usa-vs-eu/

More information on the Cloud Act if you wish.

Read

What about the Canadian Government? Are we at least safe here? In 2012, the IAPP Canada Privacy Symposium was held in Ontario. Two eminent speakers provided a very revealing presentation on:

CLOUD COMPUTING & THE PATRIOT ACT: A RED HERRING? View slides 20 - 25

Back up copy makes it easier to view slide numbers… which you will need.

David T.S. Fraser Partner

McInnes Cooper

Lindsey Finch Senior Global Privacy Counsel

Salesforce.com David.fraser@mcinnescooper.com Although the whole presentation is interesting, and slides 11 to 19 have some interesting general information about Canada’s Response to the US Patriot Act, the Very surprising information comes to us in slides 20 through 25

What are three ways in which Canadian Government agencies can access our private data?

Three different statutes of the Canadian Anti-terrorism Act allow interception of or access to personal emails with either a wiretap order or a search warrant/production order, respectively.

The CSIS Act allows “secret warrants” to be issued from a “secret court,” which authorize the interception of any communication or collection of any information, from “any place.”

The National Defense Act allows the Minister the power to authorize interception of “private communications directed at foreign entities located outside of Canada.”

How is our data not safe from Government Agencies outside of Canada?

The Patriot Act, for example, allows the US government access to any data stored on US soil, as well as data stored by companies outside of the US, but are either based in the US or have a “US presence.” MLATs are another means for government agencies outside of Canada to access our data, as well as other, informal sharing of information between government agencies, particularly with regards to “targets of mutual interest.”

Part III: Concerns About Privacy

Canadian Concerns About Privacy

Avi: It is interesting that, in BC, we do not have as stringent a policy around consent if personal information is housed in Canada. We can collect information and house it in a "reasonably secure" location on Canadian soil without the need for Privacy consent forms like FIPPA consent forms, but we need consent when it is housed outside of Canada. This assumes quite a bit. Are Canadian servers not prone to inappropriate access by governmental agencies outside of Canada (or inside of Canada). We see from the last activity that anything on a server anywhere is prone to

access by international governmental agencies. Yesvi has asked to be part of this conversation. Yesvi: Thanks, Avi. I appreciate being included in this quest. I know I might be a bit naive, but… Novi: A bit naive! Yesvi, if they sold naivete in the grocery store… it would be in jars with your picture on it.

Avi: OK, Novi. You had a say earlier and went overboard so I had to get involved. Let’s give Yesvi a chance here. Novi: It would be like the Paul Newman picture on those expensive salsa jars… Avi: Novi! Novi: Except Yesvi would sell them for free. Free Naivete by Yesvi. Almost sounds like a perfume. Avi: Ok. That’s enough Novi: The commercials would all have Barbara Streisand songs and cupcakes with sprinkles on them. Avi: NOVI! Novi: Whatever. Avi: Go ahead, Yesvi. Yesvi: Thank you. As I was saying… I know that I tend to be a bit trusting, but I really don’t have a problem with the Canadian Government accessing my data. I figure they need the right to access data so that they can protect us from terrorism or criminal elements. Novi: What about your right to Privacy, Mr. Cupcakes? Yesvi: Let me finish. I am not bothered by international agencies accessing my data. Novi: Oh jumping jerwillickers!

Yesvi: I am not even that concerned with organizations that I join accessing my data…. or business. Novi: Buy Naivete by Yesvi... today… Yesvi: What DOES scare me…. Novi: … in five new flavours... Yesvi: What DOES scare me…. Is hackers. There are so many stories out there of people accessing personal data and using it for dark purposes. Just look at the news and you get a plethora of stories about data breaches… access to personal information that the server owners did not know about. And remember, that is what we get from the news. I wonder if, like an iceberg, we are seeing 10% of the bulk of issues. I doubt that, these days, being on Canadian soil is an anathema to unwanted access. Novi: I love it when you try to use big words. “Anathema”. Sheesh. Avi: Come on, Novi. I know you agree with this. We’ve talked about it. There are oodles of stories where hacking occurs against companies that hold masses of personal information and where one would think the security is stringent. The ones that scare me are the ones that reveal information about children. I remember reading an example of this on CBC, where VTech was hacked for 6.4 million children's account information and 4.9 million adult accounts (http://www.cbc.ca). Novi: Yeah. Yeah. I DO agree. But does he have to use words like “anathema”, or “plethora”? Seriously. Yesvi: This is what keeps me up at night. Not whether the US government can access my data, but whether the bad people out there are going to hack me. Are they going to steal my identity, or get into my banking? Are they going to get control of my computer and delete my Barbara Streisand collection. And there is something else. A couple of years ago I decided to Ping my rented server space in Vancouver to ensure that it was on Canadian soil. The Ping kept showing that the access points came from the United States. I contacted my server provider and they assured me they were on

Canadian soil; however, the pathway to the server provided by my service provider (according to them) had the access routed through two switches/routers in the United States. So, I get on my iPad on Vancouver Island and go to access my Moodle instance in the Vancouver server, I am routed through stations all over the place (about a dozen), then into the U.S., and back to Vancouver. Mind you, the FIPPA rules state that the information should be "housed" in Canada, but I think that this is "old" and "static" thinking, which does not take into account the extreme advances in information "boosting". What I am saying here is that, as well-meaning as the legislation is, I do not believe it provides the protection we think it might. Novi: Yeah. OK, Yesvi. I am going to agree with you on this one. Yesvi: Really? Novi: Enjoy the moment. The fact that governmental agencies can access personal data using MLATs, and that there is quite a bit of sharing going on behind the scenes between government organizations anyway, does make protection from government access to personal data a tough thing for us to battle. So, Avi, why did you stop me at the beginning of the quest? If FIPPA really doesn’t protect our students from data being accessed by government agencies in and out of Canada, why bother with it? What then is the difference between data in Canada and Data in Europe, or the US? What we really need here is not legislation, its… Avi: ...education. Novi: Right. We need to make students and parents and teachers aware of privacy. But do they really care? I mean it is a bit of a double standard, isn’t it. Most students and parents share all sorts of private information in their personal digital lives. Heck, I know that Yesvi is planning to try baking rainbow cupcakes with words on them that, when you combine them, make up the lyrics to that Streisand song, “People”. Yesvi: How did you know that. Novi: Your Pins on Pintrest. Your update on Facebook. Your Tweets on Twitter. Your Instagram…

Yesvi: Ok. Ok. I get it. Avi: To answer your question, Novi, I think people do care. But don’t take my word for it. Let’s find out.

Canadian Concerns About Privacy Activity

Activity Please read all instructions before beginning

Read

The Office of the Information and Privacy Commissioner (OIPC) of Canada completed a survey in 2016 that revealed some interesting data about the concerns of Canadians around privacy. The survey was interview-based with a sample of 1500 Canadians across the country. All you need to read here are the Key Finds (3. Key Findings). However, feel free to read on and view the charts provided for each area on the survey. Interesting stuff. Survey Findings

What are three things that you learned from these findings?

Based on my own knowledge of privacy rights prior to this quest and what I have learned over the past few hours of reading and considering the various implications of these readings, it surprises me that two-thirds of Canadians rate their own knowledge of privacy rights as either “good” or “very good.”

I found it interesting that so many Canadians are concerned about how different organizations could access and use their personal information to make decisions about them (e.g. insurance companies). To me this implies a great distrust in the basic integrity of most companies, which is unfortunate.

It is also quite interesting to find that most Canadians would be concerned about the collection of their fingerprints or DNA, such as a saliva sample in order to “determine their likelihood for developing future health conditions,” or to even learn more about their own ancestry.

What are three things you are most concerned about with regard to digital privacy?

My biggest concern regarding digital privacy is a hacker gaining access to my personal information for untoward reasons, e.g. gaining access to my banking information or credit card numbers.

Another concern would now be how much power government agencies, both in and outside of Canada, have in terms of accessing private, personal information.

Finally, giving consideration to everything I have been learning, I am concerned that I don’t know enough about how to keep my own personal information safe.

Any other comments or thoughts on your digital privacy in Canada?

When I first read about FIPPA, I actually thought that BC’s privacy laws were, perhaps, a little too strict as it made it difficult, for example, for teachers to efficiently use some very good web tools in the classroom. Now that I understand more about the various types of personal information that is housed in the cloud and the ways different agencies and people can access it, I realize the need for more stringent protections. While FIPPA and other personal protection acts across Canada try to offer certain protections for Canadian citizens, things like MLATs and general agreements (often unofficial) between governments negate the good that these protection acts seek to provide.

Canadian Concerns About Privacy: Search Algorithms - Invasive or Helpful (or both)?

Novi: I have a question for Mr. Cupcakes.

Avi: Sigh. Novi: You mentioned earlier that you are not really concerned with organizations like business organizations using your personal data. I see from the survey here that Canadians are pretty concerned about this… but you are not. Why? Aren’t you worried about, say, search engines tracking your search history and using it to show you ads and have search results tailored to you? There are huge issues with that, aren’t there? Yesvi: At first I did wonder about that. Then, as a result of being part of this quest, and learning about browsers that block trackers and search engines that do not track my searches, I have to admit that I am MORE comfortable with my search engine limiting my results to my search tendencies and predicting what I will want. Novi: WHAT! You’re MORE comfortable with search engines tracking your usage. You have to explain this. You WANT search engines to only show you sites that agree with your perspective or point of

view. That sounds like something I would like… not something Mr. “Let's Listen to Everybody And Hug a Lot” would want! Yesvi: Ok, Ok. Well, I was searching for this story about a Zen master and a University professor I had heard a long time ago. I wanted to use it in a class to show my students about emptying one's mind (like emptying a cup) before anything else can fit in. Anyway, I tried a search engine that did not monitor activity and the results were horrible! Novi: You mean they were bad results? What do you mean by horrible? Yesvi: I mean disgusting. I almost lost my breakfast just glancing at the search results. Then I used the exact same search terms in my usual search engine, which does track my activity, and the results were almost all about education… and I found what I needed immediately. Novi: Soooo…. The algorithm used by your regular search engine knows that you prefer content about education and filtered out other sites. Yesvi: Yes. I actually breathed a sigh of relief to be back to my usual search engine. Novi: OK. I see your point. But doesn’t that create a situation where folks only see what they usually look at? Isn’t this the kind of thing that encourages the kind of political tension we have been seeing in the US, where “the right” only sees material that is from “the right”, and the liberal-minded only see the data that they already believe in? Yesvi: I really don’t care about that. I care about keeping my breakfast down. I care about what shows up in front of my face, and I am happy to have my search engine help me with that. Novi: I have a real problem with that. That’s like industrial sized Naivete by Yesvi.. The kind that large hotel restaurants would buy in bulk. I can’t believe I am arguing for this… but we need to be open to other perspectives, and we can’t do that if some algorithm is trying to predict our search result preferences. Avi: Did Novi just say that we have to be open to other perspectives? Did he just use the word “open” and “perspectives” in the same sentence?

Yesvi: Yes he did. That was soooooo sweet. It was like snowdrops breaching the cold to remind us that spring is coming. Avi: It was like that first cup of coffee in the morning. Yesvi: It was like a cool breeze on a scorching summer day. Avi: It was like that first bite of your stir-fried tofu with toasted sunflower seeds and cheddar cheese… sort of crispy, yet chewy because the melted cheese has just turned a golden brown… Novi: Oh, Jumpin Jenanickins. Why do I get involved in these quests? I have enough to do.

Yesvi & Novi Argument Activity

Activity Please read all instructions before beginning

Your thoughts

What are your thoughts about Yesvi and Novi’s conversation about search engine algorithms?

What would you prefer? Search result tailored to your preferences, or would you rather “see it all”

Any other thoughts on organizations using your digital data to tailor what you see?

Truthfully, I don’t know enough about a search engine’s use of algorithms to give a fully informed opinion on the topic, but I would like to believe it’s less black and white than Yesvi and Novi make it out to be, so I will try to break it down in my own mind. From their conversation it appears that search engines either do monitor search activity, or they don’t. This is logical. Ok. It is also logical that search engines that don’t monitor search activity will not be able to provide suggested links or advertisements based on your previous searches. That leaves search engines that do monitor a person’s search activity and understanding what they actually do and do not provide in the way of results because of this. I had always believed that results were provided based on popularity or ‘most visits.’ However, if what Yevi and Novi suggest is true and actual search results are tailored to the search engine based on the search history…, well, I’m not actually sure how I feel. I don’t think it lends itself to naivete as Novi suggests, as I don’t believe that people get all of their information from web searches. I also don’t think that search engines provide only one perspective on any given topic. I honestly can’t give an opinion as to whether I would prefer to see search results tailored to my own preferences or if I would prefer to “see it all” until I

do some research into what each would look like for me personally - and if there is actually much of a difference at all. My last thoughts on this topic (for now) would be that I like having my digital data used to tailor what I see. In some ways I view it as a service. For example, I like to visit Pinterest now and again when I have time, and I like that I can log on and have a bunch of new pins to scroll through based on my personal interests. Why would I want to scroll through a bunch of stuff that I have no interest in whatsoever? I am not naive and I like to view both sides of an argument. I also do not believe everything I read. I took a little side trip and read the following article by Canadian writer, Dave Davies, to better inform myself on search engine algorithms: https://www.searchenginejournal.com/how-search-algorithms-work/252301/ (Note: there was some good humor in this article. I enjoyed it.) Good food for thought in this part of the quest. I may do some more reading on it in my own time.

So, What Are We Worrying About? Interesting. I noticed before Yesvi and Novi had that discussion about search engine results, in the OIPC survey, that there was no mention of fear of hackers. I guess the survey did not deal with privacy from hacking. I find it interesting because, I share Yesvi’s fear of being hacked. I wondered if more people shared the same fears. I did a search and found a bit of data.

● A Gallup poll in the US a few years ago revealed that Americans are more afraid of having

their personal information hacked than they are of theft or murder or anything, really… it was their top fear.

● Closer to home, a March, 2018 Canadian Internet Registration Authority (CIRA) survey revealed that Canadians are worried that their personal information might be hacked… but through data breaches of the Canadian Government or the organizations which individuals use.

● The abounds with sites that discuss keeping your devices safe from hackers. We have been hearing more and more about personal computers being hacked with trojans that allow hackers to control aspects of the computer, or locking folks out of their files using ransomware, ...and on and on.

● The more I delve into this topic the more murky and unsolvable it feels. It feels as if there is little an individual can do to stay safe and private. Some people feel that there is nothing that we can really do to remain 100% safe.

But there are things we can do to improve privacy. Before we go on, I think we should review what we have done so far so that we can ensure a context for what is ahead. Here is what we have discussed:

● Government agencies (Canada, US, Europe…) have legislated their right to access our personal information. Canadian government agencies have rights that are similar to the US Patriot Act, giving them surprisingly wide access to our personal data.

● Governments from different countries share personal data through legal channels using MLATs, and some information is simply shared through backchannels.

● Canadians are concerned with privacy. ● Canadians are concerned with their personal information being hacked.

Let’s discuss that last point some more to create a context for the next steps. I am not sure that a lot of folks who are online (almost everybody) realize how accessible their data is. I have a story: About a year ago I was contacted by somebody who wanted to extort money from me. I noticed the email in my SPAM because the subject line had one of my passwords. What the heck! I looked at the email and this person had one of my usernames and passwords and told me that they were monitoring my activity and wanted money to delete the information. This was a complete scam, as I know this person could not monitor my activity due to the various tools and techniques I use to stay private (More on that below.), and I ignored the threat. But this was a real username and password I had for a couple of the services I subscribe to, so my curiosity was peaked. I checked the various accounts in which I used that username and password… more services than I should have used the same username and password… I know better. I went through and changed all of my passwords to unique ones. But where did this person find my information. Well… it was openly available on a Website (which I won’t mention), along with tens of thousands of other people’s usernames and passwords. Apparently, some hackers like to share data breach information with others… openly. Why? Who the heck knows. Brewing chaos? Just like other people to suffer? Who knows. But, the journey led me to understand that the Canadian concern with data breaches is very valid. I started to use Troy Hunt’s service: “Have I been Pwned?” to find data breaches associated with my emails. It was fascinating.

So, What Are We Worrying About? Activity

Activity Please read all instructions before beginning

Have you been “pwned”?

Try this if you feel comfortable. Go to haveibeenpwned and type in one of your email addresses. Then scroll down to see if your email address is part of any data breaches.

Do not write the results here, simply let me know that you have done this and feel free to share your thoughts. You will be given some advice below on improving your privacy, so please do not “freak out” with what you see. Yay! Here are the results on my personal email that I have been using for 15 or so years: (I know you instructed not to write the results here, but I was happy to share!)

Good news — no pwnage found! No breached accounts and no pastes (subscribe to search sensitive breaches)

Funny, I was a little nervous typing in my email address, but not “scared.” But I felt better knowing nothing was found. I know this does not make me immune to data breaches and I would still like to find out more on how to better protect my personal information. The results were also the same for my VIU and work email addresses.

Part IV: Your Privacy Plan

Maintaining Your Own Privacy

I think it’s time to get back to Novi’s first rant at the start of this quest. He was not impressed that legislation creates so much work for teachers wanting to use dynamic digital tools. All three of us agree that we need to protect our privacy, but, as this is focussed on education, we also need to protect the privacy of our students.

But let’s step back a moment and look at the issues of privacy in education.

The weakest links in information security tend to not be in schools, where teachers have become more and more cognizant of the importance of personal information protection. Although a FIPPA consent form is an important means of informing parents and students regarding the why, what, where, when and how of an online tool a teacher is hoping to use with students, it is not enough. I agree with Novi, that education is far more powerful than legislation in this matter. It is not just about access by government agencies outside of Canada, it is about understanding the risks outside of the school situation, of the growing number of privacy breaches, what is done with information we provide in our digital engagements, and how to stay private and safe in our professional AND personal digital lives. We cannot afford to assume that legislation is going to protect us. Consent forms are not going to protect us from human error, while education might. It is education which can help avoid the numerous situations we are seeing in which private information is shared due to human error. Let’s talk about that for just a moment. Our students’ private information is only as safe as the weakest link in the privacy chain, and as we have heard over and over, the weakest link is the human one. A lack of understanding about privacy, or laziness, or an unwillingness to care about privacy can cause as much trouble as does a privacy breach. Here is one example if you would like to read it. I think our best resource in the battle to keep student information private is in educating everybody. Let’s begin that process here. We will:

● Look at a few ways you can improve your digital privacy from hacks and breaches. ● Look at student privacy and how to educate students on it’s importance so that they are aware

of the risks and have techniques for their digital lives outside of school as well as in school. In the activity below, you will be asked to build your own personal digital privacy guiding principles and toolkit.

As an example, here is part of my toolkit, which changes regularly:

1. I use a VPN (Virtual Personal Network) The VPN creates an encrypted tunnel between your computer and the site you are visiting. This tunnel keeps the information, which is usually routed through several switches and routers… usually all over the place, invisible and inaccessible to any organization and individual attempting to access it from the outside (See image from celo.net/ below) The exceptions here are your computer or device and the site which you are visiting. Even your Internet Service Provider cannot access your activity.

VPNs have become quite easy to use. There are free VPNs. The browser, https://www.opera.com/ , has a built- in VPN you can turn on and use for free. However, when I read about the effectiveness of free VPNs compared with ones which you pay for, I chose one for which I pay. The other important part of a VPN is running it on mobile devices. Accessing public wifi or wifi with which you are not familiar are a security concerns. You can run your VPN on phones and on all mobile devices. The one to which I subscribe has one price which covers all of my devices and it works on all devices.

2. I have well reviewed antivirus and malware software running at all times and with real-time protection (rather than only when I do a scan.) Some antivirus software also includes options for a VPN.

3. I use very complex passwords and attempt to use unique ones for various services. Because of this, I need to use a service which manages my passwords and helps me create secure passwords. There are several of these services around.

4. I attempt to use online tools which I have deemed (through research) are more secure than others. Examples:

a. I have begun to use Brave Browser, because it stops ads and tracking. There are services, such as https://panopticlick.eff.org/ which you can use for the same purpose with your current browser.

b. I have used search engines that keep your searches private, such as https://duckduckgo.com/ . But, like Yesvi, I do not like some of the results I get in a browser that does not use an algorithm to predict my results. I am back and forth with this one.

c. I regularly use https://haveibeenpwned.com/ to track data breaches.

d. I “google” myself quite regularly to see what folks can see about me. I do this on a browser in which I am not signed in to any accounts.

e. I try to follow the guidelines found on this excerpt from the VIU Social Media Privacy Guide providing advice regarding privacy.

Maintaining Your Own Privacy Activity

Activity Please read all instructions before beginning

Personal Strategies Search the Web for how to keep your data private. Find three resources that you think might be helpful and place links to those on the right. Feel free to use resources I mentioned.

https://www.astrill.com/

https://www.mcafee.com/consumer/en-us/store/m0/index.html

https://www.techradar.com/news/best-external-desktop-and-portable-hard-disk-drives

From the resources above, write five strategies you can use to keep your digital data safe.

For the past nine and a half years I have been using a VPN as I have been living and working in China. The use of this VPN allows me to use sites blocked by China, such as Google, Facebook, and YouTube, as well as various news sites, all blog sites, and more. I often have to jump around and use different VPN servers (various cities and countries) as China’s Internet Police sometimes block certain servers. Unbeknownst to me, I have been protecting my digital data through the necessity of using a VPN, and will continue to use it wherever I am. I will also continue to change VPN servers (provided by the VPN company I subscribe to) regularly as added security.

I have used antivirus software (I use McAfee) on all of my devices for as long as I can remember. This software can detect and prevent, or remove viruses and trojans.

McAfee and other antivirus software also include the use of a password manager, which “helps create and remembers usernames and passwords for each of your online accounts across all devices” (https://home.mcafee.com/root/landingpage.aspx?lpname=mls_info_v3&affid=0&culture=en-us).

McAfee also offers “Secure Cloud Storage” with a “Personal Locker” and asserts to “securely store(s) sensitive documents in the cloud with authentication that uses your voice and face” https://home.mcafee.com/root/landingpage.aspx?lpname=mls_info_v3&affid=0&culture=en-us).

In terms of keeping data from our own devices private or protected, one thing I do is to back-up all of the data from my personal devices to an external hard drive and then remove any unnecessary information from those devices. There are also cloud-based and antivirus software companies (as mentioned above) that provide back-up services, but my preference is an external hard drive. By backing up the data kept on your own devices (personal or otherwise), you protect this data insofar as not losing it altogether, as is the risk with a ransomware attack.

Are there any tools you might use to keep your data private?

I am a little confused on how to differentiate strategies and tools as it applies to this exercise. A strategy would be to use a VPN, but the tool to use in this instance is a VPN. As well, a strategy would be to use antivirus software for reasons x, y, and z, and the tool for this purpose would be antivirus software. I’m sure I’m missing something here but I’m not sure how to answer this differently than I already have above.

Ensuring the Privacy of Your Students There are so many resources you might use to help your students learn about privacy that your head could start spinning. This next activity has you pulling out some ideas for teaching your students about privacy. There are three areas you will focus on:

● Guiding principles you want your students to develop ● Gather some lessons that you might use to help your students develop those guiding principles ● Gather some resources in which you might have student engage (actual activities rather than

lesson plans).

To do this, you can research the Web for resources, or you might wish to begin here:

● One of my favourite resources is a US-based organization: Common Sense Media ○ Their Privacy Initiative ○ Tonnes of resources, videos, and activities for various age groups

● Education resources from the Office of the Privacy Commissioner of Canada. ● getcybersafe ● mediasmarts

Ensuring the Privacy of your Students Activity

Activity Please read all instructions before beginning

Our Students From the resources above or the ones you found through research, write three to five guiding principles which you would like your students to embody when dealing digital privacy.

Keep your social network activity private. http://techland.time.com/2013/07/24/11-simple-ways-to-protect-your-privacy/

Ensure your home wifi network is secure (or ask your parents to). https://www.getcybersafe.gc.ca/cnt/blg/pst-20181221-en.aspx

Always make sure you understand the privacy policy and terms of use before installing any new apps. https://www.getcybersafe.gc.ca/cnt/blg/pst-20181221-en.aspx

Create usernames that don’t contain identifying information. https://www.getcybersafe.gc.ca/cnt/blg/pst-20181221-en.aspx

Create strong passwords, and use different passwords for different sites.

From the resources above or the ones you found through research, paste the URLs (internet addresses) of three to five lesson plans which you might use to help your students embody guiding principles when dealing digital privacy. Or… briefly describe ideas you have that are not in the resources.

http://mediasmarts.ca/lessonplan/privacy-dilemma-lesson-plan-senior-classrooms Actual lesson plan: http://mediasmarts.ca/sites/mediasmarts/files/pdfs/lesson-plan/Lesson_Privacy_Dilemma.pdf

http://mediasmarts.ca/lessonplan/privacy-and-internet-life-lesson-plan-intermediate-classrooms Actual lesson plan: http://mediasmarts.ca/sites/mediasmarts/files/lesson-plans/lesson_privacy_internet_life.pdf

Internet Security Basics Lesson Plan - http://www.digitalwish.com/dw/digitalwish/view_lesson_plans?id=7137

Winning the Cyber Security Game - https://mediasmarts.ca/sites/mediasmarts/files/lesson-plans/lesson_winning_cyber_security_game.pdf

https://www.priv.gc.ca/media/4766/lesson_04_eng.pdf

From the resources above or the ones you found through research, paste the URLs (internet addresses) of three to five activities or resources or videos which you might have your students access to help them develop guiding principles when dealing digital privacy.

https://www.priv.gc.ca/en/about-the-opc/what-we-do/awareness-campaigns-and-events/privacy-education-for-kids/pp/9-12/

https://us.norton.com/internetsecurity-how-to-ten-ways-to-keep-your-data-private.html

Live My Digital for students: Security & Privacy: https://www.youtube.com/watch?v=XvRE0RUFpBI

Social Smarts: Privacy, the Internet and You (graphic novel) - https://www.priv.gc.ca/media/3609/gn_e.pdf

Discussion topics on the impact online tools and practices have on privacy -  https://www.priv.gc.ca/en/about-the-opc/what-we-do/awareness-campaigns-and-events/privacy-education-for-kids/topic-sujet/index/ 

Part V: Full Circle

Back to FIPPA Novi: Ok. I actually like where this has gone. Education rather than legislation. But. Let’s step back a bit. Even though a FIPPA consent form is a bit of an illusion of safety, I still have to create and make families complete a consent form to use any cloud tool outside of Canada! That seems kind of silly, given that having data on servers in Canada does not guarantee privacy! Yesvi: Well. I actually learned a lot when I created a FIPPA consent form for using Weebly for ePortfolios in my class. And I made my consent form educational… so that parents and students learn about privacy as they read it.

Novi: Do you think everybody read it? Yesvi: Well. No. I don’t. I asked the students and most parents just signed it without reading it. Some read it and asked me some questions, but most just signed it. I had one parent challenge me… because the form was kind of scary, and I had to spend about an hour discussing it with him before he was satisfied. It was a nice conversation, though. I turned it to discussing our classroom garden and the…. Novi: Yeah, yeah. And how long did it take you to create the consent form? Was it hard to do? Yesvi: Well. It did take me most of a weekend. I had to read Weebly’s privacy policy and make a summary of it for parents so that they didn’t have to read all of it and make sense of it for themselves. I had to go over why we are doing it and what the risks are. I admit it was time-consuming and not an easy (nor fun) task. I made it more pleasurable by putting on my Barbara Streisand collection on shuffle play so I didn’t know what was coming next. Did you know that…. Novi: Yup. Not surprised. So… what if I don’t have time to do this. What if I don’t feel qualified to read and understand the ins and outs of a privacy policy? These things are written by lawyers… which I am not. What if I just can’t stand doing this? WHAT IF I JUST DON’T DO IT? Avi: This is where there might be some trouble for you. You and your school could be fined if there is a complaint made to the Office of the Information and Privacy Commissioner for BC. Mind you, there are several steps the OIPC takes before there is a fine.

I contacted OIPC for BC and discovered that over the last five years there have been ____ (waiting for a response) FIPPA-based complaints made re: teachers, schools and universities.

That when a complaint is made OIPC __________ (waiting for a response)

And that they have resources to help you navigate the process. (waiting for a response)

Let’s be clear about what is required, according to https://www.oipc.bc.ca/guidance-documents/1427 :

● FIPPA details how public bodies (such as schools) must manage personal information. That’s us.

● Personal Information means any recorded information about an identifiable individual (such as real first and last name)

● FIPPA requires the protection of personal information. Period. Organizations must have “reasonable security arrangements” to ensure personal information is not breached. This bit is beyond us… it is up to our schools and school districts.

● FIPPA requires all personal information be stored on Canadian soil, with three exceptions: ○ Consent is provided by the individual (or legal guardian when the individual not an adult)

and is done so in the prescribed manner. ○ The other two exceptions do not apply to us.

Novi: I knew it. After all this… you’re still going to make me create consent forms for every tool I want to use with my students. This is ridiculous! Avi: Chill, Novi! Just let me finish. I am going to provide you with some guidance and some examples you can use. Also… and I think this is important… I use the FIPPA consent process as a sort of filter for whether or not I should use something with my classes. Let me give you an example. I used to use Rezzly’s GameLab with my students to gamify my courses but, as Rezzly’s servers are in the US, it required a FIPPA consent form,. Having to go through the process of generating a FIPPA consent form really made me question if it was worth it, and whether there was another way. There was another way. When I looked at G Suite for Education, I saw a large suite of tools that could be utilized in some very flexible ways. There were all sorts of tools, from Docs and Sheets to Presentations and drawing; from Classroom to Sites for ePortfolios. It was a robust set of tools that I could use and have my students use. For all of these tools, all I needed was one FIPPA consent form. And, it was an easy easier consent form to complete because Google provided the information in accessible language. So, to me, a good thing about FIPPA consent forms is that they are a hassle to create and get everybody to sign… because it forces me to ask the question: Is this tool worth it? OK, having said this, there are some resources available for you, and some advice.

FIPPA Consent Form Requirements: ● Consent is voluntary and provides the following information:

○ Describes the personal data required ○ Describes how the personal data will be used ○ Describes the purposes of requiring and using the personal data ○ Describes the risks involved in having the data stored outside of Canada and ways to

mitigate those risks. ○ If possible, describes the location of data storage

● Consent form can be electronic if the organization stores the consent and can show that consent was given.

● As the consent is voluntary, teachers may need to provide alternative means for students to gain course credits.

FIPPA Consent Form Resources: ● Breanne Quiste created Privacy Compass in her Masters work for the VIU OLTD program.

The page linked here has an alphabetical list of downloadable consent forms and information for some specific cloud tools, such as Duolingo, FreshGrade, Edmodo and more.

● I have my G Suite Consent form, which includes some online behaviour agreements. The linked version is a Google Doc, which you can make a copy of and use as a template if you wish: Simply click File: Make a copy

● Templates and examples from the OIPC for BC (waiting for reply)

Hand in this Quest You are done. Phew! Now hand it in:

● If you received this quest in Classroom, simply go to classroom and hand it in. ● If you made your own copy, simply share this document with your instructor (Make sure to share with

editing privileges)