
Access Your Information with AMI Benefits and Design Rationale

Under Canada's commercial privacy legislation, the Personal Information Protection and Electronic Documents Act (PIPEDA), Canadians can learn what information their telecommunications companies hold about them, for how long, for what purposes, and when they disclose that information. In effect, the law empowers Canadians to understand how telecom companies manage the personal information entrusted to them and allows them to make informed decisions about whether they want to maintain that commercial relationship. However, enforcing these rights can be challenging.

In recent months, the Citizen Lab has worked to help Canadians more easily send letters that compel service providers to disclose the information that they retain about individuals. These efforts have been in the service of making Canadian telecommunications companies’ data collection, retention, processing, and disclosure policies more transparent.

The Citizen Lab’s past efforts, however, required individuals to copy, paste, and manually complete the letters requesting personal information. The Citizen Lab, in collaboration with the Digital Stewardship Initiative (DSI), has now created a new tool called Access My Info (AMI), which makes it easier for Canadians to quickly file requests to Canadian data operators, with telecommunications service providers being the initial supported category of operator.

This post first identifies the individual and collective benefits of using the Access My Info tool. Next, it discusses some of the technical elements of the tool: How is it designed to be maximally privacy-protective? How was it built to ensure that individual Canadians are making legitimate requests? Finally, we conclude by identifying some areas of future improvement and the general importance of the tool.

Individual and Collective Benefits

AMI is important for individual Canadians and for the public as a whole.

For individuals:

  • AMI enables Canadians to exercise existing laws by leveraging contemporary technologies. It is not always the case that new legislation is needed for the digital era; sometimes tools just need to be built to improve the utility and accessibility of existing laws.
  • AMI empowers Canadians to better understand how their personal information is collected and managed. Canadians demonstrably care about their privacy, but often rely on others — academics, government officials, non-profits — to explain how their information is managed and whether their privacy is at risk. AMI lets Canadians take control by requesting their own personal information and coming to their own conclusions about the appropriateness of telecommunications service providers’ practices.
  • AMI lets customers of businesses with strong ties to Canada re-purpose the tool to build their own requests to other businesses and industries. AMI is open source software, released under the Apache 2.0 license, and available on GitHub.

In addition to empowering individual Canadians, AMI serves a set of community goods.

First, the Canadian public generally has no idea how long information is retained by telecommunications carriers. As a result, they cannot agitate for better privacy practices, fully understand how much ‘digital exhaust’ is generated each day, or choose companies with preferable privacy practices. By requesting access to our personal information and disclosing the findings back to the broader community, we can all improve our awareness of which telecommunications companies respect the right to privacy.

Second, AMI lets the Canadian public, parliamentarians, and privacy commissioners understand how laws granting access to personal information actually operate in a digital era. By filing requests using platforms like AMI, we can gain an understanding of how companies can comply with personal information requests at scale, and whether existing access to personal information laws need updating or revision.

Third, while AMI is currently developed to issue requests to the telecommunications sector, it can be easily re-purposed for issuing requests to other industries. In its existing configuration, AMI facilitates the telecommunications sector in demonstrating its compliance with Canadian law. However, the very existence of the platform, combined with public knowledge that other sectors could be tested, may increase general awareness, attentiveness, and care in how companies collect, handle, and process Canadians’ personal information.

[Figure: How AMI works.]

Technical Design that Protects the Right to Privacy

To enjoy all of the aforementioned benefits, we worked hard to ensure that the design of the web application was as protective of the right to privacy as possible. Here, we talk about the rationale behind the technical decisions that went into AMI’s implementation and its initial deployment with our launch outreach partner, Open Media.

Privacy considerations

In addition to achieving the tool’s core objective of creating a legal request for access, we developed AMI so that the tool does not collect any of the personal information that people input when creating their request. We did this because the substance of a legal exercise of one’s rights — in the case of AMI, an access request letter — requires the input and disclosure of sensitive information. In a nutshell, neither DSI nor any implementers of AMI have any business in knowing Canadian citizens’ subscriber information, names, addresses, or the metadata tying all that together. This kind of personal information should only be shared between the data operator and the person requesting access.

We also have several secondary objectives associated with this tool. For instance, researchers and policy makers interested in data privacy can benefit from learning about the outcomes of individuals’ requests for access to their personal information. Some research and policy questions include: How many people submitted requests, and to which companies? How many people received full responses? What data fields were provided by telecommunications companies, and where are there similarities and differences between responses? Furthermore, outreach and advocacy organizations who deploy this tool may be interested in maintaining a healthy community of citizens interested in data collection, retention, or privacy issues, which could include discussions with people about their experiences using the tool.

To accomplish these secondary objectives, and without undermining the tool’s policy of collecting no user-submitted information, we added a final, optional stage to the web application’s letter generation wizard. After the request has been generated, users may submit a form indicating their willingness to help with the research objective and stay in touch with Open Media, our outreach partner.

AMI itself does not collect user-submitted data, nor does it embed externally-hosted data collection forms into its interface. By directing users to an external website to voluntarily share information with Open Media, we are creating a distinction between the process of creating a request through AMI and any supplementary, optional processes that involve the submission of personal data to another party.

Role of the Individual

Another important design consideration is the autonomy of the person filing the request. In addition to not collecting user-submitted information, the tool does not send requests on people’s behalf. It is up to the individual to mail the request, physically or electronically, after having generated it. Because of this design decision, the companies receiving AMI-generated requests would have difficulty questioning the request’s origin or dismissing it as vexatious.

While this results in a slightly more substantial time commitment on the part of requesters, we regard the extra time as important so that the requests are not dismissed out of hand. We want to empower individuals to exercise their rights, not just empower them to send requests that will be disregarded by the recipients.

Everything Client-side

AMI guides users through a multi-step form that pulls in data specific to selected companies and their services without sending data to a server. We achieve this by using the client-heavy JavaScript library AngularJS. Data entered into the form is stored in the web browser as JavaScript object instances and manipulated at various stages of the process by leveraging Angular conventions.

The PDF letter that is generated in AMI’s final stage also relies on a JavaScript library, called jsPDF. jsPDF converts the HTML output of the letter to a PDF entirely within the user’s web browser; having created the PDF, the requesting individual can then save the document to their computer to print and mail to their telecommunications provider.

People sending an email version of their request letter click on a “mailto” link with pre-populated “to,” “subject,” and “body” fields, which opens a new message window in the requester’s mail client of choice. All that remains is to review the letter in one’s mail client and then hit send.
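The client-side flow described in this section, as an added example that is not AMI's own code: the request lives only as an in-memory object, a letter is rendered from a template for the chosen company, and a “mailto” link is built with the “to,” “subject,” and “body” fields pre-populated. The company record, the letter template and the sample request are constructed for illustration. One check a practitioner will want is visible in `buildMailto`: every field is passed through `encodeURIComponent`, so a line break or `&` typed into the form is percent-encoded and cannot terminate the body field or smuggle an extra header into the link.

```javascript
// Added example (not AMI's own code). Everything here is plain, in-browser
// data handling: no fetch(), no form POST, nothing leaves the page except
// what the user chooses to print or to send from their own mail client.

// Constructed sample company record; the address is a placeholder.
const SAMPLE_COMPANY = {
  name: "Example Telecom Inc.",
  privacyEmail: "privacy@example.invalid",
  services: ["mobile", "internet"],
};

// Constructed letter template. {{placeholders}} are filled from the request.
const LETTER_TEMPLATE = [
  "Dear {{company}} Privacy Officer,",
  "",
  "Under the Personal Information Protection and Electronic Documents Act",
  "(PIPEDA), I request access to all personal information you hold about me.",
  "",
  "Name: {{name}}",
  "Account number: {{account}}",
  "Services: {{services}}",
  "",
  "Sincerely,",
  "{{name}}",
].join("\n");

// Render the letter from an in-memory request object. Required fields are
// checked up front so a legal letter is never emitted with "undefined" in it.
function renderLetter(request, company) {
  for (const field of ["name", "account"]) {
    if (!request[field] || !String(request[field]).trim()) {
      throw new Error(`missing required field: ${field}`);
    }
  }
  const values = {
    company: company.name,
    name: request.name,
    account: request.account,
    services: company.services.join(", "),
  };
  // Unknown placeholders are left untouched rather than silently blanked.
  return LETTER_TEMPLATE.replace(/\{\{(\w+)\}\}/g, (match, key) =>
    key in values ? values[key] : match
  );
}

// Build the mailto: link. encodeURIComponent percent-encodes CR, LF, "&",
// "?" and "=", so a user-entered value cannot end the field it belongs to
// or introduce a new header field into the URL.
function buildMailto(company, subject, body) {
  return (
    `mailto:${encodeURIComponent(company.privacyEmail)}` +
    `?subject=${encodeURIComponent(subject)}` +
    `&body=${encodeURIComponent(body)}`
  );
}

// Parse a mailto: link back into its parts, to confirm the round trip
// preserves the letter byte for byte.
function parseMailto(url) {
  const [addr, query = ""] = url.slice("mailto:".length).split("?");
  const params = new URLSearchParams(query);
  return {
    to: decodeURIComponent(addr),
    subject: params.get("subject"),
    body: params.get("body"),
  };
}

// Constructed sample request, as a user might type it into the wizard.
const SAMPLE_REQUEST = { name: "Jane Doe", account: "000-000-0000" };
const EXAMPLE_LETTER = renderLetter(SAMPLE_REQUEST, SAMPLE_COMPANY);
const EXAMPLE_MAILTO = buildMailto(
  SAMPLE_COMPANY,
  "PIPEDA access request",
  EXAMPLE_LETTER
);
```

In a real deployment the same `renderLetter` output would be handed to the PDF library for the print path and to `buildMailto` for the email path; both consume the in-memory object and neither needs a server round trip.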

Access My Info Tool, Just the First Step

A major area of future work for the AMI tool is to expand the number of supported companies beyond telecommunication companies. A wide range of Canadian commercial entities collect, process, and disclose personal information. We developed AMI to easily accommodate new companies and services, and we will identify new sectors and organizations based on internal prioritizations. We welcome any interested members of the Canadian or global Internet community to clone, fork, and submit pull requests back to AMI through our source code repository at GitHub. AMI is released under the Apache 2.0 license.

If you would like to discuss how you could help further the tool’s development, please drop Andrew Hilts, the tool’s developer, an email at andrew [at] digitalstewards.ca.

In essence, AMI informs and empowers individuals and the citizenry to understand how, why, and for what reasons their information is collected, processed, and disclosed to other parties. It enables Canadians to understand, at least partially, how their own personal information is part of an ‘information ecology’. And it reveals the kinds of ‘digital exhaust’ that are retained, collected, and processed by our most important communications partners, that is, our telecommunications carriers. We hope that you will use it and share any feedback you have about either the tool or the responses that you receive.

Check out Access my Info, over at https://openmedia.ca/myInfo.


Media Mentions

Covered by The Canadian Press and VICE’s Motherboard, and featured on CTV News, the Huffington Post and the Toronto Star.