Battling “Function Creep”

Seemingly benign technologies can be pressed into service as privacy offenders. 

Internet-based companies are slowly becoming aware of the importance of maintaining customer confidence in the handling of personal information.  Even traditional companies are waking up to privacy issues.  A stolen laptop is the easiest way to understand the risks: a commonly-used piece of technology loaded with customer data makes mobile employees more productive; it can also present a public relations nightmare if the laptop is pinched while your employee is grabbing a coffee.

Whether the technology is simple (such as data loaded onto a laptop) or complex (cloaked software which conducts surreptitious surveillance on users), the issue is the same: personal information must be safeguarded in the face of “function creep”.   Function creep is the phenomenon of a particular technology’s function to “creep” beyond its original scope, to include other nefarious purposes.  The temptation to use the technology to harvest valuable personal information is seemingly irresistible.  The Sony Rootkit case is a classic example where efforts at copyright protection crossed the line into privacy violation. 

In Canada, the Federal Privacy Commissioner recently considered this issue in a complaint by employees that their employer was conducting surveillance on them via a GPS system installed in company vehicles.  Interestingly, the Privacy Commissioner found that the data collected by the GPS system did qualify as “personal information” under the relevant Act, even though the system only collected metrics about the use of the vehicle – speed, location, start and stop-times, etc.  The system did not collect any information about the identity of the person driving it, although company records could be used to determine who used which vehicle.  In the end the complaint was resolved in the employer’s favour since the purpose of the technology (safety, productivity and asset management) could be balanced effectively against the potential invasion of employee privacy.

Calgary – 10:48 MST


4 Comments so far

  1. […] As I’ve noted in past posts, privacy and internet law often overlap. In a very interesting Federal Court decision on Monday, the Privacy Commissioner of Canada has been ordered to re-open its investigation into the privacy practices of an American company. A Canadian complainant asked the Privacy Commissioner to investigate Accusearch Inc. for possible violations of the Personal Information Protection and Electronic Documents Act (PIPEDA). In 2005, the Privacy Commissioner’s office closed its file after concluding that it lacked the jurisdiction to investigate a foreign company. In coming to this decision, the Commissioner stated that “Canadian legislation will only apply to the persons, property, juridical acts and events that occur within the territorial boundaries of the enacting body’s jurisdiction.” That decision was appealed to the Federal Court, resulting in Monday’s judgement. […]

  2. Zane February 12th, 2007 11:34 am

    Well done! | Cool site

  3. Ellen February 12th, 2007 11:34 am

    Great work!

  4. Troy February 12th, 2007 11:34 am

    Well done!

Leave a reply

You must be logged in to post a comment.