We sat down with CIP grant recipient Christopher Parsons from the Citizen Lab at the Munk School of Global Affairs, University of Toronto, to learn more about the DIY Transparency Report Tool that’s been developed. The tool helps businesses generate transparency reports that tell their customers how customer data is collected, retained, and disclosed.
Can you tell us about the DIY Transparency Report Tool that was developed and what it does?
We developed a standalone tool that runs on your webserver. The tool develops three kinds of reports:
- The first is a data retention report. It lists all the data a business retains from customers, how long it’s retained, and why it’s retained. Under legislation, organizations have to be able to explain such retention practices to their customers.
- The second report is a law enforcement handbook. When law enforcement comes to a business, they typically don’t know who to address the data request to, the processes for collecting and retaining data, etc., so we have a series of questions where organizations are able to explain their retention and disclosure policies, as it pertains to requests by government agencies. As an example, an organization might explain whether they share information voluntarily – that is, absent a binding government order – and the rationales for that internal policy decision.
- The third report generated is the classical transparency report. This is typically issued by large companies and outlines how often government agencies have requested data and how the company has responded.
With these three reports combined, users holistically understand how a company collects, retains and exposes data about them.
In creating this tool, we don’t assume that companies are doing anything wrong, nor are we making a judgement on how a company should respond to a government request. What we’re trying to do is help small and medium-sized enterprises (SMEs) to provide responses, to provide an explanation to customers and to be transparent about their interactions with government requests.
How did you get the idea for the project?
I’ve been looking at telecommunications and transparency issues for a number of years at this point, and quite often you see large companies releasing these types of reports because they have the resources and the time.
I’ve talked to large companies at conferences, and done research in the area, and I found out that one of the main reasons companies were producing these types of reports was in reaction to a crisis. For most smaller organizations, they said they just didn’t have the resources – the time, the people, the money, or the understanding of how to build a transparency report.
Based on that feedback, we discovered small companies would get requests from law enforcement agencies for huge volumes of user data and they didn’t know how to respond. Before we developed this tool, there was no affordable market solution for this issue that small companies were encountering.
Is the tool designed with a specific type of organization or business in mind?
To some extent it is. When we developed the tool, we were really digital SME focused, but that’s not a requirement to be able to use the tool.
The tool is generic and modular. Every field can be modified and new fields can be added. It could be used by small businesses like a VPN operator, a domain name registry, or a large hotel chain. We don’t necessarily have a strong focus on the latter type of organization but they could modify the tool to fit their organizational needs quickly.
You alluded to the fact that SMEs are often short on resources. Could you expand on why it is more difficult for small/medium-sized enterprises (SMEs) to produce transparency reports?
SMEs can have anywhere from 1 to 200 employees. Quite often organizations are agile, working hard on getting product out, dealing with support calls, and they just don’t have a full-time position dedicated to figuring out what’s required to produce a transparency report.
What we’re trying to do is reduce the cost for SMEs to be able to produce the reports. There are operational policy questions and a lot of back-and-forth discussion required to take place within the organization, so there still is a cost – but with the implementation of the tool, the process is streamlined.
Something we’ve done is develop a guidebook that explains the steps and fields of the tool and provides greater context – why organizations would want to use these tools, why it makes business sense to build reports up front to get ahead of things rather than waiting for a crisis, and more.
What security measures are in place so that the data in the report is protected?
The core thing about what we’ve done is that the tool is meant to be downloaded and then stored in the environment that the organization thinks is the most appropriate. It could be stored on a shared cloud, a local laptop, etc. – we didn’t want to force any particular measure on a company.
Having encryption is a better idea, but we know different organizations have different internal policies.
Another feature is that there is local instantiation of the tool. If Company A is running it, as well as Company B, they won’t see each other’s information. We don’t see the data until reports are published.
We had extensive stakeholder consultations during development, and created the tool so that the reports can be either public-facing or kept in house. We developed the tool with the aspiration that these reports will be more public-facing. This would show that the company is taking data privacy issues seriously.
If businesses produce these reports, I would argue that a benefit is that it demonstrates full compliance with Canadian commercial privacy legislation and PIPEDA.
Are businesses and organizations required to produce these types of reports?
The first type of report, the data retention report, I would argue is required.
For the other two, Canadian companies should be required to produce transparency reports under several principles as PIPEDA. We don’t have a specific law, but we do have the Privacy Commissioner, Daniel Therrien, making strong assertions that these kinds of reports ought to be produced.
I think they will be standard operating practice in the future, which is why it’s to the benefit of organizations now to get ahead of the law and demonstrate good corporate responsibility.
The tool is designed for companies to choose to produce one, two, or all reports – we didn’t design the tool to force companies into producing all three. The ideal situation would be to have all three – but companies choose what they want because they understand their own situation.
How has the funding from the Community Investment Program contributed to the project?
Without the funding from CIP, we quite frankly wouldn’t have had the money to hire the developer to create the tool. We would have been able to do the policy work, but not hire the developer. The funding covered the resources to do the development work and go live with the tool.
Are Canadians generally concerned about the data that organizations and businesses have? Why?
Repeated studies have indicated Canadians have a generalized concern for the way their data is collected, retained, and used. Some Canadians decline to engage in online commerce because they are concerned about how their data is disclosed.
Developing and maintaining trust with their users or customers can be a challenge for organizations. We are seeing telecommunications companies developing transparency reports as a part of their corporate social responsibility to develop trust.
Transparency reports are not the only solution to this challenge by any stretch, but are one way to demonstrate good corporate governance and to show concern for users. It’s one tool to facilitate awareness.
Do you see more people becoming educated and aware of this issue?
We’re seeing an emergence of interest in the issue in the past five years or so, as the Canadian population becomes more digitally literate.
Not all Canadians will be flocking to read transparency reports, but when reports are released en masse, they do help the people here at Citizen Lab, University of Ottawa, or other institutions, comb through the information to release it to the public in the more digestible news story that will resonate with most consumers.
But to get to this stage in the research, we need baseline data. That’s why transparency reports are useful and important. They contribute to growing awareness of privacy and transparency issues and are focused on broadening and expanding the conversation. This isn’t something that can be done in 1-2 weeks or months, but over the course of several years.
What has been the reaction to the tool so far?
We’ve shared the tool with a series of organizations, and held workshops for people working in related spaces around the world.
Organizations (small or large) have been uniformly excited to see it and we’ve had the opportunity to speak with the leaders in Canada about the work we’re doing. Overall, they’ve been supportive of the idea that this tool will reduce costs and friction to produce these reports.
We’ve had good feedback from civil society, who are strongly supportive of the work. One person indicated there’s been a lot of talking about helping SMEs, but not a lot of doing to make it possible. I think that’s one of the real contributions we’ve made. What we’ve produced is entirely open-sourced, and we’re anticipating continuing the development of the tool.
What are the next steps?
Currently, we’ve been going around to SMEs that have a depth of expertise to get their feedback. We’re working with a few key partners, one of which has actively applied the tool. We expect to continue to re-architect the tool based on feedback, release an updated version, and continue iterating for the foreseeable future.
Our long-term aspirational goals involve expanding to serve legal communities, which we are excited to do, but first, we are focusing on iterating the current tool to maximize its use and make it as informative as we can.
For more information about the DIY Transparency Report tool, documentation, and application code, visit the press release.