Last year I decided it would be fun to read Stephen King’s entire Dark Tower series for the first time.
King and Dark Tower fans know that to get the most out of the seven proper Dark Tower novels, you need to read a bunch of King’s other books, which are only quasi-related to the main series. In a particular order. Being a completionist, getting to Book II meant that I had to first read The Eyes of the Dragon (fun!), the short story “The Little Sisters of Eluria” (diverting!), and, um, The Stand. Which, as most people know, is a fantastic read, but also So. Very. Long.
In other words, it was a lot of reading just to get back to the main event. Enjoyable? Most definitely. Worthwhile in the end? Yes. But a long way to go nonetheless.
All of this to say that this is my final, throat-clearing post before I actually start reading the actual Master Innovation and Development Plan. And while these reports share only an alphabet in common with King, I hope that reading them will illuminate our final destination in much the same way that my pre-Drawing of the Three reading did the subsequent Dark Tower books.
Anyways, on to the issues at hand. In this post I’ll be covering the digital aspects of the pre-MIDP Sidewalk Labs and Waterfront Toronto output. First, a quick summary of Schedule I of the Plan Development Agreement, “Digital Governance Framework Principles.” I’ve focused on more concrete deliverables rather than fuzzy statements of intent on the assumption that the former are more easily trackable than the latter, which could be fulfilled by doing almost anything. These will give me a yardstick with which I can evaluate the final agreement.
There is a lot of wiggle room in these principles. For example, claims that they will only collect, use, retain and disclose data “necessary for the provision of the services and [the benefit of] individuals” could also be rephrased by saying that they will collect, use, retain and disclose any data needed to provide these services. As always, the devil will be in the details.
Other than that, for the moment I’ll note that they have a strong bias toward using transparency and informed consent to ensure that people’s data rights are protected. They also claim to favour “Meaningful … opt-out provisions.” Reconciling the ubiquitous surveillance proposed in all previous documents with such an opt-out would be a neat trick.
Then, I’ll highlight some important points from Sidewalk Labs’ October 2018 “Digital Governance Proposals for DSAP Consultation,” a 41-page PowerPoint presentation that stands as its most thorough (to that date) public statement on how it thought data should be governed.
Part I: The Digital Governance Framework Principles
- They will follow the laws of the country. (um, huzzah?)
- Will identify and assess “with respect to risk to human or democratic rights” “any form of surveillance of individuals,” which will be “remedied where necessary.” (Schedule G, Article 1) (see: devil, details)
- Identifies an individual’s “rights to access and review their data”
- Commits to the transparent “collection, use, retention and disclosure of personal data”
- Will only collect, use, retain and disclose data “necessary for the provision of the services and [the benefit of] individuals.” Another way of saying this, however, is that they will collect, use, retain and disclose any data needed to provide these services.
- Will use de-identification and other technologies “to ensure privacy is protected”
- Based on “informed consent”
- “Meaningful … opt-out provisions”
Note: This approach places significant responsibility on the individual: The company provides all the information (transparency), and it will be up to the individual to know and understand enough about what data is, how it is collected, and how it will be used to make sound decisions.
That’s a big ask, given that even most data experts don’t fully understand these issues, and that people are being asked for consent for companies to use their data in ways that affect other people, potentially negatively. All this to say, even “informed consent” isn’t the silver bullet we often think it is.
And of course the main point here should be that these are all empty promises until they’re actually defined in a concrete proposal.
- “Clear and robust structures of accountability for the safe use of data including open protocols and rules”
- “Algorithmic transparency to avoid bias or marginalization”
- “Reasonable limits on use of even aggregated data” (not defined)
- Explore “novel ownership structures for non-personal data”
Note: Again, these commitments mean nothing until they are actually defined. As for the “novel ownership structures,” we can jump ahead a bit and note that this is referring to “urban data,” a phrase that doesn’t exist in Canadian law or in the data scholarship or data-policy debates (and which Sidewalk Labs can define to fit its own interests), and a “data trust,” which as Dr. Natasha Tusikov notes, would not be a “trust in the legal sense.”
Innovation: Making up phrases that sound like they mean something other than what they mean!
- They will follow the law of the land.
Note: While it’s nice to know they aren’t going to commit to breaking any laws, it also means that they won’t go beyond the law to actually localize Canadian data in Canada.
- Systems and platforms that are open by default (Schedule G, Article 4).
- Secure data and resilient infrastructure “and solutions”
Note: Again, the details will matter.
The Digital Strategy Advisory Panel
The mandate of the Panel is to provide Waterfront Toronto with objective, expert advice to ensure that principles of ethical use of technology, accountability, transparency, protection of personal privacy, data governance and cyber security are upheld.
Its recommendations are non-binding.
Note: As I’ve noted in previous posts, the Auditor General of Ontario has noted that the (part-time) Digital Strategy Advisory Panel has had “limited” effectiveness (in the words of one of its own members).
Part II: Digital Governance for DSAP Consultations
This document reads like a public relations exercise, touting the people they’ve consulted, including Dr. Ann Cavoukian, the former Information and Privacy Commissioner of Ontario and Privacy by Design consultant, who famously resigned as a Sidewalk Labs advisor at about this time because of concerns over privacy. (She has since softened her stance against Sidewalk Labs, embracing parts of the MIDP.) There are no links to other reports, so it’s unclear where they came up with some of their more consequential ideas, particularly “Urban Data” and the “Civic Data Trust.” This thinness makes it difficult to evaluate on its own terms.
“From the outset we knew that the monetization of data would not be part of our business model.” (p. 4)
This comment responded to the fact that since October 2017 neither Sidewalk Labs nor Waterfront Toronto had been forthcoming about how the for-profit Sidewalk Labs would make its money on this project.
Privacy by design?
Sidewalk Labs leans heavily on “Privacy by Design” (p. 8). Teresa Scassa, Canada Research Chair at the University of Ottawa, data law expert par excellence and Digital Strategy Advisory Panel member, offers a useful critique of this proposal (spoiler: it’s much less than meets the eye).
As an added bonus, her line “The second point I tried to make in my 5 minutes at the Thursday meeting was about data governance” is telling regarding the amount of oversight the Digital Strategy Advisory Panel is able to provide. No matter how brilliant its members (and I’m a huge admirer of many of them), they’re still doing this on a part-time basis, meeting once every few weeks or months. An outside, part-time panel is no substitute for in-house experience.
- “Independent governance is necessary to protect personal and public interests across areas of data stewardship, privacy, access, and, security—in addition to government enforcement of Canadian and Ontario privacy laws and regulations.” Everyone should be subject to the same rules (p. 10).
Let’s make up some concepts! Sidewalk Labs’ Civic Data Trust and Urban Data
From the beginning, one of the problems in evaluating Sidewalk Labs and Waterfront Toronto’s Quayside proposals is that they kept moving the goalposts. Two posts ago, I noted how Sidewalk Labs’ original $US 50 million ante was portrayed as an investment in consultations, or in the “initial planning and testing phase of the project.” In July 2018, it came out that it was also originally intended as a possible land downpayment, but then the Plan Development Agreement nixed that. It’s hard to keep up when you’re dealing with Billy Flynn-levels of creative confusion.
Here, we get two new terms that we’ve never seen before: a “Civic Data Trust,” and “urban data” (pp. 11-16).
Others, such as Dr. Tusikov, have discussed issues and concerns with these two terms, and this proposal spends some time outlining each concept, but for the purposes of preparing to examine the MIDP, the main point to keep in mind is that both of these terms are not found in Canadian law. Neither are they in common usage among data scholars. In fact, they seem to originate with Sidewalk Labs. A quick Google Scholar search reveals no examples of the term “civic data trust” before 2019. Categorizing data as “urban” and “non-urban” is likewise an innovation (it’s mentioned briefly in the Plan Development Agreement). (Sidewalk Labs defines urban data as “data collected in the physical environment” (p. 37).) In contrast, Canadian law tends to focus on personal information, not “urban data.”
What this means is that Sidewalk Labs can define these two terms any way they want. Their definitions in those documents will be consequential.
Noted: The Civic Data Trust would be responsible for obtaining some form of “community consent” (p. 38), which would seem to be a departure from the emphasis on individual consent.
Schedule I (above) of the Plan Development Agreement refers only to the need for “Meaningful, informed consent and opt-out provisions.” This part is probably linked to their idea of urban data, which would “not apply to Urban Data in most cases.” Such data would be made “freely and publicly available as a default matter and/or controlling access” (p. 38). It does make me wonder when, how and why Sidewalk Labs came up with the category of Urban Data in the first place, rather than using concepts based in the Canadian law that both Sidewalk Labs and Waterfront Toronto profess to hold so dear.
Responsible Data Impact Assessment
This document also proposes a Responsible Data Impact Assessment, to be done “at the design phase, prior to data collection or use” (pp. 17-21).
Again, how this is treated in the MIDP will be important. For now, the key point is that this is yet another example of Sidewalk Labs setting up the standards by which it will evaluate projects in which it will likely have an intimate interest. As with much of these proposals, including those under the “Governance Case Studies” section (pp. 22-25), it’s not the idea of a risk assessment that’s problematic; it’s the way in which it will be carried out. We need details, which hopefully will be provided in the MIDP.
Not a smart city, or an adaptable city, but one with different priorities
The “Open Digital Infrastructure and Services” commits to open architecture and standards rather than “a centralized, monolithic platform” (p. 30), that will be open to “a wide range of players” (p. 29).
Parts of the “Open Digital Infrastructure and Services” repeat the vapourware promises of Sidewalk Labs’ Project Vision document (e.g., the list on p. 27; “Enabling innovation by a wide range of players,” p. 29), but one thing that stood out to me was its mission-statement recap section, also on p. 27:
From the start of this project, we imagined a set of new experiences that could be possible in a new type of city. Streets that prioritized safety, pedestrians, and cyclists … . Buildings with a far more diverse and vibrant mix of uses … . Significantly reduced carbon emissions.
This statement highlights the fact that the Quayside project is as much about setting priorities as it is about introducing cool tech and sensors. Sidewalk Labs isn’t just selling a surveillance-driven datafied city. The above statement outlines the priorities Sidewalk Labs has for the city. They are a statement about how the city should be governed. And while they look pretty inoffensive, they amount in this context to governance by stealth, an attempt to change the city’s political priorities via infrastructure plans.
While it seems like we’re all discussing, say, algorithm-driven traffic flows, we’re actually discussing what rules should govern our cities, and who should be setting them. And the one thing that characterizes all of the Waterfront Toronto and Sidewalk Labs documents we’ve looked at up until now is that they assume a particular set of priorities. This assumption effectively takes the discussion of whether these priorities are the right ones off the table.
This gets to the problem with the above statement: it assumes that the desired outcomes are going to be uncontroversial and can therefore be left to the experts. It assumes that they are beyond politics.
One of the most important lessons I learned in my six years working for various federal parliamentary committees is that people of good faith (and almost all of the politicians I worked with fit this description) can have dramatically different visions about what policies Canada should adopt, and that what is uncontroversial to one person will be hugely troubling to another. That’s why we have politics and Parliaments: to work these things out in an open, democratic manner.
I certainly thought that a lot of what I heard from parliamentarians was wrong, but I never doubted that these perspectives came almost always from a desire to make Canada a better place. And even when I heard something that I thought was wrong, I tried to keep in mind that maybe (just maybe!) they knew more than I did, and that I might be the one who’s wrong. That’s politics; that’s policymaking.
The last thing any city should do is to assume that everyone shares the same prioritization of means and objectives. These are political discussions and should be treated as such. Instead, Sidewalk Labs is proposing its own set of priorities, sidestepping the debate over whether or how these priorities should be pursued.
Data Localization: No, thank you.
Sidewalk Labs isn’t going to do that (p. 35).
Quayside as a data source for Google?
They give a flat “no.” (p. 38)
We’ll see. I’ve read ahead and (spoiler) they leave themselves a lot of wiggle room. Sidewalk Labs
commits to not disclose personal information to third parties, including other Alphabet companies, without explicit consent (MIDP Overview, p. 84, emphasis added).
Not sharing without explicit consent is way different from a hard “no.” And as suggested by our above discussion about urban data and civic data trusts, to say nothing of their way of playing with the meaning of words like “no,” you can be pretty sure that regular people and Sidewalk Labs have very different ideas about what “explicit consent” actually means.
Sidewalk Labs’ role and general governance
- Sidewalk Labs: will be the provider of “some critical infrastructure and core services,” with “other players provid[ing] the lion’s share of technology.”
- Governments: they enforce privacy laws
- Data Trust: it will oversee the collection and use of data, possibly with some government involvement.
That’s it for now. One more sleep until the MIDP!