Leg4

Transcript of Leg4

Page 1: Leg4

© Information and Privacy Commissioner of Ontario, 2006

CANADIAN GAMING SUMMIT 2011 April 19, 2011

Mary O’Donoghue General Counsel and Manager of Legal Services Information and Privacy Commissioner/Ontario

Casinos As Public Institutions under the Freedom of Information and Protection of Privacy Act

Page 2: Leg4

The Regulator: Information and Privacy Commissioner/Ontario

ABOUT US:

• The Information and Privacy Commissioner of Ontario (the IPC) is an administrative tribunal as well as a policy making body.

• In addition to her powers as an adjudicative tribunal, the IPC has an explicit statutory authority to

– Conduct research into access and privacy issues;

– Receive information from the public on the operation of the Acts;

– Comment on proposed government legislation and programs; and

– Educate the public about Ontario’s access and privacy laws.

Page 3: Leg4

Information and Privacy Commissioner/Ontario: The Acts

Information and Privacy Commissioner/Ontario oversees:

The Freedom of Information and Protection of Privacy Act (FIPPA)

The Municipal Freedom of Information and Protection of Privacy Act (MFIPPA) and

The Personal Health Information Protection Act (PHIPA)

Under these Acts she resolves access to information appeals and complaints when government or health care practitioners and organizations refuse to grant requests for access or correction or fail to treat personal information in accordance with the statutory Privacy Rules.

Page 4: Leg4

The Acts

• Each of these Acts provides for access to information and privacy of personal information.

• FIPPA came into effect in 1988, MFIPPA in 1991, and PHIPA in 2004

• Under FIPPA and MFIPPA, the general public has a right of access to general records in the custody or control of institutions, as well as to their own personal information

• Access rights are subject to both legislated exclusions and exemptions

Page 5: Leg4

Purpose of FIPPA/MFIPPA

• The purposes of the Freedom of Information and Protection of Privacy Act and the Municipal Freedom of Information and Protection of Privacy Act are:

– a) To provide a right of access to information under the control of government organizations in accordance with the following principles:

• information should be available to the public;

• exemptions to the right of access should be limited and specific;

• decisions on the disclosure of government information may be reviewed by the Information and Privacy Commissioner.

– b) To protect personal information held by government organizations and to provide individuals with a right of access to their own personal information.

Page 6: Leg4

PUBLIC INSTITUTIONS

• Which bodies are covered? “Institutions” are the entities subject to the public sector Acts

– FIPPA institutions mainly cover provincial ministries and agencies, including entities specially scheduled by regulation

– MFIPPA institutions are municipal governments and their agencies, school boards, libraries, police services etc.

– In Ontario, under the aegis of the Ontario Lottery and Gaming Corporation, Casinos are subject to the privacy and access to information rules of FIPPA

Page 7: Leg4

Transparency, Openness and Privacy

• Under the two public sector Acts, there are 3 underlying principles:

– Citizens are ensured access to the information that allows them to participate meaningfully in the democratic process

– Elected officials and public officials remain accountable to the citizenry

– Public institutions are responsible for safeguarding personal information and following the privacy rules

Page 8: Leg4

The Privacy Rules

• Part III of the Freedom of Information and Protection of Privacy Act provides rules for the protection of the privacy of the individuals. “Fair information practices:”

– personal information should be collected directly from the individual, unless indirect collection is necessary and authorized;

– institutions should collect only personal information which is specifically authorized by statute, necessary for a lawfully authorized activity or for law enforcement;

– individuals should be notified by the collecting institution when their personal information is collected; notice should contain legal authority for the collection; name, title and telephone number of institution employee who can answer questions;

Page 9: Leg4

The Privacy Rules cont’d.

– individuals have a right of access to their personal information held by institutions, subject only to statutory disclosure exemptions;

– individuals may request correction of their personal information being held by institutions, or have right to attach statement of disagreement;

– institutions only use personal information for the purpose for which it was collected or for consistent purpose; consistent purpose is one reasonably expected by the individual;

– individual can consent to new use for the information; information may be collected for more than one use; all potential uses identified prior to collection, and all main uses disclosed to the individual at the time of collection;

Page 10: Leg4

The Privacy Rules cont’d.

– institutions should not disclose personal information except as permitted under the Act, or upon consent of the individual;

– institutions should use only personal information which is accurate and up to date in making decisions affecting an individual; and

– institutions must provide for the proper secure custody of personal information

Page 11: Leg4

Privacy Rules in the Casino

Investigation Report PC-010005-1, February 26, 2001

• Hamilton Spectator reporter contacted the IPC for information on biometric facial scanning by OPP in casinos.

• The Alcohol and Gaming Commission (AGCO) Investigations Branch (seconded OPP officers) closely monitors Ontario casinos to enforce section 209 of the Criminal Code, which criminalizes cheating while playing a game or betting. The OPP was using Facial Recognition Technology.

Page 12: Leg4

Facial Recognition Technology in the Casino

• The OPP used Facial Recognition Technology to detect suspicious behaviour by customers. Where there was reasonable suspicion that an individual was engaging in criminal activity, the OPP used the face recognition software to determine if the individual was a known or suspected casino cheat.

• Facial template is compared for matching purposes against two databases (the first is the casino based database of suspected casino cheats throughout North America, the second is the OPP database which contains convicted casino cheats in Ontario and ongoing investigations)

• Incident report is prepared and facial scan only retained if investigation leads to a criminal conviction.

Page 13: Leg4

Facial Recognition in Casinos

• If conviction, scan retained in OPP database at casino where criminal activity took place. OPP may also send facial scans to OPP teams at other casinos in the province for their database. OPP in Ontario casinos did not send their facial scans to other jurisdictions, however others may send their scans to Ontario casinos.

• Where the investigation resulted in no conviction the data was deleted and no copy maintained on file. In addition, contrary to media allegations, the OPP did not engage in the scanning of all casino customers.

Page 14: Leg4

IPC Findings

• Template was personal information

• Collection was for purpose of law enforcement and so proper; officers gather information in accordance with duties under the Police Services Act. Used only for law enforcement and access restricted to OPP.

• Notice - Posted Notice was required under s. 39(2). Imaging was publicly known and disclosure would not reveal unknown investigative technique.

• Law enforcement provisions “would not apply to exempt institution from requirement for general notice to inform the public entering a casino that OPP may be collecting their personal information through the use of face recognition technology… An individual’s face displays unique and highly personal information about that individual, including his or her race, colour, age and sex. In our view, members of the public should be made aware that this information could be collected if they choose to enter a casino in Ontario.”

Page 15: Leg4

Consultation

• Though it is not a requirement for the IPC to be consulted on every project which may have privacy implications, it is however within the spirit and intent of the Act to consult. In addition, consultation with the IPC will ensure the compliance with the Act. Neither the AGCO nor the OPP consulted with the IPC on the development of facial recognition technology. As well, neither institution established a privacy impact assessment before the implementation of this technology. It is the view of the IPC that consultations are highly recommended and especially important when the use of biometric programs may impinge upon privacy.

Page 16: Leg4

Casino Investigation Information - Access

• IPC Order PO-2796, AGCO, 2009

• http://www.ipc.on.ca/images/Findings/PO-2796.pdf

• Alcohol and Gaming Commission of Ontario received FOI request for 1) “plan to investigate” 2) “report of investigation”

– ...any other AGCO document which mentions the [requester] or relates to the [date] Casino [name] incident.

Page 17: Leg4

Investigation Information - Access

• Records denied by AGCO included some about investigation of the casino’s “operational and performance aspects of a surveillance system”.

• The IPC Adjudicator found that the records contained “more than an internal review of a surveillance incident as claimed by the appellant…This information at issue in the records concerns a sensitive subject, namely the surveillance system in a named casino which is related to both the security system in that casino, as well as the protection of the public who frequent that casino. While there may be a public interest in disclosure of this information, the significant and sensitive nature of this information outweighs both the public’s interest in disclosure as well as the appellant’s need to receive this information for his own private interest to assist him in his court action.”

• Refusal of access upheld - section 49(a) (requester’s own p.i.) in conjunction with section 13(1) (Advice to gov’t) as well as section 14(2)(a) (law enforcement report).

Page 18: Leg4

The Future of Privacy

With onslaught of new technological programs involving personal information and new privacy risks, the Commissioner’s challenge is to

Change the Paradigm to Positive-Sum, NOT Zero-Sum

Page 19: Leg4

Privacy by Design: The Trilogy of Applications

Information Technology

Accountable Business Practices

Physical Design & Infrastructure

Page 20: Leg4

PRIVACY BY DESIGN: THE 7 FOUNDATIONAL PRINCIPLES

• 1. Proactive not Reactive: Preventative, not Remedial;

• 2. Privacy as the Default setting;

• 3. Privacy Embedded into Design;

• 4. Full Functionality: Positive-Sum, not Zero-Sum;

• 5. End-to-End Security: Full Lifecycle Protection;

• 6. Visibility and Transparency: Keep it Open;

• 7. Respect for User Privacy: Keep it User-Centric.

• www.ipc.on.ca/images/Resources/7foundationalprinciples.pdf

Page 21: Leg4

Embedding Privacy at the Design Stage: The Obvious Route

• Cost-effective

• Proactive

• User-centric

• It’s all about control – preserving personal control and freedom of choice over one’s data flows

Page 22: Leg4

Privacy by Design in Action in Casinos

Page 23: Leg4

Biometric Encryption (BE)

What is Biometric Encryption?

• Class of emerging “untraceable biometrics” technologies that seek to translate the biometric data provided by the user;

• Special properties:

– uniqueness

– irreversibility

Page 24: Leg4

Biometric Encryption: A Positive-Sum Technology that Achieves Strong Authentication, Security AND Privacy

• Privacy-enhanced uses of biometrics, with a particular focus on the privacy and security advantages of BE over other uses of biometrics;

• How BE technology can help to overcome the prevailing “zero-sum” mentality by effectively transforming one’s biometric to a private key.

www.ipc.on.ca/images/Resources/up-1bio_encryp.pdf

Page 25: Leg4

Advantages of Biometric Encryption

BE Embodies core privacy practices:

1. Data minimization: no retention of biometric image or template, minimizing potential for unauthorized secondary uses, loss, or misuse;

2. Maximal individual control: Individuals may keep their biometric data private, and can use it to generate or change unique (“anonymous”) account identifiers, and encrypt own data;

3. Improved security: authentication, communication and data security are enhanced.

Page 26: Leg4

Facial recognition a system problem gamblers can’t beat?

This coming May, facial recognition technology will be used to scan the faces of every patron entering an Ontario casino. This scan will then be compared with a database of 15 000 individuals who have placed themselves on a self-excluded list.

When a match is found, casino security is notified; if no match is found, the image is discarded.

Privacy mechanisms have been implemented into this technology through a biometric encryption algorithm. This algorithm assures the public that there is “no permanent link between a biometric template of a person’s face and their private information.”

According to Commissioner Cavoukian measures must be taken to ensure the privacy of those who come to the casino and have not placed themselves on this list.

• Toronto Star, January 12, 2011

Page 27: Leg4

OLG’s new 4 step self-exclusion program

• Enrolment process - Images are taken for facial recognition process, conversation between the self-excluder and security is documented, and a digital form is signed agreeing to the terms of self-exclusion.

• Detection – Cameras are located at the entrance and exit of each casino. Faces are scanned in real time and encrypted into a unique algorithm.

• Tracking and identification – the self-excluded database is searched for a match of that algorithm. If detected, the self-excluder’s information is distributed to security. Security personnel double-check to make sure the system has identified a self-excluded person, and that no one has been falsely identified.

• Enforcement – If a self-excluded person is detected in the casino, they are asked to leave and the incident is recorded in the database.

Page 28: Leg4

OLG Facial Recognition Program

• The system is designed to detect only self-excluded people – not cheaters or organized crime;

• Legacy, photograph-based system, needs to be maintained without the need for re-enrolment of individuals;

• Automated facial recognition system is the only technology that produces remote identification and is compatible with the legacy photograph-based system.

Page 29: Leg4

OLG Self-Exclusion program

• Completely voluntary self-excluded individuals – more than 12,000 in Ontario and growing;

• Great Need for reliable detection of those attempting to enter a gaming site – manual comparison alone does not work;

• Privacy of all casino patrons must be protected;

• Solution: Facial recognition in watch-list scenario with the use of Biometric Encryption;

• Novel “Made in Ontario” PbD application: collaboration of OLG, IPC, UofT, and iView Systems

Page 30: Leg4

OLG Facial Recognition Program

• OLG is subject to Ontario’s privacy legislation;

• OLG contacted us at the earliest stage and adopted the Privacy-by-Design approach – embedding the privacy protection means directly into the core technology;

• The research project was successfully completed at the University of Toronto, developing an essentially new variant of a BE algorithm called Quantized Index Modulation (QIM);

• The database tests showed that BE may be integrated with conventional facial recognition, with little or no accuracy degradation.

Page 31: Leg4

Facial Recognition with Biometric Encryption

• Biometric Encryption (BE): securely binds a person’s identifier (pointer to personal information) with facial biometrics;

• The pointer is retrieved only if a correct (i.e., self-excluded) person is present;

• The link between facial templates and personal information is controlled by BE;

• Final comparison is done manually;

• Privacy of both the general public and self-excluded individuals is protected.
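A toy sketch of the key-binding idea on this slide, added here as an illustration; it is not code from OLG, iView Systems, the University of Toronto or the IPC. It uses a basic quantization index modulation binding with a repetition code, and the step size, function names and feature vectors are constructed assumptions (a production scheme would use real face features and a stronger error-correcting code).

```python
import hashlib
import hmac

STEP = 1.0    # quantizer step size (assumed value)
REPEAT = 3    # features per key bit; majority vote absorbs one outlier

def _nearest(x, bit):
    """Nearest point to x on the lattice {(2m + bit) * STEP}."""
    return (2 * round((x / STEP - bit) / 2) + bit) * STEP

def enroll(features, key_bits):
    """Bind key_bits to a feature vector.

    Returns (helper, digest). Only these are stored; the features and
    the key bits themselves are discarded after enrolment.
    """
    if len(features) != REPEAT * len(key_bits):
        raise ValueError("need REPEAT features per key bit")
    helper = [_nearest(x, key_bits[i // REPEAT]) - x
              for i, x in enumerate(features)]
    return helper, hashlib.sha256(bytes(key_bits)).digest()

def release(features, helper, digest):
    """Return the bound key bits for a close-enough sample, else None."""
    if len(features) != len(helper):
        return None
    raw = [round((x + w) / STEP) % 2 for x, w in zip(features, helper)]
    bits = [int(2 * sum(raw[i:i + REPEAT]) > REPEAT)
            for i in range(0, len(raw), REPEAT)]
    candidate = hashlib.sha256(bytes(bits)).digest()
    return bits if hmac.compare_digest(candidate, digest) else None

# Constructed sample data (not real biometric features).
POINTER = [1, 0, 1, 1]  # stands in for the identifier bound to the face
ENROLLED = [0.3, -1.2, 2.7, 4.1, 0.9, -3.4, 1.6, 2.2, -0.8, 3.3, -2.6, 0.4]
NOISE = [0.1, -0.2, 0.3, -0.4, 0.7, 0.2, -0.1, 0.3, -0.3, 0.2, 0.1, -0.2]
SAME_PERSON = [x + n for x, n in zip(ENROLLED, NOISE)]
OTHER_PERSON = [1.4, 0.1, -0.6, 2.0, 3.1, -1.3, 0.2, 4.4, 1.9, -2.1, 0.7, 2.8]

if __name__ == "__main__":
    helper, digest = enroll(ENROLLED, POINTER)
    print("same person :", release(SAME_PERSON, helper, digest))
    print("other person:", release(OTHER_PERSON, helper, digest))
```

The stored record holds only the helper offsets and a digest of the pointer, so a face that is not enrolled releases nothing to look up.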

Page 32: Leg4

Proof of Concept

• Live field test at Woodbine facilities: Correct Identification Rate (CIR) is 91% without BE, and 90% with BE – negligible accuracy impact;

• BE reduces False Acceptance Rate (FAR) by up to 50% – a huge improvement in accuracy;

• Accuracy exceeds state-of-the-art for facial recognition;

• Triple-win: privacy, security, and accuracy (unexpected) – all improved;

• Next: production version of facial recognition with BE.

Page 33: Leg4

How to Contact Us

Mary O’Donoghue

General Counsel and Manager of Legal Services, Information and Privacy Commissioner/Ontario

2 Bloor Street East, Suite 1400, Toronto, Ontario M4W 1A8

mary.o’[email protected]

416 326-3922