The Office of the Privacy Commissioner of Canada (OPC) announced the results of an investigation into a mobile messaging platform that allows users to send and receive instant messages over the Internet. The OPC coordinated its investigation with the Dutch Data Protection Authority (DPA). Commissioner Stoddart has previously stated that coordinated enforcement is a priority of the OPC.
The OPC found that the mobile app was not compliant with the Personal Information Protection and Electronic Documents Act (Canada) in respect of how it handles address book information. Once a user consents to the app using the user’s address book information, telephone numbers are uploaded to the provider’s servers using SSL/TLS encryption. This may occur up to two times a day or when a user manually refreshes. Telephone numbers that are correlated to other users are retained in clear text by the provider. These are “in network” numbers to which instant messages could be sent. Telephone numbers that are not associated with other users of the app are not discarded. Instead they are retained in a hashed format. These are “out of network” numbers.
The OPC raised a number of concerns:
Users could not (as a general rule) manually add and amend contacts. Instead, as a condition of using the service, a user had to provide access to his or her complete address book.
The app retained out of network numbers (that is, information of non-users). The fact that the out of network numbers were hashed was not sufficient to justify the retention.
The anonymization technique was not complete because “the number could be recovered, with a modest amount of computing effort, if the out-of-network number database and salt value were breached.” In addition, the OPC found that the methodology applied by the provider meant that the hash was always the same for the same number. This meant that it was theoretically possible to search to see whether a number had been submitted before.
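To make that concern concrete, the following is an added illustration (not from the OPC decision or the provider) of why a deterministic, globally salted hash of a telephone number still permits membership lookups and, once the store and salt are exposed, recovery by enumerating the small numbering space; the hash function, salt value and telephone numbers are constructed assumptions.

```python
import hashlib

# Constructed example: a single global salt combined with a deterministic hash.
# The real algorithm and salt are not stated in the decision; these are assumptions.
SALT = b"constructed-global-salt"


def hash_number(number: str, salt: bytes = SALT) -> str:
    """Deterministic salted hash: the same number always yields the same digest."""
    return hashlib.sha256(salt + number.encode()).hexdigest()


# Constructed "out of network" store: digests of numbers belonging to non-users.
OUT_OF_NETWORK = {hash_number(n) for n in ("+16135550142", "+16135550177")}


def seen_before(number: str) -> bool:
    """Membership check enabled by the deterministic hash: anyone holding the
    store and salt can ask whether a given number was ever submitted."""
    return hash_number(number) in OUT_OF_NETWORK


def recover(store: set, salt: bytes, prefix: str, width: int) -> dict:
    """Recover numbers by enumerating every candidate under a prefix and matching
    digests against the store. The example walks 10**width candidates; a full
    10-digit national numbering plan is only about 1e10 hashes, which is the
    'modest amount of computing effort' the OPC refers to once the salt leaks."""
    found = {}
    for i in range(10 ** width):
        candidate = f"{prefix}{i:0{width}d}"
        digest = hashlib.sha256(salt + candidate.encode()).hexdigest()
        if digest in store:
            found[digest] = candidate
    return found


if __name__ == "__main__":
    print(seen_before("+16135550142"))                 # True
    print(recover(OUT_OF_NETWORK, SALT, "+1613555", 4))  # both constructed numbers
```

Because the input space is tiny compared with the hash's output space, hashing adds no real anonymity here; this is why the OPC treated retention of the out of network numbers, rather than the choice of hash, as the underlying problem.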
The OPC’s decision sets a high threshold for retaining information even in an anonymized form where the information is not needed for the operation of the service.