Federal Privacy Commissioner on Bill c-27 news release.

Report into the 2021 cyber attack on Newfoundland health information systems released.

Privacy Commissioner of Canada announced his office is launching a joint investigation into OpenAI

Federal Privacy Commissioner launches new guidance on workplace privacy

Cybersecurity: Best Practices for Setting Up a Security Operations Centre

Alberta IPC finds risk of significant harm from stolen server.

Updates to Chapter 3 for the Guide to FOIP and the Guide to LA FOIP are now available!

Steps for effectively deploying multi-factor authentication.

Concerns about AI


Learned Helplessness in the World of Data Privacy

July 13, 2022 - Rick Yachiw, Analyst

A theory in the study of psychology suggests we simply give up if we believe we have no control over what happens to us. This theory, discovered by psychologists Martin Seligman and Steven Maier, is known as “learned helplessness.”

The theory is straightforward: when we are subjected to something repeatedly and feel as though we cannot change the outcome, we just accept the outcome. For example, if we continually fail at something we try hard to accomplish, at a certain point we accept we will always fail, and so we resign ourselves to failing. Or we just stop trying.

How, then, does this theory apply to the world of data privacy? A recent news article on Tim Hortons’ violation of privacy rights in Canada suggests how.

In 2019, Tim Hortons updated its app to include the collection of geolocation data. That meant when you downloaded the app it would track your location and report that data back to Tim Hortons. In 2020, a Financial Post journalist found, through location data Tim Hortons was collecting on him, that Tim Hortons had collected information on where and when he traveled, including when he traveled on overseas vacations. In total, Tim Hortons had collected thousands of pieces of location data on him, and not just from when he was using the app.

After reports such as this came out, the Privacy Commissioner of Canada decided to open an investigation into the Tim Hortons app. Recently, he concluded Tim Hortons had violated Canada’s privacy laws by collecting more information from its customers than it required. He also found Tim Hortons was collecting data outside the reasons it cited for collecting the data in the first place.

While Tim Hortons claims to have removed geolocation tracking from its app and destroyed the data it collected, the fact such tracking occurred represents a larger issue with how much data we give away. Often, we do this without fully understanding what we are giving away or why. At a certain point, we may just accept it as the cost of doing business, shrug our shoulders and submit. We know, for example, we cannot participate in Tim Hortons’ giveaways without the app, so we download the app and resign ourselves to any associated negative consequences.

Tim Hortons stated it did not intend to use the location data it had collected in nefarious ways – or at all – but arguably such data can be invaluable to large corporations. Corporations are often faced with problems such as knowing the best places to open new locations or creating the types of products customers are likely to purchase or consume based on their lifestyle. Vast quantities of data can help them quickly and easily solve such problems.

Tim Hortons is not the first corporation to be caught in a data scandal of this nature. In early 2018, Cambridge Analytica, a data analytics firm based in the United Kingdom, was found to be collecting the personal data of millions of Facebook users without their consent. It was doing so to direct certain types of political advertising towards certain users. In so doing, it is said to have helped influence political campaigns and outcomes in the United States. It is even said to have helped influence the outcome of Brexit.

All this comes back to the concept of learned helplessness and how it applies to individual data privacy. When events such as Tim Hortons and Cambridge happen repeatedly, and laws do not change in ways that fully protect our data privacy rights, we may subconsciously – or consciously – submit to the tactics corporations use to scoop our data. That is, we may just accept there will be unexpected consequences. We no longer weigh the risks, and instead focus on what we think are the rewards.

There are simple ways, though, we can protect our personal data. Consider the following:

  1. The more you share online through social media apps such as Facebook, the more data there is out there on you. That leaves more data about you that corporations can collect to learn about your preferences and habits. They can then use this information, for example, to target you with specific types of advertising.
  2. Think about what specific data you share online and if it is necessary to share it for what you are doing. If it does not seem like a corporation or other entity requires certain data, do not provide it, or at the very least ask them why it is necessary for them to have it. Also see if there is the opportunity to opt out of the data collection.
  3. Keep your social media networks small, and your social media network activity private. Accept only those you know into your social media network and check your privacy settings to ensure only those in your network can see your activity.
  4. Beware of seemingly harmless social media quizzes that ask questions such as the name of your first pet or car you owned. Ask yourself – do these sound like the security answers I use for my online banking? If they do, it is probably not a coincidence.
  5. When you do set up answers for security questions, consider an answer that is not true but still something you will remember. That way, when you say on Facebook your first pet was named “Spot,” at least you know it will not be one of your security answers.
  6. Use private browsers when surfing online as they delete cookies, temporary Internet files and your browsing history.
  7. Use strong passwords and two-factor authentication. Using two-factor authentication requires you to enter a special code the site texts to your phone. When logging into a new or unknown device, you will need this code to log into your account. Others trying to get into your account using unknown devices will then not be able to without the code.
  8. Do what most of us do not do – read the fine print. Review privacy statements and policies to know what data on you a corporation will collect, why they will collect it, how they will use it and for how long, and what you can do if you suspect that corporation is violating its own privacy terms.

Had it not been for a few individuals digging deeper into the Tim Hortons app, we might have never known what was happening. Corporations love data, even if they do not have an immediate purpose for it. There are many steps you can take to protect your data privacy. Think about what data you are putting out there and how it can be used against you, then take even just small steps to protect your privacy. You do not have to resign yourself to learned helplessness – take the time to learn what you can do to protect your data privacy.


Categories: BlogTags: , ,

Back to Blog