By Nicholas Studley, CIPPIC Student

On March 29, 2019, Sidewalk Labs launched CommonSpace, an open-source application designed to streamline public life studies, a set of observations about how people use public spaces. Earlier, we blogged about Sidewalk’s “use case” for CommonSpace in Toronto. The launch in March announces the maturation of that proposal. 

CommonSpace is designed to automate the Public Life Data Protocol, which sets the standard for collecting observational data of human activities in open spaces. With the resulting data, city planners, community groups or others can develop a plan to improve the cities in which we live.  The Protocol specifies nine categories of information to be collected by a public or non-profit agency undertaking a public life study including: (1) agency information; (2) location of study; (3) typology of location; (4) gender of observed individuals; (5) age category of observed individuals; (6) travel mode of observed individuals; (7) posture of pedestrians behaving in space; (8) activity engaged; (9) objects list associated with a subject. 

How is Sidewalk protecting privacy?

The potential benefits of this type of application to measure the effectiveness of public space design may seem obvious, but so are the privacy risks. Sidewalk Labs is mindful of these privacy implications and has adhered to several best practices in anticipation of the public concern, including:

• Privacy by design principles
• Open by default
• Data anonymization
• Data minimization
• Encryption and other protections

Privacy by design is a commitment to addressing privacy risks during the design stage of a technology, rather than as an afterthought. Sidewalk’s commitment to privacy by design is evidenced by their Responsible Data Impact Assessment (“RDIA”). This assessment describes the privacy concerns associated with CommonSpace technology and Sidewalk’s efforts to mitigate them. The RDIA is released publicly prior to deploying the technology in the field.

Being open by default is a commitment to transparency in data collection. Sidewalk encourages partner organizations (i.e. those using the CommonSpace application) to share collected data. Ultimately, the decision over whether collected data will become public is the choice of Sidewalk’s partner organizations. Sidewalk has explicitly stated that if their team ever uses the CommonSpace application to collect data, it will be made publicly available (see Sidewalk Labs – Responsible Data Impact Assessment). The Gehl Protocol (the standardized methodology according to which data is collected) is also “open for any and all to use,” allowing people to understand the methodology and rationale behind any utilization of data. 

Data anonymization is a policy of de-identifying personal information wherever possible. In general, the CommonSpace application discourages personal information collection. Certain identifying features are not collected by the CommonSpace application and study volunteers are explicitly told not to enter identifying features into any free form data fields. In case this direction is not followed, free form data fields will not form part of any public disclosure. 

Data minimization is a commitment to collect as little data as necessary about individuals. According to Sidewalk, “CommonSpace was purposefully designed to collect the minimum amount of data needed to support public life studies.” The data collected by CommonSpace could include as many attributes as: perceived gender, perceived age, moving mode, posture in space, activity engagement, group size, carried objects, animals and a stationary geotag. CommonSpace limits demographic data collection to perceived age, perceived gender, posture and location. 

When the application is used in the future, Sidewalk will maintain custody of any data with control granted to study organizers, “who have full ability to manage and delete data.” Sidewalk will secure this data using encryption. Oversight over data use will be maintained by logging access records.

How could Sidewalk improve privacy protections?

    The information collected in the CommonSpace application is intended to be non-personal.  Regardless, as a best practice, individuals should be given an opportunity to consent to their information being collected. Currently, individuals are not notified that their information is collected, but surveyors are trained to answer questions about a study if asked. It is likely more feasible for Sidewalk’s partner organizations (the one’s performing the study) to garner consent. That said, CommonSpace could facilitate collection by prompting study organizers to post notices, or do something similar, before collecting information.

CommonSpace allows an individual to be designated as age 0-14. This ability is not consistent with the suggestion that information pertaining to youths should not be collected without parental consent and only in the rarest circumstances. Minimizing the collection of youth data was a guideline specific to the collection of “personal information” and Sidewalk describes the information being collected with CommonSpace as non-personal. Regardless, as a best practice, collecting youth data should be avoided where possible. 

Missing from Sidewalk’s disclosure is any mention of group privacy, which may be the greatest public risk of CommonSpace.  Sidewalk provides no discussion of this or of the conceptual harms associated with collective observation or surveillance.

Privacy legislation considerations

The Personal Information and Protection of Electronic Documents Act (“PIPEDA”) applies to the collection, use or disclosure of personal information in the course of a commercial activity. Personal information is information about an identifiable individual.

The CommonSpace application was piloted in 2017 by two not-for-profit organizations,  Parks People and the Thorncliffe Park Women’s Committee (“TPWC”). Not-for-profit status is not conclusive in determining whether PIPEDA applies to an organization. If Parks People or TPWC engage in “commercial activities that are not central to their mandate”, then PIPEDA will likely apply. Sidewalk Labs is a for profit entity. They have access to CommonSpace data and could be deemed as engaging in commercial activity. 

The information collected in the CommonSpace application is intended to be “non-personal”, meaning that PIPEDA might not apply to CommonSpace. However, there is always a risk that information could become identifiable in combination with other data. If identification through combination is a “serious possibility”, then even non-personal data could be subject to PIPEDA. 

While we cannot be sure which organizations will use CommonSpace in the future, its design makes it more suitable to municipalities or community groups. Any municipalities who partner with Sidewalk would also be subject to the Municipal Freedom of Information and Protection of Privacy Act.