Lab NotesNotesReading Notes

Reading Notes : Cavoukian, Ann. A Primer on Metadata: Separating Fact from Fiction

About: Cavoukian, Ann. A Primer on Metadata: Separating Fact from Fiction (Information and Privacy Commissioner of Ontario, Canada, 1973).

Cover of: Cavoukian, Ann. A Primer on Metadata: Separating Fact from Fiction (Information and Privacy Commissioner of Ontario, Canada, 1973)

Tweets from Privacy by Design (@embedprivacy) signaled the publication of A Primer on Metadata: Separating Fact from Fiction (18 pages PDF document). As I am currently working on a related subject, I read it at once… and was disappointed. The actual primer on what is metadata is only two pages long, rather minimal, inaccurate and not quite convincing.

Metadata (formal definition):

Metadata is (…) essentially information about other information, in this case, relating to our communications.”

In this case : “Metadata is information generated by our communications devices and our communications service providers, as we use technologies like landline telephones, mobile phones, desktop computers, laptops, tablets or other computing devices.”

Cavoukian, 2013, p. 3

Metadata (descriptive definition) : Metadata includes information that reveals the time and duration of a communication, the particular devices, addresses, or numbers contacted, which kinds of communications services we use, and at what geolocations. And since virtually every device we use has a unique identifying number, our communications and Internet activities may be linked and traced with relative ease – ultimately back to the individuals involved.”

Cavoukian, 2013, p. 3


As presented in the document, these two definitions are at odds with one another: the formal one referring to information items about other information items; but not the descriptive definition which is rather referring to information about processes. But computer specialists do recognize many kinds of metadata, even though they might use different typologies.

The few lines entitled “A Day in the Life…” (pp. 3-4) provide a good illustration of how (processes) “metadata created by the devices that two individuals use to communicate with each other can reveal a great deal” about them.

Finally, the section “Metadata May Be More Revealing Than Content” (pp. 4-5) reads more like a series of arguments from authority than as an actual demonstration.

Need for evidenced arguments

Coincidently, answering engineering students in a lecture made at Polytechnique Montréal last week, I had to remind that an information set would be metadata, not by some intrinsic nature, but merely by the context of its initial production and use. Classically, the term data referred to information items that are available (or to be produced) for the solution of a problem or the completion of a reasoning, an inquiry or a research. As soon as one so uses “metadata” (what ever the type), they become “data”. Thus, no longer are “metadata”.

From the very first universal purpose computing machine, computers – and digital devices since – require metadata to work. And they also produce other metadata as by-products of their processes. And from the dawn of informatics, those metadata were at once reused as data.

There is nothing new with using metadata to produce knowledge about people. A classic example is the introduction of the computerized cash registers. As the machine processes the customers’ purchases, it produces clock metadata than can be used to asses the clerks’ speeds to punch (now scan) items, to take payments and give change, to pack the goods and pass to the next customers.

Anytime an operation is linkable to a human user, the operations’ metadata can be exploited as data about this human user (and anyone related to that person). Videogames provides good examples of how the same outputs can simultaneously be processes’ metadata and players’ data.

These relative artificiality and mutability of the distinction between data and metadata become obvious when one considers (as these tweet structure maps show) that making a tweet of a maximum of 140 characters can easily require the production of between 500 and 1000 characters of metadata which include… the tweet message itself !

And indeed, the “metadata”/”data” relative weights in todays’ particular instances can often be startling… if one can still distinguish between the two.

Also, need to make evidences evident

How come that there is no readily available button on which I could click to see the whole tweet actually produced, not only the message I wrote and sent?

Or how come that there is no readily available command to display what information my mobile phone service actually produces minute by minute?

And as I pointed out to Polytechnique’s engineering students: if NSA’s work is essentially done with computerized devices, how come Congress does not have a dashboard that harness the metadata about what kinds of operations NSA actually does? If such metadata would have been available, could Director James Clapper, been able to lie so easily about NSA’s operations before Congress? And Congress only discovering it through documents leaked by a whistleblower? After all, would it not be only metadata about systems’ uses, not data from the individual intelligence operations themselves? 😉

Such are questions of critical and practical political significance. Because they breed other questions about who decides the production of such information. About its uses. About who control them. About their consequences. And so on. Of critical and practical significance also because they could turn a defensive stance into one of political affirmation. Such questions stem from an understanding of the nature of what information and information processing are. This is why it is so important to deepen and strengthen such understanding as well as to popularize it and make it useable by all citizens.

So if you know any instructive work on the subject…

ExperimentsInformation & LawLab NotesNotesReflections

Abandoning the concept (and illustration) of “information collection” for that of “production”

In its original 1990 version, the theory of interpersonal information processes refers to collection as one of information’s logical phases. The term collection is borrowed from protection of personal information law, which itself borrowed it from the lexicon of public and private bureaucracies. However, the word collection (action to pick a pre-existing object) masks the presence of a production of new informational artifacts. The result is that several implications are veiled, particularly those related to the intellectual property of the new information objects and to their pragmatic dimension.

The question then is: should collection really be considered as a logical phase of information? Or is it the chosen term that is inadequate? (more…)

"Beyond Privacy" ProjectCommunicationsLab NotesLiving between the linesNotes

“Beyond Privacy” Project: The Mandatory Multiplication of Electromagnetic Information Loaves


Provisional book cover: Title : "Living Between The Lines: Information Society Through Our Personal Information" Mentions: "Beyond Privacy Project : An open work-in-progress"

This post is about the “Beyond Privacy” Project: LIVING BETWEEN THE LINES information society through our personal information.

As this is an open work-in-progress book drafting project,

please do not hesitate to comment!

Every input is precious to help improve it.


Utility vehicles


Information objects allow us to interact across time and space. This capability varies depending on the physical support. The difference becomes obvious between solid matter and electromagnetic waves.

How would it feel for you to pull out a banknote and burn it?

If a twinge of lost, the source is not the combustion of a fraction of a gram of matter. If pleasurable excitement, it does not result that much from the momentary flame.

The emotion comes mainly from the irreversible loss of information items. Not just any ones! The vaporized in smoke writing conveyed a unit of value that we could share with others.

The destroyed information allowed us to get from other persons a good or a service. Or to repay them a debt. Or to hand them an assistance. Or offer them a gift.

Also vanished is the ability to offer to ourselves a gift.

Hence the emotion produced. We have forever destroyed information items representing a fragment of power in the human world.
Cover of the Voyager probes' golden disk. A circular plate on which are engraved the instructions to play the disk and a map of the location of the solar system.


DebatesField RemarksInformation & LawLab NotesLiving between the linesNotesObservations

“Lawful access” bill: journalists discovering being targeted

Débats - DebatesA sudden tug of war between the Charest government and journalists caused a shock wave the echoes of which have rippled through throughout the Canadian journalistic profession. A jolt that could help realize how the “lawful access” bill introduced this Monday, Feb. 13 also concerns journalists and media organizations.

A threat

Last week, the Charest government announced that the Director of Criminal and Penal Prosecutions and the Sureté du Québec (provincial police force) would investigate on leaks to media related to the Ian Davidson case, a retired Montreal police officer suspected of attempting to sell lists of police informants to organized crime. Neither the Minister of Public Safety Robert Dutil, nor Premier Jean Charest have agreed to guarantee that journalists would not be investigated or wiretap. (more…)

DebatesInformation & LawLiving between the linesNotesObservations

Winning against the “lawful access” bills: Two strategic intuitions

Débats - DebatesAre there actions we could start today in a decisive campaign against the adoption of so called “lawful access” bills by Canada? I came to answer “yes” while listening to a presentation by Antoine Beaupré, system administrator at Koumbit. It was during a public meeting entitled ” ‘Illegal access’ and the attack of internet freedoms”, on February 3, 2012, in Montreal.

Let’s remind us that the “lawful access” bills that already died three times because of dissolution of Parliament have not been tabled again yet. However, it is expected that the Harper government will go ahead. The latest versions of the legislation gave the police new powers to access data held by Internet services providers (ISPs). They allowed the mandatory disclosure of customer information without judicial oversight, as well as real-time monitoring across ISPs’ networks. All measures deemed unnecessary and dangerous, not only by civil libertarians, but by many police forces also. A detailed legal analysis was published recently by the British Columbia Civil Liberties Association.

The meeting was organized by Koumbit an IT workers coop that offers several services including web hosting: thus, it has already had its share of searches for information and of servers. Like many other businesses it that field, Koumbit fears the effects of the “lawful access” initiatives on the civil liberties of its customers and of all the citizens who use the Internet from anywhere in the world. Indeed, the opening presentation of Antoine Beaupré dealt with less the legal aspects of the bills as of their technical and political dimensions. (more…)

Field RemarksInformation & LawLab NotesLiving between the linesNotesObservations

Digital identities and assets in case of death or incapacity – A first summary

The text that follows both summarizes (but discussion is only just beginning) and complete previously published notes on the subject beginning with this one. This text is derived from my notes in preparation for the interview I gave to the La Sphère on the Première Chaine of Radio-Canada, February 4, 2012.

The personal story

As I became a grandfather in May, I thought it was a good time to review my will and mandate in case of incapacity. Except that I discovered that I had to ask my representatives or executors to handle lots of online accounts and digital documents. The large majority of my documents are to be found in digital forms: letters, records, invoices, contracts, tax documents, bank and accounting books, photos. These files are embedded in computers, hard drives, servers, USB keys, DVDs, data cards, media player protected by user names, passwords, and encryption keys.

Pierrot Péladeau en entrevue - in interview

As many of you, several dimensions of my life are carried on: (more…)

Field RemarksInformation & LawLab NotesLiving between the linesNotesObservations

What “easier to read” means? In regard to new Google “privacy” policies

Débats - Debates

Google wrote me seven emails, one of each of services I am registered in to tell me: “We’re getting rid of over 60 different privacy policies across Google and replacing them with one that’s a lot shorter and easier to read.

That declaration brings me to three observations from following how the story unfolds this week:

First, the initial difficulty for the media, civil society actors, industry and members of Congress to determine whether or not this announcement corresponded or not to some changes in how  Google uses for our information and our user profiles, and if so which ones exactly.

Secondly, the difficulty to understand “easy to read” configurations: for example, the announcement tells me that I can choose, or not, to get personalized Google search results according to my interests as revealed by my uses of Google +, Gmail and YouTube: I have look in vain the configuration page, I never found the management panel for these configurations commands (anyone found them?). And even for those commands available, the description of their actual effects is often not that obvious, even to me for which studying such things are part of day job.

Indeed, thirdly, if Electronic Frontier Foundation is right, this is how I should manage this personalization:

“For individuals who would like to continue using Google products, but want to create some type of silo between Google search, YouTube, and other products, there is an option to set up multiple Google accounts. Users can set up two or more accounts as long as they have different Gmail addresses; however, individuals using this strategy to protect their privacy should be careful not to commingle-consider using separate browsers for each of your Google accounts. To be extra careful, users might want to use the Data Liberation tool to grab a copy of all of their data from a particular Google product, delete the data from the original account, and then upload that data onto the new account. For example, an individual might set up a secondary Google account for browsing and sharing YouTube videos. She could then download all of her existing YouTube videos to her computer, delete them from her primary Google profile, and then use a separate browser to upload them to a new secondary Google account. Unfortunately, this is a somewhat laborious process. To help users who wish to keep separate accounts, Google should make the process simpler and easier.” (Source)

In short, may be “easy to read,” but not to understand, and even less to help empower the users.

But I would not blame only Google in particular. The whole industry has made little development in how to present reliable, verifiable, readily understandable pictures of what actually happens with one’s personal information to begin with. Policies writing and configuration design are still organization centered and dominated by jurists and engineers. In Canada, almost half of adult population has low literacy levels and certainly as much does not understand much about information processing. These are the users who should be the communication targets. And that means much more than simply providing “easy to read” wording…


Field RemarksInformation & LawLab NotesLiving between the linesNotesObservations

The Chambre des notaires corrects its position on the management of digital identities and assets

ObservationsEarlier this week, I reported that Antonin Fortin, Director of Communications and Assistant to the President of the Chambre des notaires du Québec (CNQ, notaries’ professional corporation), wrote about management of digital identities and assets in case of death or incapacity:

We are talking about a complex, relatively new and evolving phenomenon. In addition, the CNQ cannot substitute itself to the legislator and “create” law in this matter. To our knowledge, there is no guide to meet your expectations.

(My translation)

Having been invited to an interview on the subject on La Sphère radio show on Radio-Canada’s Première Chaine on Saturday, February 4, I wanted to get confirmation that this response did represent the official position of the corporation.

On the phone, Mr. Fortin told me that he read again my emails and then realized that he had not properly understood what was their subject-matter. He said that the official position of the Chambre des notaire would rather be that it asked Mr. Salvas Bertrand, a notary who works mainly in training and is interested in this subject, to study the issue and quickly formulate recommendations. These could possibly take the form of advices, guides and training contents.

Specifically, Antonin Fortin said he had forwarded my emails and my proposals to Mr. Salvas.

That is reassuring. Indeed, is the mission of a professional corporation not precisely to protect the public?

Field RemarksInformation & LawLab NotesLiving between the linesNotesObservations

The Chambre des notaires abdicates management of digital identities and assets


Last week I reported that my notary declared that she was unable to help me manage the components of my digital of identities and assets in case of death (will) or inability (mandate).

I also described calling the legal information service of the Chambre des notaires du Québec (notaries’ professional corporation). The answering notary found my questions quite relevant and about pressing issues. However, she told me that the corporation had no available guide, checklist, standard clauses for will or mandate in case of incapacity, nor specific training to its members about these issues.

After publishing this article, I wrote to Jean Lambert, president of the Chambre des notaires (CNQ). I briefly described my situation and actions I took before asking the following questions:

Are there any guides, checklists, model provisions or tips on these topics?

If not, what are you waiting for to help us to live and die peacefully in this twenty-first century?

Response from the Chambre des notaires

In the absence of Mr. Lambert, it was Mr. Antonin Fortin, director of Communications and assistant to the president who responded: (more…)

CommunicationsDebatesInformation & LawLab NotesLiving between the linesNotesReflections

Autonomy, Surveillance and Democracy: A Few Ideas for the Twenty-First Century

Text derived from my presentation

to the Citizen Forum on surveillance of communications

organized by the Quebec caucus of the New Democratic Party

Montreal, Notman House, Thursday, November 3, 2011

Regardless of the fate of the bill named “Lawful Access”, the information society will continue to develop. Then again, an information society is necessarily a surveillance society. Hence the question: what role the parliaments, governments and civil society should play to not only preserve freedoms and democracy, but to enhance them?

Here I propose – in quick rough strokes due to the short time available – some ideas for reference in regard to challenges the twenty-first century presents to us.

Social Life and Surveillance

Idea # 1: Surveillance is an integral component of all social life.

This is true of all human societies, likewise of many animal societies, and even vegetal ones.

Idea # 2: Surveillance takes many forms with very different, even opposite consequences.

I am a grandfather. Obviously I watched my children and grandchild. However, the forms that such surveillance takes can lead children to more and more autonomy, or, conversely, to dependence and submission.

That is why, idea # 3: The concepts proposed by author Ivan Illich of autonomy versus heteronomy, conviviality and counterproductivity are useful to this discussion.

These concepts can be applied, for example, to a convivial urban neighborhood that combines the functions of housing, labor, commerce and recreation. Such an area appears safe because its residents, workers, passersby and idle bystanders spontaneously and freely offer themselves mutual, continuous, autonomous surveillance.

Conversely, an unconvivial single function neighborhood that is deserted during the night or day appears to generate insecurity. No expensive police, guards or electronic surveillance will succeed to produce real security. And such surveillance is likely to increase heteronomous forms of power over individuals and community.

Hence, idea # 4: It is important to consider the complex interrelationships between environmental, physical, social and technical structures and conditions, on the one hand, and the forms of surveillance that these structures permit or not as well as their effects, on the other hand.

Assessment Criteria

And therefore, idea # 5: Respect for freedom is a necessary, but totally insufficient assessment criteria (thus ineffective alone).

In addition, idea # 6 (stated earlier): The information society is necessarily a society where surveillance is becoming widespread, increasing in power and scope, and is being democratized.

Let us illustrate this with a surveillance activity which, unlike the “Lawful Access” bill on the State’s power over private communications, is conducted by private actors on public communications, namely: the high-frequency stock transactions which constitute some 60% of the volume of North American exchanges. This surveillance involves the use of computers that, each microsecond, monitor and analyze all transactions around the planet. This surveillance allows the same computer to purchase securities at one instant and resale them a few seconds later at a profit. The speeds of surveillance, analysis and decision making are so great that human operators can only control possible failure occurrences. Such as those that caused the Flash Crash of May 6, 2010 when these automatic systems suddenly made the Dow Jones Index to plunge several hundred points within a few minutes.

Such capabilities are becoming more democratic. Let’s remember that today a lower end smartphone is already more powerful than these big central computer that, in the sixties, most thought only States could afford. That the customers of data mining software, indispensable to produce results from digital surveillance, are roughly divided into four areas: academic (teaching and research), business (marketing, R & D), police and military intelligence, and we call civil society (various organizations and individuals). That information items on the behavior of individuals and organizations have never been produced in such large numbers or have never been more accessible (just take all the wealth of personal information items disseminated via social media).

Some surveillance activities can easily be described as harmful, such as surveillance of the private communications of citizens or of their legitimate political activities. Other surveillance activities can easily be described as beneficial, such as those about who funds political parties and about who does what lobbying with which decision makers.

However, idea # 7: The majority of the surveillance activities that will emerge will not be so easily assessed: understanding their nature and their effects will require deliberations.

So idea # 8: Drawing on a proposition from economists Samuel Bowles and Herbert Gintis, we could state that: all surveillance should be subjected to the application of the principles of freedom, but that any surveillance involving some exercise of social power should also be subjected to the principles of democracy.

These principles are to be applied, no matter the public or private nature of the actions being monitored; or the state, commercial or civilian identity of those conducting the surveillance.

Logically, the same principles should also apply to the decision making on environmental, physical, social and technical structures and conditions that determine the forms surveillance may or may not take. Indeed, various social movements express the same demand, whether about shale gas extraction or high finance business: one’s obligation to subject to the action of another called for one’s right to know and right to have one’s say.

As a Preliminary Conclusion

Idea # 9: Such radical democratization calls for deep legal, parliamentary and political transformations from the local to the international levels.

Such changes could indeed be facilitated by possible information societies’ developments.

However, idea # 10: The exact forms that these changes should take remains yet to be defined.

Here, our situation is similar to those of different protests movements (such as Occupy Wall Street) that clearly identifies how current practices are unacceptable without being able to define what should be the alternatives. However, it is as equally urgent to conceive concrete solutions. Let us illustrate with two cases.

Electronic payment

The first case is about privatization of a decision of a public nature. It is the introduction in North America of smart banking cards that raise issues of individual and societal surveillance. Electronic payment is a “radical monopoly” to use another concept from Ivan Illich: if citizens retain the choice of the financial institution that will provide the banking card, there is only one electronic payment system that is imposed on all financial institutions and to all their customers on a given territory.

However, the choice of a new microprocessor based payment system is not trivial. This is because there are dozens of concepts for implementing this technology that are quite different in terms of individual surveillance. Some concepts can make electronic payments as anonymous as the use of paper money. For example, the financial institution knows by the end of the day that it should debit the account of such customer to such total amount, but remains unable to connect this with the various suppliers where the customer has spent money. At the other end of the spectrum, there are concepts that provide the financial institution with a wealth of information about who has purchased what from whom precisely at what time and how much. The choice between one type of concept and another has little to do with technical or budgetary constraints. It is in practice a political decision on the level of surveillance that financial institutions may or may not carry on the activities of their clients. But it is not elected parliaments that decide. Rather, parliaments have left the decision to private clubs of financial institutions (in Canada, to the Canadian Payments Association).

But it’s not just the surveillance of individual clients that is at issue. The generalization of electronic payments offers financial institutions a breathtaking real-time view of economic activities and situations of entire societies. This truly represents a strategic advantage in times of economic turmoil. Especially when compared to the situation of governments, media and civil society who discuss measures that will have some impact only several months into the future on the basis of statistics reflecting situations often four months old in the past. Why only financial institutions could have as up to date data?

In one individual surveillance as in societal surveillance, the democratic principle should apply – in addition to that of freedom – with respect to decisions about social powers of such magnitude. Should parliaments recover the power to legislate publically on these matters? Or should we try to democratize the work of clubs such as the Canadian Association of payment? Or follow a different model of democratic decision making?


The second case is about internationalization of a public decision. This is about passports used to monitor border crossings of citizens, and often their movements within these boundaries. Design standards of electronic and biometric components of passports are taken in international forums, such as the International Civil Aviation Organization (ICAO), by senior public servants of the Member States surrounded by lobbyists of the airline and surveillance technologies industries. National parliaments often only have the choice to endorse or not the standards already established elsewhere.

Again, we must find a way to preserve the principle of democracy against such technocratic fait accompli through international bodies. Should parliaments or governments publicly pre-debate options to be offered in international forums? Should we engage a democratization of discussions in international forums to allow a real voice to citizens to be affected by decisions? Or a combination of both? Or another model?

These are the types of changes, needing to be outlined, that I propose to explore with you during the following discussion.

CommunicationsDebatesLab NotesLiving between the linesNotes

Public conversation: Autonomy, Surveillance and Democracy: Who will benefit from the digital traces generated by our every move?

On Thursday, October 6, 2011 (7 to 9 pm), I will be the guest of an University of the Streets Café‘s conversation moderated by Sophie Ambrosi on the theme: Autonomy, Surveillance and Democracy: Who will benefit from the digital traces generated by our every move?

Computers, automatic tellers, phones and other electronic gadgets. Today, our relations with our close ones, other people and organizations go through machines processing thousands of information items about us. These texts, sounds and images become communications, transactions, records, decisions. They can be transformed into statistics and knowledge about individuals, groups and societies, even about the nature of the human animals (e.g., conditions of their health). Knowledge that can base decisions, trivial or major. The information society is necessarily a surveillance society. So what kinds of surveillance are reprehensible in a free and democratic society? And which ones are desirable? Under what conditions?

The conversation will take place at Café l’Artère, 7000, Avenue du Parc (near Jean-Talon) in Montreal. Everyone is invited and admission is free. The event is organized by the Institute for Community Development, Concordia University.

CommunicationsDebatesLab NotesLiving between the linesNotesObservationsReflections

For a Comprehensive Citizen Appropriation of Information and its Technologies

Written adaptation of a lecture given at a dinner for the 10th anniversary of Communautique on January 26, 2010 in Montreal.

Video of the conference (in French)

tablette cuneiformeI was asked to address the importance that information and communications technologies have taken over the last decade and will have in the foreseeable future. This from the point of view of citizens. I will do this exercise through the use of the concept of social appropriation, which is the process by which people integrate innovations into their lives to empower themselves, adapting and even hijacking them from their initial control or purposes to fit their needs and interests.

History shows that literacy can be a necessary condition for democracy. However, the fact that population is highly literate does not necessarily mean that it will live in a free and democratic society. Many well educated populations have lived at one time or another, under authoritarian or dictatorial, even totalitarian regime.

Similarly, one could argue that the fact that a population knows how to use technical devices does not mean that it control how technologies organize the relationships between citizens. Access to tools and skill development are necessary but not sufficient conditions for such mastery.

Let’s illustrate this assertion with some examples of devices currently deployed.

Body scanners
Earlier this January, the Federal Transport Minister, John Baird, announced the acquisition and installation of 44 body scanners in Canadian airports with a price tag of a quarter of a million piece. Let’s put aside for a moment the legitimate debates about the effectiveness, real or symbolic, of these devices or about their potential health harmfulness. In less than two months, we, Canadian citizens, will have the freedom to choose: either to be patted down with hands or to be patted down with eyes.

But is this the only choice offered by information technologies and digital imaging?

A colleague forwarded me the press file of all articles published following the announcement. There is hardly anyone who mentioned the fact that this purchase had been ordered without bidding, nor that we could have acquire software, to avoid full naked exposure: either by only signaling dubious spots or by projecting the exact image of the surface of the body of the person on a standard dummy (using morphing technique). The result of such an acquisition would have offered a very different choice between: either to be patted down with hands, or, simply to let electronically detection of the presence of objects on us.

Different types of body scanners

Apparently, no Member of Parliament has spoken of these alternatives. No journalist. No organization of citizens, consumers or human rights advocacy. Not even the official comment of the Commissioner of Canada’s privacy.

Maybe Minister Baird himself is unaware of the existence of these alternatives!

Yet as good digital citizens, many of us know how to use a digital camera and image processing software, how to find the minister’s press release on the Web, how to see his press briefing on our computer or telephone, and how to discuss that news in blogs or on Twitter. We do know technology!

Smart bank cards
Second example: Since 2008, Canadian financial institutions deploy their smart banking cards. No minister or MP, no consumer association or other organization of civil society, no media has provoked public debate on the model of payment system that could be supported by the addition of a microprocessor in customers, debit and credit cards.

Yet, since the invention of the so-called “smart” microprocessor card, hundreds of different ways to use it were devised. The range of available applications for banking goes from very talkative systems about every action taken by the user to other ultra-quiet ones, producing as little personal information as the use of paper money.

Different designs of smart banking cards

However, there can be only one system configuration, which de facto legislates the relationships between consumers, merchants and financial institutions.

We had choices! For example, between allowing banks to produce but very little information or, conversely, permit them to produce a lot, but by forcing them to share this valuable source of knowledge about in real time evolution of our economy.

For example, the government of Ms. Dominique Vien (Quebec’s Minister of Government Services, also a speaker at this luncheon meeting) must make difficult decisions about whether the State should keep its foot on the accelerator pedal of the economy, release that pedal a bit or rather put it on the brakes. However, several of the figures available to the government often can only describe a situation that is already four months old! That complicates decision making. Even more so because due to the same delays in production of information, we will be not able to know what have been the effects of today’s decisions before many months.

But the continued production by banks of detailed and real-time information about electronic payments (that you and I pay directly the production through our bank fees), combined with the power of today’s computers could reduce this gap for some key figures to something as short as in weeks, even days!

Yet, this public debate on the democratic choice of the quantity of information generated or not by the electronic payment systems and their possible use for the benefit not only banks but also the entire society has never been place.

But as good digital citizens, we do know how to use an ATM and how to donate to Haiti by Web transactions or by text message. We do know technology!
Which social appropriation?
This brings us back to the topic of social appropriation. Generally, we define “appropriation” as the process by which an individuals and groups incorporate an innovation in their practice and adapt it, even hijack it to fit their needs.

For 10 years, Communautique, its partners and many other organizations work for the appropriation of digital tools by citizens. They work and campaign to ensure universal access to Internet and computer. They train in the use of software, the Web, social networks and collaborative tools.

Social appropriation of tools is not enough

However, we must recognize that training in the use of tools is not enough since digital devices increasingly insinuate themselves in any object. Even in our pills …

Pills with microchip
Pharmaceutical companies are testing the use of tablets with imbedded microchip. In one experiment, the device sends a text message reminder to patients on their cell phone if they do not follow properly the doctor’s prescription.

Such a device could be configured to link patients, physicians and pharmacists in a hundred of different ways. For example, to verify if we do take our medicines. To automatically ask for new doses of our medicines to be delivered to us when our bottles are emptying. Even to call an ambulance, if we have swallowed the whole bottle at once.

The question is obviously about: who will decide on a configuration rather than another? Thus, to determine how will the relationships between patients, doctors and pharmacists be organized. And why not other relationships including also pharmaceutical companies, insurance companies and the world of biomedical research.

Did not we have our say? Especially if these devices are gradually being forced into the lives of us all?

Citizen appropriation
Democracy requires that appropriation by citizens goes beyond the mere handling of tools designed by others. It requires that citizens and the components of civil society can contribute to the development of tools that compel some organization of interpersonal relationships. Democracy requires a real possibility to participate in choices affecting the organization of these interactions.

This involves not only knowledge about tools and their handling, but also (as for the scanners, bank cards and pills examples), knowledge of different information that can be produced or not and the various ways they can be used or not.

Comprehensive appropriation of information and its technologies

So, real citizen appropriation must apply to as much to information and interpersonal relationships as to the computerized tools.

Let us step further. Not only would such an appropriation would be necessary to ensure some democratic nature to the information society, but it is also necessary to the very success of the computerization of its activities!

Already, online businesses can make substantial profits and government services online be meaningful only if the largest possible number of citizens have access to the internet and knows how to use them with confidence.

Ensuring adequacy of applications
Indeed, the success of many computer products and services will also increasingly depend on the ability of citizens to discuss information, tools and interpersonal relationships. In a research I conducted on online government services, I exchanged a lot with designers about what could make a system to be dysfunctional, thus engulfing citizens in some Kafkaesque bureaucratic purgatory rather than help them. My aim obviously was to understand, conversely, how to ensure that computerized service works well. The conclusion is summarized in this diagram that lists the factors to be considered.

Pragmatics of information in computerized interaction

I cannot discuss here with you all these factors in detail. Suffice to state for now that, in practice, it is required not only that the organization understands very well all the dimensions of its own processes (which is already a demanding job), but it must also understand as well why and how different people – users or consumers – use differently its service. How certain categories of people appropriate themselves the service differently for what different purposes. Conversely, it is also important that citizens understand well what the ends of the service and the information they exchange with the organization so they get the results they want and provide the right useful information for this purpose.

First, a very small example. In an application as simple as a change of address service, I asked the designer: “What address the Régie d’Assurance-maladie (Medicare Board) holds on the citizens insured? The designer replied: “Clearly, the address of domicile.” This is indeed what the law says, but I rose: “Are you sure?” The designer then starts to laugh: “Actually, we have no idea.” And from there, we explored all the cases where the citizen has delivered an address other than that of their domicile: such as students who give their parents’ address as a mailing address knowing that they might often change place of residence.

Whatever laws, forms and data models, it remains that the citizens are the ones who decide whether in the “address” box, they give a home address, mailing address, an address for service or otherwise.

Now, among the range of effective means to know and understand the uses, expectations, needs and constraints of citizens is public consultation. Who better than the citizens themselves or organizations who work daily with them may indicate their different uses and understandings of a particular service?

My second example is in the the very large and complex end of the spectrum. It is the huge project for computerization of medical records that, in the foreseeable future, will cost well over a billion dollars in Quebec, beyond five billion in Canada. We have already lost tens of millions of our taxes in inadequate solutions. And in the current situation, we will still lose tens of millions more along the way. And one of the causes of these inadequacies is precisely a lack of digital literacy in our society.

Senior government officials told me they can barely match the strategic vision with the real practical needs in the field. Yet meanwhile, we develop and we implement technical solutions. The approach is ultimately a costly process of trials and errors. Often I was asked the question: “It’s clear that he should consult directly with patients and the public, but how do we do that? Already among us, professionals who work daily on this, it is difficult for us to share a common understanding of the systems.”

The democratic challenge
To develop of our ability to discuss complicated technical devices among ourselves is indeed a significant cultural challenge. A challenge that must imperatively be met. Because otherwise we will face much more serious inefficiencies in number, importance and increasing costs (just think about the dramatic deterioration experienced in the customer services of several large companies, for example). Indeed, democracy itself is at risk if we progressively abandon the decisions about the organization of relationships between citizens to engineers, technocrats or lowest bidding suppliers. Decisions more often taken abroad because of the universalization of technical products or standards to ensure international interoperability of systems.

We’re still early in the long process of computerization of societies which will gradually creep into every corner of our lives, including even under our clothes, in our wallets and in our pills. Much of the information handlings in question bear interpersonal relationships while shaping them in detail in a way that will bind all parties. The democratic mastery of this form of effective legislation makes it necessary that all of us – private citizens, community organizations, governments and companies – do develop the idea of appropriation and its practice at a more comprehensive level that encompasses the social dimensions, including the downright political ones, of technical choices.

This is, of course, far more than the challenge of a decade, or even of a generation. This is the challenge posed by a true revolution that will likely extend throughout this century. While a considerable challenge, an exciting one for sure!

CommunicationsLab NotesLiving between the linesNotesObservations

For a Comprehensive Citizen Appropriation of Information and its Technologies: The Video

tablette cuneiformeI did not notice that the video was posted online for already a long time now. It was produced for the captation of my lecture given at Communautique 10th anniversary luncheon held on January 26, 2010 in Montreal. It deals with the importance from the citizens’ standpoint that information and communications technologies took during the last decade and which one will it take in the foreseeable future. An exercise into which I engaged from the concept of social appropriation. Access to that video is now embedded in this site.

The text of the conference will be also be posted here shortly.

Field RemarksLab NotesNotesReflectionsWhat's new

Illustrations to Sell the Idea of a Device Versus to Explain its Operation

This morning I attended a meeting in the context of the development of explanatory material aiming the general public about an elaborate interpersonal information system that intensively handle personally identifiable information about individuals.

The designers first concluded that before explaining the operation of the system, it was first necessary to defend its existence and relevance. Clearly, from what has been presented, such a goal does not call the same use of image than an explanation of its wireless tower

The explanation of how a system works requires the use of illustrations relating to information and their handling that stick strictly to the processes’ reality (as PIP can do). By contrast, explanation of the purpose of the system can proceed by evocation of a need to address or through practical scenarios. In other words, modes of illustration are then closer to those allegories and metaphors commonly used by consumer advertising and business communication. (more…)

Living between the linesNotesObservations

Encrypted Https Google Search: Effective or Symbolic Measure?

Observations Google recently announced that it now offers the possibility to search for documents in a confidential manner through the secure encrypted internet exchanges protocol Internet Secure Sockets Layer (SSL). Concretely, this means that between your computer and Google’s servers, no one can read directly, nor your queries, nor the searches’ results (just like for your financial transactions are made confidential under SSL).

To benefit from this new “beta” service, one must go to Your browser should then indicate that the communication is secure (for example, by displaying a padlock). The localized sites of Google (such as or do not offer this security, nor does this is available either for searching images and videos.

SSL Google Search

For sure, this is a significant symbolic gesture from the web giant. It has been applauded by the Center for Democracy & Technology as “a shining embodiment of the concept of Privacy by Design.”

For sure, the fact that a player as important as Google provides an increasing number of services under SSL (web access to Google Mail under SSL is already the default option since January 2010) could be a important signal to everyone on the Internet: it may be time to think about protecting a larger number of our Internet communications, even if it means slightly slower processing and transmission times (barely noticeable when one has computer and connections with some power).

However, is that new service actually changes anything to the experience of those whose exercise of their liberties or confidentiality of their work requires them to escape the surveillance of their employers, the Internet services providers (ISPs) or States? (more…)

Picture of Interpersonal Information Processes (PIP) for Social, Legal and Ethical Analysis and Communication

Toward PDF versionPicture of Interpersonal Information Processes (PIP) for Social, Legal and Ethical Analysis and Communication: Communication to the Legal IT Conference 4.0 – Law + Information Technologies, Young Bar Association of Montreal, Montreal, April 26 and 27, 2010


Presentation of a few experiences and of the process that led to the development of a method for the modeling of information processes that has been proven successful for achieving two complementary purposes, namely: to analyze, assess and manage the legal, social and ethical issues raise by interpersonal information or transaction systems; and to facilitate communication between the actors of such a given system or transaction, including its users with low writing or computer literacy. Picture of Interpersonal Information Processes (PIP) allows a systematic identification of legal norms and of other norms (such as technical standards, software rules, etc.) that apply or not to the legal or de facto roles played by these persons; the information produced and handled; the handlings performed on such information; the legal or de facto interpersonal relationships established between the people across the handlings, and the decisions or actions taken through these handlings or resulting from them. By establishing these elements, PIP provides jurists with a solid foundation for their legal analysis and communication and a possible broader examination of social and ethical issues involved. The use of visual representations is a means, to explain interpersonal information or transaction systems and their legal implications to the citizens who self-administer them while in Canada, 48% of adults have difficulty reading a simple text or are still unfamiliar with computers.

Complete text with illustrations:  HTML Version –  PDF Version

Picture of Interpersonal Information Processes (PIP) for Social, Legal and Ethical Analysis and Communication

Communication to the Legal IT Conference 4.0 – Law + Information Technologies

Montreal, April 26 and 27, 2010
Young Bar Association of Montreal

Pierrot Péladeau

Visiting Researcher Communautique
Member of the Ethics and Ageing Laboratory of the Centre recherche de l’Institut universitaire de gériatrie de Montréal
Associate Researcher at CEFRIO
Specialist in social assessment of interpersonal information systems

– – –

Link to PDF version

– – –

1. Introduction

Even though it was scheduled in the “Technology Showcase” section of the conference’s program, this presentation does not tackle some application software, even less a commercial product. It deals rather with the development of a method whose instructions and tools are meant to be openly and freely available.

This presentation has two objectives.

The first objective is to outline experiences and the process that led to the development of a method for the modeling of information processes that has been proven successful for achieving two complementary purposes, namely:

a) to analyze, assess and manage the legal, social and ethical issues raise by interpersonal information or transaction systems, and

b) to facilitate communication between the actors of such a given system or transaction:

• between those involved in its design and operation; and

• with its users, including those with low writing or computer literacy.

The second objective of this presentation is to invite those interested, not only to adopt and adapt this method, but also to participate in a community of practitioners interested in the analysis, evaluation and communication of interpersonal information or transaction systems.

2. Outline of the PIP method

Let’s start with a clarification comment. Clearly, Picture of Interpersonal Information Processes (PIP) is indeed a method that proves useful for the implementation of standards for personal information protection (also designated as “information privacy” standards). It is also valuable for conducting an “assessment of factors relating to privacy” (also known as “privacy impact assessment”).

However, the purposes of PIP go quite broader, i.e. ultimately:

  • to promote the social management of our information and of our digital tools, and
  • facilitate the democratization of information societies

through a more accurate and easily sharable understanding of how our relationships are supported by the handling of specific information.

In practical terms, PIP is a method for social analysis and for communication that may be used, among other things, for legal analysis and communication (as it may also serve similar purposes in other areas such as ethics or information management). When used by jurists, this method permits to take into account, not only the norms specific to the protection of personal information, but all the norms involved in all the interactions between people supported by a specific information handling.

Specifically, PIP facilitates the identification of:

  • any information handling that is supporting some interpersonal interaction

(regardless of whether the information items involved are:

  • personal or not, and if so,
  • related to an identifiable individual [personally identifiable information] or not);
  • all interactions between all those involved in the handling of information

(regardless of whether these persons:

  • are natural or legal, and
  • whatever their status and role with regard to this handling); and finally
  • all the norms involved in the interaction supported by the information handling

(regardless of the purpose of the norms or the source thereof).[1]

Figure 1: Norms applicable to information processes largely exceed those generally associated with protection of personal information

Figure 1: Norms applicable to information processes largely exceed those generally associated with protection of personal information

The wide range of the method explains why we have called it Picture of Interpersonal Information Processes using generic terms like “process” and “interpersonal” to describe its objects. With such a designation, we aim, among other goal, to avoid confusion with concepts specific to the protection of personal information which apply mainly to “records” or “files” (rather than to the entire process as PIP does) and to “personal information” (rather than all the kinds of information involved in an interpersonal relationship).

3. Relevance to jurists

PIP thus provides to jurists an instrument for the social analysis required as a prerequisite to the legal analytical work itself. As for its legal use per se, this method permits to take into account all the norms involved in the interactions between people supported by a manipulation of information. To achieve this, PIP helps in structuring a systematic identification of:

  • which persons (natural and legal) are interacting with which other persons (natural and legal);
  • which handlings of which information on what or whom are producing which results concerning whom;
  • which roles, legal or de facto, these persons are playing in relation to whom, and
  • which actual interpersonal relationships are being established between these persons through an information handling.
Figure 2: Norms applicable to role actually played by actors

Figure 2: Norms applicable to role actually played by actors

Once such context is established, PIP then allows a systematic identification of legal norms and of other norms (such as technical standards, software rules, etc.) that apply or not to:

  • the legal or de facto roles played by these persons;
  • the information produced and handled;
  • the handlings performed on such information;
  • the legal or de facto interpersonal relationships established between the people across the handlings, and
  • the decisions or actions taken through these handlings or resulting from them.

By establishing these elements, PIP provides jurists with a solid foundation for their legal analysis and communication and a possible broader examination of social and ethical issues involved.

4. Why a visual model

In the 1990s, several widespread discourses proclaimed that we were living in an era of dematerialization of human activities and productions. From a strict computational point of view, such statement is flatly wrong. On the contrary, we are in reality witnessing an unprecedented materialization of interpersonal relationships. In fact, digital technologies cause an ever increasing mediatisation of these relationships through physical objects, namely:

  • information items and programs (which physical media, far from having disappeared, have simply moved on to microscopic scales), and
  • machines (always as tangible and increasingly ubiquitous).

In principle, such materialization should greatly facilitate the identification of these interpersonal relationships, their reconstitution and their scrutiny. In principle, it would suffice to follow, step by step, the physical manifestations of the information flows and progress of the processes involved.

In practice, however, we witness the exact opposite: these interpersonal relationships appear increasingly difficult to recognize and to understand. Surprisingly, many organizations are still badly informed of their own processes and sometimes even of which information items they actually handle. And generally, this lack of knowledge is even greater among the individuals who are the very subjects of those information items and processes.

This apparent paradox derives from the fact that:

  • most of the processes occurring within and between machines are beyond the direct perception of the human senses, and
  • knowledge about these processes is often scattered, arcane (if it had been produced to begin with).

The consequences of such misunderstanding can be serious, including in legal terms.

4.1 First example: unawareness of the very existence of information items in the Directron Média case

The most blatant example of unawareness which I witnessed was at the hearing of the case Directron Média inc. c. Inspecteur général des institutions financières.[2] The dispute involved a commercial enterprise who wished to obtain a copy of the Central Enterprises Database (CED) held by Quebec’s Inspector General of Financial Institutions. The hearing lasted two long days. Yet in the end, it appeared that witnesses and lawyers for both sides had all that time depicted and discussed about an information system that was not the one that actually existed.

Contrary to what they presented, the CED did not contain only copies of the information items collected on the regulatory registration form and that were of a public nature under the Companies Information Act (typically individuals A, B, C, D and E are the directors of Company X – an information set that we will refer here as the “company’s record”). In fact, the core of the CED was a relational database that also detained physically (a fact of legal significance here) other information items not listed on that form provided under the Companies Information Act.[3] This database included, inter alia, other sets that we will refer here as “individual records” stating that individual C is a director of companies X, Y and Z. The same database also included what we will refer here to as “address records” explaining that this particular address is the one of such business and/or of such directors).

Obviously, the fact that information items are not mentioned in any act or any regulatory form does not mean they do not exist.

In this case of the CED, the reality of a large proportion of the information items it contained had apparently not been perceived, neither by the representatives of the public body who detained them, nor by those of the business that aimed to sell them at a profit. Yet the material reality of such information items produced significant legal consequences. For example, the public or confidential nature of the information items includes in the “individual records” was not to be decided by the specific rules of the Companies Information Act because these items are not mentioned in it. Accordingly, this matter was therefore to be set by other legal rules of general application, namely here, the Act on Access to documents held by public bodies and the Protection of personal information.

Yet a simple detailed description of the database’s contents could have avoided this misunderstanding as well as long hours of fruitless auditions because they were not bearing on the right object.

4.2 Second example: processes fed by information files systems about tenants.

Beyond the existence or non existence of information items, there is also the question of the nature of the process in which they take part. Here, the instance that impressed on me the most was my very first assessment project of an interpersonal information system: a study of information files on tenants carried out in 1982.

At that time, four Quebec associations of rental housing owners and some Canadian commercial companies were offering tenants reporting or rental housing brokerage services. A law student at the time, I decided to make this the subject of a legal applied research project. Spontaneously, jurists felt that these files mainly raised questions of respect for privacy and reputations provided under the Civil Code of Lower Canada and the Quebec’s Charter of Human Rights and Freedoms.[4] Building on this consensus and on publicly known facts, I could then have produced a legal assessment in a study conducted from a law library. However, I decided instead to investigate first about these files systems operating from Montreal, Saint-Jerome, Quebec City and Halifax.

I then discovered that these information services were very different from each other in terms of their objectives, the types of information produced, types of processing performed and the decisions about tenants they allowed to make. Accordingly, the discussion about their legality therefore touched on quite various legal norms and institutions, often far from those relating to respect for privacy and reputation (or even norms for the protection of personal information that apply today to such information handling).

One example among many: less than four months after the publication of my research report, Quebec’s National Assembly passed a first round of legislative amendments which, inter alia, prohibited discrimination in housing based on the fact that person has exercised remedies provided by law.[5] Indeed, the objective of some blacklists had been to discourage tenants to use them, thus to obstruct the implementation of the new Act respecting the Régie du logement (setting standards and creating a board to arbiter disputes between tenants and landlords).[6] The same round of amendments also prohibited discrimination because a person has a child or is pregnant (as some brokers screened different types of prospective tenants according to criteria set by their landlord clients). Never an abstract legal discussion process could have made such findings and produced such effects.

This experience has ingrained in me the idea of the need for a detailed understanding of an information handling and of its social dimensions as a prerequisite to any attempt to assess it legally, socially or otherwise. Because if one does not have clear understanding of who are the players interacting through what information and how, it becomes risky to correctly identify the applicable norms and principles, and therefore the social, legal and ethical implications.

4.3 Benefits of a visual mapping of processes

Information systems are increasingly complicated devices that must achieve a proper dynamic fit with many complex social realities. The fact that a growing proportion of information processes remains unobservable to the naked eye facilitate some precedence of perceptions over facts. For often, the stakeholders’ understanding can only be based on what is provided by forms and operating instructions, by contractual and regulatory texts, by metaphors and explanatory shortcuts, by promotional claims and official discourses.

In such context, the use of visual models facilitates understanding. A diagram such as an information flow chart or a business processes map is already verifiable proposition. This diagram may be confronted to the available documentation, to the devices’ behaviour or to key informants’ knowledge. The strict rules of diagram make-up force us to retain only the essential key elements, but all of those in a systematic, rigorous and comprehensive way.

Thus early on, I used various forms of diagrams as part of various assessment activities. However, my field experience as well as some theoretical work gradually led me to consider the need for a specific visual model for the social, legal and ethical analysis of interpersonal information processes.[7]

5. Genesis of PIP

5.1 A system for prevention of illegal access to prescription drugs

My first attempt to develop a visual model specifically for social, legal and ethical analysis took place in 2000-2001. It was conducted as part of an assessment assignment of a system for prevention of illegal access to prescription drugs. The context was that of a technical upgrading project of the system and its extension to a new class of drugs. Yet since its inception fifteen years earlier, this system was a continuing subject of controversy between members of the board of directors of the professional corporation who managed it as well as between thousands of health professionals drawn in its use. The corporation asked me to evaluate the existing system and identify potential solutions to the conflicts.

During its fifteen years of existence, this information system had been the subject of much internal debate and several legal advices. It had also been subjected to an investigation by the Surveillance Division of the Commission d’accès à l’information (Access to Information Commission which also has authority on personal information protection) and of a decision by its Judicial Division. Furthermore, the system has been the subject of two coroner inquests because it did not prevent some deaths by suicide through abuse of prescription drugs.

However, when I undertook this mandate, I was to find that there was not a single document spelling out exactly how the system worked. None. For fifteen years, the professional corporation, its directors, thousands of health professionals in various fields of practice, lawyers, commission and coroners have discussed and decided about this information system only from fragmented indications and perceptions.

A credible assessment process requires the production of a description of the system that would be sufficiently detailed, accurate and objective to be considered valid by all the stakeholders involved. So I requested authorization to investigate the different information processes supported by this system in order to produce its first detailed description. The final document contained 22 series of diagrams (including four sets spanning on more than two pages) with their corresponding descriptive texts. This exercise gave me the opportunity to lay the basis for a new visual model. Why a new one? Because the different models already used in computing, as useful as they are, are often flawed from a social and legal perspective.

For example, in the case of this system for prevention of illegal access to prescription drugs, a data model would have identified that the main personal entities were “health professionals” and “patients”. Such categorization would have been consistent with the Canadian health data model at the time.[8]

In a use cases model, “patients” disappear as they are not direct users of the system. So we end up with only health care professionals informing other professionals through the information system.

Figure 2: Norms applicable to role actually played by actors

Figure 2: Norms applicable to role actually played by actors

By contrast, an actual social analysis reveals that the system was indeed making “professionals” and “patients” to interact together. However, at times the actual interpersonal relations were between individuals acting as informers or as agents for the detection and prevention of law violations, on one hand, and individuals suspected or alleged to have committed illegal acts to obtain prescription drugs, on the other hand.

Indeed, it was precisely where the main source of conflict lied. And also where was to be found the solution, not only to the controversy but also to the inefficiency of the device to prevent suicide by abuse of legally obtained drugs. Indeed, the processes that were triggering requests to health professionals for intervention were based, not on a clinical logic, but rather on a legal one of implementation of the Criminal Code, namely the provisions about the fraudulent access to prescription drugs.

The immediate benefit of this picture of interpersonal process information was of course that it offered for the first time to the interested parties a document giving an overview of the system and a detailed description of the processes they support. Even an employee whose exclusive duty for more than ten years had been the operation of the system said that she learned new things about its operation. For example, she discovered – as much as the corporation did – that the professionals’ files management rules that weed out inactive patient records resulted in the systematic elimination of warnings that officially were still in force.

5.2 A data warehouse research

I conducted a subsequent experiment as part of the work of a committee on the ethics, confidentiality and privacy related issues of a medical research data warehouse project. I was a member of that committee. Some designers of data warehouse were also members of it. They had ample opportunity to provide us details about the various components of the device.

After several months of work of our committee, I tested the representation that we collectively had by producing a PIP model. It was a summary diagram presenting a most simplified and highest level overview of the processes, without dealing with the interpersonal relationships. We then realized that at least one third of the planned processes for the warehouse project had yet not been acknowledged. These processes had thus far eluded our analysis and our discussion.

Figure 4: Unacknowledged portions of information processes (upper ones, in red) as exposed by a PIP model

Figure 4: Unacknowledged portions of information processes (upper ones, in red) as exposed by a PIP model

Such experiments demonstrate the need for meticulous documentation of interpersonal relationships mediated by informatics and the great usefulness of visual modeling for such task.

6. Brief description of PIP

The general syntax of the model combines two types of pictures (or diagrams).

The first type describes the operating sequence of information processes looked at. In other words, these pictures describe the material information handling operations: what information is produced, stored, communicated and processed to produce what results.

The second type of pictures rather describes the relationships supported by a process or a portion of it. In other words, these pictures focus instead on identifying who are the people involved in these handlings and what roles each play in regard to information items and other people.

Experience has shown that in order to distinguish these two types of pictures and of realities, it is preferable that the production of these diagrams uses distinct pictograms.

Lets us state here that the PIP method is not prescriptive as to which symbols or pictograms should be used. Especially when it comes to communications and popularization, each user could use pictograms that are appropriate to the business sector, the cultural references of the addressees as well as the graphic signature of the issuing organization.

That being said, for the purposes of research and development of PIP, today we use two separate free access sets of generic icons.

Figure 5: Basic PIP-L pictograms

Figure 5: Basic PIP-L pictograms

For descriptions of relationships between actors, we use PIP-L (for Picture of Interpersonal Information Process – Language; acronym that can be pronounced “people”). This ad hoc pictographic system was developed in collaboration with Communautique and industrial designer Caroline Cyr.[9]

Figure 6: Sample of PICOL pictograms

Figure 6: Sample of PICOL pictograms

Then, for descriptions of the processes themselves, we use PICOL (Pictorial Communication Language). This pictographic system was developed at the University of Applied Sciences in Mainz, Germany, for the description of electronic communications systems.[10]

7. Using PIP for communication and popularization

7.1 Increasing communications needs-about processes

Beyond needs analysis, and legal analysis in particular, there are growing needs for successful communication about processes that would be easily comprehensible by end users and information subjects. Indeed, the processes arising from the application of a statute or a contract are increasingly computerized. These processes are even increasingly self-administered by the various parties involved, thus less and less supported by clerks or professionals responsible for records keeping or accounts management. So instead of training a few tens or hundreds of employees about often complicated processes, we end up with thousands, even millions of users who usually have to learn to operate them more or less on their own. The quality of communication with these users is therefore crucial to the proper performance of the processes.

Jurists who advise organizations or users need themselves to properly understand these processes to legally assess and explain them. Yet as we have already seen, often the available documentation offers a poor explanation or conflicts arise simply because of differing perceptions.

In addition, how to properly explain these processes and their legal implications to the citizens who self-administer them while in Canada, 48% of adults have difficulty reading a simple text, and therefore much less a technical or legal content. That is besides the fact that many are still unfamiliar with computers or, despite a certain familiarity, are struggling to make out the operation of any electronic device?

The use of visual representations is a means, among others, to facilitate such communication.

7.2 Example of an explanation of vote in the electoral system

In 2009, we experimented with Communautique and literacy organizations the use of PIP diagrams with groups of people with low literacy or low familiarity with computers.[11] We have succeeded through these diagrams, not only to explain certain processes, but also a number of basic concepts for understanding our information society. The example presented here is the explanation of vote in the Canadian electoral system from its informational basis. Among participants, there were few foreign immigrants learning French. We then realized how much this sort of explanation could be easily understandable by people unfamiliar with our electoral system.

Note that the following diagrams are a series of pictures of interpersonal relationships. We did not need to use specific description of the information processes involves in the electoral system.

Figure 8: Interpersonal relationships in candidature

Figure 8: Interpersonal relationships in candidature

We began the explanation by taking the information object meant to be handled directly by the citizens: the ballot. First, we focused attention on the fact that each line of the ballot talks about an individual, duly identified, which is a candidate for the post of deputy (representative to a legislative assembly) and that this individual is member or not of a party, also duly identified if it is the case.

Figure 7: Interpersonal relationships between candidatures

Figure 7: Interpersonal relationships between candidatures

Afterward, that the ballot is a list of candidates, duly identified, member or not of a party, duly identified, which are competing with each other for the vote of every person qualified to vote.

Figure 9: Interpersonal relationships in vote

Figure 9: Interpersonal relationships in vote

When voting, the voter indicates one’s choice among the candidates listed on the ballot. The vote is anonymous and the elector remains generally unidentifiable (anonymous personal information and generally not individually identifiable).[12]

Figure 10: Interpersonal relationships in election

Figure 10: Interpersonal relationships in election

If the individual votes are anonymous and unidentifiable, their compiling permits to determine how many votes of the electorate of a duly identified riding have been given to each candidate. The candidate receiving the most votes wins the election and becomes representative of the population of this riding.

Figure 11: Interpersonal relationships in legislative assembly

Figure 11: Interpersonal relationships in legislative assembly

The group of all elected deputies composes the Legislative Assembly responsible for enacting legislation. As these acts and other decisions being taken by vote, a competition relationship remains between the deputies and their parties. Finally, according to the British parliamentary tradition, the party or group of parliamentarians with the largest number of seats in the legislature is usually the first to be offered to form a government politically responsible for the State businesses and its public administration.

7.3 Example of an explanation of consent in patient records

The second example is an exercise on the important issue of consent or not to some personal information handling. The following diagrams were created for a seminar of specialists in protection of personal information. This was the second versions of diagrams originally developed for a training session to health and social services workers.

These two pictures compare the consent (or lack thereof) in two contexts:

  • regular communication of medical information between health professionals, and
  • electronic communication, as proposed by the Dossier Santé Québec electronic patient record system.

Note that once the drawings illustrate both the relationships (with PIP-L) and processes (with PICOL). They are not intended to describe the whole systems involved, but to focus primarily in making visually explicit:

  • the presence of consent;
  • the lack of consent;
  • the mandatory (statutory) nature of a set of operations, and
  • the possibility for the patient to refuse certain operations among them (opting out).

At first glance, there is no need to use words to understand that we are dealing with two very different modes of organizing communication and consent to it.

Figure 12: Picture of ordinary consent to communication of medical information

Figure 12: Picture of ordinary consent to communication of medical information

Figure 13: Picture of consent to electronic communication in Dossier Santé Québec

Figure 13: Picture of consent to electronic communication in Dossier Santé Québec

In the explanation of the Dossier santé Québec, the most critical point was the understanding of the opt-out option. Indeed, experience has shown that any attempt to explain it orally or in writing was laborious. Despite the details provided and restatements, the explanation often causes confusion among the addressees.

In contrast, use of the picture clarifies the explanation by defining precisely to what the opting out applies as well as its effects. In this diagram, we have successfully:

  • defined all the mandatory operations inside a box marked by the green circled arrow symbol showing the familiar road sign “mandatory direction” accompanied by the words “Law” which states that this obligation is legal;
  • identified each of the mandatory operations by marking them by the same “mandatory direction” symbol, plus the gears icon (meaning automatic), plus the “no consent” symbol;
  • signalled the presence of an opt-out by a diamond decision between “Yes” (and green PICOL “execute/continue operations” pictogram) and “No” (and red PICOL “cancel” symbol) that contains the word “option”;
  • identified the subset of operations that could be opted-out with a box (and thus, conversely, those who are not affected by exercise of opt-out).

8. PIP: a promising work in progress

Clearly, the use of the Picture of Interpersonal Information Processes method facilitates the production of rigorous analysis and the production of intelligible and unambiguous communications, particularly on the legal dimensions. However, the development of the method and of its use is still ongoing.

At first, it is necessary to organize transfer and appropriation of the method. We thank this conference’s organizers for their invitation which gives us a first opportunity to meet with jurists.

In the coming weeks, one will find on the PIP-PIP-L page, not only this presentation, but also access to symbols and then to various manuals and case uses.[13]

We will also provide training and guidance in using the PIP method, especially with the objective of appropriation that is at the heart of Communautique’s mission, especially through training of trainers and multiplying agents.

We intend to gradually build and moderate a community of practice and R&D, including the use of PIP method for communication purposes between computer projects’ stakeholders as well as with their users and other people involved. We also plan to develop real-life critical proof of concept project of use of PIP for communication.

So we send a warm invitation to all those interested, not only among jurists and lawyers but also all other categories of professionals and stakeholders involved in the design, development and operation of interpersonal information or transaction systems.

Finally, in the longer run, we are also looking to build software and methodological bridges with the practices and tools already used to design information systems in order to facilitate integration and use of PIP from the early stages of development of systems meant to support some form of interpersonal relationships.

[1] I discuss further this matter of all the norms involved in interpersonal information processes « Par delà la vie privée : ce que tout juriste devrait savoir sur les applications des technologies de l’information et des communications concernant les personnes physiques » (Beyond privacy: what every jurist should know about information and communications technologies’ applications regarding individuals)”, in Actes de la XIVe Conférence des Juristes de l’État. Cowansville, Québec: Les Éditions Yvon Blais, 2000, 133-148. Online version:

[2] [1990] C.A.I. 171 (89 0 36). On line version:

[3] L.R.Q., c. R-22

[4] Civil Code of Lower Canada (CCLC) and Charter of Human Rights and Freedoms, RSQ, c. C-12, s. 4 and 5.

[5] This provision became section 1899 of the present Civil Code of Quebec, RSQ c. C-1991.

[6] L.R.Q. c. R-8.1.

[7] I discuss in detail the advantages and disadvantages of existing visual models in « La modélisation visuelle des systèmes d’information en santé pour leur gestion administrative, légale, sociale et éthique » (The visual modeling of health information systems for their administrative, legal, social and ethical management) in L’informatique de la santé dans les soins intégrés : connaissances, applications, évaluation. Actes des 9e Journées Francophones d’Informatique Médicale. Sherbrooke, Société Québécoise d’informatique Biomédicale et de la Santé (SoQibs), 2003, 297-308. On line version:

[8] Working Group 1 (Health Information Model) of the Partnership for Health Informatics/Telematics. Conceptual Health Data Model v2.3. Ottawa, Canadian Institute for Health Information, mars 2001.

[9] PIP-L :

[10] PICOL :

[11] Project « Découvrir la société de l’information à travers nos informations personnelles » (Discovering the information society through our personal information) funded by the Canadian Council of Learning:

[12] There are scenarios like the one where, for instance, all voters of the same ballot box have vote identically, thus still anonymous ballots reveal in broad daylight the vote of each person listed as having voted, thus being identifiable in practice.

[13] PIP et PIP-L page:

CommunicationsLab NotesNotes

Presentation of PIP method at Legal IT Conference, April 26-27, 2010

I just received an invitation to make the following presentation at the Legal IT Conference 4.0 (Law + Information Technology) held in Montreal on April 26 and 27, 2010.

UPDATE #1: Access to that presentation will be open and free. It will take place in the Technology Showcase track, on Monday, April 26th.
UPDATE #2: It will be the second presentation of the 15:15 to 16:30 workshop (time was changed)

UPDATE #3: Text and visuals now online: English Abstract | Full text:  HTML –  PDF


1 comment |
Powered by WordPress | Designed by Elegant Themes