Evidence of meeting #57 for Access to Information, Privacy and Ethics in the 41st Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was facebook.
A video is available from Parliament.
November 27th, 2012 / 3:55 p.m.
Liberal
Scott Andrews Liberal Avalon, NL
Thank you very much. Welcome.
First I would like to have a little chat about what you mentioned at the end of your presentation with regard to the Irish Data Protection Commissioner. How many of these privacy commissioners or government agencies is Facebook dealing with around the world?
3:55 p.m.
Manager, Privacy and Public Policy, Facebook, Inc.
Our services are operated in Canada and the U.S. by Facebook, Inc., which is based in Menlo Park, California, and by Dublin-based Facebook Ireland Limited in the rest of the world. Our primary regulators are the Federal Trade Commission in the U.S. and the Irish Data Protection Commissioner in Ireland. Those are the relationships we primarily rely on. We spend a lot of time with those organizations.
We also have other relationships because we operate all over the world. We have relationships with regulators and policy-makers in various countries. For example, we have a robust relationship with the Privacy Commissioner here in Canada. We have found that we have had a very positive relationship with her office, and have been able to discuss many of our emergent issues and products with her office to get their feedback. That has been a very positive relationship. Many of our innovations in privacy have come out of our discussions with her.
3:55 p.m.
Liberal
Scott Andrews Liberal Avalon, NL
Between the Irish and the FTC, if one of the two of them tells Facebook to attain a certain level of privacy, does it go throughout the whole organization in every country? If the Irish set the bar here, and the FTC's bar is there, do you raise the global bar to the most up-to-date and what's requested?
3:55 p.m.
Manager, Privacy and Public Policy, Facebook, Inc.
In general, we try to operate our service in a way that is consistent globally. We want everybody on Facebook to have the same experience. When we make privacy decisions, we try to make them in a way that works for all of our users in all the jurisdictions where we have relationships. In general, when we receive feedback from either regulator, we take that feedback seriously. There may be instances where we make a decision that certain features will work differently in some jurisdictions, but we prefer to avoid that where possible and maintain a consistent experience for everybody.
3:55 p.m.
Liberal
Scott Andrews Liberal Avalon, NL
When speaking about advertising with the last member, you said the words “general information” is provided to advertisers. Do you want to elaborate a little on what general information is provided? Do you have a list—I think you may have a list on Facebook—of all your advertisers and who you share this information with?
3:55 p.m.
Manager, Privacy and Public Policy, Facebook, Inc.
When I referred to general information, what I meant was aggregated information. When we show advertisements to large groups of users, we may tell the advertiser general information about the people in that group. For example, we might say this advertisement was shown to 100,000 people, or we might say 50% of the people who saw your advertisement told us they were male. We're not providing information that is specific to an individual, just information that will give an advertiser a sense of the population they are addressing. That's what I meant by general information.
We don't have a specific list of all of the advertisers on Facebook, because that set of companies is constantly changing. The information they receive is not individually identifiable to users. When there are advertisements that appear on Facebook, there's an “x” that appears next to each ad. You can click “about this ad” to learn about Facebook advertising generally. There's also an indication there in most cases of the identity of that specific advertiser.
3:55 p.m.
Liberal
Scott Andrews Liberal Avalon, NL
We've also heard during our committee testimony that some of the advertisers are now linking up information off-line and trying to link the information they get with actual users. Are you familiar with this? Is this a concern of Facebook? Is it going on with some of the data you're providing to the advertisers?
3:55 p.m.
Manager, Privacy and Public Policy, Facebook, Inc.
With regard to the information that we provide to advertisers, again, there's no information specific to individuals in an identifiable way. I'm aware that there are some advertisers who have a practice of linking up this information. We do provide some analytics in a general way across large groups of people about off-line purchasing behaviour, and that's something we've talked about on our privacy page and we've explained to people how we do that in a privacy-sensitive way.
With regard to the entities that are able to receive information on Facebook, we have agreements with them that restrict their ability to leverage the information and use it in ways that we're not authorized on.
4 p.m.
Liberal
Scott Andrews Liberal Avalon, NL
Talking about wanting out, if someone wants out of Facebook, is there that option? I think you mentioned it. If they pull all their data out, once it's out, is it gone? Do you retain it for a certain period of time?
4 p.m.
Manager, Privacy and Public Policy, Facebook, Inc.
There are two different processes that we allow people to use in addition to downloading their information, which is the process that allows them to gain access to their information. You can do that without deleting your Facebook account. But assuming you've decided to sign off of Facebook, we provide two options. One is called deactivation and one is called deletion. We describe those together and give people the choice.
Deactivation is when you may want temporarily to suspend your Facebook account, but you may want to leave it intact so that you can come back to it later, have access to all of your content, and have access to all of your friends. That's one option that we provide.
The second option is deletion, which is what it sounds like. People can come to us and say, “I don't want to be on Facebook anymore and I want you to get rid of my account”. When that happens we tell them that there's a 14-day period during which they can change their mind. We instituted that because a lot of people started to delete their accounts and then came back later and said they'd changed their mind, and we weren't able to recover their data. So we now have a waiting period that we tell people about.
After that period, we begin the process. I should say, on the date that you delete your account, it's deactivated, so it no longer appears on the Facebook service. Fourteen days later we begin the process of deleting your data or anonymizing it in every place it exists on Facebook.
4 p.m.
Liberal
Scott Andrews Liberal Avalon, NL
You mentioned those retention periods. Do you have different retention periods for different items? Perhaps you could elaborate on that.
4 p.m.
Manager, Privacy and Public Policy, Facebook, Inc.
Thank you for the question.
When I said that we have different retention periods for different items, the reason is that we keep information for different purposes. In general, we want to have information in our records for only as long as it's needed to provide services. For example, if you post something on your timeline, there's no fixed retention period that's associated with that. We leave it on your timeline as long as you leave it there, and if you choose to delete that content or delete your account, then we begin the process of removing it from the various places on our service that it exists.
There are other pieces of information for which we have a more routinized data retention process. I referred earlier to social plug-ins, which are the light buttons that you see on various places on the web. In those cases, for logged-in Facebook users we store it for 90 days, and after that period we either delete or anonymize those pieces of information as well.
So different pieces of information are subject to different processes, but we try to be thoughtful about the way in which we retain the information.
4 p.m.
NDP
The Chair NDP Pierre-Luc Dusseault
Thank you, Mr. Andrews. Your time is up, unfortunately.
Mr. Butt now has the floor for seven minutes.
4 p.m.
Conservative
Brad Butt Conservative Mississauga—Streetsville, ON
Thank you, Mr. Chair.
Thank you very much, Mr. Sherman, for being here today. I don't think there's a single member of Parliament—I would be surprised if there is one—who isn't a Facebook subscriber, a Facebook customer. I could be wrong. I know Mr. Angus quit Twitter, but I think he still likes his Facebook page.
I'm glad you're here to give us a better sense of what you are trying to do. I'm fairly sure that your company's view is to have corporate responsibility and to make sure you're doing the best job you can do.
I come at this as a father of a 13-year-old and an 8-year-old daughter. My initial question would be whether you've taken any additional measures as they relate to minors who are Facebook subscribers and are participating. Do you do any monitoring of content within your organization to, let's just say, protect young people against themselves to some degree? I realize that when you post something, you've made a conscious decision to go and do that. But Mr. Angus is talking about private messages showing up, and other things going on.
Are you doing anything special, out of the ordinary, for underage users of the system, rather than for adults of the system, where we would assume that with adults, cooler heads would prevail when they're participating in Facebook?
Do you have anything special or specific that you do around underage users of Facebook?
4 p.m.
Manager, Privacy and Public Policy, Facebook, Inc.
We do. We take the safety of underage users, minor users, of Facebook very seriously. We actually have a dedicated manager on my team who focuses exclusively on those issues. The reason is that it's an important issue, not just to us who work on privacy, but to everyone at the company.
One example of a way that we try to create a safe environment for teenagers who use Facebook is the default settings. We talked earlier about that. The default settings in general are more limited for teenagers. The thinking is that adults should make their own decisions about who they want to share with, but we want to put minors in a place that's a bit more limited, speaking in a smaller community.
We don't monitor the content of our users in general, but we do have reporting functionality. We try to use a tool called “social reporting”, for example, which allows people who are concerned with Facebook content to engage in a conversation. For example, if you see content that you're concerned about as a user, you can report it to the user who posted it, to a trusted third party—for example, an adult you know. You can also report the content directly to Facebook. We have a team of professionals who review reported content and make judgments about what steps we should take. There are also some technological measures that we use, independent of teenagers' communications, just to look at the ways that adults communicate in order to help keep teenagers safe when they use Facebook.
4:05 p.m.
Conservative
Brad Butt Conservative Mississauga—Streetsville, ON
If someone feels they're being bullied or stalked or in any way inappropriately contacted through Facebook, what's your mechanism to deal with that? If I report as a Facebook user.... Maybe you could also explain the process or how it works with...what do you call it? It's “defriending”, I guess, or getting someone off your site. You may have accepted them as a friend, but you find out they're actually an abusive friend. They've tried to befriend you on Facebook for a malicious reason. They essentially are there to cause difficulty.
Can you explain how that system works—one, how someone is going to report if they feel they're being inappropriately contacted or abused on Facebook; and secondly, the process for defriending somebody?
I haven't figured out how to defriend yet. I'll have to take a lesson. You can tell me today and I'll learn.
4:05 p.m.
An hon. member
I do it all the time.
4:05 p.m.
Conservative
Brad Butt Conservative Mississauga—Streetsville, ON
You do it all the time? I don't know how to do it yet. I haven't figured it out yet. I need to get a lesson today.
4:05 p.m.
Manager, Privacy and Public Policy, Facebook, Inc.
I do very little defriending, but I'm familiar with the process.
4:05 p.m.
Conservative
4:05 p.m.
Manager, Privacy and Public Policy, Facebook, Inc.
In general we hope that people have a positive experience on Facebook and want to communicate. But we know there are situations in which people want to stop the communication, so we have a number of mechanisms in place to address that situation.
The first is the ability to unfriend somebody, which essentially is when you've engaged in a relationship with them on Facebook and you decide you want to terminate that relationship. Either party in the relationship can stop a friendship, and there are a number of different ways to do it.
The easiest way to do it is to go to their page, to their timeline, and there will be a button that will allow you to remove that friend relationship. That will still allow that person to see you on Facebook. They'll still see things you post publicly, or in groups or things like that, but they won't see things you share specifically with friends.
If you want to go a step further because there's somebody who is concerning you, you can block that person, which is a stronger mechanism. That prevents that person, for example, from creating a message to you. If they've been sending you private messages that you feel are inappropriate, you can prevent them from creating messages to you by using that block functionality.
There are other situations that may come up. When it goes beyond simple contact that you may find objectionable, we also want to know about it and to take steps where appropriate. On our “help center” page, there's a button at the top right at the corner that says “report an issue”. That gives you information on how to contact Facebook when you have this kind of problem, and other problems with content that you see on Facebook as well.
4:05 p.m.
Conservative
Brad Butt Conservative Mississauga—Streetsville, ON
Thank you very much.
Thank you very much, Mr. Chair.
4:05 p.m.
NDP
The Chair NDP Pierre-Luc Dusseault
We are starting the five-minute round of questions with Ms. Borg.
4:05 p.m.
NDP
Charmaine Borg NDP Terrebonne—Blainville, QC
Thank you, Mr. Chair.
Thank you, Mr. Sherman, for being here today to answer our questions. We have been studying this matter for some time. And it's good to hear from you directly about what is being done with our personal information and what measures you are taking to protect it.
I carefully read your most recent data use policy, published on November 21, 2012. Unless I'm mistaken, this is what you know about us: our GPS coordinates, our friends, our interests, our family members, the people we went to elementary and secondary school with. You can share that information, this portrait you have of us, with our friends, our partners, advertisers who buy ads on the site and developers who design the games, the applications and the websites we use. So you are sharing this information with a lot of people.
Do you get express and informed consent to share this information?
4:05 p.m.
Manager, Privacy and Public Policy, Facebook, Inc.
Thank you very much for your question.
As a preliminary matter, you listed a number of pieces of information that Facebook receives, and we describe in our data use policy the various ways that we may receive information from our users.
It's important to point out that we don't have that information about all of our users, so we rely on the information that people choose to give to us.
As an example, you mentioned GPS coordinates. We receive GPS coordinates from your mobile phone when you use Facebook, but we ask for permission to do that first. So you will specifically authorize your phone to give us your GPS coordinates if you need to do that in order to use location-enabled features within Facebook.
You can also choose, for example, on Apple's iOS platform, when asked, not to allow us to see your location. That will prevent you from using the location-enabled feature but will still allow you to use other aspects of Facebook.
I think it is important to point out that we list all of the categories of information that we may receive, but it's not the case that we receive that information about everyone.
With regard to the ways in which we share the information, different categories of information are shared in different ways. In general—we talked about advertisers—with regard to applications, we have a process that we discussed in detail with the Privacy Commissioner's office when we came up with it. That process tells the user what information the app would like to receive about them and it asks for permission before the person gets to that app.
There are other situations in which we may receive consent that is not through a specific dialogue but through users' acceptance of our data use policy. For example, we have service providers that help us provide the Facebook service. They provide technical services, for example, for us. Those entities may have access to Facebook data, but they are subject to contracts that restrict their use of it. In those instances we rely on our users' acceptance of the data use policy as consent to allow those entities access for that limited purpose.