Information & Ethics Committee on Nov. 25th, 2010

I can hear you and I can see you a little bit. The audio is fine. The screen is flickering quite a bit in terms of the video.

I have the same experience as Mr. Glick. I can hear you very, very well, but my screen image is jumping around quite a bit.

Thank you, Mr. Chairman.

Thank you for inviting us to the committee. It is a pleasure to appear in front of you.

With me this afternoon is Martin Aubut, who is senior manager, social commerce, of the Yellow Pages Group. Martin is an expert on the Internet. I thought having him with me today could be useful should your questions touch on issues that I am less familiar with.

In addition to my responsibilities as general counsel of Yellow Media Inc., the ultimate parent company of Canpages and Yellow Pages Group, I am the acting privacy officer of the company.

I thought I would start by giving you a brief introduction of Yellow Pages Group, also known as YPG, which acquired Canpages in June 2010.

Yellow Media Inc. is a leading Internet company in our network of companies, which includes Yellow Pages Group, Trader Corporation, and Canpages. Yellow Media owns and operates some of Canada's leading properties and publications, including Yellow Pages directories, YellowPages.ca, Canada411.ca, AutoTrader.ca, CanadianDriver.com, RedFlagDeals.com, and LesPAC.com.

Our online destinations reach over 11.5 million visitors monthly, and our mobile applications for finding local businesses, deals, and vehicles have been downloaded over two million times. We're also a leader in national digital advertising through Mediative, a provider of digital advertising and marketing solutions to national agencies and advertisers.

Predecessors of YPG published their first directories in 1908. We have operations in all the provinces and territories of Canada. There are approximately 2,500 employees at YPG, 530 at Canpages, and 1,200 at Trader.

Through the acquisition of Canpages, we hope to be in a better position to compete with other major online players such as Google. We believe that our acquisition of Canpages will sharpen our online competitiveness by expanding our sales force, capabilities, and offerings, thus accelerating our move online.

If you factor in the sales professionals we have at YPG, Trader, and Canpages, we have approximately 2,000 people in the sales organization. We're looking at a better utilization of that tremendous sales capacity, targeted at small and medium-sized Canadian enterprises.

You should know that Street View, the service currently offered on Canpages.ca, is licensed from two third parties, one of which is MapJack, for parts of the cities of Vancouver, Toronto, and Montreal. Street View has been in effect since 2008; Google Street View is used for the rest of Canada.

Depending on where you are within our universe of websites, we are currently using Street View technology from Google and Microsoft, in addition to MapJack, the provider that Canpages has historically used.

I am pleased to confirm to the committee that Canpages' supplier of the Street Scene service, MapJack, has not been used to collect either Wi-Fi network data or Wi-Fi payload data. Therefore, we have never been in possession of any such data.

Yellow Media Inc., YPG, Trader, and Canpages are fully committed to abiding by the privacy legislation applicable to our business.

We would be pleased to answer any questions the committee may have.

Thank you.

No, Mr. Chair. I will only thank the committee for having us back and will give the floor to Dr. Whitten, who I think has some remarks.

Thank you to the committee chair and to all the members of the committee for this opportunity to speak with you today.

I've devoted my career both as an academic and now as Google's director of privacy to one primary goal, which is to make it intuitive, simple, and useful for Internet users to take control of their privacy and security.

This is really the central challenge of privacy engineering. Products and services, particularly on the Internet, constantly evolve. Valuable new services, from social networking to online video to mobile computing, are constantly changing the way in which we interact with each other and use information.

These services, which are built in part from the information that providers learn from their users, offer tremendous value. Our goal is to offer our users innovative products that help them understand the world in new and exciting ways.

In order to do what we do, in order to provide great user experiences, we rely on our users' trust. It is our greatest asset. The information our users entrust to us enables us to better match searchers to the information they seek, to fight off those who would scam our users or undermine the usefulness of our search results, and to create new services, such as translation, speech-to-text, and many others.

We focus on building transparency, user control, and security into our products. We constantly review, innovate, and iterate to make sure we are honouring our users' privacy expectations and security needs. Because our users' trust is so critical to us, it's very important to us to note that we do not sell our users' personal information.

The Google Dashboard is a cornerstone of our efforts. If you haven't seen this tool, I invite you to take a look at www.google.com/dashboard. We developed the dashboard to provide users with a one-stop, easy-to-use control panel for the personal information associated with their Google accounts, from Gmail to Picasa to Search, and to more than 20 other Google products.

With the dashboard, a user can see, edit, and delete the data stored with her individual Google account. She can change her privacy settings, see what she is sharing and keeping private, and click into the settings for any individual product.

I was adamant when we created the dashboard that we not make it seem strictly a privacy tool. Above all, I wanted it to be a useful tool that our users would come back to and interact with even when they weren't consciously thinking about privacy.

We took a similar approach with our advertising network. Our ads preferences manager, which is linked from every ad in our advertising network, allows users to opt out of ad targeting and learn about our privacy practices. Equally important, it allows users to look at the categories of ads they will see, select new interest categories, and remove ones that don't match their interests.

By offering this useful service, we hope to get more people to understand and confirm their privacy settings. Interestingly, we have seen that for every one user who visits this page and opts out, four choose to edit their preferences, while ten view the page and choose to do nothing.

These are great examples of transparency and control designed into products in a way that is prompting individual users to learn more about how to control their information, and we're proud of this track record.

However, despite our best efforts, on occasion we have made mistakes. As this committee is well aware, in May, Google disclosed that we had mistakenly included code in the software on our Street View cars that collected samples of Wi-Fi payload data—information that was sent over open, unencrypted Wi-Fi networks. To be clear, Google never used this mistakenly collected data in any product or service, and there was no breach or disclosure of personal information to any third party. As soon as we learned about this incident, we disclosed what had happened and acknowledged our mistake.

Google is working hard to fully and completely address this incident. We recognize that we need to do better.

My colleague Jacob Glick spoke to you in November about some of our plans to strengthen our internal privacy and security practices. These plans include additional responsibilities for me, which I would appreciate telling you a bit about today.

I'm excited by the opportunity bring greater robustness to our privacy and security practices in my new role. With my expanded responsibilities, I will have the chance to oversee and work with both the engineering and the product teams to help ensure that privacy and security considerations are built into all of our products.

While the duties that go with this role are big, I am confident that I will be supported with the resources and internal support needed to help Google do better. Further, I believe that Google's commitment to redouble its efforts around staff training will go a long way.

Mr. Glick mentioned this when he appeared before this committee on November 4, and I'm happy to elaborate on this further for you. We want to deputize every Googler in this effort. We want to make certain that each product we roll out meets the high privacy and security standards that our users expect of us.

We are an innovative company, creating new products each year that are helping to transform how we organize information and relate to each other as people. Our users' trust is the foundation that Google's business is built upon. We are committed to not taking that trust for granted.

I look forward to answering your questions.

Thank you.

Sure. Thanks very much, Mr. Chair. I hope the members can hear me.

As you know, when we were at committee last time, we hadn't yet begun the analysis of what steps, if any, we could take to delete the data pursuant to the direction of the Privacy Commissioner. At that time, I promised that we would begin that analysis right away. We've begun that analysis; there's a process under way. It's not complete yet, but we hope to have a better understanding as this progresses.

I can tell you that the bottom line is the same as what I said it was last time we were here, which is that we want to be able to delete the data, but this is a difficult series of questions and something that we only get a chance to do once—that is, delete the data—so we want to make sure we do it right. There's a process under way to do that analysis, but it's not complete yet.

I can't say for certain, but my expectation is that by the new year we'll have some much more definitive answers as to what data we can delete, if any.

As part of the process set in motion by the Privacy Commissioner, we'll be reporting back to her in accordance with her draft findings. Because it's a process that's ongoing, I can't tell you definitively, but we're moving quickly. It's just that it is difficult.

Yes.

The first thing you should understand is that, strictly speaking, Canpages--or Yellow Pages Group--is not in the business of doing street mapping the way other providers are. We use a third party to do that service. When Canpages started doing this service back in 2008, it used a company called MapJack. Before coming here today, we received assurances from this company in relation to the fact that they would have collected that kind of information. They've confirmed to us that they have not collected that information, and we don't have that information.

I guess I can only repeat those assurances that I have received from the principals at MapJack. That being said, this company is based in Hong Kong, and my understanding of this company is that it's not a very large corporation. It was using technology that I think—and I guess maybe Martin needs to confirm—was much less sophisticated than the services offered or rolled out by Google and Microsoft.

What I can again repeat to the committee is the fact that these are the assurances we have received. The hosting of the mapping service of this technology is based here in Canada. We have the licence to use it here in Canada, but there is nothing other than the map services and the street scenes that we provide through the use of our websites.