Information & Ethics Committee on June 5th, 2012

There are two kinds of passwords. There is one kind where you must enter the password before you can actually enter the website and see anything at all. It is completely blind. You don't see anybody's names, photos, user IDs, comments, nothing, until you create a password and go inside. That is a large portion of Facebook and medical kinds of sites where patients talk to each other.

Then there are the other kinds of passwords that are simply there, so that I have my space and my friends see what I have written, and everyone can follow each other. We know that because there is a name associated with each comment. That's the second kind of password.

Those are searchable by whatever browser you want to use, the Googles, and that's the kind of data we collect—only the data that is physically viewable if you were to go online and not have your own password.

Strictly social media research companies—there are not a lot. Certainly, under 100 are social media research.

Then there are untold hundreds of other companies in the social media monitoring space. They're not members of any kind of research organization, no industry organizations, but they're doing similar kinds of things. They're counting, reading, and listening. Some of them are providing pieces of measurements, but they don't classify themselves as a market research company as mine is.

Thousands, millions? I do not have the exact number.

There are probably 100 new ones every single day.

Oh, for sure. There are the top 100 Facebooks, LinkedIns, and Twitters, but it goes far, far beyond that.

In the case of our association, I think the parliamentarians and legislatures can have faith and trust based on our track record over many years and the self-regulatory mechanisms we have in place. For example, we have a mechanism called the research registration system, under which companies go on our site and register the projects they have out with the public at any given point in time. That allows respondents across the country to phone in or by e-mail verify the legitimacy of the survey, because it has been registered with the self-regulatory association.

In the case of the social media companies, it's a difficult task, because they're so numerous and so varied and they cater to different sizes and types of audiences. Even for, say, an association within Canada, such as the Canadian Marketing Association, it would be a monumental task to bring all those types of companies into the tent and get them to agree to adhere to standards and proper self-regulation. I know there is a characterization out there now that social media marketing is like the wild west, because none of them belongs to self-regulatory associations.

I'll make a quick point here.

Self-regulation is a subject in its own right, but it is illegal to collect personal information and resell it in Canada without consent. So we're not relying on self-regulation to protect the privacy of Canadians: PIPEDA already bans that practice.

Response to most crime in Canada is complaint-driven. We don't preauthorize transactions and so forth. You have to be robbed before you complain to the police, before they investigate the robbery.

I understand what you're saying, but I don't think the assumption should be that commerce shouldn't take place until an agent of the state has approved it. It has to be responsive to criminality.

Thank you very much. It's nice to see you again.

Mr. Calkins is getting close to his maximum safe exposure to Warren Everson this week. You want to be cautious about that.

That's a really big mouthful of a question, as you know. I think society will use a defence in depth with regard to privacy. That defence will include a proper understanding of what the consent is. I certainly support the committee in the tone of your questions concerning frustration about consent being hard to follow and hard to understand. I don't suppose the suppliers of the service necessarily take much joy in it either.

I think the caution of the consumer can't be ignored. My children are much more concerned about Internet privacy than I am, because they have been lectured to about it so much and can cite off all the rules that exist for the social media they're employing. I don't know whether they represent any standard or not, but they are certainly not unconscious of the issue; they are suspicious.

Madam Borg started with asking whether there is a lack of trust. There is a lack of trust, and it's probably a darned healthy thing that it exists there.

We have seen in the last couple of years some pretty significant changes to privacy in the big offerings. Facebook has upgraded its privacy standards, and that's an ongoing debate. You can hardly pick up a newspaper without seeing discussion about it. I note that Google handles people who identify themselves as young consumers differently, as to how much information is available in their social chat services. I became aware not long ago of a service called Hangout, where people can go and hang out. When a stranger enters that enclave, everyone is notified, and if the stranger does not properly identify, the site closes, so they would have to reassemble it. There are all kinds of technical security and privacy services that have been invented by the technical side of the business, conscious of consumer concern.

I'm just going to say one more thing. As you proceed in your hearings, obviously you're going to want to know exactly what the law currently makes illegal and how often it has been employed by people. It's my contention that the law is not bad in Canada. Probably public awareness is quite low as to exactly what recourse exists.

These days, as Warren was saying, kids are being raised with privacy in the digital age. From the youngest age, this is a normal everyday conversation, whereas for many of us it didn't even come about until, let's say, 10 years ago. So this is brand-new information; it's completely different from how we were raised, and we're still wrapping our heads around it. Kids are far more aware of it; it's just normal for them. They know what is good and what's bad in terms of wanting or needing privacy. That's why they have more opinions on it than a lot of us have.

In terms of our people using defaults appropriately, I think a lot of industry is doing just what we're talking about here, its own self-regulation. When somebody changes a default setting, as in the case of Facebook, everyone is in an uproar if they don't like it, and there are some quick work-arounds to make adjustments to it. It's happening in one website after another website: people continue to speak up when they don't like what the default setting is, there's a whole bunch of discussion around it, and then tweaks are made.

So I think there is a lot of self-regulation going on in the industry, and it will only get more and more and better and better as people become more familiar with how it should be and how they want it to be.

This is already part of what the MRIA code looks at. All information must be de-personalized. This is the exact same thing we are doing within the social media space. Our ethical standards are exactly the same as they would be for survey research. Names are not published in research reports; there are no user names, photos, e-mail addresses, physical addresses. That kind of information is not appropriate, and we do not allow that sort of information to be published in final reports.