This week, I changed much of the tech behind this site. If you see anything that looks like a bug, please let me know!

Evidence of meeting #43 for Access to Information, Privacy and Ethics in the 41st Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was data.

A video is available from Parliament.

On the agenda

MPs speaking

Also speaking

Warren Everson  Senior Vice-President, Policy, Canadian Chamber of Commerce
Brendan Wycks  Executive Director, Marketing Research and Intelligence Association
Annie Pettit  Vice-President, Marketing Research and Intelligence Association

11:35 a.m.

Liberal

Scott Andrews Liberal Avalon, NL

You collect that. So what you're advocating today is separate from what these companies do with their data. There are two distinctive types. Facebook could have its data on individuals and they can sell it, push it, and market it. You do it outside. Okay.

You mention that you don't go into a password, but most of these sites, the social media sites, have passwords. You have to access them. How do you get the data without accessing...? When you Google something, what comes up, comes up, and often you're linked to the site to go get it. So how do you square that circle?

11:40 a.m.

Vice-President, Marketing Research and Intelligence Association

Annie Pettit

There are two kinds of passwords. There is one kind where you must enter the password before you can actually enter the website and see anything at all. It is completely blind. You don't see anybody's names, photos, user IDs, comments, nothing, until you create a password and go inside. That is a large portion of Facebook and medical kinds of sites where patients talk to each other.

Then there are the other kinds of passwords that are simply there, so that I have my space and my friends see what I have written, and everyone can follow each other. We know that because there is a name associated with each comment. That's the second kind of password.

Those are searchable by whatever browser you want to use, the Googles, and that's the kind of data we collect—only the data that is physically viewable if you were to go online and not have your own password.

11:40 a.m.

Liberal

Scott Andrews Liberal Avalon, NL

How many different social media companies are we talking about? We know the big ones, but how many are out there that would have to comply with all the privacy issues?

11:40 a.m.

Vice-President, Marketing Research and Intelligence Association

Annie Pettit

Strictly social media research companies—there are not a lot. Certainly, under 100 are social media research.

Then there are untold hundreds of other companies in the social media monitoring space. They're not members of any kind of research organization, no industry organizations, but they're doing similar kinds of things. They're counting, reading, and listening. Some of them are providing pieces of measurements, but they don't classify themselves as a market research company as mine is.

11:40 a.m.

Liberal

Scott Andrews Liberal Avalon, NL

I'm going to come back to that, but here is the second part of my question. How many social media companies are there, like the Facebooks, the Twitters?

11:40 a.m.

Vice-President, Marketing Research and Intelligence Association

Annie Pettit

Thousands, millions? I do not have the exact number.

11:40 a.m.

Liberal

Scott Andrews Liberal Avalon, NL

We all talk about the big ones, but how are we going to make something that's applicable to not only the big social media companies but the small social media companies...?

11:40 a.m.

Vice-President, Marketing Research and Intelligence Association

Annie Pettit

There are probably 100 new ones every single day.

11:40 a.m.

Liberal

Scott Andrews Liberal Avalon, NL

Really?

11:40 a.m.

Vice-President, Marketing Research and Intelligence Association

Annie Pettit

Oh, for sure. There are the top 100 Facebooks, LinkedIns, and Twitters, but it goes far, far beyond that.

11:40 a.m.

Liberal

Scott Andrews Liberal Avalon, NL

Back to the market companies. Near the end of your statement you talked about self-regulating. How do we as politicians trust people to self-regulate when there are so many of them out there? I'm sure there are good ones and bad ones, but how do you have faith that some sort of self-regulation will work?

11:40 a.m.

Executive Director, Marketing Research and Intelligence Association

Brendan Wycks

In the case of our association, I think the parliamentarians and legislatures can have faith and trust based on our track record over many years and the self-regulatory mechanisms we have in place. For example, we have a mechanism called the research registration system, under which companies go on our site and register the projects they have out with the public at any given point in time. That allows respondents across the country to phone in or by e-mail verify the legitimacy of the survey, because it has been registered with the self-regulatory association.

In the case of the social media companies, it's a difficult task, because they're so numerous and so varied and they cater to different sizes and types of audiences. Even for, say, an association within Canada, such as the Canadian Marketing Association, it would be a monumental task to bring all those types of companies into the tent and get them to agree to adhere to standards and proper self-regulation. I know there is a characterization out there now that social media marketing is like the wild west, because none of them belongs to self-regulatory associations.

11:40 a.m.

Liberal

Scott Andrews Liberal Avalon, NL

Go ahead.

11:40 a.m.

Senior Vice-President, Policy, Canadian Chamber of Commerce

Warren Everson

I'll make a quick point here.

Self-regulation is a subject in its own right, but it is illegal to collect personal information and resell it in Canada without consent. So we're not relying on self-regulation to protect the privacy of Canadians: PIPEDA already bans that practice.

11:40 a.m.

Liberal

Scott Andrews Liberal Avalon, NL

Any time you have this, how does the government or how does anybody police it? It must be very difficult to police, unless it's complaint-driven.

11:45 a.m.

Senior Vice-President, Policy, Canadian Chamber of Commerce

Warren Everson

Response to most crime in Canada is complaint-driven. We don't preauthorize transactions and so forth. You have to be robbed before you complain to the police, before they investigate the robbery.

I understand what you're saying, but I don't think the assumption should be that commerce shouldn't take place until an agent of the state has approved it. It has to be responsive to criminality.

11:45 a.m.

Liberal

Scott Andrews Liberal Avalon, NL

That leads me to the question I had for you.

Do I have some time?

11:45 a.m.

NDP

The Chair NDP Pierre-Luc Dusseault

No, I am sorry.

We now move to Mr. Calkins, for seven minutes.

11:45 a.m.

Conservative

Blaine Calkins Conservative Wetaskiwin, AB

Thank you very much, Chair.

Mr. Everson, thank you very much for coming today.

I saw you last week at committee. You're a man of many talents. You're able to come and talk about a wide breadth of issues on behalf of the chamber. It's much appreciated.

Of course, Mr. Wycks and Ms. Pettit, thank you very much for being here.

I have some concerns about the industry in general. I want to talk about something Michael Geist, who testified before our committee last week, said. He said the devil is in the defaults. I thought that was quite apropos. From my perspective, what I would like to see out of this is that the need to protect individual Canadians' privacy be balanced against the economic growth that you talked about, Mr. Everson.

I think that's key. I'm glad we have some semblance of self-regulation here and have an inward-looking organization like yours, which basically monitors how we're doing things and how we're conducting ourselves. I think that's a great thing. I believe we should only have government where necessary, not necessarily have government in all aspects of our lives. But I do think the government has a role to play here, and I'll be getting to that.

I'd like to talk about “the devil's in the defaults”. I have young kids who have iPods and all these other kinds of devices. I do what I can as a parent to protect my children, to protect the integrity of our network in our house, but there's only so much that it's reasonable to do. I read through pages and pages of agreements—user agreements and so on. They're written in a language that frankly I don't think most lawyers could even understand, much less lay people. I'm surprised often, when I find out, that the default settings on most things that I accept an agreement to.... They sometimes frighten me in the degree to which I've allowed my personal information to be shared.

I would like to ask you, Mr. Everson, do you think we have an appropriate balance right now? You were fairly complimentary to PIPEDA. Do you think we have enough protection from the perspective of protecting people's information right up front, right at the very first opportunity, by the use of default settings as to what can be shared and what can't be shared?

To Mr. Wycks and Ms. Pettit, from a self-regulatory perspective, do you think the groups that you represent—the organizations, your clients, the people you study, the people you do work on behalf of—are using defaults appropriately?

11:45 a.m.

Senior Vice-President, Policy, Canadian Chamber of Commerce

Warren Everson

Thank you very much. It's nice to see you again.

Mr. Calkins is getting close to his maximum safe exposure to Warren Everson this week. You want to be cautious about that.

That's a really big mouthful of a question, as you know. I think society will use a defence in depth with regard to privacy. That defence will include a proper understanding of what the consent is. I certainly support the committee in the tone of your questions concerning frustration about consent being hard to follow and hard to understand. I don't suppose the suppliers of the service necessarily take much joy in it either.

I think the caution of the consumer can't be ignored. My children are much more concerned about Internet privacy than I am, because they have been lectured to about it so much and can cite off all the rules that exist for the social media they're employing. I don't know whether they represent any standard or not, but they are certainly not unconscious of the issue; they are suspicious.

Madam Borg started with asking whether there is a lack of trust. There is a lack of trust, and it's probably a darned healthy thing that it exists there.

We have seen in the last couple of years some pretty significant changes to privacy in the big offerings. Facebook has upgraded its privacy standards, and that's an ongoing debate. You can hardly pick up a newspaper without seeing discussion about it. I note that Google handles people who identify themselves as young consumers differently, as to how much information is available in their social chat services. I became aware not long ago of a service called Hangout, where people can go and hang out. When a stranger enters that enclave, everyone is notified, and if the stranger does not properly identify, the site closes, so they would have to reassemble it. There are all kinds of technical security and privacy services that have been invented by the technical side of the business, conscious of consumer concern.

I'm just going to say one more thing. As you proceed in your hearings, obviously you're going to want to know exactly what the law currently makes illegal and how often it has been employed by people. It's my contention that the law is not bad in Canada. Probably public awareness is quite low as to exactly what recourse exists.

11:50 a.m.

Vice-President, Marketing Research and Intelligence Association

Annie Pettit

These days, as Warren was saying, kids are being raised with privacy in the digital age. From the youngest age, this is a normal everyday conversation, whereas for many of us it didn't even come about until, let's say, 10 years ago. So this is brand-new information; it's completely different from how we were raised, and we're still wrapping our heads around it. Kids are far more aware of it; it's just normal for them. They know what is good and what's bad in terms of wanting or needing privacy. That's why they have more opinions on it than a lot of us have.

In terms of our people using defaults appropriately, I think a lot of industry is doing just what we're talking about here, its own self-regulation. When somebody changes a default setting, as in the case of Facebook, everyone is in an uproar if they don't like it, and there are some quick work-arounds to make adjustments to it. It's happening in one website after another website: people continue to speak up when they don't like what the default setting is, there's a whole bunch of discussion around it, and then tweaks are made.

So I think there is a lot of self-regulation going on in the industry, and it will only get more and more and better and better as people become more familiar with how it should be and how they want it to be.

11:50 a.m.

Conservative

Blaine Calkins Conservative Wetaskiwin, AB

My last question is about the differentiation between data and information. When information is collected about me as a user on the site, my personal information is there, if I happen to be creating an account, for example, but there are also traces of my user information, the sites I go to, things that I may visit, my interests, my hobbies. They can glean this kind of information.

When it comes to reselling this information or data, are you confident, from an industry self-regulation perspective, and comfortable with the fact that enough de-identification of some of the personal things is actually happening? If they happen to know what age group I'm in and what I happen to be looking at or shopping for on the Internet, that's one thing; if they know my name, address where I live, and what I'm shopping for on the Internet, that's a completely different thing.

Are you satisfied that there's enough de-identification? Do we have enough legislative framework around the de-identification of the information that's being resold between the data collector and those who might be interested in it?

11:50 a.m.

Vice-President, Marketing Research and Intelligence Association

Annie Pettit

This is already part of what the MRIA code looks at. All information must be de-personalized. This is the exact same thing we are doing within the social media space. Our ethical standards are exactly the same as they would be for survey research. Names are not published in research reports; there are no user names, photos, e-mail addresses, physical addresses. That kind of information is not appropriate, and we do not allow that sort of information to be published in final reports.

11:50 a.m.

NDP

The Chair NDP Pierre-Luc Dusseault

Thank you. I am going to have to stop you there because Mr. Calkins' time is up.

We now start the question and answer period where each round is five minutes.

Your turn, Mr. Angus.

June 5th, 2012 / 11:50 a.m.

NDP

Charlie Angus NDP Timmins—James Bay, ON

Thank you for a fascinating discussion.

Mr. Everson, I was a two-time board director of the Chamber of Commerce. At the time I was on the board, I was representing a small northern Ontario media company, and we were looking at the possibility of where we could move in terms of digital culture. I agree with you; I think the opportunities have exploded since, and even as we were watching it develop. I think Canadians are well positioned to take advantage of this. We have to encourage that. I think it's part of what our work at this committee is to do, to find out how we build the climate that allows that kind of innovation.

The issue here is about consumer confidence and the threat of data breach. Those are the issues I think we need to look at. When we ran our magazine, our database was our commodity. That was the value of our work. It's what allowed us to do value-added sales. We had many groups offer to buy this data from us, but it was an issue of trust with the people who purchased our products. They were our subscribers. We kept that.

If someone had wanted to breach that data, they would have actually had to break into the house, steal the computer, and then they would have gotten it. Now, however, in terms of what's online, it seems that when we have this discussion about informed consent, we're talking about an understanding of an old style of business model—you click on something, and it's about a commercial relationship or a sharing of information—but in the age of big data, it's a question of function creep. It's so easy to access data. You can access data through algorithms just casually. This is the concern.

My concern is about a breach of consumer confidence. For example, if I'm at a café and I use their WiFi, there's an agreement. I sign that yes, I'll abide by the rules. But we had the case with Google Street View going by. They were gathering WiFi hotspots, and that was a good business model for them. But there was the whole matter of load data that was collected as well, which could include e-mails, medical records.

I didn't sign on for that in giving initial informed consent. The people who gathered that data might not have even been looking for it, but the data is gathered up.

So, Mr. Everson, how do you see establishing some kind of framework to ensure that consumers have confidence, that the model is able to develop, and above all, that data breaches—because they would affect people's security—don't happen?