Information & Ethics Committee on Oct. 16th, 2012

In what context are we talking about? Are we talking about in social media?

Well, it depends on whether or not you are a social media platform or not. We've been talking about Facebook a lot. Obviously, Facebook has quite a bit of data and has all of your profile information. They have that information.

I certainly don't speak for Facebook, but my understanding is that for the most part, they keep that data to themselves. It's their greatest asset, it's not something—

What they provide to marketers is access to the platforms. They'll say to the marketers, “We won't give this to you, but you tell us what kind of people you want to hit, for example, members of the ethics committee, and we'll do our best to direct your ads to those people.”

A similar thing is, if you are the marketer, obviously, you won't have that information. You will indicate your target group and say that you're looking for certain characteristics. Then a social media platform will do its best to display it to those people. Certainly, the advertisers don't have access to that.

It's hard to generalize, but for the most part, that is true. Again, that's a big piece of what the business is for those companies. Once they hand over that detailed information to another party, putting aside the privacy issues involved in that, they've given away the store, in a way. That's their main selling point.

Thank you for the question, Mr. Andrews.

I can't speak specifically to their activities in other countries.

The Facebook class action was a worthwhile exercise, during which we had developed changes in response to the different treatment that Facebook had of user data. I have noticed a tendency that Facebook, to my mind, seems to introduce a set of changed conditions and terms; they respond to the public response to the changed conditions and terms and roll it back, and then at a future point, those terms may be reintroduced.

They set the bar at a level. There's public response and a backlash. Then those terms and uses sometimes end up working their way into the Facebook system regardless.

I do think that greater legislation is required in order to effect meaningful consequences for these companies.

That's a subject for a very lengthy debate on which we could canvass. I had at first thought about studies just like this one. I also had thought about reaching out to industry as one way to do it, and to see different ways that they could allow for people's privacy.

I guess what I don't want to see is a wholesale exposition of data that's offered by Canadians to these companies in good faith and that's subsequently used for unintended purposes. I think that's something that should be looked at by Parliament to craft an adequate response.

The choice of jurisdiction clause is something that should be boiled down to simply saying that [Technical difficulty--Editor] afforded to you in Canada may not exist should you choose to enter into the service.

Facebook at one point was criticized, as our earlier witness stated, for having terms of service that were as long, if not longer, than the Declaration of Independence.

I think that key primary points should be addressed. If a pop-up occurs in a window, the key primary points as to how that will affect the user in very short language should at least inform the first part of that pop-up. A lot of times what happens is that the entirety of the terms and service changes are reproduced within that pop-up window, and the “accept” button is featured when the pop-up window occurs. You can click “accept” without necessarily scrolling down through the multitude of terms and changes to the conditions that occur. I know that there was technology employed at one point that required the user at least to scroll down to say that they had looked through the terms—they'd had a cursory glance—before they could click accept.

I do think that simplification exists.

That is a complex issue. I think that the primary terms that affect the change should be reduced.

I think that users have a number of means of control on the Internet. Some of those controls are featured in browser preferences. For example, you can set up browsers for various safe zones to reject or accept certain cookies and other types of information. When users are using the Internet, when they're using a social media application, they certainly have control over what they post, how they post it, whether they put in their full birth date for example and put it on their homepage, and whether they make that viewable by anybody who is surfing the Internet.

Moving forward, and I don't know whether you heard about this when you were in Washington, there are initiatives looking at things like interest-based advertising in the U.S.A. which we're working on bringing to Canada and Canadianizing. This is the Digital Advertising Alliance, DAA, initiative. Sometimes when you're surfing you may see a little triangle with an “i” in it on an ad. You can click on that and it will give you information about why you're seeing that ad, why it's being displayed to you.

It will also give you options to go to a centralized page where you can choose whether or not you want it to be placed in cookies on your machine to give you that kind of targeted advertising. It gives you quite a bit of choice as to whether you don't want to receive any or you don't want certain companies sending you targeted ads and collecting information. There's quite a bit of leeway for user choice.

Coming back to the simplicity of the picture example, I would have concerns about unforeseen uses of data that can potentially occur. The general rule is that once you've shared information on the Internet, it's difficult to guarantee that you'll have any right of retrieving that information; it could very well be out there for good. For example, if a user shares information through Facebook and Facebook has a third party application that's engineered and the user subsequently enters into an agreement to allow that app to use the data that the user has provided, what guarantee does the user have that the third party application developer won't necessarily go rogue?

There's a different transit of information. There's a transit from the user of that picture to Facebook, a use by the third party application developer of that photo. What does the third party application developer ultimately do with that photo? What uses could that have that are outside of Facebook's ability to recall and outside of the user's ability to retrieve? That would be a concern that I would have.

Yes.

Some models are being developed. Unfortunately I cannot remember its name but one developer is trying to develop a kind of control panel on the flow of information so the user, not social media, would control and own information. Technically all this is using Turing machines. They are machines that could apply any kind of algorithm you could imagine. Technically it is possible to conceive alternative models.

The issue is how we get there and that's clearly from the existing framework. Right now it's wide open, and we don't want to infringe on innovation.

Theoretically it is possible. People are working on it, but I know of no one who knows the road to get there to achieve this.