Information & Ethics Committee on Nov. 20th, 2012

Good afternoon, Mr. Chair, and my thanks to all members. I appreciate the opportunity to present at this committee.

My name is Karna Gupta. I'm the president and CEO of ITAC, which is the Information Technology Association of Canada. We represent 350 or more companies across the country, but 65% of our members are SMEs.

The ICT industry produces today about $160 billion of revenue for the country, and we make up probably 750,000 ICT and related jobs. It is a key to the future growth of the Canadian economy across all sectors. ITAC has long advocated a comprehensive digital economy strategy to improve Canada's growth and prosperity.

Today I want to talk about three key pillars of that strategy in the context of privacy policy.

First is innovation. When it comes to social media, we have only scratched the surface in innovation and spinoff benefits for consumers and businesses. Protecting personal information as this unfolds is essential. We need to find the best way to do this while promoting innovation and growth. Smart regulation is the second pillar of our strategy. The third is digital literacy. We need a national, digital skills strategy to help Canadians learn to use the tools for the 21st century effectively and safely.

You have probably heard a lot about Canada's innovation gap. The ICT investment gap between Canada and the U.S. is widening. The labour productivity gap between Canada and the U.S. persists at 10% to 20%. In a 2012 World Economic Forum report, Canada fell in the innovation ranking to 21st place from 15th the year before. No other top-ranked country dropped that much.

What does social media have to do with all of this? The adoption of ICT is the key driver for productivity, and the popularity of social media like Facebook, Google, or LinkedIn has spurred a tremendous amount of ICT development in all sectors. It shows an amazing potential for increased productivity and social change.

Let's look at some of the economic numbers. The World Economic Forum in 2012 ranks Canadians in 13th place in Internet use but in 6th place in the use of social networks. It is estimated that by the end of this year 60% of Canadians will own a smart phone, a rise in phone ownership largely driven by the use of applications and social media.

Canadians are adopting the technology, and we're well placed to capitalize on it. As for growth potential in the related industries, all of the current research predicts that Canada will add 70,000 jobs by 2015 as a direct result of cloud computing and more cost-effective ways of storing data.

One of the most promising spinoffs for Canada is data analytics, the ability to interpret large quantities of information and seize the market opportunity to solve social problems. It is estimated that the worldwide market for these services will grow to $15 billion to $20 billion by 2015. Canada has strong expertise in this space. For example, the Ontario Centres of Excellence along with the federal government, IBM, and seven other academic institutions have set up a virtual network to help small and medium enterprises manage the data sets to solve critical challenges. In Vancouver, police use data analytics to coordinate leads and resource deployment to improve public safety. They claim that property crimes are down as much as 24%.

Companies use data analytics to outperform their competitors and seek higher profits. Based on a recent survey, most companies that use cloud-based solutions outperform their peers by 68%. That's the link to productivity. All of this social media and social networking that spurs innovation drives productivity.

This is also a highly mobile and a global industry.

Our digital economy strategy needs to ensure that Canada is a destination nation for business to grow and prosper because the jobs and the economy we are talking about are highly migratory. They will go where all of the conditions are right. One important factor in ensuring this growth is a regulatory environment that supports what we call smart regulation.

Let's talk about some of the issues around privacy. Canada's current privacy framework is seen as a model by several countries in the world. It does a good job in the crucial area of protecting personal information and promoting innovation. Our members and a number of other sources tell us that the framework works well because it is principles based and it's neutral across technologies or business sectors. They say that the current framework adapts to the fast-changing area of social media and related industries where we cannot anticipate the future applications. It is very critical to underscore that we cannot anticipate a lot of the future applications. They also say that consistent rules across all sectors are better for investment and compliance by companies.

What do we have here? It promotes innovation by allowing collaborative and constructive dialogue with the Privacy Commissioner. New features come into play. This does not happen in the EU where the rules are more prescriptive. In fact, a study by one Harvard academic has found that the EU rules have led to reduced venture capital investment into companies that use online data.

Also, it's effective. The Privacy Commissioner's guidance, rulings, and impressive collaboration with her international counterparts has achieved a real change. It shows by the strong social media adoption rate in Canada. Ranking number six in the world is quite impressive.

Finally, I want to say a few words about digital literacy, another important pillar of our digital economy strategy.

To grow and prosper, Canadians need the skills to make effective and safe use of digital data. Our members play an active role in this. I also want to applaud the Privacy Commissioner for her active role in educating Canadians on the use of online media. There is an excellent opportunity to leverage existing organizations, like ITAC, to help build on this outreach program. We can be used as a portal to help IT businesses, especially SMEs, to understand and comply with the privacy rules.

In closing, Mr. Chair, the protection of personal information is extremely important and I know that our members take this very seriously. At the same time, Canada needs a digital strategy that promotes innovation and encourages businesses to locate here and grow here. As l have described, social media is helping to drive a number of our new and related industries in Canada, which shows great potential for our economy. It's at an early and fragile stage. We need to ensure that we have an environment that fosters these industries in order to realize that potential.

I thank you for your time, Mr. Chairman.

Thank you, members, for the opportunity to present to you.

Good afternoon, hon. members of the committee.

My sincere thanks to you for inviting me here, today. It is both a pleasure and an honour to say what I came here to say. I think this is a particularly important and current topic. It is urgent that we take a consistent approach to deal with this issue in Canada.

Before I begin, I would just like to reiterate that this presentation is both mine and Professor Leslie Regan Shade's, from the University of Toronto, with whom I prepared the brief that was submitted to you. So I speak for both of us, and I have no intention of taking credit for the work that we did jointly.

As you know, the right to privacy is a human right that is absolutely essential. This right entails important concepts such as human dignity, reputation, honour and joie de vivre. Equally essential, the right to privacy is closely connected to the rights and freedoms that are critical to safeguarding our democracy. These rights include the right to freedom of expression, the right to freedom of association and peaceful assembly, and, of course, the right to participate in public affairs.

It is generally acknowledged that the right to privacy has four broad dimensions. The first dimension is preservation of anonymity, meaning that a person is not identified or identifiable. Second, we have freedom from surveillance, which means not being monitored or watched by external entities. The third dimension is the preservation of a private space, which has to do with having a space deemed inviolable, a sanctuary. The fourth and last dimension of the right to privacy is obviously everyone's right to have access to sound management of personal information. It has to do with an individual's ability to control access, circulation, sharing and accuracy of their personal information.

It does not come as a surprise when I say that the development of social media raises major problems for each of those four dimensions. That being said, our presentation today essentially focuses on the fourth point, the management of personal information, which is quite clearly considered as a fundamental component of the right to privacy.

The protection of personal information calls for nine specific criteria to be applied. Everyone about whom information is collected should: be properly informed that information is being collected; voluntarily participate in the collection; be able to identify the actors who are collecting the information; know the ways in which the information is being collected; be able to identify the nature of the information collected; know what uses will be made of the information; be able to identify the actors who may have access to the information and the rules that govern the confidentiality of the information; be able to assess whether the information is properly protected; and be able to access the information collected and rectify or remove personal information collected elsewhere.

We feel that those nine criteria should be used as benchmarks for assessing the measures taken by social media sites in order to protect the personal information of Canadians. But we are seeing many problems with that. One of the main issues with the protection of personal information on social media sites is the proliferation of standards and protection policies in relation to privacy. We are concerned about the lack of an exhaustive, clear and consistent framework that provides social media users with a set of clear standards on the protection of personal information. Users would then know what their rights are, regardless of the platform or social media they choose to use.

That is why we conclude that it would be fully appropriate for authorities in charge of the protection of privacy in Canada to draft and adopt a social media site privacy charter, in partnership with Canadian civil society. All social media that have activities in Canada should comply with the charter.

If time permits—please stop me if that is not the case—I will conclude my presentation by describing all the elements that, in our view, should be included in that type of charter.

For now, I would like to talk about the problem relating to the protection of personal information on social media sites. We believe that this problem has three parts and that it largely stems from the business model preferred by social media sites.

We believe that this problem has three parts and that it largely stems from the business model preferred by social media sites.

Generally speaking, a social media site can create value and generate profits by monetizing its users' personal information. That is usually done in two ways: by charging interested individuals and businesses a fee to access the personal information of users and to interact with them—that is the model preferred by dating sites and some professional networking sites—and, more recently, through advertising offers that rely on collecting, handling and analyzing personal information available on social media sites.

A social media site like Facebook aggregates an audience and it sells it to advertisers. That is its job, its business model. The specific nature of the product offered by Facebook to its clients truly relies on its ability to provide marketing and advertising products that are tailored to the tastes and preferences of every user. In other words, personal information is currently a currency of exchange between users, social media sites and their business clients. Any changes in the practices that govern the collection, analysis and handling of personal information therefore have a direct impact on service delivery and, in turn, on the revenue generated by businesses that use social media sites.

In terms of the protection of personal information on social media sites, we have identified three components that each come with specific problems. Let us give you a quick overview.

The first component has to do with collecting, handling and sharing personal information. In this regard, we have observed the following problems.

First, minors, and more specifically children, are always vulnerable to the personal information collection processes used by marketing agencies. The development of games, interactive applications and marketing processes on social media is extremely attractive to children, who do not have the tools they need to effectively protect their own privacy. To our knowledge, there is no legislation in Canada to protect minors' personal information online from violations by commercial actors.

Second, we are seeing an explosion in personal information collection and handling policies. Application and game developers are investing massively in social media sites. All these developers and marketing agencies have their own confidentiality and privacy policies. The rise in contractual agreements with social media users, resulting from the incorporation of applications in social media sites, makes it difficult for users to know exactly to what extent and which parameters are being used to protect their personal information.

In addition, on certain social media sites, we are observing the absence of real control available to users for identifying and selecting the third parties that will be able to access their personal information and, where applicable, for determining what information is collected and denying permission to transmit that information. Once you agree to have an application on your Facebook page, it is very difficult to determine what the developer of that application will do with your personal information and who they will share it with. It is very difficult to maintain control over that information.

There is also an absence of exhaustive studies of the risks that the new cross-tabulation and facial recognition techniques present for privacy and personal information protection. In other words, most users now have a number of accounts open on various social media sites. Each of those sites has its own purposes, its own objectives, and users have to figure out which confidentiality policies seem to best meet their needs.

The risk is that, with the new techniques for cross-referencing data, you can track an individual's entire private life by multiplying the inquiries done on social media sites the user visits. The danger is there, and the problem is growing.

Finally, we are seeing that social media sites are vulnerable to cyber attacks. For example, in June 2012, LinkedIn had six million user passwords stolen. In 2011, I believe, someone got access to the account of the Facebook president and founder and managed to reveal his most intimate photos in an entirely public manner. The issue of privacy on social media sites is not at all regulated.

The second aspect of our brief and my presentation has to do with the information available to users on changes to the collecting, handling and sharing of personal information.

In that respect, we are seeing that the problem is that there is a real lack of transparency about the real and anticipated effects of any change to the confidentiality parameters relating to the privacy of users who have accounts on social media sites.

In the past few years, changes to the confidentiality parameters, which are often made unilaterally, have led to deep controversies and resistance within the user communities, have been of concern to privacy rights organizations and have led to class action lawsuits.

Imposing changes to the confidentiality parameters on social media sites poses three very specific problems for users.

First, it deprives users of the ability to determine themselves the level of protection they want to apply to their personal information.

Second, the many changes to the confidentiality parameters generates real confusion over the years for users and decreases their trust in the privacy policies in effect on social media sites.

Third, unilaterally imposing changes to the confidentiality parameters on social media sites shows the lack of healthy and productive dialogue between users and managers of social media sites on the issue of privacy.

The third and final aspect of our brief focuses on education concerning the risks associated with social media.

Yes, fine.

To conclude, there are basically six risks and pitfalls associated with disclosing personal information on social media sites: psychological and sexual violence, particularly targeting minors; cyberbullying, particularly targeting adolescents; re-identification, meaning the loss or absence of anonymity on social media sites and the disclosure of information deemed to be private or confidential; identity theft, which is a growing concern; employment-related dangers and risks; and lastly, multiple attacks on honour and reputation.

In short, the problem is that for users to be able to coherently determine the parameters related to their privacy requires a very high level of technological literacy. Actually, only people who have the cultural, socio-economic and educational resources necessary are currently able to make enlightened choices about social media. The problem is that two classes of users are being created: one class of users who have the skills required to manage their privacy, and one class of users who are at risk of having their private life disclosed without their consent to various parties and third parties.

If you have any questions during the question period about the principles of the social media site privacy charter that we would like to see established in Canada, I would be pleased to answer them.

Thank you for your attention.

Thank you for your question.

I know you attended the WCIT in Montreal. As you heard from the rest of the world, we live in an open world, so you cannot control everything and contain it in a lockdown mode. We need to make sure we have the ability to manage the risks that are out there.

The Privacy Commissioner today is doing a very credible job engaging the industry, in setting up what the frameworks are, and what needs to be. The consultation process is ongoing.

If you have specific prescriptive rules of a certain type, what may happen is you might be looking backward rather than forward. You have to change it every so often. This world is moving very fast.

At the same time, you've all heard the terms “crowd sourcing” and “crowd funding”. If you want to spur innovation and growth in the country, you need to allow the digital world to come into Canada, live here, grow here, and nurture industries here. You have to be inviting.

As a nation we need to strike a delicate balance, that we not only create a condition whereby we not only attract companies coming in and businesses grow, but at the same time we make sure we have the right protective tools and the ability to deal with them.

For example, today any Federal Court has the power to award punitive damages if the company is out of line in any area. The Privacy Commissioner could lay down certain rules and guidelines if somebody is out of line. For industry not to be engaging in this conversation and just having a set of rules would be very difficult because again you're looking backward rather than forward.

Digital deliveries need to start at school. We are working with several organizations that are building programs today at a high school level and even at the polytechnic and university level to deal with the digital literacy that young people get into. It is no different from anything else that previous generations have learned.

They need to know how to use the tools and what's important or not important to put into the digital world. Once you put anything out there it almost has a permanent life. That teaching and learning has to get in early, but you cannot quite say you cannot use it.

At a very early stage, schools need to get into how the kids should use an online tool, whether it be games or anything else, their personal information, and what they can or cannot put in.

When I talk to CCICT and other groups that are working in this domain, I hear the generation gap is playing a big role. Kids need to learn. We learned a lot from our own parents, but kids today don't get proper guidance from their parents because they are not quite as literate digitally as they need to be. The generation gap is a huge factor in terms of teaching our children what is appropriate or not in this new digital world.

It is a major issue. Schools, the academics and the educators need to step in to do that, because they don't get that guidance at home. The kids at home get their guidance from across the street, but they don't know how to get online. There is a huge problem in that space.

There are three points I would like to make.

First, there has to be a fundamental change in attitude, meaning, we need to stop seeing privacy protection as an expenditure for social media sites and other organizations. Protecting the privacy of Canadians is a long-term investment that will ensure better trust in the product by users and that makes it possible to drastically reduce the very real risks associated with cybercrime in particular. Protecting everyone's personal information is an investment, not an expense. Once we see the problem from that perspective, we will have already taken a huge step forward.

Second, we are seeing that, in this increasingly digital society, we are quite simply reproducing social and economic inequalities. In fact, the privacy protection problems first and foremost affect all the most socio-economically vulnerable groups in Canada. So it is important to think about privacy as an issue of social and economic inequality.

Third, we need a national privacy protection strategy for the digital era. It should be consistent, involve academics and independent organizations that focus on the issue, but it would also require extensive research, which should be of quality and subject to concrete applications that would enable Canadians across the country to better protect their privacy in a digital environment. Basically, it would be very important to establish this kind of national strategy.

When we talk to our members today, their general commentary is that they're very engaged with the Privacy Commissioner in developing all of the framework. There is no need to put a predetermined fine relative to anything. The courts can do that, if there is something breached, so that authority is already there. The general consensus was that we do not need to create anything different. The Privacy Commissioner has the trust of the industry today and they work extremely well together on an ongoing basis. The industry's view is that they would like to see it stay that way.

I have not seen any data to indicate that at this stage.

That is at the heart of the problem. You are absolutely right. It's extremely difficult, if only because of the volume of data being exchanged and the extensive use of the media today to adopt a perspective that allows us to manage everything. I think what we need, first and foremost, is a set of consistent standards that would serve as a framework and would very clearly require the various players, regardless of their business model, to respect the standards across the country.

In addition, there must be increased accountability of those players to Canadian public institutions. We also need some non-judicial processes—and I stress the word "non-judicial"—to resolve conflicts between users and managers of social media sites. The lines of communication between the people who manage the sites and the people who use them must be improved. The lack of productive and non-judicial conflict management mechanisms create the tensions we are currently seeing.

Above all, it is important for us that users be more involved in the dialogue on privacy issues. They know what problems they are facing and they have solutions. They have brilliant ideas that escape the experts most of the time. Let's start a dialogue with those people.

There is a line to be drawn as to what personal information should not be compromised. The privacy framework we currently have has the principle that certain data should be deleted if it is no longer needed or intended to be used. That was passed by the Privacy Commissioner and most of the companies that are engaged in this discussion. The currency here is trust. They comply with that.

Now, in terms of your other question on how the business model works, we, as consumers, also demand that things be sent to us based on our data. If I'm at the corner of Laurier and some other street, I would want to know where the closest Starbucks is. I would want to know where the cheapest gas is in town. I'm demanding that information on the other end, as a consumer, that the businesses need to send to me.

It is a push-and-pull issue that is playing out here. If all of the data is removed, we, as individual consumers, cannot pull for a certain set of data we need to make our lives easier and to make a certain set of choices, purely from a marketing point of view, from what the companies provide. But there is a set of data that should be on the other side of the line, so to speak, and should not be disclosed. Again, the companies comply. After a time lapse, certain data is not passed on, and some is deleted after that. That line is constantly being negotiated, as we all know, between the Privacy Commissioner and the industry. It's an ongoing process as the market evolves.