Evidence of meeting #100 for Access to Information, Privacy and Ethics in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.)

Also speaking

Kevin Chan  Global Director and Head of Public Policy, Facebook Canada, Facebook Inc.
Robert Sherman  Deputy Chief Privacy Officer, Facebook Inc.

9:40 a.m.

Deputy Chief Privacy Officer, Facebook Inc.

Robert Sherman

Our expectation is we will tell people how we're using face recognition technology. They'll have the opportunity to make one of two choices. The boxes are of equal prominence. One is to say they accept it, and they want to agree. The other is that they want to make a different choice. People will have equal ability to choose either one.

9:40 a.m.

Liberal

Raj Saini Liberal Kitchener Centre, ON

It will just be one step.

9:40 a.m.

Conservative

The Chair Conservative Bob Zimmer

Thank you, Mr. Saini.

Next up for five minutes is Mr. Kent.

9:40 a.m.

Conservative

Peter Kent Conservative Thornhill, ON

Some observers and critics might say the Facebook business plan is out of control. In the absence of the regulations and protocols you're now developing—that Mr. Zuckerberg said in Washington last week the company is now developing—would Facebook consider downsizing or resizing the company to something closer to its original form in order to eliminate some of the issues with third-party advertising and vandals who are abusing the system one way or another with disinformation, or fake news, if you will? It's a serious question. It would be a costly question, absolutely, for Facebook, but might it not be time for Facebook to downsize its business plan to more effectively protect user privacy?

9:45 a.m.

Deputy Chief Privacy Officer, Facebook Inc.

Robert Sherman

It's important for us to invest very heavily in protecting user privacy and, to some of the other questions that have been asked today, to take steps to ensure integrity on the platform. I'd say two things about that. The first is that you're right that we need a focus, and particularly across the company what we've tried to do is to get people who work on our products and services—not in the context of the Facebook platform, which we're talking about today, but in other areas as well—to focus their work on promoting integrity, protecting people's data, protecting people's experiences, and promoting our broader obligation. Certainly we need to focus in that way.

As a part of our broader obligation, looking across Facebook developers and other third parties that we have relationships with, in the category of Mr. Kogan for example, we're going to have to invest very heavily in additional personnel and processes to make sure we have oversight in those areas as well.

9:45 a.m.

Conservative

Peter Kent Conservative Thornhill, ON

Mr. Chan.

9:45 a.m.

Global Director and Head of Public Policy, Facebook Canada, Facebook Inc.

Kevin Chan

One way to look at it and the things that Rob went through in his opening statement is to say that the process we're engaged in is very much locking down the platform. In a way, what you're talking about is making sure certain things.... We already made significant changes in 2014, as Rob mentioned, but even today, subsequent to the Cambridge Analytica news reports, we are doing a whole bunch of things not only retroactively to look at what happened with these apps, but also prospectively to change the way apps work on Facebook and drastically limit the amount of information they can get. That's just right.

The other thing I should just point out is that obviously our CEO has been very clear that this is going to be a significant investment. We expect a material impact on profitability. I think he said that, but I just wanted, again, to make that clear to the committee as well.

9:45 a.m.

Conservative

Peter Kent Conservative Thornhill, ON

Some of my colleagues have been talking today about the complexity and volume of material involved in acceptance clicks and opting in and opting out. For years the voices from academia and the tech world were largely ignored when they cautioned users about the way they access and what they access, and what the contract is when they click the accept box and basically agree to gain a user adventure or a good user application at the expense of revealing their personal privacy in greater or lesser amounts.

Do you think it's time now to simplify the cautions? Or is there a need for greater public education, perhaps even in schools, warning people who are going to use social media about the dangers, pitfalls, and traps they may encounter in rushing to click acceptance to gain use?

9:45 a.m.

Deputy Chief Privacy Officer, Facebook Inc.

Robert Sherman

I think we at Facebook, and actually we as a broader society too, should be investing in more ways of communicating with people about privacy, rather than less. One of the things that I know the Privacy Commissioner of Canada has emphasized is that there are different kinds of uses of information that require different kinds of notice, and some uses are more sensitive than others. I certainly agree with that sentiment.

I think the way we've approached this at Facebook is to provide more detailed information in places like our privacy policy, so that people who want to dig into the details of how information is used and how they can control it can do that, and also to communicate on a day-to-day basis with people outside of the privacy policy, in ways that are maybe more accessible, about specific information, such as how to control who can communicate with you and how Facebook uses information as a part of delivering ads and how you can control that, etc. I think all of those are important.

I think your idea of doing communications within schools or in communities to help people gain literacy and the ability to make choices that are right for them is a thoughtful one, and I think that's something we should take on board.

9:50 a.m.

Global Director and Head of Public Policy, Facebook Canada, Facebook Inc.

Kevin Chan

If I may just add to that, on the specific thing about reaching out to the broader ecosystem and working with partners, certainly we do that in Canada with MediaSmarts, as I mentioned, which is Canada's digital literacy organization. They work closely with schools in classrooms across the country. I think that is an important ultimate backstop.

That's not to say that we don't have responsibility on our part, and I think Rob was very clear. Not only have we historically done this, we're doing more. I think the recent controls we've announced make it even easier. Before this, I think you had to go to potentially up to 20 different screens to control your experience on Facebook. We're now centralizing all of that in one map, if you will, where you can play with all the dials and have complete control over your experience and your privacy on Facebook.

We completely agree that it's very important, and we are moving to roll that out, not just in Canada but around the world.

9:50 a.m.

Conservative

Peter Kent Conservative Thornhill, ON

Thank you.

9:50 a.m.

Conservative

The Chair Conservative Bob Zimmer

Thank you, Mr. Kent.

Next up for five minutes is Ms. Vandenbeld.

9:50 a.m.

Liberal

Anita Vandenbeld Liberal Ottawa West—Nepean, ON

I want to thank both of you for being here. As you know, this is really a crisis of confidence that many Canadians feel. It's a medium that we're using in our social interactions and to gather information and news, so I appreciate your answering the questions.

I do have some concerns regarding some testimony that we heard in our last meeting from Mr. Chris Vickery, who is an expert in data breaches. He referenced that there was another Facebook breach involving about 48 million records. He alluded to the point that this could even involve Messenger, where people's most intimate messages to one another in a private setting may have been breached. It was testimony that we heard just two days ago, but are you aware of this potential breach? Is it possible that there could be others?

9:50 a.m.

Deputy Chief Privacy Officer, Facebook Inc.

Robert Sherman

I think certainly we've said that we intend to undertake an investigation with regard to Cambridge Analytica and the situation there. We need to understand what happened and where that information went. If it's still out there, we need to make sure that it's taken care of.

With regard to other situations, I think you're right: it's possible that there are other situations out there. The one that I think you may be referring to is a situation of scraping, where even public information that's available on Facebook and on the Internet was collected by a party. If that was done, that was in violation of our policies, and I think that's another area where we have taken steps but need to take more steps.

I think it's certainly a possibility that there are other incidents out there. It's incumbent upon us to do the work to understand those and mitigate them.

9:50 a.m.

Liberal

Anita Vandenbeld Liberal Ottawa West—Nepean, ON

We are talking about one app that Cambridge Analytica was using for information. There are hundreds of apps. We see invitations every day on our Facebook feeds. You're talking about 272 people who joined one app, and that affected 600,000 people. With all the other hundreds of apps out there, how big might this problem actually be?

9:50 a.m.

Deputy Chief Privacy Officer, Facebook Inc.

Robert Sherman

That's something we need to get to the bottom of. We have undertaken already an effort to look back at apps that would have had access to that level of data prior to locking down our platform in 2014. We're in the process of doing that. We don't have firm answers on exactly what the scale of the problem is at this point, but it's something that we do need to undertake and that we're working to do expeditiously.

In addition to looking backward, we have an obligation to look forward, and that involves really three things. The first thing is making sure we are locking down the information that is available, so going forward, the type of information that was available previously won't be available.

The second thing is, for the limited information that is available, we need to make sure we're exercising effective oversight and that we're understanding who has that information and what they're doing with it.

The third thing, as we've talked about earlier today, is communication. We need to commit, and we have committed, to communicating much more quickly and much more practically with people when these situations arise.

9:50 a.m.

Liberal

Anita Vandenbeld Liberal Ottawa West—Nepean, ON

On the oversight piece, the second piece you mentioned, I noted that in your opening remarks you said that apps that have information will be removed after three months, that permissions will be revoked if it looks as though they're being abused. However, our committee has heard that once somebody has access to this large volume of information about an individual, they can create psychosocial behavioural profiles of that person, so that even, for instance, in the case of Cambridge Analytica, if the information has been returned to Facebook and deleted from the servers, it doesn't matter anymore because they have that behavioural profile, which then could be in the hands of anybody.

How do you prevent that from happening, and how do you make sure that flow of information is stemmed to begin with?

9:50 a.m.

Deputy Chief Privacy Officer, Facebook Inc.

Robert Sherman

There are two answers to that. One is a policy answer, and one is an enforcement answer.

With regard to the policy piece, it was at the time, and continues to be, a violation of our rules for a developer to use information in that way. It would restrict both their use of the information that they directly receive from Facebook, as well as any downstream uses, such as the profiling that you are talking about. Those would both be violations of our rules. We're undertaking to investigate that ourselves.

We understand that the Information Commissioner in the U.K., which has jurisdiction over Cambridge Analytica, is undertaking an investigation, and we're co-operating with that. We understand that the Privacy Commissioner in Canada is doing so as well, and we're co-operating there. We need to co-operate with both of those investigations and understand what's happening.

With regard to enforcement, after the regulators who are undertaking the investigations have told us that it is safe for us to do so, one of the things we need to do is to understand whether any of that downstream data exists. If it still does, we would take the position that it's just in the same category as their earlier data and needs to be deleted as well.

9:55 a.m.

Liberal

Anita Vandenbeld Liberal Ottawa West—Nepean, ON

I have one more question. I know I have limited time, but who owns the data that is put on Facebook? Obviously the public data is public domain, but when you have a message that you're sending to someone, you put your photos to friends and family only, who owns that data?

9:55 a.m.

Deputy Chief Privacy Officer, Facebook Inc.

Robert Sherman

If you put information on Facebook, you own that data, and that is stated explicitly in our terms of service.

9:55 a.m.

Liberal

Anita Vandenbeld Liberal Ottawa West—Nepean, ON

Therefore, you can remove that data at any time, and be notified if somebody else is using that data. Is that something you're looking into?

9:55 a.m.

Deputy Chief Privacy Officer, Facebook Inc.

Robert Sherman

That's correct. If you put data on Facebook and you want to delete it, you can delete that specific piece of data. As we referred to earlier, you can delete your account entirely and remove all the data in your account, if that's what you want to do.

One of the lessons we have learned as part of this is communicating more proactively with people if their data is misused, and that's something that we intend to do as well.

9:55 a.m.

Liberal

Anita Vandenbeld Liberal Ottawa West—Nepean, ON

Thank you. I am out of time, but hopefully I'll get another round.

9:55 a.m.

Conservative

The Chair Conservative Bob Zimmer

Thank you.

Next up, for a three-minute round, is Mr. Angus.

9:55 a.m.

NDP

Charlie Angus NDP Timmins—James Bay, ON

Thank you very much.

We've been talking about the data breach and the corporate culture at Facebook in response to it.

Mr. Chan, I would like to talk a bit about the corporate culture of Facebook Canada, because you're very busy in terms of outreach. You've met with election minister Gould, Minister Morneau, Minister Duncan, Minister Joly, Minister McKenna, and Minister Carolyn Bennett, who said she was absolutely inspired by your wise and frank counsel, which is very impressive.