Evidence of meeting #102 for Access to Information, Privacy and Ethics in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was election.

A video is available from Parliament.

On the agenda

MPs speaking

Also speaking

Colin Bennett  Professor, Department of Political Science, University of Victoria, As an Individual
Thierry Giasson  Full Professor, Department of Political Science, Université Laval, As an Individual
Maxime Bernier  Beauce, CPC
Marshall Erwin  Director, Trust and Security, Mozilla Corporation

9:35 a.m.

Liberal

Raj Saini Liberal Kitchener Centre, ON

After reading your article, I noted, and you reiterated the same point, that there is an increased attentiveness when you see negative ads. Right now we see a lot of negative ads circulating on the Internet.

There are a couple of pieces that I want you to comment on, to see what sort of reaction these extreme ads would provoke. I was in Latvia, travelling on a different committee, prior to the deployment of Canadian forces there. One of the things we were briefed on was that some disinformation would be occurring and to be aware of it. We've seen examples on the Internet where Canadian soldiers are being accused of doing certain things, which is total disinformation. We also saw that in Nigeria during the election campaign, where some very horrific images were used against one political party.

If negative ads are increasing attentiveness, what kinds of reactions are they going to provoke in the people who watch them?

9:35 a.m.

Full Professor, Department of Political Science, Université Laval, As an Individual

Prof. Thierry Giasson

It focuses our attention, but that often quickly triggers mechanisms to protect our partisan opinion.

When shown an election ad that attacks the party that the person intends to vote for, or that they belong to or campaign for, ego protection mechanisms are activated in people's cognitive processes to deconstruct the argument presented. This focuses our attention and triggers a stronger cognitive process, but there is not necessarily a ripple effect. If the ego protection mechanism works, it will instead lead us to establish our partisan position more firmly and protect us from the potentially persuasive effect of the advertising.

Of course, I have not studied the cases you mentioned so I could not comment on them. In the case in Africa that you mentioned, we could assume that the citizens who support the party being attacked will use an argument, more or less consciously, to protect their political convictions concerning the party under attack.

9:35 a.m.

Liberal

Raj Saini Liberal Kitchener Centre, ON

Do I have any time?

9:35 a.m.

Conservative

The Chair Conservative Bob Zimmer

You have two minutes.

9:35 a.m.

Liberal

Raj Saini Liberal Kitchener Centre, ON

The reason I was interested in your paper—and Mr. Bennett can also comment on this—is that we have a realm called the Internet and as technology gets more specific, there is more micro-targeting of certain individuals with the information we have. My concern is whether that micro-targeting can be used in an extremely negative way to influence someone to do the wrong thing, whether it be terrorist activities or other things. How worried should we be that this micro-targeting can influence someone, as you said, in a heightened response, heightened attentiveness? Is there something we can do? What is your advice? Is that a worry for you also?

9:40 a.m.

Professor, Department of Political Science, University of Victoria, As an Individual

Prof. Colin Bennett

I think we have to make some distinctions between forms of micro-targeting. Of course, the more innocuous form is where particular segments of the population are singled out for messaging about a particular policy proposal. On the face of it, there is nothing particularly controversial about that. I would just point out that the actual business model of Cambridge Analytica was based on the belief that different individuals, with different psychological characteristics, would respond emotionally in different ways to similar messages about policy, both negative and positive. Most Canadians would find that something we do not want in this country.

One key to it is advertising standards, so that's part of the picture, but of course another key to it is what political parties can and cannot do in using commercial sources of data and these companies in their campaigning. It's a complicated picture involving different sets of legislative standards in Canada, as well as different institutions.

9:40 a.m.

Conservative

The Chair Conservative Bob Zimmer

Thank you, Mr. Saini.

Last up, we have Mr. Bernier, for five minutes.

9:40 a.m.

Maxime Bernier Beauce, CPC

Thank you, Mr. Chair.

My question is for you, Mr. Giasson. In your opening statement, you mentioned that democracy has evolved and that political parties now use somewhat more sophisticated data to achieve their ends. Before that, there were polls. Actually, parties still use polls to gauge what's popular and what isn't with a view to being elected and better representing their constituents. That's part of democracy. Wanting to know which policies are supported by the electorate in order to win elections and better represent it can be seen as a positive for democracy.

Normally, polling companies have to state who they are when surveying the population. Respondents know the name of the company conducting the poll and for which political party they're doing it. Today, things are more complex. The Internet and social media are sources of information from which to develop more targeted policies. This can lead to better representation.

The issue you raised relates to lack of transparency. People don't know that, in order to win elections, political parties use information to “better represent them” and bring forward policies that suit their needs.

What are the best practices in the area? The issue of transparency came up earlier. What can we do to ensure greater transparency so that political parties can keep polling their constituents—which, again, is a positive for democracy? What federal legislation or regulation needs amending so that people know what's what whenever they click on an online petition or what have you?

9:40 a.m.

Full Professor, Department of Political Science, Université Laval, As an Individual

Prof. Thierry Giasson

Your use of quotation marks around the notion of better representing people is significant, as it's really a matter of perspective. Some would say that the data isn't used to represent people, but rather to better target them. After all, we're only really talking about “some” citizens. You're playing semantics a bit, Mr. Bernier. We're not talking about the electorate as a whole.

You know just as well as I do that, when the leader of a political party addresses the Canadian people, they aren't talking to each and every Canadian man and woman, but indeed to a particular segment of the population, about issues that matter to those voters. They aren't really talking to however many Canadians are not in that particular segment. The analyses of polling data and personal information show that those other Canadians are much less likely to react positively to the party in question. So, we're playing semantics a bit, but the quotation marks you used in your remarks are very significant.

Data are in fact being used and transparency is therefore of critical importance. It lies at the heart of the issue we are facing today. The Canada Elections Act needs an overhaul to address, on the one hand, the issue of how political parties can collate data, and on the other, the whole question of research. The act allows political parties to spend money on research during a campaign, but it doesn't clearly define what is meant by research.

If we decide to allow political parties to compile personal information on voters in Canada, the issue needs to be well defined according to specific parameters, in the Canada Elections Act as well as in the Privacy Act.

We will need to make political parties subject to the regulations governing privacy protection and management of personal information. There is legislation on the books that restricts the types of related activities that different kinds of organizations can engage in, but it doesn't apply to political parties. These need to be brought back into the Canadian regulatory framework so that we may restrict what they do with their information and ensure that it complies with the basic principles of the Canada Elections Act. We also need to develop mechanisms that would ensure greater transparency within political parties.

Earlier, in response to a question posed by your colleague Mr. Kent, I gave the example of someone who accesses the Conservative Party of Canada's website. Whenever someone accesses your or any other party's website, a little window pops up to welcome them, asking for their e-mail address, and even their phone number and postal code. The data is then collated, but no one tells us what it will be used for. It would be easy to have a little dialogue box pop up with “Yes, I agree” and “No, I disagree” options that would alert the constituent as to the possible ways in which the political party in question might use their information.

It's still a bit like the wild west right now; we don't know what you're doing. That's why we need to make some key information available to people, but also to ensure that political parties are subject to new elections and privacy regulations.

9:45 a.m.

Beauce, CPC

Maxime Bernier

I have a quick question for you.

In order to win elections in the future, will political parties have to increasingly target special interest groups, lobby groups, or Canadians who want to gain specific advantages from the government? Is that the future of politics or can a politician have a future by advocating for broader policies without targeting lobby groups?

9:45 a.m.

Full Professor, Department of Political Science, Université Laval, As an Individual

Prof. Thierry Giasson

One does not preclude the other.

9:45 a.m.

Conservative

The Chair Conservative Bob Zimmer

Could we have a very brief answer, please?

9:45 a.m.

Full Professor, Department of Political Science, Université Laval, As an Individual

Prof. Thierry Giasson

I can say that all political parties, including yours, already do that.

9:45 a.m.

Beauce, CPC

Maxime Bernier

Thank you.

9:45 a.m.

Conservative

The Chair Conservative Bob Zimmer

Thank you.

The last question goes to Mr. Baylis.

9:45 a.m.

Liberal

Frank Baylis Liberal Pierrefonds—Dollard, QC

Professor Bennett, you put up three policy ideas. The first one, as I understand it, is that our Canadian policy should be in line with the GDPR. The second one is that you'd like to see political parties brought under PIPEDA. What was your third point? Did I understand correctly that you would like to see a voluntary code of ethics? Is that what you're proposing?

9:45 a.m.

Professor, Department of Political Science, University of Victoria, As an Individual

Prof. Colin Bennett

I think legislation is necessary, but I also think that it requires some analysis. PIPEDA applies principally to commercial organizations. Political parties are not commercial organizations. There is an argument that at the moment when political parties are purchasing data on consumers commercially, they are indeed subject to PIPEDA to the extent that they are engaging in those transactions, but that might be contentious.

My point is that there are four ways to get here. There are at least four legislative regimes: the Canada Elections Act, the Privacy Act, PIPEDA, and stand-alone legislation. PIPEDA provides the principles, but I'd like to see the Privacy Commissioner do some analysis on this and come out with some recommendations, perhaps jointly with the Chief Electoral Officer. That's going to take some time. In advance of that, I would like to see the political parties declare publicly that they comply with the 10 privacy principles in the national standard. I think the NDP has already said that publicly, but I'm not entirely clear.

The final point I'd make is that when it was revealed that Mr. Wylie had worked with the Liberal Party, there was immediately a debate in the media about that. That led to responses from the different political parties about what they do and do not do. The process has already begun in terms of becoming more transparent, and I would like to see that extended so that every political party takes a good, hard look at what political data it captures on Canadians and how it captures it online and off-line, and do exactly the same kind of good due diligence privacy management that is expected of the commercial sector.

9:50 a.m.

Liberal

Frank Baylis Liberal Pierrefonds—Dollard, QC

Just a simple thing, then, do you see a pledge to follow the principles as an intermediary step before we get around to proper legislation?

9:50 a.m.

Professor, Department of Political Science, University of Victoria, As an Individual

Prof. Colin Bennett

I would like to see a code of practice. This was actually recommended by the Chief Electoral Officer in his report a few years ago. Compliance with that code of practice would be a condition for receiving the voters list.

It's an interim step. I don't think it is enough, because a third party, such as the Privacy Commissioner, would need to have the ability to investigate if there are complaints. However, I don't see why that couldn't be done initially. If I understand what Minister Scott Brison said publicly, the government is looking at that option, and I think it would be an interesting first step.

I would also emphasize what I said about British Columbia. I think there is going to be increasing pressure on political parties in B.C., because of our law, to comply with the legislation here. If that occurs, it only makes sense for political parties to comply with the same standards across the rest of the country. It shouldn't be difficult and it shouldn't be contentious, but I realize that this has been said about other issues.

9:50 a.m.

Liberal

Frank Baylis Liberal Pierrefonds—Dollard, QC

Thank you.

Ms. Vandenbeld, go ahead.

9:50 a.m.

Liberal

Anita Vandenbeld Liberal Ottawa West—Nepean, ON

Thank you.

Mr. Giasson, I believe you were talking about the GDPR, and one of the elements was algorithmic transparency. Can you explain how parties are using algorithms and what that transparency would look like?

9:50 a.m.

Full Professor, Department of Political Science, Université Laval, As an Individual

Prof. Thierry Giasson

It was Mr. Bennett who was talking about the general data protection regulations in his presentation. I talked about algorithmic data analysis in my presentation.

As I explained, the parties collect data from various sources. The aggregate data is entered into a data base and then run through algorithmic processes, statistical analysis for social sciences, and logistic regressions. The co-occurence of a certain number of socio-demographic and political characteristics are identified in order to create voter profiles.

We determine the connections between these various voter profiles and those who traditionally vote for the party. The data base provides the parties wtih information on their own voters. That helps them to determine the profiles that line up most with their voters from a socio-political perspective, and then choose the voter who might potentially vote for them if the party puts forward certain policies.

The algorithms are there to process a disparate volume of data and give them meaning in order, in fact, to make it possible to profile voters. Essentially, that is now the focus of the digital strategists, software engineers, or computer scientists who work for political parties.

9:50 a.m.

Conservative

The Chair Conservative Bob Zimmer

Thank you, Ms. Vandenbeld.

We're definitely at time or a bit past, because we started a little later. I want to say thank you, especially to Mr. Bennett, who is surprisingly fresh being up testifying at 5:45 in the morning. As well, Mr. Giasson, thank you for appearing before the committee.

We're going to suspend for about five minutes until we bring in the next witness. We're also going to grab some time for committee business at the end.

9:55 a.m.

Conservative

The Chair Conservative Bob Zimmer

I'd like to welcome everybody back to the Standing Committee on Access to Information, Privacy and Ethics.

Now we have before us the Mozilla Corporation, which is being represented by Marshall Erwin, director of trust and security.

Mr. Erwin, go ahead for 10 minutes.

9:55 a.m.

Marshall Erwin Director, Trust and Security, Mozilla Corporation

Thank you.

Today is a challenging time for the Internet, particularly as it relates to the collection, use, and sharing of people's personal information from the web. These challenges are demonstrated by the breach of trust involving Facebook and Cambridge Analytica, but they are not unique to those companies.

We as an industry, in partnerships with governments and committees like this one, have a responsibility to build a healthier Internet ecosystem that gives people meaningful control over their privacy. Mozilla appreciates the seriousness with which this committee is taking this issue, and we thank you for inviting us here to express our views.

My name is Marshall Erwin. I am the director of trust and security at the Mozilla Corporation. My role primarily involves working with our product and engineering teams to understand the privacy properties of the Firefox browser to make sure that, within that browser, we are practising the same principles that we preach on a day-to-day basis regarding privacy.

First, I am going to talk about Mozilla's approach to privacy, and then I'll talk a bit more generally about our perspective on where the industry is.

Mozilla is a mission-driven organization dedicated to creating an Internet that truly puts people first, where individuals shape their own experience and are empowered, safe, and independent online. That commitment to our mission is why, when the story regarding Facebook and Cambridge Analytica first broke, we made the decision to pause our advertising on Facebook. That advertising remains paused today.

That commitment to our mission also lives within the Firefox browser that we produce and that is used by hundreds of millions of people around the world. We practise a set of data privacy principles within that browser that shape the data collection we have.

Firefox is essentially your gateway to the Internet. As such, the browser, the piece of software that runs on your computer or your phone, will manage and have access to a lot of sensitive information about you and about the websites you visit. That is information that stays on your device; Mozilla does not collect it. As a browser-maker, we actually don't know very much about how our users browse the web or about their interests. That is a big challenge for us, but it's also by design. If you are using the Firefox browser to do something sensitive or personal, you can have confidence that Mozilla is not going to learn about that.

Mozilla does collect a limited set of information from the browser by default to help us understand essentially how people are using the technology. This is information, for example, about the types of features you use in the browser, but it is not about your web-browsing activity itself, which is an important distinction that we make.

Mozilla has a set of policies and processes in place to govern the data collection we have. I can talk about these in a lot more detail, but what I think is important for this committee to understand is that it is possible to build a product that hundreds of millions of people use that collects some data by default while respecting the users' privacy and not putting that privacy in jeopardy. That is what we have done at Mozilla with the Firefox browser.

It can be difficult to find the right balance between privacy and the features that people want. This is not easy. We believe that we strike the right balance with the browser. Unfortunately, that is not where the rest of the industry is today.

Let's talk a bit about the technology industry, where it is doing well, and where it needs to improve.

The technology industry, especially its biggest players, is doing a decent job providing people with privacy controls. If you are a Facebook user and you care about your privacy, you can take steps to limit what data the company retains and what data it shares with others. However, the industry is coming up short in three areas that I want to call your attention to.

First, those privacy controls are often buried and difficult to find. The industry does not proactively help people understand and use their privacy settings. As a result, Internet users might have technical privacy controls, but they do not have meaningful control over their privacy today.

Second, the default state of those controls is not reasonable and does not align with users' expectations of what will happen when they use a product or a service. Users are defaulted into the collection and sharing of sensitive data. This violates what we call the sensible settings principle that we practise within Firefox. These sensible settings do not exist for much of the technology industry today.

Third, the data collection and sharing that are tied to those privacy settings are still expansive and permissive. The basic limited data principle—again, one that we practise within Mozilla—is not one that is followed by the industry.

If you examine the issues regarding Facebook and Cambridge Analytica, you will find that all those issues are at play.

I want to call the committee's attention to one specific issue that deserves further consideration, which is the collection and use of people's browsing activity as they navigate the web, sometimes referred to as cross-site tracking on the Internet. This type of activity is often associated with the Facebook's Like button.

If that button is on a website that you visit, and irrespective of whether you click that button, Facebook may collect data about the page you visited and use that data in targeted advertising.

The three problems within the industry that I identified are all still present here. Internet users do not have meaningful control over this tracking activity, nor do they even understand that it exists. The default is to track users across the web, and there are few limits on the data collection through that tracking. This tracking is a problem. It creates privacy risks and it undermines the basic trust that people have when they go online today.

Facebook argued before the U.S. Congress two weeks ago that its cross-site tracking activity is no different than what companies like Twitter, Pinterest, and Google do every day. Facebook was right about that. This is a common tactic across the industry and is not unique to Facebook in any way. However, we are at an important inflection point. Organizations like Facebook should be asking what they can do to lead the industry to some place that does not involve tracking people across the web without giving them meaningful control over that tracking.

There is a critical role for committees like this one to play in pushing Facebook and other companies to explain their cross-site tracking activity, to state plainly whether they believe their users understand and have meaningful control over that tracking, and to articulate what they are doing to lead the industry to a better place on this issue.

Again, I want to thank the committee for inviting us here today. I look forward to answering any questions you may have on Mozilla's overall approach to privacy or the perspectives that we have on the industry.