Evidence of meeting #102 for Access to Information, Privacy and Ethics in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.)

Also speaking

Colin Bennett  Professor, Department of Political Science, University of Victoria, As an Individual
Thierry Giasson  Full Professor, Department of Political Science, Université Laval, As an Individual
Maxime Bernier  Beauce, CPC
Marshall Erwin  Director, Trust and Security, Mozilla Corporation

10:05 a.m.

Conservative

The Chair Conservative Bob Zimmer

Thank you for your testimony.

I just want to say to committee members that, with the time limitations that we have, we have to be crisp. If we go to seven minutes times four, that's 28 minutes.

First, we have Mr. Picard.

10:05 a.m.

Liberal

Michel Picard Liberal Montarville, QC

Thank you for being here.

I'm happy to hear about the way Firefox is working, because I do use Firefox. When I use Firefox, I am just getting at someone else's page. When I end up on Facebook, or Amazon, or whatever page, what is the role of Firefox while I'm looking at these pages? Is it still on and does it still monitor my activity? Since I'm using your browser, does it know, first, that I am on Facebook and, second, what kind of activity I have on Facebook?

10:05 a.m.

Director, Trust and Security, Mozilla Corporation

Marshall Erwin

When you are using Firefox and you navigate to Facebook, the browser is still on. It is still running on your computer. What that means is that potentially Firefox can know what you are doing on Facebook and then could potentially provide that information to us. Again, I say “potentially”, because that is not what we do. We very purposefully do not do that. We don't feel that this is the appropriate role for the browser. That is why we have a set of policies in place to govern the data collection that we have—exactly what Firefox gets to know about your activity on Facebook, and what data Firefox, the software running on your device, actually tells Mozilla.

As I said, although potentially any browser can monitor your activity and then disclose that activity to the company that makes the browser, that is not the position we are in or want to be in. We do not want to know about your activity on Facebook.

10:05 a.m.

Liberal

Michel Picard Liberal Montarville, QC

If you allow me, I'll switch to French.

Currently, “potentially” is a dangerous word in the industry. It opens the door to all manner of technological development.

What type of data, other than that of users in real time, do Firefox or Mozilla obtain from third parties to develop their own marketing?

10:05 a.m.

Director, Trust and Security, Mozilla Corporation

Marshall Erwin

It's important to know that there are a few types of data that, again, potentially could be accessed through Firefox. We divide that data into three categories. The first is what we call technical data. For example, this is data about the operating system that you're using when you use Firefox. The second is what we call interaction data, which is data about how you engage with the browser itself. The third category of data that we identify is web activity data, like the URLs that you browse to or the fact that you visit Facebook.

Our data collection focuses on the first two categories by default. A useful example to keep in mind here is the back button. We collect data from Firefox to understand how people are using the browser, so if you hit the back button, it's useful for us to know that this is something you are using to navigate through the tool. We do not collect data about the page you were on when you hit that button, or the page that you are navigating back to. We want to know how you are experiencing the browser, but not information about the websites and how you are interacting with those websites.

10:10 a.m.

Liberal

Michel Picard Liberal Montarville, QC

If I understand correctly, the various visits by a user on various sites or pages is the third category of data for which you do not retain information. In other words, the existing technology can follow the activity of one person on the different sites that person visits.

Is that data available? An extreme example related to criminal activity comes to mind. If we need to know whether such and such a person visited such and such a site, that data is available through your technology.

10:10 a.m.

Director, Trust and Security, Mozilla Corporation

Marshall Erwin

It's important to distinguish between us and the party that you might be engaging with when you visit a website. If a law enforcement entity came to Mozilla and said that it needed information about someone's web-browsing activity, we largely would not be able to satisfy that request. It is data that we do not have and do not collect. There is the cross-site tracking I mentioned earlier, which happens sometimes by third parties using Firefox. Those third parties might have that data, and a law enforcement entity would have to go to them to get it.

10:10 a.m.

Liberal

Michel Picard Liberal Montarville, QC

Why should I provide any personal information to a service for which I am not offered any services or products? Let me explain. If I use the Mozilla browser and use a social network such as Facebook, I am using a service to talk to people, to get information.

I do not have a business return as such. The opposite is true when I register on my bank's virtual site, for example, and I buy books on Amazon, since I need to have merchandise delivered. If I need to make transactions through my bank, then it makes sense that I provide personal information.

Why should I provide information from the outset? If I do not need to provide information for this type of service, then why is the provider making the effort to collect what little information it can to which I never consented?

10:10 a.m.

Director, Trust and Security, Mozilla Corporation

Marshall Erwin

You mean, why would Firefox have the means to do that? We don't. Firefox is a piece of software running on your computer. As such, like any piece of software running on your computer, it has the potential to do a lot of things. The question is, what does it do? It doesn't collect that data at all.

10:10 a.m.

Liberal

Michel Picard Liberal Montarville, QC

Your business seems to be small relative to the rest of the market.

Are you saying that the service you offer would be the best model for service providers that do not market goods? A social network, unlike an online store, has no good reason to collect personal data. In your case, by all accounts, you can operate without access to that information.

10:10 a.m.

Director, Trust and Security, Mozilla Corporation

Marshall Erwin

I think our technology raises a different set of privacy challenges than a social networking service. I would say, though, that the set of principles we stand for on privacy are applicable to both. In practice, it would take some work by a company to translate that into questions of what data it should collect and how its consent model works. Those principles apply both to Mozilla and to those other companies.

Over the last two decades, essentially, in really seeking to make those principles meaningful within the browser, we have successfully built a product that is very respectful of people's privacy. I think that if other companies were to take those principles and translate them into their technology, they would be able to do the same.

The technology itself might raise a different set of issues and questions about what the consent model is, what data is collected, what a company learns, and what it's not going to learn. Those answers will vary based on the technology, but I think the principles still apply. Again, practising those principles has allowed us to build a browser that we feel is quite respectful.

10:15 a.m.

Conservative

The Chair Conservative Bob Zimmer

Thank you, Mr. Picard.

Next up is Mr. Kent, for seven minutes.

10:15 a.m.

Conservative

Peter Kent Conservative Thornhill, ON

Thanks for being here with us today.

Over recent years, but particularly in the last six to eight weeks, there has been an awful lot written and opined with regard to the rush and the focus by social media companies to use new technologies, evolving technologies, and artificial intelligence to add to their business plans and profitability.

The five data privacy principles of Mozilla, and the restraint you described in terms of not going where other social media companies have gone, have obviously affected your profitability. How does Mozilla compare with Facebook in terms of annual revenues?

10:15 a.m.

Director, Trust and Security, Mozilla Corporation

Marshall Erwin

Off the top of my head, I would say it's a different piece of technology, much smaller than Facebook in terms of total revenue.

Our revenue model is a bit different. We have partnerships with search providers. When you search within Firefox, you land on a search page, and we get a portion of the revenue generated from those searches. Our revenue is much smaller than that of Facebook.

10:15 a.m.

Conservative

Peter Kent Conservative Thornhill, ON

When Mozilla withdrew its advertising from Facebook, what was the primary reason? Was it the unwillingness to be associated with Facebook as the scandal was evolving, or was it fear that your advertising was vulnerable to abuse?

10:15 a.m.

Director, Trust and Security, Mozilla Corporation

Marshall Erwin

I would actually give you a slightly different reason. We looked at the settings, the third party data-sharing settings that existed within the Facebook platform when that story broke, and it was clear that, at a minimum, those settings were not sufficient or transparent, and possibly not accurate.

Also, as I mentioned, overall across the industry there is a problem with the default state of settings. I think you could see that in where those settings were that day. The default was still set to sharing fairly expansive data with third party app developers.

When we looked at those settings, we thought that this was just not the right level. It didn't appear to be accurate or transparent, and the level of sharing was still too broad. It was a moment when we could take a stand and say, “We are not going to advertise, at a minimum, until those settings are fixed.”

10:15 a.m.

Conservative

Peter Kent Conservative Thornhill, ON

Your biography tells us that you began your career in the intelligence community. You worked for five years as a counterterrorism and cybersecurity analyst, and you have done work for the Congressional Research Service on National Security Agency surveillance leaks and legislative changes.

Given your background and your career, would you consider the Cambridge Analytica/Facebook scandal a matter of national security in the United States or in Canada?

10:15 a.m.

Director, Trust and Security, Mozilla Corporation

Marshall Erwin

That's not the way I—

10:15 a.m.

Conservative

Peter Kent Conservative Thornhill, ON

I mean with regard to democratic election interference, or attempted interference.

10:15 a.m.

Director, Trust and Security, Mozilla Corporation

Marshall Erwin

Overall, if you look at what has happened with the election, you'll see that there are critical challenges to our democratic processes today that are certainly national security challenges. I haven't really thought through the specifics of Facebook and Cambridge Analytica, so I wouldn't be prepared today to say that these specific issues are national security ones.

Overall, the level of data collection that is happening across the Internet, coupled with the new and innovative ways to get messages to people, has raised a host of challenges to our democratic institutions. Certainly those have materialized in terms of national security issues.

10:15 a.m.

Conservative

Peter Kent Conservative Thornhill, ON

Facebook has made it clear, although with very unclear answers, that it does not like the GDPR. I think Mr. Chan, the Canadian representative for Facebook, said that Facebook would accept some regulation but made it quite clear that it would not be the GDPR. Would Mozilla accept the GDPR regulations as they are about to come into effect in Europe next week?

10:15 a.m.

Director, Trust and Security, Mozilla Corporation

Marshall Erwin

As they come into effect in Europe, we are accepting them.

Your question and the question that I know this committee—

10:20 a.m.

Conservative

Peter Kent Conservative Thornhill, ON

Would you accept them in the United States?

10:20 a.m.

Director, Trust and Security, Mozilla Corporation

Marshall Erwin

What we want in terms of a regulatory regime is a principles-based approach, one that does not micromanage the technical decisions that companies are going to make. That's point one that we think is a priority.

The second point is a strong enforcement regime that gives those regulatory requirements their teeth. When we think about this in the United States, in Canada, and in Europe, the question is, does the right set of principles apply? Is that in place, and is the enforcement structure there?

Specifically with respect to Canada, with PIPEDA, I am not a PIPEDA expert, but I think you do have a strong foundation in place. You might consider changes to align PIPEDA with the GDPR, but I think it's important that you actually have a good baseline. A baseline does not really exist in the United States today.

10:20 a.m.

Conservative

Peter Kent Conservative Thornhill, ON

Enforcement is the problem.