Evidence of meeting #134 for Access to Information, Privacy and Ethics in the 42nd Parliament, 1st Session.

Also speaking

David Carroll  Associate Professor, Parsons School of Design, The New School, As an Individual
Chris Vickery  Director of Cyber Risk Research, UpGuard, As an Individual
Jason Kint  Chief Executive Officer, Digital Content Next

4:55 p.m.

Conservative

The Chair Conservative Bob Zimmer

Next up, for five minutes, we have Mr. Kent.

4:55 p.m.

Conservative

Peter Kent Conservative Thornhill, ON

I'd like to come back first to Mr. Vickery. Canadian government departments—a number of them, any number of them—have been hacked any number of times in the last 10 years, most notably by Chinese operators either contracted by the Chinese government or suspected to have an interest in serving Chinese government interests.

The Government of Estonia, in 2007, weathered a huge cyber-attack by Russia. I'll just quote the Estonian website, which reassures Estonians about the security of their site. It says:

After Estonia’s experience with the 2007 cyber attacks, scalable blockchain technology was developed to ensure integrity of data stored.... Estonia became host to the NATO Cooperative Cyber Defence Centre of Excellence and the European IT agency.

All of that said—and it does seem to be a good system—do you believe their system is impenetrable by those who would hack it, either through the agencies, the various government agencies holding data, or through one of the users, one of the possessors of an identity card and the chip it contains?

4:55 p.m.

Director of Cyber Risk Research, UpGuard, As an Individual

Chris Vickery

Absolutely not. I would not take the assurances in that regard on their own website to be the bare truth. If they're citing something that happened in 2007, that was 12 years ago. Has nobody tried to hack them since? Can they come up with no other examples? Something that happened 12 years ago is the beginning of time, practically, in Internet speak.

4:55 p.m.

Conservative

Peter Kent Conservative Thornhill, ON

That said, they seem confident that they haven't been hacked. They acknowledge the attack then, and it's been documented and analyzed—

February 5th, 2019 / 4:55 p.m.

Director of Cyber Risk Research, UpGuard, As an Individual

Chris Vickery

I guarantee they've been hacked since then. I'll guarantee it. They may not admit it, they may not know about it, but I'll guarantee it's happened.

4:55 p.m.

Conservative

Peter Kent Conservative Thornhill, ON

Okay.

Mr. Carroll and Mr. Kint, when the GDPR came into effect last May, a significant number of major mainstream North American news organizations shut down access to their websites by their European subscribers because of the fear that their websites, as they existed, significantly violated some of the new GDPR regulations. To your knowledge—and I ask both of you—through academia or through the marketplace, have any of those companies come to you with requests for advice, guidance, or acknowledging and notifying that they are changing some of their website operations?

4:55 p.m.

Chief Executive Officer, Digital Content Next

Jason Kint

Not as many sites backed out as you would think based on the press. I think that's very much a talking point that those who don't like GDPR like to use, in particular Google. Tribune Publishing—it was called Tronc at the time—which has a lot of properties underneath it, decided to pull out. That made for a lot of sites. The concern was that 4% turnover of all revenue...and their digital business and probably the number of users they had in Europe was not actually that big as a local newspaper company. It made a decision, which was just a tradeoff of risk versus “Is it worth it?”

The real problem is that the rollout of GDPR, in particular, was troublesome for most publishers. We sent a letter to Google, on behalf of 5,000 publishers here in North America and Europe, because it waited until a month before. It was literally a two-year process. We were trying for a long time to get what its plans were, and then just a month before the GDPR came into effect, it decided to let everybody know what the plans were. It very much wanted to press enforced consent down on the publishers, so that every publisher had to get consent through Google, and then the publishers had to carry that liability as part of it. We sent a letter to Competition Commissioner Vestager in the EU specifically about this issue. It caused a lot of publishers to have to make last-minute decisions.

5 p.m.

Conservative

Peter Kent Conservative Thornhill, ON

There have been no changes since then?

5 p.m.

Chief Executive Officer, Digital Content Next

Jason Kint

No changes.

Those publishers you referenced who had backed out have not gone back into the market, but I think they likely will. That's a bad outcome, obviously, when the free press isn't available because of regulation.

5 p.m.

Conservative

Peter Kent Conservative Thornhill, ON

Mr. Carroll.

5 p.m.

Associate Professor, Parsons School of Design, The New School, As an Individual

David Carroll

I had an opportunity to engage with the industry and the marketplace in many ways prior to GDPR. For example, in 2015, when Apple enabled ad blocking in iOS, that created a considerable discussion in the publishing industry around the effects of this, so I engaged with industry at that time.

What's interesting in looking back on that debate is that it was whether ads were annoying or it was privacy anxiety. I was trying to argue that it was privacy anxiety, and they didn't want to believe me.

Now, after Cambridge Analytica and GDPR, you can make the case that privacy anxiety is a driver in the ad blocking question; therefore, how does it fit into GDPR consent interfaces that explain the business to consumers so they can understand how monetizing works? To me, it's the idea that GDPR was a kind of teachable moment for consumers and the industry, to say that this is how this industry works.

The problem is that the research shows that the more people understand how digital advertising works, the less they like it.

5 p.m.

Conservative

The Chair Conservative Bob Zimmer

Thank you, Mr. Kent.

Next up, for five minutes, Michel.

5 p.m.

Liberal

Michel Picard Liberal Montarville, QC

Thank you.

I want to go back to digital services, and I will ask my questions in French.

When I buy merchandise at a store, I'm not required to provide my email address or any other information, no matter how confusing it may be for the person at the cash register, who wonders what to do on the machine. I'm able to buy something without providing personal information. I shouldn't need to provide information to buy sports equipment.

However, I believe that when I'm dealing with the government, I'm required to provide personal information. I'll be given a social insurance number if I can at least provide my name and some references. It's the same for my driver's licence. If I don't provide references, I can't obtain a driver's licence or social insurance number. As a result, I can't find legitimate work because the employer needs my social insurance number. I'm required to provide personal information to the government.

In order to provide optimal and more effective service, the government can't help but turn to digital services and the Internet. It must develop techniques, ways and tools to provide more effective service. I'm of the school of thought that no system is 100% secure, simply as a result of the human factor or the possibility of an inside job. These are the worst threats that can't be controlled. Therefore, the government is forced to design a service that will be vulnerable.

How far can it go? How far should it go? Should it consider that, in spite of everything, it must provide digital services?

5 p.m.

Chief Executive Officer, Digital Content Next

Jason Kint

I heard a couple of themes in the question that I think are important observations. One is that the rules of offline content, whether they be what is appropriate or the actual law, haven't properly translated to online content. The same expectations that you would have in a store when you're buying something, you should expect online, which is not asking me for data that isn't necessary—the data minimization that Chris talked about.

I think that's important, and I would stop at that point.

5:05 p.m.

Associate Professor, Parsons School of Design, The New School, As an Individual

David Carroll

I think the metaphor Mr. Kint was using for how the online world needs to reflect the expectations and practices of the offline world is really important. We use the metaphor of privacy in the home as an interesting way of thinking about digital privacy. When you invite someone into your house, if it's a stranger, then you might not let them go beyond the entryway. Other people you might let into your kitchen, and other people you might let use your bathroom. Do you let anybody rifle through your bedside table drawer? No. Privacy is a continuum, and I think that continuum needs to be clarified for government services so that when citizens provide identity authentication, they understand it through an off-line-world metaphor.

Of course, government is different from the marketplace. Validating identity as a citizen is different from validating identity as a consumer.

Michel Picard Liberal Montarville, QC

Mr. Vickery.

5:05 p.m.

Director of Cyber Risk Research, UpGuard, As an Individual

Chris Vickery

I caution against using too many real-world metaphors to get people to understand the online world. There aren't very many good ones out there. To think about a website as a home or whatever the heck doesn't work for me. Yes, you will have to put government services online. You will have to provide digital government stuff. That's inevitable—unless you want to be a backwoods caveman society, as I'm sure you do not. You have to develop the norms and acceptable practices of the online world. You can't tie it too much to metaphors from the off-line world, because there aren't very many good analogies that fit, piece to piece to piece.

Michel Picard Liberal Montarville, QC

Thank you.

5:05 p.m.

Conservative

The Chair Conservative Bob Zimmer

Thank you.

Before I go to our last questioner on the list, we do have some time, about 20 minutes, so if you still have a question to ask, just signal the chair. We will put your name down and we will go the full time.

You have three minutes, Mr. Johns.

Gord Johns NDP Courtenay—Alberni, BC

Thank you, Mr. Chair.

Thank you for being here today and for your testimony.

As society becomes increasingly digitalized, do you believe that modifications to the Privacy Act or other legislation should be required for political parties to protect the personal information of Canadians?

I'll start with you, Mr. Kint.

5:05 p.m.

Chief Executive Officer, Digital Content Next

Jason Kint

I referred to putting a lot of check marks next to your recommendations, and around two I have question marks. Frankly, that was one of them. The argument of being able to also reach certain users is also a good one. The limitations, based on your current privacy law, on how it can be used for political speech I think is something I would want to understand more before I actually weighed in with a hard opinion on it.

Gord Johns NDP Courtenay—Alberni, BC

Do you want to add anything, Mr. Carroll?

5:05 p.m.

Associate Professor, Parsons School of Design, The New School, As an Individual

David Carroll

Sure. I think the lesson I learned from pursuing my Cambridge Analytica data was the fundamental necessity of the right of access. The right of access needs to be applied horizontally across the entire civil society, in both the marketplace and the government.

As to this idea that any citizen or consumer should be able to ask an entity for his or her data and be confident that it will be disclosed, what other rights do you stack on top of that? In the case of a political party, if you asked a political party to give you your voter profile, the party should be required to disclose that. If the citizen then wants to dispute or delete it, those are reasonable requests.

Gord Johns NDP Courtenay—Alberni, BC

Okay.

In terms of the digital divide, how can we ensure equal access to government services for people who may not have easy access to the Internet or who, like me, live in rural areas with poor broadband connections? Do you have any thoughts on that?

Mr. Kint, perhaps you can lead off.

5:10 p.m.

Chief Executive Officer, Digital Content Next

Jason Kint

That has always been a concern, particularly for our news members. At least in the United States, it's been an important initiative. Competition is hugely important in what we call MVPD, the telecom space, with protection of the open Internet in particular to make sure that access is available and further investment to make sure it's subsidized in some way to get access to as many as possible. I think we've gone back and forth on this over the last three or four years in U.S. policy.