Information & Ethics Committee on Feb. 5th, 2019

Hello. It is a pleasure to appear once again before the committee. I've always enjoyed speaking with you, and feel that I can bring a lot to the table.

I reviewed the previous meetings' recordings for this specific subcommittee, talking about data and privacy along the pathway of moving Canada to digital online government services, and where things are now and where they are going to be, as well as different concerns the committee has. While I am open to answering questions about the AggregateIQ/Cambridge Analytica situation, I will not focus on that in my opening remarks. I am going to address some issues that were brought up in those previous meetings that I listened to and reviewed just recently.

Right now, it feels that Canada needs to make a decision on which direction the tech strategy needs to go in, or wants to go in. There is an opportunity to jump headlong into the game with all of the other big players and to try to be on the leading edge of the government digital crossroads, but it seems to me that the most natural position from what I heard in the previous discussions is to take a stance of, okay, let the other guys make the mistakes and do the advance running, sprinting at the head of the crowd, and then incorporate the things that work into your systems, and not the things that don't work. That seems to be the most advantageous position that I heard.

Another contention was on whether or not it should be mandatory to bring people into this digital environment, whether Canadians feel wary or not or trusting enough to give all of their personal data, medical data, over to a Big Brother type of situation. If you make it mandatory, then when there is, or if there is, any sort of data breach or vulnerability or problem that's taken advantage of, you risk a huge hit in public confidence in the system.

I would recommend that Canada try to have it be adopted by success, rather than being forced upon people, so that if a neighbour, by word of mouth, tells somebody else, “I made an appointment with my doctor; it was so easy, you should get online and do this, too”, that would be a lot better than if there were a data breach and those two neighbours were then talking about how much they hated being forced into the situation.

I heard a lot of discussion about blockchain, and some people trying to float the opinion that blockchain is going to solve things. I would be very wary of blockchain technology in its current state, and even in the future. Blockchains are basically where everybody has everything. It's a distributed ledger. It's not necessarily a secret key thing, or technology. I believe the great many failures of various coins on blockchains have indicated the somewhat inevitable issues that can crop up, and it's just not mature enough to be handling medical data and personal data, and especially for voting. That's a nightmare.

Another issue that was brought up was anonymizing data, and how important it is to have these pools of data so they can be studied and shared among the government departments and easily ported from one database to another, and how great that can be. Yes, you can get some great insights from that sort of study and looking at everything from a meta, overall angle, but there really is no such thing as anonymized data. It's a little bit of a misnomer. You can have data that you redact certain elements from, or drop certain things and try to make it hard to re-identify the people, but all you actually do when you anonymize data is that you make it harder and harder for the little players to re-identify folks. I guarantee that the big data brokers and the banks and the insurance companies can re-identify the data in most anonymized datasets simply based upon what they have already and are able to reference. It's just a matter of how much data the entity has that determines how long it takes them to re-identify it, so be very careful with anonymized data and thinking it's foolproof.

I don't just want to bring up issues or problems. I also want to bring forward some ideas, some brainstorming, of different ways to implement secure data-sharing among various government departments. The idea that privacy and security is built in by design is very powerful.

I think there is an opportunity for you to take the mindset of asking, if you were creating all of existence and you could create the laws of physics, the fundamental building blocks of the ecosystem that your data is going to live in, how you would do it so that it's secure.

I would do it in a way that database A and database B don't even speak the same language, can't communicate with each other, cannot pool data together, and I'd have a translator in the middle that they pass the data to, which would then translate it to each other.

That's just an idea I had. The advantage there is that you can have the translator be not available 24 hours a day, seven days a week, so that when everybody is asleep on a Saturday night, you don't have to worry about a bad guy getting into one and being able to access all of the others. It's all about segmentation, breaking things into pieces, compartmentalizing. Even though that makes it a little bit harder on the programming end of things, I think you'll get a much better outcome if you plan this sort of thing ahead of time, do it the right way and make sure everybody involved is of the right mindset.

Finally, I want to say that if there's one thing that needs to be done the old-fashioned way, it's voting. Digital voting is laden with all sorts of problems, with corruption. If there's one thing we need to do with hand-marked papers, it is voting. I'm very disappointed in how the United States has come to handle voting, and I wish much better for your country.

Thank you.

Good afternoon.

Thank you for the opportunity to speak before your committee today. I have closely followed the work of this committee, including its superb representation by the chair and vice-chairs in last November's International Grand Committee on Disinformation and ‘fake news’. I am honoured to be here, and I appreciate your overall interest in consumer privacy.

I am the CEO of DCN. Our mission is to serve the unique and diverse needs of high-quality digital content. This includes small and large premium publishers both young and centuries old. To be clear, our members do not include any social media, search engine or ad tech companies. Although 80% of our members' digital revenues are derived from advertising, we are working with our members to grow and diversify.

DCN works as a strategic partner for its membership by advising and advocating with a particular eye on the future.

As you are aware, there are a wide variety of places where consumers can find online content. In light of this dynamic, premium publishers are highly dependent upon maintaining consumer trust. As an organization, DCN has prioritized shining a light on issues that erode trust in the marketplace, and I'm happy to do so today. This makes enhancing consumer privacy while also growing our members' interests a critical strategic issue for DCN.

Over the past decade, there has been a significant increase in the automation of content distribution and monetization, particularly with advertising. We've shifted to a world where the buying, the bidding, the transacting, and the selling of advertising happens with minimal human involvement. We do not expect nor do we seek to reverse this trend, but today I hope to explore with you a few of the major challenges impacting the industry, the public and democracy.

The first area I would like to explore is the rise of what your December report aptly labels “data-opolies”. Unfortunately, an ecosystem has developed with very few legitimate constraints on the collection and use of consumer data. As a result, personal data is more highly valued than context, consumer expectations, copyright or event facts.

Today, consumer data is frequently collected by unknown third parties without any consumer knowledge or control. Data is then used to target users across the web, without any consideration of the context, and for as cheaply as possible.

In our mind, this is the original sin of the web—allowing for persistent tracking of consumers across multiple contexts. This dynamic creates incentives for bad actors and sometimes criminal actors, particularly on unmanaged platforms like social media where the bias is for a click, whether it's from a consumer or a bot.

What is the result? A massive concentration of who is benefiting from digital advertising, namely Google and Facebook. Three years ago, DCN did the original analysis, including giving them the label of “the duopoly”. The numbers are startling. In the $150 billion-plus digital ad market across North America and the EU, 85% to 90% of the incremental growth and over 70% of the total ad spend is going to just these two companies.

Then we started digging deeper and, as in your report, we connected their revenue concentration to their data practices. These two companies are able to collect data in a way that no one else can. Data is the source of their power. Google has tracking tags in which they collect data on users across approximately 75% of the top one million websites. We also learned, thanks to evidence provided in the U.K. to the DCMS committee, that Facebook has tracking tags on over eight million sites. This means that both companies see much of your browsing and location history.

Although your work is mostly focused on Facebook, we would strongly encourage you to also review the role of Google in the digital ad marketplace. DCN recently helped distribute research conducted by Dr. Doug Schmidt of Vanderbilt University, which documented the vast data collection of Google.

Google has used its unrivalled dominance as a browser, operating system and search engine to become the single greatest beneficiary in the provision of ad tech services. Google has no peer at any stage of the ad supply chain, whether buying, selling, transacting or measuring advertising. In any other marketplace, this would be illegal. In the financial world, it is akin to being the stockbroker, the investment banker, the stock exchange and the stock itself.

Therefore, we believe that recommendations 12 and 13 in your report are important as you seek to understand the clear intersection between competition and data policy. The emergence of these data-opolies has created a misalignment between those who create the content and those who profit from it. It has also allowed a vicious cycle in which the industry rules and the consumer privacy bar are set to protect incumbent industry interests rather than consumer trust.

We would also encourage you to further explore law professor Maurice Stucke's arguments, along with Anthony Durocher's from your Competition Bureau, recommending a shift beyond price-centric analysis as companies offer free products to exploit consumer data. With the U.K. ICO's findings regarding Facebook's privacy practices from 2007 to 2014, which your own report labels as “severe”, I would call attention to a research paper published last week by Dina Srinivasan, titled “The Antitrust Case Against Facebook”, in which Ms. Srinivasan documents this bait and switch by Facebook in its early years, originally using privacy protection as a paramount differentiator in a very competitive set of free products of social networks that were forced to compete on quality and, over time, lowering the quality of privacy.

Finally, the scandal involving Facebook and Cambridge Analytica underscores the current dysfunctional dynamic. Under the guise of research, GSR collected data on tens of millions of Facebook users. As we now know Facebook did next to nothing to ensure that GSR kept a close hold on that data. Facebook's data was ultimately sold to Cambridge Analytica to target political ads and messaging, including in the 2016 U.S. elections.

With the power Facebook has over our information ecosystem, our lives and our democracy, it's vital to know whether or not we can trust the company. Many of its practices prior to reports of the Cambridge Analytica scandal clearly warrant significant distrust. Although there has been a well-documented and exhausting trail of apologies it's important to note there has been little to no change in the leadership or governance of the company. With this in mind, there is an acute need to have a deeper probe, only made more apparent by the company's repeated refusals to have its CEO offer evidence to DCMS and your grand committee. They've said the buck stops with CEO Mark Zuckerberg, but at the same time he's avoided the most difficult accountability questions. There is still much to learn about what happened and how much Facebook knew about the scandal before it became public. The timeline is troubling to me.

We learned from Mr. Zuckerberg's testimony to the U.S. Senate judiciary committee that a decision was made not to inform Facebook users that their data had been sold to Cambridge Analytica after The Guardian reported in December 2015. The Guardian reporter had said he reached out to GSR as early as late 2014, nearly a year before reporting on it. GSR co-founder Aleksandr Kogan testified to Senator John Thune that he and his partner had met with Facebook several times throughout 2015. Even more incredulous to me was that Facebook hired to its staff Kogan's so-called equal partner at GSR, Joseph Chancellor, on November 9, 2015, an entire month before The Guardian reported. Time and again, Facebook has been asked when exactly Mr. Zuckerberg became aware of Cambridge Analytica, yet Facebook only offers a non-answer by replying that he became aware in March of 2018 that the data had not been deleted. On a personal note, I find this answer offensively obtuse.

Considering that the FTC has a consent decree with Facebook to report any wrongful uses of data, it's incredibly relevant to know when its CEO was first aware of Cambridge Analytica. We now know Facebook spent significantly more time and resources in 2016 helping Cambridge Analytica buy and run ad campaigns than they did trying to clean up their self-titled “breach of trust”. Although Facebook's CEO testified to the U.S. Congress in April 2018 that they immediately worked to have the data deleted upon being made aware in 2015, Facebook has already submitted evidence to DCMS that no legal certifications happened with Cambridge Analytica until well into 2017 when its CEO returned a fairly useless piece of paper.

Finally, Facebook disclosed in September 2018 that Mr. Chancellor no longer worked at Facebook without any explanation after a nearly six- months-long investigation, which began only after the TV show 60 Minutes drew further scrutiny to his role.

Equally troubling in all of this, other than verbal promises from Facebook, is that it's not clear what would prevent this from happening again. Moving forward, we urge policy-makers and industry to provide consumers with greater transparency and choice over data collection when using practices that go outside consumer expectations. Consumers expect website or app owners to collect information about them to ensure that the site or app works. Indeed, data collecting used within a single context tends to meet with consumers' expectations, because there is a direct relationship between these activities to the consumer experience, and because the consumer's data is collected and used transparently within the same context. However, as happened in the case of Facebook and Cambridge Analytica, data collected in one context and used in another context tends to run afoul of consumer expectations.

Also, it is important to note that secondary uses of data usually do not provide a direct benefit to consumers. We would recommend exploring whether service providers that are able to collect data across a high threshold of sites, apps and devices should even be allowed to use this data for secondary uses, without informed and specific consent. A higher bar here would solve many of the issues previously mentioned.

Finally, it is important to shed light on these practices and understand how best to constrain them going forward. I appreciate your efforts to better understand the digital landscape. By uncovering what happened and learning from it, you are helping to build a healthy marketplace and to restore consumer trust.

The problem with that model is that it only takes one little defect in the armour to ruin the whole thing. Day in and day out for the past few years, I have been hunting down data breaches. I found quite a few and every single company's website that's involved in these data breaches has a statement to the effect that, “We follow industry standard practices”, “we use umpteenth level security and encryption”, etc. I find these databases to be open to the public Internet, not encrypted. They have no password and no user name whatsoever. It only takes one developer to mess things up and cut a corner and do something that is a little too risky and not best practice.

Compare that to the claims of the Indian government with the Aadhaar database. They have have made similar claims for that database, yet on several occasions, it's been proven that they have had massive data breaches, both in the access portal and in the basic encoding system of the Aadhaar ID card itself.

I don't know if I believe Estonia when they say they've had no data breaches or problems whatsoever, or if that's just bluff and bluster. Maybe that's something I could look into a little more in-depth.

Yes.

I'd like the opportunity to go back and reread the report with that question in mind, but I think I admire the audacity of the report to cross potentially a third rail of how our political parties are supposed to be regulating themselves on these issues. That, in my observation, went further than Information Commissioner Denham's recommendation to put an ethical pause on micro-targeting.

I do appreciate that. I think this is the main question for multiple governments around the world. How does the exemption of political targeting break down the whole system? In the case of Cambridge Analytica, political data was used for commercial purposes, and commercial data was used for political purposes. It's quite difficult—

It's an important start. The level of transparency required to hold this kind of advertising accountable needs to be maximal, I believe. For example, most Facebook users are not aware that political parties and campaigns upload their voter registration files into Facebook to target them individually, by name. The way you find that in the Facebook interface is very difficult, and it doesn't show that one-to-one level marketing in even Facebook's transparency tool that it launched here in Canada.

I think the maximum amount of disclosure will be beneficial to concerned citizens as well. I think it comes down to that granular level. You should know that you've been targeted as an individual voter for particular messages, rather than the segmentations that they claim. Also, people need to know if they've been assigned to what's called a “lookalike audience” as well. That creates a similar kind of one-to-one targeting without your name being attached to it.

I would advocate for as much disclosure as possible when it comes to political advertising, and maybe advertising in general.

I think the banking idea is not a bad one. That is a highly regulated industry accustomed to things such as very intense audits, keeping paper trails, and doing everything by the book—hopefully. I think they are definitely a good industry to lean on; however, I would be very, very cautious about how you allow the data to then be used in other ways. I would make very bright lines with whoever you go with to lean on and use their expertise and infrastructure, whatever, indicating what is acceptable and what is not. You can't budge or blur the lines here. This is a bright line, and these are the penalties if you break the line, and then enforce that if it happens.

Yes, I would caution against allowing the segmented siloed databases to talk to each other. If you need data, get it from the person the data belongs to, because if the databases can talk to each other, the data doesn't really belong to that individual citizen; they're just an optional gatekeeper at that point.

I think that if you mix and match administrators, that's basically the same thing as mixing and matching the databases. The administrators are just human, and humans want to eliminate work and make things as simple as possible, so that's where corners get cut.

I think the reaction to the Cambridge Analytica scandal worldwide shows that we have a visceral response to it. We don't know exactly why it upsets us, but it became a household name around the world overnight. To that specific thing, we understand that there are incentives at play, and the government doesn't have an incentive to profit from data or necessarily to use it for nefarious acts. There isn't the sense that there could be rogue actors abusing a system.

My opinion is that as long as breaches at the government level are protected against, as the sort of worst-case scenario, trust in digital government is much more possible than trust in digital advertising.

I would only add that this does speak to the issue of why Facebook needs to be held accountable. There's a study each year from Edelman called the “Trust Barometer”, and we saw that institutional trust declined in light of Facebook. Edelman went deeper for the first time and started to unpack what was happening, particularly with the trust in media, which is the part I get most concerned about in my role. The trust in journalism was going up or rebounding, and it was actually the trust in platform itself where the issue was. These platforms are embedded in our lives, and they start to affect trust in other areas, so the question of whether we could trust the media started to be impacted by what was going on with Facebook and the declining trust of that platform.

They just put out their new research three weeks ago, and there was a 30-point gap in trust between social media and traditional media. It worries me when you have a platform that's kind of gone awry and it starts to affect everything.

I think it's holding Facebook accountable. It forces them to raise the trust in their own product, which can be a very long term issue for them—they might be stuck in this bad cycle—and it raises the trust level in the entire platform.

From our perspective it's been very disappointing. I sent a letter on behalf of our association to Mr. Zuckerberg in November 2016 around the time of the election, asking for what we described as “moonshots”, saying that it was that big a problem. They clearly have some of the best engineering minds in the world and enormous resources to solve issues like this.

We've been very disappointed. It's been more of a PR strategy than anything, and it seems as though in the last few months it's shifted even more aggressively toward that.

Toward PR and criticizing the media and anybody who's trying to hold them accountable.

From my perspective, particularly with Facebook, we're past that, and that's where I'm hopeful that the FTC steps in and enforces the consent decree. It's on probation from seven or eight years ago.

For many of the issues you led your question with, including the way the political parties use the data, we need to go way further upstream to the actual collection and use of the data. That's where it sits with Facebook. I can give you another 10 symptoms of the problem, from bots and ad fraud to users installing ad blocking because they don't even want to see ads. I can give you a whole list of ways it's affecting my world, but those are all symptoms of the problem. Even disinformation is a symptom of a problem, and the problem is the data collection at a pervasive level across the web. That needs to be restricted for companies that have the access to most of the activity that happens.

Yes, across the U.S. and North America, and 85% of the growth is going to two companies whose business is data collection.

Yes, one of the things that's most challenging, going back to their strategy, is that you'll hear Mr. Zuckerberg and Ms. Sandberg both make the point that this is their business and this is the way it works. If not, everybody is going to have to pay for the product, and 2.3 billion people around the world are going to have to pay for it, including in developing nations.

There are steps that can be taken in between that hold them to a higher bar in which they make a little less money.

Yes, I think that's a bold but necessary step. I commented on that earlier, that I admire the audacity of taking that position.

One thing that got lost in the story is that it was illegal to create political profiles of Americans, according to U.K. law. There was a big debate over whether psychometrics worked or not, and that was a red herring to the unlawful profiling, according to U.K. law. In many ways it seems that the directors of Cambridge Analytica/SCL misunderstood the jurisdictional question. The higher-order question is: why did this business become internationalized? Why was U.S. voter data processed in another country?

I think the first issue at play here is around how we can keep voter data inside the countries of the voters as an initial way to protect it.

Sure. How could a political party even justify hiring a foreign company to work on their campaign? How is that even acceptable?

Within the given infrastructure that's here, how can campaigns and vendors be scrutinized by citizens, civil society, academia and the government itself? If the business of this political engine feels as if it is being scrutinized, that's the best we can hope for in terms of their being on their best behaviour. But moving forward, there are fundamental changes that need to happen.

Yes. You have a number of recommendations in your report that will start to address the problem. We've talked a lot about the data piece: limiting their use of data, because that's where the value is coming from. As soon as you put a constraint on that, it restricts that profit.

There are very interesting developments, particularly in Europe, around copyright, and it seems they are moving forward again as of yesterday. I'd study those. They've been through a lot of the difficult balancing between copyright and free speech protection.

Yes, there are opportunities there. In your report, some of the evidence that Tristan Harris and a few others provided looked at ways to hold them liable for when they make recommendations. That is interesting to me, when we start to talk about not just links to the content but then using their AI to present recommendations. We have to actually put some liability on them. The real reason they're making money is that they have no liability for anything, but at the same time they get all the money. When there's a problem, it's not their problem; it's the Internet's problem or it's society's problem.

An original seed of corruption in this whole problem is the concept of micro-targeting. There is something to be said for having an Internet and index and aggregated sources and all that stuff that is useful for looking things up. We've always had phone books and things of that nature, but typically they were the same for everybody. When I look at the Mona Lisa, I don't have a personalized version of it coming to me that I find more attractive compared with the person next me. It is a human experience to experience what everybody else is experiencing.

When you throw in micro-targeting, you up the ante on how much this data is worth and how much you can squeeze out of—

It would be really interesting to create incentives for the industry to realign itself towards non-personal data and away from personal data.

Certainly. The question is how the government can push the industry away from personal data towards a way to monetize non-personal data. There are ways to achieve similar results without using personal data.

In regard to the copyright question, there hasn't been a lot of talk or brainstorming around how taxation can reincentivize the industries, whether it's taxing personal data and exempting non-personal data, whether it's taxing use to fund through copyrights and funding for journalism. There are different models that could be explored to address these issues together, because it's hard to talk about copyright without also talking about data. It's hard to talk about antitrust without also talking about data. The way these issues collude together is very tricky.

I would try to avoid the government mandating this, but there are things we can learn from the GDPR in Europe. It is probably the most-discussed regulation around data right now, and probably the most forward-looking.

There's something in there called purpose limitations, which basically says that if I give you consent to use my data for a certain purpose, you can't use it beyond that. That speaks to a lot of what I commented on in my opening remarks around context and consumer expectations.

It's about using the data in the way the user expects based on the original negotiation or relationship when they started, and then limiting it to that. The way Google makes money is by moving from Gmail to location tracking, etc.

As far as we understand, Apple is not using that data to also then micro-target ads at you or use it for any other purpose.

That's within the device. We can get deep into the weeds but it's—

Either way, without going into the weeds on who's doing what, I think a higher bar is definitely in order and should be discussed for the companies that see a substantial amount of your activity; I call them service providers. That may mean that they can't use the data for that purpose. It's no different from walking into a store, say Target, and they're going to track your data as part of the store experience. That's probably acceptable and you can choose not to go to Target ever again because you don't like it. But if you walk into Target and then they track you outside of the store, everywhere you go, that's the problem you're speaking of, and that's where there needs to be a higher bar.

The GDPR in the EU and, to a degree, the new California Consumer Privacy Act, which will come into effect in 2020, offer us models for setting limits. One limit that you proposed is a limit on data retention. One interesting part about GDPR is the requirement to disclose the data retention duration at the moment of gaining consent. When you sign up for a service the requirement is, “we will hold your data for six months”, and you are learning that limitation at the moment of signing up and giving consent.

I think we have some good models now to work from to evaluate and to see how these limits are set. The other limits that my colleague Mr. Kint has been referencing—limiting use based on the context of collection and prohibiting uses across contexts—would be also important frameworks to establish. The key here is also enforcement. My experience working with the Information Commissioner's Office as well as the court system in the U.K. shows that enforcement of these limits is where the rubber hits the road.

I would confirm that last point.

I saw that you were recommending giving more powers to the privacy commissioner. That's hugely important. I think the powers that the ICO commissioner had came in at the 11th hour. She was fortunate to have those, so I would recommend that. Certainly, GDPR, has real teeth to it, with the 4% fine of global turnover. That makes a difference, and we're starting to see some of that enforcement.

I have a lot of check marks next to your recommendations. There are a lot of really good recommendations. The things I put stars next to are super important things like modernizing the Competition Act and really recognizing that these companies—with which, as Mr. Baylis points out, you don't have a fair deal because they have so much power and so much data that you have to use them, and there are only two different operating systems, let's say, or only one search engine—actually should be evaluated based on the data, as part of the trade-in value. The fact that they're free shouldn't allow them to run away with a monopoly.

I'd like to bring up the concept that data doesn't really go away. Companies can claim they've deleted it or say whatever the heck they want, but it has been rolled into other things by then. There are derivatives of it and they probably did keep some backups.

I would focus more on the data becoming stale after a while. Therefore, implement new rules, regulations, laws, to tighten their ability to collect the superfluous amounts of data, and let that other data become stale, old and of no use because it's so old. Don't worry about trying to wrest it out of their hands, because you're never going to.

One aspect of the Estonian model that is important and valuable is the principle of collecting once. Not requiring citizens to keep inputting their data is the key idea of this unified national identity, and it prevents this problem that citizens in most countries face of constantly giving the same information to multiple different entities. Each time data is supplied, another weak point is created.

Figuring out how to make the supply-once and secure-forever model work logically makes a lot of sense, because it also helps separate identity from other data. Having mechanisms to create de-identification and anonymization built into the structure works well and so on.

The Aadhaar model in India, another national identity system. has come up. I can corroborate what Mr. Vickery said about it. I've had students doing their own research who found these systems to be alarmingly easy to penetrate, at least in India. To have a digital model that does not also have a strong data protection regime on top of it is a risky endeavour. In some ways Estonia might be well-placed, because it has both this digital government and 20 or 30-year tradition of European data protection linked to it.

We also look at China as an extreme in the other direction, where a surveillance industry.... The distinction between private enterprise and the government is completely blurred and the use of surveillance for social control and social coercion is quite alarming. We do look at the new emerging privacy and data models around the world to figure out which places are figuring it out.

I'm not a security expert, so I'll turn most of my time over to Chris. I have heard positive reflections on the Estonian model and I have not heard the security concerns. The way it's described, it makes sense, but I haven't heard of any issues. It's most often the example that comes up in a positive light and is starting to be studied. It may just be a test of time to make sure it's the right one, but I'll let Chris weigh in.

I believe it's healthiest to assume there has been a breach at all times, to make a system so segmented and resilient that even if there is a breach, you can find it, recover quickly and the damage will be minimal. I don't think you should put all your eggs in one basket. I believe the solution to having people submit the same info over and over again is to minimize the amount of information that is necessary from them. For example, here in the United States, we're not supposed to give out our social security numbers all the time, according to the government, yet every doctor's office asks for that number. Doctors' offices shouldn't be asking for it.

Minimize, optimize, make it streamlined, but I just don't think putting all of your eggs in one basket is a good idea.

Absolutely not. I would not take the assurances in that regard on their own website to be the bare truth. If they're citing something that happened in 2007, that was 12 years ago. Has nobody tried to hack them since? Can they come up with no other examples? Something that happened 12 years ago is the beginning of time, practically, in Internet speak.

I guarantee they've been hacked since then. I'll guarantee it. They may not admit it, they may not know about it, but I'll guarantee it's happened.

Not as many sites backed out as you would think based on the press. I think that's very much a talking point that those who don't like GDPR like to use, in particular Google. Tribune Publishing—it was called Tronc at the time—which has a lot of properties underneath it, decided to pull out. That made for a lot of sites. The concern was that 4% turnover of all revenue...and their digital business and probably the number of users they had in Europe was not actually that big as a local newspaper company. It made a decision, which was just a tradeoff of risk versus “Is it worth it?”

The real problem is that the rollout of GDPR, in particular, was troublesome for most publishers. We sent a letter to Google, on behalf of 5,000 publishers here in North America and Europe, because it waited until a month before. It was literally a two-year process. We were trying for a long time to get what its plans were, and then just a month before the GDPR came into effect, it decided to let everybody know what the plans were. It very much wanted to press enforced consent down on the publishers, so that every publisher had to get consent through Google, and then the publishers had to carry that liability as part of it. We sent a letter to Competition Commissioner Vestager in the EU specifically about this issue. It caused a lot of publishers to have to make last-minute decisions.

No changes.

Those publishers you referenced who had backed out have not gone back into the market, but I think they likely will. That's a bad outcome, obviously, when the free press isn't available because of regulation.

I had an opportunity to engage with the industry and the marketplace in many ways prior to GDPR. For example, in 2015, when Apple enabled ad blocking in iOS, that created a considerable discussion in the publishing industry around the effects of this, so I engaged with industry at that time.

What's interesting in looking back on that debate is that it was whether ads were annoying or it was privacy anxiety. I was trying to argue that it was privacy anxiety, and they didn't want to believe me.

Now, after Cambridge Analytica and GDPR, you can make the case that privacy anxiety is a driver in the ad blocking question; therefore, how does it fit into GDPR consent interfaces that explain the business to consumers so they can understand how monetizing works? To me, it's the idea that GDPR was a kind of teachable moment for consumers and the industry, to say that this is how this industry works.

The problem is that the research shows that the more people understand how digital advertising works, the less they like it.

I heard a couple of themes in the question that I think are important observations. One is that the rules of offline content, whether they be what is appropriate or the actual law, haven't properly translated to online content. The same expectations that you would have in a store when you're buying something, you should expect online, which is not asking me for data that isn't necessary—the data minimization that Chris talked about.

I think that's important, and I would stop at that point.

I think the metaphor Mr. Kint was using for how the online world needs to reflect the expectations and practices of the offline world is really important. We use the metaphor of privacy in the home as an interesting way of thinking about digital privacy. When you invite someone into your house, if it's a stranger, then you might not let them go beyond the entryway. Other people you might let into your kitchen, and other people you might let use your bathroom. Do you let anybody rifle through your bedside table drawer? No. Privacy is a continuum, and I think that continuum needs to be clarified for government services so that when citizens provide identity authentication, they understand it through an off-line-world metaphor.

Of course, government is different from the marketplace. Validating identity as a citizen is different from validating identity as a consumer.

I caution against using too many real-world metaphors to get people to understand the online world. There aren't very many good ones out there. To think about a website as a home or whatever the heck doesn't work for me. Yes, you will have to put government services online. You will have to provide digital government stuff. That's inevitable—unless you want to be a backwoods caveman society, as I'm sure you do not. You have to develop the norms and acceptable practices of the online world. You can't tie it too much to metaphors from the off-line world, because there aren't very many good analogies that fit, piece to piece to piece.

I referred to putting a lot of check marks next to your recommendations, and around two I have question marks. Frankly, that was one of them. The argument of being able to also reach certain users is also a good one. The limitations, based on your current privacy law, on how it can be used for political speech I think is something I would want to understand more before I actually weighed in with a hard opinion on it.

Sure. I think the lesson I learned from pursuing my Cambridge Analytica data was the fundamental necessity of the right of access. The right of access needs to be applied horizontally across the entire civil society, in both the marketplace and the government.

As to this idea that any citizen or consumer should be able to ask an entity for his or her data and be confident that it will be disclosed, what other rights do you stack on top of that? In the case of a political party, if you asked a political party to give you your voter profile, the party should be required to disclose that. If the citizen then wants to dispute or delete it, those are reasonable requests.

That has always been a concern, particularly for our news members. At least in the United States, it's been an important initiative. Competition is hugely important in what we call MVPD, the telecom space, with protection of the open Internet in particular to make sure that access is available and further investment to make sure it's subsidized in some way to get access to as many as possible. I think we've gone back and forth on this over the last three or four years in U.S. policy.

I can relate that to my home state of New York. A major telecom cable provider, as a condition of a merger, was supposed to provide broadband services to rural areas in the state of New York, but failed to do so. The state threatened to kick this provider out of the state if they did not comply. It comes down to enforcement. When you give these companies privileges, they need to pay back.

We have no confirmation yet that the data has been deleted. The information—

Correct.

I can say that just last week at the Sundance Film Festival, a documentary on Netflix premiered. I think some members of this committee are in the film, because the DCMS committee is featured prominently. A former employee featured in the film shows evidence that Facebook-like data was still being pitched to clients after they claimed it was deleted.

We're still seeing evidence bubble up that there haven't been truthful statements. That's why it's not over yet.

Yes. I have seen concerns dealing with the insolvency proceedings. Mr. Vickery has also shown me forensic evidence that adds to your concerns.

I think that enforcing transparency in the system is a first important step, giving people this right of access that, when they exercise it, will lift the veil off the black box. I mean that beyond just getting your data, but also the confidence values of predictions—what Chris is talking about, the way our data gets put into data models, then applied to other things and all that stuff requiring transparency.

Related to that, liability for data collection would then reduce the amassing and consolidation of it. As we've discussed here, the fact that two companies have amassed such massive profiles gives them their outsized power.

The incentives are quite different between a private entity that is trying to monetize data and a government entity that is trying to provide services that are not directly linked to the monetization. You pay your taxes, and you get services, as opposed to your data being used to merchandise your attention. There are technical issues that need to be discussed, but it's hard to equate these two different directionalities with each other.

Yes, it's weird in the United States. The Internal Revenue Service knows all of our transactions and could do our taxes for us; they're just not allowed to. I think there are interesting ways this does play out, yes.

The right of access definitely needs specific exemptions on the government side, but I would also bring up another necessary exemption, which is to protect journalism and journalists. I think there is GDPR to an extent, but the idea is that journalists need to protect sources, and an opponent of a story could reveal a source inadvertently through the subject access request. You have to be very thoughtful about where you carve out these privileges and responsibilities, and they exist in the private sector in certain ways and definitely in the government sector.

I think you can definitely take a default position that transparency is desirable, so it's about where transparency does not work rather than looking for transparency opportunities.

Privileges, yes.

I recommend a model going forward that basically defines the terms in very strict ways. If something can be accessed without your permission, you are not the gatekeeper to it, you don't own it and you don't control it. If the government has a criminal record of person X, person X does not own that criminal record. It is a record kept about person X, whereas if Walmart has a shopping history of that person, you could make laws saying that the person has to say it's okay for them to collect it and everything. It's a very different beast, and you've got to let people know that the government holds data on you that you do not own and control. It's just not possible.

I don't mean to dodge the question, but I will answer it in a way that relates to what the information commissioner in the U.K. has ruled in relation to her investigation. Inferred data is considered personal data when it is attached to an identity. It's this idea of creating predictions about people and that when you attach them to their voter file, it constitutes personal data.

I think it gets to your question about campaigns that are trying to predict the behaviour of potential voters, and it's based on predictions rather than verifiable, deterministic facts. That could be one boundary that needs to be further negotiated. For example, if I have a gun license, then you have a verifiable fact that I support gun rights. Whereas, if you're using my social media chatter to infer my feelings about gun rights, that's a different threshold that needs to be defined.

I knew that would happen. It was around content moderation. It was this idea that within a certain set period—I think you suggested 24 hours, maybe—it should be possible to eliminate content. I know that's being rolled out in a couple of different counties in Europe. I think it's probably wise to watch and study it.

Yes.

Oh, oh!

Absolutely.

I do. I think that's an interesting point in the recommendations. I think it was in the evidence from Tristan Harris.

The safe harbour has been used widely, including in our safe harbour in the U.S. There has been a lot of press recently around the harms that are happening within recommendations—within YouTube and the AI, which is clearly aligned with profit and designed by humans. There's an issue there.

The auditing of algorithms is the concept you have in there, too, which I think is very wise to look at.

I would leave you with a very bleak current outlook on it. Things need to change dramatically.

Right now, things are 10 times worse than you think they are, and we need action. We need less talk and more action.

Everybody has breach fatigue because they see all of the data breaches in the news and everything. The number of data breaches that get mentioned in articles is abysmally small. The number of data breaches that actually occur and the amount of data being passed around, whether you want to count employees sharing too much or sending to their personal email or something such as that just in the course of business, is 10 times, 100 times larger than anybody on this committee has their head wrapped around. It is horrifying how bad it is out there right now.

The United States, Canada and other countries need to adopt some version of the GDPR, some adaptation of what has been put in that model. The California act moves the needle in the United States and there will be an aggressive race before the California act comes into play to pre-empt state law with a national privacy act of some sort.

It's really a key moment for the United States and Canada to lead and, in a sense, catch up with two decades' worth of data protection that our friends across the Atlantic have achieved.

I absolutely agree that the model of the GDPR is important. However, to add to that, I would really amplify what's in recommendations 12 and 13 regarding the Competition Act and the intersection with data and the value of data. That solves a lot of issues. It solves liability issues; it solves holding large power plays accountable.

If you start there, you intersect with what I consider really the core issue here: the collection of data in order to make money in ways that are well beyond consumer expectations. Then you bring in enforcement on top of that.

I was at a major privacy conference in Brussels last week. I was on Commissioner Denham's panel and there was a lot of discussion about consent and data. I asked an audience of about 300 people to raise their hand if they used a Google product. Everybody raised their hand. Then I said, “Raise your hand if you're okay with Google tracking and collecting data on everything you do”, and nobody raised their hand, of course.

Then I looked at Commissioner Denham and I said, “You have an enforcement issue, because 90% of these people have given consent to do something they don't actually want to have happen.”

We need to solve that problem and you have an opportunity to lead the international community here by building from what Europe has done.

It's an honour to be here. Thank you.

It's an honour to be here. Thank you for having us.