Information & Ethics Committee on Feb. 5th, 2019

The problem with that model is that it only takes one little defect in the armour to ruin the whole thing. Day in and day out for the past few years, I have been hunting down data breaches. I found quite a few and every single company's website that's involved in these data breaches has a statement to the effect that, “We follow industry standard practices”, “we use umpteenth level security and encryption”, etc. I find these databases to be open to the public Internet, not encrypted. They have no password and no user name whatsoever. It only takes one developer to mess things up and cut a corner and do something that is a little too risky and not best practice.

Compare that to the claims of the Indian government with the Aadhaar database. They have have made similar claims for that database, yet on several occasions, it's been proven that they have had massive data breaches, both in the access portal and in the basic encoding system of the Aadhaar ID card itself.

I don't know if I believe Estonia when they say they've had no data breaches or problems whatsoever, or if that's just bluff and bluster. Maybe that's something I could look into a little more in-depth.

Yes.

I'd like the opportunity to go back and reread the report with that question in mind, but I think I admire the audacity of the report to cross potentially a third rail of how our political parties are supposed to be regulating themselves on these issues. That, in my observation, went further than Information Commissioner Denham's recommendation to put an ethical pause on micro-targeting.

I do appreciate that. I think this is the main question for multiple governments around the world. How does the exemption of political targeting break down the whole system? In the case of Cambridge Analytica, political data was used for commercial purposes, and commercial data was used for political purposes. It's quite difficult—

It's an important start. The level of transparency required to hold this kind of advertising accountable needs to be maximal, I believe. For example, most Facebook users are not aware that political parties and campaigns upload their voter registration files into Facebook to target them individually, by name. The way you find that in the Facebook interface is very difficult, and it doesn't show that one-to-one level marketing in even Facebook's transparency tool that it launched here in Canada.

I think the maximum amount of disclosure will be beneficial to concerned citizens as well. I think it comes down to that granular level. You should know that you've been targeted as an individual voter for particular messages, rather than the segmentations that they claim. Also, people need to know if they've been assigned to what's called a “lookalike audience” as well. That creates a similar kind of one-to-one targeting without your name being attached to it.

I would advocate for as much disclosure as possible when it comes to political advertising, and maybe advertising in general.

I think the banking idea is not a bad one. That is a highly regulated industry accustomed to things such as very intense audits, keeping paper trails, and doing everything by the book—hopefully. I think they are definitely a good industry to lean on; however, I would be very, very cautious about how you allow the data to then be used in other ways. I would make very bright lines with whoever you go with to lean on and use their expertise and infrastructure, whatever, indicating what is acceptable and what is not. You can't budge or blur the lines here. This is a bright line, and these are the penalties if you break the line, and then enforce that if it happens.

Yes, I would caution against allowing the segmented siloed databases to talk to each other. If you need data, get it from the person the data belongs to, because if the databases can talk to each other, the data doesn't really belong to that individual citizen; they're just an optional gatekeeper at that point.

I think that if you mix and match administrators, that's basically the same thing as mixing and matching the databases. The administrators are just human, and humans want to eliminate work and make things as simple as possible, so that's where corners get cut.

I think the reaction to the Cambridge Analytica scandal worldwide shows that we have a visceral response to it. We don't know exactly why it upsets us, but it became a household name around the world overnight. To that specific thing, we understand that there are incentives at play, and the government doesn't have an incentive to profit from data or necessarily to use it for nefarious acts. There isn't the sense that there could be rogue actors abusing a system.

My opinion is that as long as breaches at the government level are protected against, as the sort of worst-case scenario, trust in digital government is much more possible than trust in digital advertising.

I would only add that this does speak to the issue of why Facebook needs to be held accountable. There's a study each year from Edelman called the “Trust Barometer”, and we saw that institutional trust declined in light of Facebook. Edelman went deeper for the first time and started to unpack what was happening, particularly with the trust in media, which is the part I get most concerned about in my role. The trust in journalism was going up or rebounding, and it was actually the trust in platform itself where the issue was. These platforms are embedded in our lives, and they start to affect trust in other areas, so the question of whether we could trust the media started to be impacted by what was going on with Facebook and the declining trust of that platform.

They just put out their new research three weeks ago, and there was a 30-point gap in trust between social media and traditional media. It worries me when you have a platform that's kind of gone awry and it starts to affect everything.

I think it's holding Facebook accountable. It forces them to raise the trust in their own product, which can be a very long term issue for them—they might be stuck in this bad cycle—and it raises the trust level in the entire platform.