Information & Ethics Committee on May 29th, 2019

Thank you very much.

Good morning, Chair Zimmer, members of the committee, and international guests.

My name is Mark Ryland. I serve as the director of security engineering in the office of the chief information security officer at Amazon web services, the cloud computing division of Amazon.

Thank you for giving me the opportunity to speak with you today. I'm pleased to join this important discussion. I'd like to focus my remarks today on how Amazon puts security and customer trust at the centre of everything we do.

Amazon's mission is to be the earth's most customer-centric company. Our corporate philosophy is firmly rooted in working backwards from what customers want and continuously innovating to provide customers better service, more selection and lower prices. We apply this approach across all our areas of business, including those that touch on consumer privacy and cybersecurity.

Amazon has been serving Canadian customers since we first launched amazon.ca in 2002. Amazon now has more than 10,000 full-time employees in Canada. In 2018, we announced plans to create an additional 6,300 jobs.

We also have two tech hubs, one in Toronto and another in Vancouver. These are clusters of offices employing more than 1,000 software engineers and a number of supporting technical workers, building some of our most advanced global systems. We also have offices in Victoria for www.abebooks.com, and our AWS Thinkbox subsidiary in Winnipeg.

We operate seven fulfillment centres in Canada, and four more have been announced. They will all open this year, in 2019.

I would now like to talk about our cloud platform.

Just over 13 years ago, Amazon launched Amazon web services, which is our cloud computing business. Montreal is home to our AWS Canada region, which is made up of a number of distinct data centres. We launched AWS, because after over a decade of building and running amazon.com, we realized we had developed a core competency in operating massively scaled technology infrastructure and data centres. We embarked on a broader mission of serving developers and businesses with information technology services that they can use to run their own businesses.

The term “cloud computing” refers to the on-demand delivery of IT resources over the Internet or over private networks. The AWS cloud spans a network of data centres across 21 geographic regions around the globe. Instead of owning and maintaining their own data centres, our customers can acquire technology such as compute power, storage, and databases in a matter of seconds on an as-needed basis by simply calling an API or clicking a mouse on a graphical console.

We provide IT infrastructure and services in the same way that you just flip a switch to turn on the lights in your home and the power company sends you electricity.

One of this committee's concerns was democracy. Well, we're really democratizing access to IT services, things that only very large organizations could previously do, in terms of the scale involved. Now the smallest organizations can get access to that same type of very sophisticated advanced technology with simply a click of a button and just paying for their consumption.

Today AWS provides IT services to millions of active customers in over 190 countries. Companies that leverage AWS range from large Canadian enterprises such as Porter Airlines, Shaw, the National Bank of Canada, TMX Group, Corus, Capital One, and Blackberry to innovative start-ups like Vidyard and Sequence Bio.

I want to underline that privacy really starts with security. Privacy regulations and expectations cannot be met unless systems are maintaining the confidentiality of data according to their design. At AWS, we say that security is “job zero”, by which we mean it's even more important than a number one priority. We know that if we don't get security right, we don't really have a business.

AWS and Amazon are vigilant about the security and privacy of our costumers and have implemented sophisticated technical and physical measures to prevent unauthorized access to data.

Security is everyone's responsibility. While we have a world-class team of security experts monitoring our systems 24-7 to protect customer data, every AWS employee, regardless of role, is responsible for ensuring that security is an integral component of every facet of our business.

Security and privacy are a shared responsibility between AWS and the customer. What that means is that AWS is responsible for the security and privacy of the cloud itself, and customers are responsible for their security and the privacy of their systems and their applications that run in the cloud. For example, customers should consider the sensitivity of their data and decide if and how to encrypt their data. We provide a wide variety of encryption tools and guidance to help customers meet their cybersecurity objectives.

We sometimes say, “Dance like no one's watching. Encrypt like everyone is.” Encryption is also helpful when it comes to data privacy. In many cases, data can be effectively and permanently erased simply by deleting encryption keys, for example.

More and more, organizations are realizing the link between IT modernization offered by the cloud and a better security posture. Security depends on the ability to stay a step ahead of a rapidly and continuously evolving threat landscape, requiring both operational agility and the latest technologies.

The cloud offers many advanced security features that ensure that data is securely stored and handled. In a traditional on-premises environment, organizations spend a lot of time and money managing their own data centres, and worry about defending themselves against a complete range of nimble, continuously evolving threats that are difficult to anticipate. AWS implements baseline protections, such as DDoS protection, or distributed denial of service protection; authentication; access control; and encryption. From there, most organizations supplement these protections with added security measures of their own to bolster cloud data protections and tighten access to sensitive information in the cloud. They also have many tools at their disposal for meeting their data privacy goals.

As the concept of “cloud” is often new to people, I want to emphasize that AWS customers own their own data. Customers choose the geographic location in which to store their data in our highly secure data centres. Their data does not move unless the customer decides to move it. We do not access or use our customers' data without their consent.

Technology is an important part of modern life, and has the potential to offer extraordinary benefits that we are just beginning to realize. Data-driven solutions possess potentially limitless opportunities to improve the lives of people, from making far faster medical diagnoses to making farming far more efficient and sustainable. In addressing emerging technology issues, new regulatory approaches may be required, but they should avoid harming incentives to innovate and avoid constraining important efficiencies like economies of scale and scope.

We believe policy-makers and companies like Amazon have very similar goals—protecting consumer trust and privacy and promoting new technologies. We share the goal of finding common solutions, especially during times of fast-moving innovation. As technology evolves, so too will the opportunities for all of us in this room to work together.

Thank you. I look forward to taking your questions.

We will share.

Thank you, Mr. Chair.

We're pleased to be here today.

My name is John Weigelt. I'm the national technology officer for Microsoft here in Canada. My colleague Marlene Floyd, national director of corporate affairs for Microsoft Canada, joins me. We appreciate the opportunity to appear before this committee today. The work you've undertaken is important given our increasingly digital world and the impact of technology on jobs, privacy, safety, inclusiveness and fairness.

Since the establishment of Microsoft Canada in 1985, our presence here has grown to include 10 regional offices around the country, employing more than 2,300 people. At our Microsoft Vancouver development centre, over 700 employees are developing products that are being used around the world. Cutting-edge research on artificial intelligence is also being conducted by Ph.D.s and engineers at the Microsoft research lab in Montreal. That's in partnership with the universities there.

Powerful technologies like cloud computing and artificial intelligence are transforming how we live and work, and are presenting solutions to some of the world's most pressing problems. At Microsoft we are optimistic about the benefits of these technologies but also clear-eyed about the challenges that require thinking beyond technology itself to ensure the inclusion of strong ethical principles and appropriate laws. Determining the role that technology should play in society requires those in government, academia, business and civil society to come together to help shape the future.

Over 17 years ago, when Bill Gates asserted that “trustworthy computing” would be the highest priority at Microsoft, he dramatically changed how our company delivers solutions to the marketplace. This commitment was re-emphasized by our CEO, Satya Nadella, in 2016. We believe privacy is a fundamental human right. Our approach to privacy and data protection is grounded in our belief that customers own their own data. Consequently, we protect our customers' privacy and provide them with control over their data.

We have advocated for new privacy laws in a number of jurisdictions, and we were early supporters of the GDPR in Europe. We recognize that for governments, having computer capacity close to their constituents is very important. Microsoft has data centres in more regions than any other cloud provider, with over 100 data centres located in over 50 regions around the world. We're quite proud that two of these data centres are located here in Canada, in Ontario and Quebec.

Protecting our customers and the wider community from cyber-threats is a responsibility we take very seriously. Microsoft continues to invest over $1 billion each year in security research and development, with thousands of global security professionals working with our threat intelligence centre, our digital crimes unit, and our cyber-defence operations centre. We work closely with the Government of Canada's recently announced Canadian Centre for Cyber Security. We have partnered with governments around the world under the government security program, working towards technical information exchanges, threat intelligence sharing and even co-operative botnet takedowns. Further, Microsoft led the Cybersecurity Tech Accord, signed by over 100 global organizations that came together to defend all customers everywhere from malicious cyber-attacks and to do more to keep the Internet safe.

Microsoft was also proud to be a signatory to the Paris call for trust and security in cyberspace announced in November by French President Emmanuel Macron at the Paris peace summit. With over 500 signatories, it is the largest ever multi-stakeholder commitment to principles for the protection of cyberspace.

Another focus of your committee has been the increasing interference by bad actors in the democratic processes of numerous countries around the world. We fully agree that the tech sector needs to do more to help protect the democratic process. Earlier this week, we were pleased to endorse the Canada declaration on electoral integrity announced by Minister Gould.

Microsoft has taken action to help protect the integrity of our democratic processes and institutions. We have created the Defending Democracy program, which works with stakeholders in democratic countries to promote election integrity, campaign security and disinformation defence.

As part of this program, Microsoft offers a security service called AccountGuard at no cost to Office 365 customers in the political ecosystem. It is currently offered in 26 countries, including Canada, the U.S., the U.K., India, Ireland and most other EU countries. It's currently protecting over 36,000 email accounts. Microsoft AccountGuard identifies and warns individuals and organizations of cyber-threats, including attacks from nation-state actors. Since the launch of the program, it has made hundreds of threat notifications to participants.

We have also been using technology to ensure the resiliency of the voting process. Earlier this month, we announced ElectionGuard, a free, open-source software development kit aimed at making voting more secure by providing end-to-end verification of elections, opening results to third party organizations for secure validation, and allowing individual voters to confirm that their votes were counted correctly.

At Microsoft, we're working hard to ensure that we develop our technologies in ways that are human-centred and that allow for broad and fair access by everyone. The rapid advancement of compute power and the growth of AI solutions will help us be more productive in nearly every field of human endeavour and will lead to greater prosperity, but the challenges need to be addressed with a sense of shared responsibility. In some cases this means moving more slowly in the deployment of a full range of AI solutions while working thoughtfully and deliberately with government officials, academia and civil society.

We know that there is more that we need to do to continue earning trust, and we understand that we will be judged by our actions, not just our words. Microsoft is committed to continuing to work in deliberate and thoughtful partnership with government as we move forward in this digital world.

Thank you, and we're happy to receive your questions.

Members of the grand committee and the standing committee, thank you.

I'm here today because all is not well with the Internet. For sure the open Internet is the most powerful communications medium we've ever seen. At its best, it creates new chances to learn to solve big problems to build a shared sense of humanity, and yet we've also seen the power of the Internet used to undermine trust, magnify divisiveness and violate privacy. We can do better, and I'm here to share a few ideas about how.

My name is Alan Davidson. I'm the vice-president for policy, trust and security at the Mozilla Corporation. Mozilla is a fairly unusual entity on the Internet. We're entirely owned by a non-profit, the Mozilla Foundation. We're a mission-driven open-source software company. We make the Firefox web browser, Pocket and other services.

At Mozilla we're dedicated to making the Internet healthier. For years we've been champions of openness and privacy online, not just as a slogan but as a central reason for being. We try to show by example how to create products to protect privacy. We build those products not just with our employees but with thousands of community contributors around the world.

At Mozilla we believe the Internet can be better. In my time today, I would like to cover three things: first, how privacy starts with good product design; second, the role of privacy regulation; and third, some of the content issues that you folks have been talking about for the last few days.

First off, we believe our industry can do a much better job of protecting privacy in our products. At Mozilla we're trying to do just that. Let me give you one example from our work on web tracking.

When people visit a news website, they expect to see ads from the publisher of that site, from the owner of that website. When visitors to the top news sites, at least in the U.S., visit, they encounter dozens of third party trackers, trackers from sites other than the one that they're visiting, sometimes as many as 30 or 40. Some of those trackers come from household names and some of them are totally obscure companies that most consumers have never heard of.

Regardless, the data collected by these trackers is creating real harm. It can enable divisive political ads. It can shape health insurance decisions and is being used to drive discrimination in housing and jobs. The next time you see a piece of misinformation online, ask yourself where the data came from that suggested that you would be such an inviting target for that misinformation.

At Mozilla we've set out to try to do something about tracking. We created something we call the Facebook container, which greatly limits what Facebook can collect from you when you're browsing on Firefox. It's now, by the way, one of the most popular extensions that we've ever built. Now we're building something called enhanced tracking protection. It's a major new feature in the Firefox browser that blocks almost all third party trackers. This is going to greatly limit the ability of companies that you don't know to secretly track you as you browse around the web.

We're rolling it out to more people, and our ultimate goal is to turn it on by default for everybody. I emphasize that because what we've learned is that creating products with privacy by default is a very powerful thing for users, along with efforts like our lean data practices, which we use to limit the data that we collect in our own product. It's an approach that we hope others adopt, because we've learned that it's really unrealistic to expect that users are going to sort through all of the privacy policies and all the different options that we can give them to protect themselves. To make privacy real, the burden needs to shift from consumers to companies. Unfortunately, not everybody in our industry believes that.

Let me turn to my second point, which is that we believe that regulation will be an essential part of protecting privacy online. The European Union has been a leader in this space. Many other companies around the world are now following suit and trying to build their own new data protection laws. That's important because the approach we've had for the last two decades in our industry is clearly not working anymore. We've really embraced in the past this notion of notice and choice: If we just tell people what we're going to collect and let them opt out, surely they'll be fine. What we found is that this approach is really not working for people. We've been proponents of these new data protection rules, and we hope you will be too.

We believe that a good privacy law should have three main components. It needs clear rules for companies about what they can collect and use; it should have strong rights for individuals, including granular and revocable consent about specific uses; and it should be implemented within an effective and empowered enforcement agency, which is not always the case. We think that's an important component.

Critically, we believe that you can build those laws and you can include those components while still preserving innovation and the beneficial uses of data. That's why we're supporting a new federal privacy law in the U.S. and we're working with regulators in India, Kenya and in other places to promote those laws.

My third point is that given the conversation you have all had for the last few days, I thought it would be useful to touch on at least some of our views on the big issues of content regulation. Of all the issues being examined by the committee, we believe that this is the most difficult.

We've seen that the incentives for many in the industry encourage the spread of misinformation and abuse, yet we also want to be sure that our reactions to those real harms do not themselves undermine the freedom of expression and innovation that have been such a positive force in people's lives on the Internet.

We've taken a couple of different approaches at Mozilla. We're working right now on something we call “accountability processes”. Rather than focusing on individual pieces of content, we should think about the kinds of processes that companies should have to build to attack those issues. We believe that this can be done with a principles-based approach. It's something that's tailored and proportionate to different companies' roles and sizes, so it won't disproportionately impact smaller companies, but it will give more responsibility to larger companies that play a bigger role in the ecosystem.

We've also been really engaged in the issues around disinformation, particularly in the lead-up to the EU parliamentary elections that just happened. We're signatories to the EU Code of Practice on Disinformation, which I think is a very important and useful self-regulatory initiative with commitments and principles to stop the spread of disinformation. For our part, we've tried to build tools in Firefox to help people resist online manipulation and make better choices about and understand better what they're seeing online.

We've also made some efforts to push our fellow code signatories to do more about transparency and political advertising. We think a lot more can be done there. Candidly, we've met with mixed results from some of our colleagues. I think there is much more room to improve the tools, particularly the tools that Facebook has put out there for ad transparency. There is maybe some work that Google could do, too. If we can't do that, the problem is that we'll need stronger action from government. Transparency should be a good starting point for us.

In conclusion, I'd say that none of these issues being examined by the committee are simple. The bad news is that the march of technology—with artificial intelligence, the rise of the Internet of things and augmented reality—is only going to make it harder.

A concluding thought is that we really need to think about how we build our societal capacity to grapple with these problems. For example, at Mozilla we've been part of something called the responsible computer science challenge, which is designed to help train the next generation of technologists to understand the ethical implications of what they're building. We support an effort in the U.S. to bring back the Office of Technology Assessment to build out government's capacity to better understand these issues and work more agilely. We're working to improve the diversity in our own company and our industry, which is essential if we're going to build capacity to address these issues. We publish something every year called the “Internet Health Report”, which just came out a couple of weeks ago. It's part of what we view as the massive project we all have to help educate the public so that they can address these issues.

These are just some of the examples and ideas we have about how to work across many different levels. It's designing better products, improving our public regulations and investing in our capacity to address these challenges in the future.

We really thank you for the opportunity to speak with you today and we look forward to working with you and your colleagues around the world to build a better Internet.

Thanks.

Thank you.

Good morning, members of the committee, and thank you for inviting me to speak with you today about Apple's approach to privacy and data security.

My name is Erik Neuenschwander, and I've been a software engineer at Apple for 12 years. I worked as the first data analysis engineer on the first iPhone. I managed the software performance team on the first iPad, and I founded Apple's privacy engineering team. Today I manage that team responsible for the technical aspects of designing Apple's privacy features. I'm proud to work at a company that puts the customer first and builds great products that improve people's lives.

At Apple we believe that privacy is a fundamental human right, and it is essential to everything we do. That's why we engineer privacy and security into every one of our products and services. These architectural considerations go very deep, down to the very physical silicon of our devices. Every device we ship combines software, hardware and services designed to work together for maximum security and a transparent user experience. Today I look forward to discussing these key design elements with you, and I would also refer the committee to Apple's privacy website, which goes into far more detail about these and other design considerations in our products and services.

The iPhone has become an essential part of our lives. We use it to store an incredible amount of personal information: our conversations, our photos, our notes, our contacts, our calendars, financial information, our health data, even information about where we've been and where we are going. Our philosophy is that data belongs to the user. All that information needs to be protected from hackers and criminals who would steal it or use it without our knowledge or permission.

That is why encryption is essential to device security. Encryption tools have been offered in Apple's products for years, and the encryption technology built into today's iPhone is the best data security available to consumers. We intend to stay on that path, because we're firmly against making our customers' data vulnerable to attack.

By setting up a device passcode, a user automatically protects information on their device with encryption. A user's passcode isn't known to Apple, and in fact isn't stored anywhere on the device or on Apple's servers. Every time, it belongs to the user and the user alone. Every time a user types in their passcode, iPhone pairs that input with the unique identifier that iPhone fuses into its silicon during fabrication. iPhone creates a key from that pairing and attempts to decrypt the user's data with it. If the key works, then the passcode must have been correct. If it doesn't work, then the user must try again. We designed iPhone to protect this process using a specially designed secure enclave, a hardware-based key manager that is isolated from the main processor and provides an additional layer of security.

As we design products, we also challenge ourselves to collect as little customer data as possible. While we want your devices to know everything about you, we don't feel that we should.

For example, we've designed our hardware and software to work together to provide great features by efficiently processing data without that data ever leaving the user's device. When we do collect personal information, we are specific and transparent about how it will be used, because user control is essential to the design of our products. For example, we recently added a privacy icon that appears on Apple devices when personal information is collected. The user can tap on it to learn more about Apple's privacy practices in plain language.

We also use local differential privacy, a technique that enables Apple to learn about the user community without learning about individuals within that community. We have pioneered just-in-time notices, so that when third party apps seek to access certain types of data, a user is given meaningful choice and control over what information is collected and used. This means third party apps cannot access users' data like contacts, calendars, photos, the camera or the microphone without asking for and obtaining explicit user permission.

These and other design features are central to Apple. Customers expect Apple and other technology companies to do everything in our power to protect personal information. At Apple we are deeply committed to that because our customers' trust means everything to us. We spend a lot of time at Apple thinking about how we can provide our customers not only with transformative products, but also with trusted, safe and secure products. By building security and privacy into everything we do, we've proved that great experiences don't have to come at the expense of privacy and security. Instead, they can support them.

I'm honoured to participate in this important hearing. I look forward to answering your questions.

Thank you.

We support the privacy principles of user control, consent and so forth. We think the actual legislation is new enough and creates some burdens that we don't think directly impact user privacy in a positive way. While we're fully compliant and fully supportive of the principles, we don't necessarily think it's something that should be applied universally at this point.

Yes, as well as user control. That's really the key principle.

Yes, we would.

We believe that the user experience should be very smooth and clear, and that people's expectations should be very reasonably met. For example, with the Echo device, you use a mobile application to set up your device, and it makes it very clear what the privacy rules are.

It's not an explicit opt-in consent, but it makes it clear about the recordings and it gives you full control over the recordings. It gives a full list of recordings and the ability to delete any particular one, or all of them. It's a very explicit and clear user interface for that.

Possibly. There may be legal rulings that we.... That's part of the issue. A lot of specifics are unclear until there are more regulatory or judicial findings about what the exact meaning of some of the general principles is.