Evidence of meeting #155 for Access to Information, Privacy and Ethics in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was apple.
A video is available from Parliament.
10:30 a.m.
Liberal
Frank Baylis Liberal Pierrefonds—Dollard, QC
You mentioned that if they're not willing to self-regulate, you felt that they should be regulated. Did I understand that correctly?
10:30 a.m.
Vice-President, Global Policy, Trust and Security, Mozilla Corporation
What I was trying to say is that if we can't get better information....Transparency is the first step here, and it can be a really powerful tool. If we could have transparency and more notice to people about what political advertising they're seeing, that could go a long way toward helping to deal with these disinformation campaigns and this election manipulation. If we don't get that transparency, that's when it will be more reasonable for governments to try to step in and impose more restrictions. We think that's a second-best answer, for sure. That's what I think we were trying to get at.
10:30 a.m.
Liberal
10:30 a.m.
Liberal
Frank Baylis Liberal Pierrefonds—Dollard, QC
My older brother Charlie here has made an argument that some things should require consent—you talked about granular consent—while some things should just be prohibited. Do you agree with this line of thought?
10:30 a.m.
Vice-President, Global Policy, Trust and Security, Mozilla Corporation
We have said we believe that. We think it's important to recognize that there is a lot of value that people get out of different kinds of tools, even around things like health or financial or location information, so we want to give people that ability. Probably when you get to kids and certain kinds of health information, the bar needs to be very high, if not prohibited.
10:30 a.m.
Liberal
Frank Baylis Liberal Pierrefonds—Dollard, QC
My colleague here, my younger brother Nathaniel, has said that certain age things.... For example, we prohibit driving at a certain age and we prohibit drinking at a certain age. Are there any thoughts from the rest of the panel on this concept of just out-and-out prohibiting some data collecting, whether it's age related or some type of data? Do any of you have anything to add to that?
10:30 a.m.
Manager of User Privacy, Apple Inc.
In my earlier answers I talked about how we seek to leave the data on the user's device and under their control. I'd separate collection by a corporate entity from collection from a device that's under the user's control. Where possible, we want to leave that control in the hands of the users through explicit consent and through retaining the data on their device.
10:30 a.m.
Liberal
Frank Baylis Liberal Pierrefonds—Dollard, QC
If it's collected, but not used or seen by a corporation such as yours.... If the corporation has collected it and just held it, and then I can delete it or not, you see that as differentiated from collecting it for use elsewhere. Is that what you're saying?
10:30 a.m.
Manager of User Privacy, Apple Inc.
I do see collection from a company compared to being on the user's device as different. I almost wouldn't want to use the word “collection”. Maybe we should say “storage” or something.
10:30 a.m.
National Technology Officer, Microsoft Canada Inc.
I take pause when I try to answer that question, to be thoughtful around potential scenarios. I try to imagine myself as a parent and how these tools would be used. I really think it depends on the context in which that interaction occurs. A medical setting will be dramatically different from an online entertainment setting.
The context of the data is really important in managing the data, in terms of the obligations for safeguarding protections or even for the prohibition of collecting that data.
10:30 a.m.
Liberal
10:30 a.m.
Conservative
May 29th, 2019 / 10:30 a.m.
Liberal
Frank Baylis Liberal Pierrefonds—Dollard, QC
Leading into cloud computing, it sounds like a beautiful cloud, but there's no cloud. There's a physical server somewhere. That's what we're talking about. Let's forget the cloud; it's a physical server. The laws that apply to it depend on where that server actually sits.
We talk about Apple, Microsoft or Amazon—and Amazon, this is a big part of your business. If we Canadian legislators make a bunch of laws that protect Canada, but your server happens to be outside of Canada, our laws have zero impact.
Are you doing anything about aligning with government laws by making sure that these servers sit within the confines of the country that's legislating them?
10:35 a.m.
Director, Security Engineering, Office of the Chief Information Security Officer for Amazon Web Services, Amazon.com
We do have our data centres in multiple countries around the world, including Canada. There is legal control there, but we have to obey the laws of all the countries where we operate. Those laws may have extraterritorial impact as well.
10:35 a.m.
National Technology Officer, Microsoft Canada Inc.
We have delivered data centres in 54 regions around the world and we've put data centres here in Canada, in Toronto and Quebec City. I happen to be accountable for making sure that they're compliant with Canadian laws and regulations, be it the Office of the Superintendent of Financial Institutions, the federal government's legislation or provincial privacy legislation. It's critically important to us that we make sure we respect the local legal environment. We treat data that's stored in those data centres like a piece of paper. We want the laws to make sure that they treat that electronic information like the piece of paper.
We have been staunch advocates for the CLOUD Act, which helps to clarify the conflict of laws that are a challenge for multinational companies like ours. We abide by laws around the regions, but sometimes they conflict. The CLOUD Act hopes to set a common platform for understanding around mutual legal assistance treaties, or to follow on from that—because we all understand that mutual legal assistance treaties are somewhat slow and based upon paper—this provides new legal instruments to to provide confidence to governments that their residents' information is protected in the same manner that it would be protected in local data centres.
10:35 a.m.
Conservative
The Chair Conservative Bob Zimmer
Thank you.
Thank you, Mr. Baylis.
It hasn't come up yet, so that's why I'm going to ask the question.
We're here because of a scandal called Cambridge Analytica and a social media company called Facebook. We wanted to differentiate between who you are. You're not social media; social media was here yesterday. You're big data, etc.
I have a comment specifically for Apple. This is why we wanted Tim Cook here. He has made some really interesting comments. I'll read exactly what he said:
First, the right to have personal data minimized. Companies should challenge themselves to strip identifying information from customer data or avoid collecting it in the first place. Second, the right to knowledge—to know what data is being collected and why. Third, the right to access. Companies should make it easy for you to access, correct and delete your personal data. And fourth, the right to data security, without which trust is impossible.
That's a very strong statement. Apple, from your perspective—and I'm also going to ask Mozilla—how do we or how would you fix Facebook?
10:35 a.m.
Manager of User Privacy, Apple Inc.
I don't know that I would presume to even understand the aspects of Facebook enough to fix it.
What I know we can focus on is primarily two ways. I always put technological solutions first. What we want to do is put the user in control of the data and of access to the data on their device. We've taken it upon ourselves as part of our platform to put the operating system as a barrier between applications and the user's data, and to require that user's consent, as mediated by the operating system, to come in between that app and its data. This is a set of things that we've evolved over time.
You've heard comments today about trying to keep usability front of mind as well, so we're trying to keep things clear and simple for users to use. In doing that, we've built refinements into our technology platform that allow us to expand that set of data that the operating system.... Again, this is separate from Apple, the corporate entity. The operating system can take a step forward and put the user in control of that access.
That's a process that we're going to remain committed to.
10:35 a.m.
Conservative
The Chair Conservative Bob Zimmer
To me, changing legislation around this is very difficult, given all the parameters that are around us. It might be simpler for somebody like Tim Cook and an ideology that considers users as paramount. It might be simpler for Apple to do this than for legislators around the world to try to pull this off. However, we're giving it a soldier's try. We're definitely trying.
Mr. Davidson, do you have any comment on how we fix Facebook?
10:40 a.m.
Vice-President, Global Policy, Trust and Security, Mozilla Corporation
It's very hard from the outside to decide how to fix another company. I think a lot of us are really disappointed in the choices they've made that have created concern among a lot of people and a lot of regulators.
Our hope would be for privacy and more user control. That's a huge starting point.
I guess if I were going to say anything to my colleagues there, it would be to be a little less short term in their thinking about how to address some of these concerns. I think they have a lot of tools at their disposal to give people a lot more control over their information.
There are a lot of tools in the hands of regulators right now to try to make sure we have good guardrails around what companies do and don't do. Unfortunately, it sets a bad standard for other companies in the space when people aren't obeying good privacy practices.
We all can do things on our side too. That's why we built the Facebook container in our tracking tools: to try to give people more control.
10:40 a.m.
Conservative
The Chair Conservative Bob Zimmer
Thank you for your answer.
I'm getting signals for questions again. We'll start with my co-chair and we'll go through our normal sequencing. You'll have time. Don't worry.
We'll go to Mr. Collins to start it off.
10:40 a.m.
Chair, Digital, Culture, Media and Sport Committee, United Kingdom House of Commons
Thank you.
I will start with Mr. Ryland and Amazon.
Following on from the chair's comments about Facebook, if I connect my Amazon account to Facebook, what data am I sharing between the two platforms?
10:40 a.m.
Director, Security Engineering, Office of the Chief Information Security Officer for Amazon Web Services, Amazon.com
I'm not familiar with any way in which you do connect your Facebook account to Amazon. I know that Amazon can be used as a log-in service for some other websites, but Facebook is not one of those. I'm not familiar with any other connection model.
10:40 a.m.
Chair, Digital, Culture, Media and Sport Committee, United Kingdom House of Commons
You're saying you can't do it. You can't connect your Facebook and Amazon accounts.
10:40 a.m.
Director, Security Engineering, Office of the Chief Information Security Officer for Amazon Web Services, Amazon.com
As far as I know, that's true. I'll follow up to make sure that's true.
