Information & Ethics Committee on May 29th, 2019

But you still want to do business with the bad guys.

Thank you.

I want to go back to Mr. Ryland and my earlier question in relation to Amazon displaying the names and email addresses of customers. Were you categorical that it did not happen?

I'm certainly not familiar with the incident. I don't believe so, but we'll follow up.

There were two articles on November 21, 2018, in The Guardian and The Telegraph. Both of them stated that Amazon suffered a major data breach that caused the names and email addresses of customers to be disclosed on its website.

I'd be happy to follow up on that.

Thank you. I just wanted to clarify that. It's very much on the record.

I have a question about data portability and the GDPR principle. It struck me as an issue.

In terms of big data, it's where it sits, how it's housed and what form it's kept in, etc. Is that something you embrace? Do you want to hold proprietary data, so that it's exclusive to your corporation, or is it something you're comfortable with using open formats to share? Where are each of you at on data portability at the moment?

We think access and data portability are extremely important parts of the GDPR and are actually really important pillars of any good privacy rules. Not only that, but they also could have a positive effect in the competition space. We think there's a lot of promising work to be done in not just getting people to be able to see what people have—and we do that when we hold data—but also in making it useful.

It's not just, “I can download my entire Facebook corpus of data”—which I've done and people should do, and it's really interesting—but it's also making it useful, so that I could take it somewhere else if I wanted to.

We're committed to the GDPR and the data portability principles. The big question comes around the interoperability of those profiles or that data, and making sure that you can move them from one place to another in a format that's appropriate. The jury is still out about where people want to move their data and in what formats.

Microsoft has advanced on that. I know at one stage there was an alleged issue at Microsoft in terms of proprietary formats, but I know now there's always an option to “save as” in a more open format. Is that where you've gone with that?

Absolutely. We've even seen in cloud computing the industry move to take arbitrary activities and move them from one place to another. That's something that we've embraced. We've also looked to the open-source/open data community for advice and guidance.

In the expectation of GDPR, Apple launched a data and privacy portal. Users can download their personal information, both under access and under portability, in human and machine-readable formats.

Speaking for Amazon web services, where I work, importing and exporting are fundamental capabilities of our platform. We never have an import service that doesn't have an accompanying export service, whether they are virtual machine formats or other kinds of import/export data formats. We have tools always going bidirectionally.

We also work a lot with the open-source community for the portability of application codes and so forth. For example, a lot of our platforms are supporting things like docker formats for containers, Kubernetes for cluster management and so forth. Users can very readily create highly portable systems and data portability across platforms. That's something customers expect, and we want to meet those customer needs.

You're saying it's the likes of Apache and the open-source foundations and those sorts of guidelines. We're merging open standards, and I suppose they're being embraced to an extent, or maybe they were pre-GDPR-type community concepts, but they're pretty much across the board now. Is that the case?

Absolutely.

Yes, okay. That's very good. Thank you.

Thank you, Chair.

Mr. Davidson, you mentioned earlier in a reply to Mr. Baylis that with regard to political ads, your first preference was for company action to promote transparency. I'd like to highlight two instances in which it seems that company action has fallen short.

In April 2018, Facebook implemented new rules for political ad transparency. They acknowledged they were slow to pick up foreign interference in the 2016 U.S. elections. They said they were increasing transparency around ads and that this would increase accountability, yet in late October 2018, Vice News published a report showing how easy it was to manipulate the so-called safeguard that Facebook had put in place. The reporters had been required to have their identification verified as having U.S. addresses before they could buy ads, but once verified, the reporters were able to post divisive ads and lie about who paid for them.

That's for Facebook.

Separately, in August 2018, Google said it had invested in robust systems to identify influence operations launched by foreign governments, but shortly after that, a non-profit organization, Campaign for Accountability, detailed how their researchers had posed as an Internet research agency and bought political ads targeting U.S. Internet users. According to CFA, Google made no attempt to verify the identity of the account and they approved the advertisements in less than 48 hours. The adverts ran on a wide range of websites and YouTube channels, generating over 20,000 views, all for less than $100.

Therefore, it does not sound as if the platforms are anywhere close to fulfilling their assurance to safeguard against foreign interference.

Would you agree with that?

I think we clearly have a long way to go, absolutely, and it's been frustrating for those of us working in this space because we think that ad transparency is an incredibly important tool in being able to do this, and the other tools are not as good.

Yes. It does not seem that it's a technical problem per se, because the researchers flagged that they used the Russian IP address to access Google's Russian advert platforms and supply the details of the Internet research agency, and they went as far as to pay for the adverts using Russian rubles.

That seems to suggest to us that it's more about a desire to sell ads rather than to cut foreign interference.

I'd caution you a little. The jury is still out. It's still early days. There's a lot more to do, I think. Perhaps the experience in the parliamentary elections in Europe and the elections in India will be informative. That's where people were trying to take much more proactive steps. I think we need to be able to assess that. That's partly why transparency is important.

Platforms need to do more, but as somebody else among your colleagues has pointed out, we should also look at who is perpetrating these acts—

Definitely, yes.