Evidence of meeting #155 for Access to Information, Privacy and Ethics in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was apple.
A video is available from Parliament.
9:10 a.m.
Liberal
9:10 a.m.
Conservative
9:10 a.m.
Conservative
Peter Kent Conservative Thornhill, ON
Thank you, Chair.
Thanks to all of our witnesses for appearing today.
My first question is for Mr. Ryland at Amazon.
In September of last year, your vice-president and associate general counsel for Amazon, Mr. DeVore, testified before a U.S. Senate committee and was very critical, I think it's fair to say, of the California consumer act that was passed.
Among the new consumer rights in that act that he was critical of was the right for users to know all of the business data that is collected about a user and the right to say no to the sale of that business data. It provides, in California, the right to opt out of the sale of that data to third parties. He said the act was enacted too quickly and that the definition of personal information was too broad.
I wonder if you could help us today by giving us Amazon's definition of protectable personal information.
9:10 a.m.
Director, Security Engineering, Office of the Chief Information Security Officer for Amazon Web Services, Amazon.com
First of all, let me say that I work in Amazon web services on our security and privacy of our cloud platform. I'm not a deep expert broadly across all of our privacy policies.
However, I will say that certain elements of consumer data are used in the core parts of business. For example, if we sell a product to a customer, we need to track some of that data for tax purposes and for other legal purposes, so it's impossible to say that a consumer has complete control over certain things. There are other legal reasons that data must sometimes be retained, for example.
9:10 a.m.
Conservative
Peter Kent Conservative Thornhill, ON
Have you had any users request or ask about the user data that has been collected about them and whether it has been sold?
9:10 a.m.
Director, Security Engineering, Office of the Chief Information Security Officer for Amazon Web Services, Amazon.com
Yes, absolutely.
First of all, we do not sell our customer data. Full stop.
Second, we have a privacy page that shows you all the data we have accumulated about you—your order history, digital orders, book orders, etc. We have a whole privacy page for our Alexa Voice Service. All that gives users control and insight into the data we're utilizing.
9:10 a.m.
Conservative
Peter Kent Conservative Thornhill, ON
Then despite Mr. DeVore's criticism, Amazon is complying with the California act and, I would assume, would comply with any other legislation passed anywhere in the world that was similar.
9:10 a.m.
Director, Security Engineering, Office of the Chief Information Security Officer for Amazon Web Services, Amazon.com
We will always comply with the laws that apply to us wherever we do business. Absolutely.
9:10 a.m.
Conservative
Peter Kent Conservative Thornhill, ON
Thank you.
I'd like to ask a question now to Mr. Davidson about Mozilla.
I know that Mozilla, with all of its good practices and its non-profit public benefit mandate, does work with Google and with Bing. I'm just wondering how you establish firewalls for user data accumulation that those two organizations would otherwise collect and monetize.
9:10 a.m.
Vice-President, Global Policy, Trust and Security, Mozilla Corporation
It's a great question. It's pretty simple for us. We just don't send data to them beyond what they would normally get from a visitor who visits their website—the IP address, for example, when a visitor comes and visits them.
We make a practice of not collecting any information. If you're using Firefox and you do a search on Bing or on Google, we don't collect anything, we don't retain anything and we don't transmit anything special. That has allowed us to distance ourselves, honestly, and we have no financial incentive to collect that information.
9:10 a.m.
Conservative
Peter Kent Conservative Thornhill, ON
I have a question for Mr. Neuenschwander.
In September of last year, the news broke that the Mac application Adware Doctor, which was supposed to protect Apple users from privacy threats, was in fact recording those users' data and delivering them to a server in China. Apple shut that down, but for how long was that exposure up? Have you determined who exactly was operating that server in China?
9:10 a.m.
Manager of User Privacy, Apple Inc.
I remember that event and the action the App Store team took on it. Off the top of my head, I don't remember exactly the exposure. I'd be happy to go back and look up that information and get back to you with it.
9:15 a.m.
Conservative
9:15 a.m.
Manager of User Privacy, Apple Inc.
At this time, I don't remember exactly how long that exposure was.
9:15 a.m.
Conservative
Peter Kent Conservative Thornhill, ON
This was, I understand, a very popular Mac application. How thoroughly do you research those applications in the reasonable capitalist rush to monetize new wonders?
9:15 a.m.
Manager of User Privacy, Apple Inc.
For applications that are free on the store, there's no monetization for Apple in the App Store.
Since we introduced the App Store, we've had both a manual review and, in more recent years, added an automated review of every application that's submitted to the store, and then for every update of the applications on the store. Those applications undergo a review by a dedicated team of experts on the App Store side.
There is a limit that we don't go past, which is that we don't surveil our users' usage of the applications. Once the application is executing on a user's device, for that user's privacy we don't go further and take a look at the network traffic or the data that the user is sending. That would seem creepy to us.
We continue to invest on the App Store side to try to have as strong a review as we can. As applications and their behaviours change, we continue to enhance our review to capture behaviours that don't match our strong privacy policies on the stores.
9:15 a.m.
Conservative
Peter Kent Conservative Thornhill, ON
For Microsoft and Ms. Floyd, in 2013 the European Commission fined Microsoft in the amount of some €561 million for non-compliance with browser choice commitments. There doesn't seem to have been any violation since. Does that sort of substantial fine teach lessons? We're told that even hundreds of millions of dollars or hundreds of millions of euros—even into the billion-dollar mark—don't discourage the large digital companies. I'm wondering about compliance and the encouragement to compliance by substantial financial penalties, which we don't have in Canada at the moment.
9:15 a.m.
National Technology Officer, Microsoft Canada Inc.
As we mentioned, trust is the foundation of our business. Any time there's a negative finding against our organization, we find that the trust is eroded, and it ripples throughout the organization, not only from the consumer side but also on the enterprise side.
That fine was substantive, and we addressed the findings by changing how we deliver our products within the marketplace, providing the choice to have products without that browser in place.
When we look at order-making powers here in Canada or whatnot, we can see that having that negative finding will really impact the business far more broadly than some of those monetary fines.
9:15 a.m.
Conservative
Peter Kent Conservative Thornhill, ON
Would you encourage the Canadian government to stiffen its regulations and penalties for non-compliance with privacy protection?
9:15 a.m.
National Technology Officer, Microsoft Canada Inc.
I would encourage the Canadian government to have the voice you have around how technologies are delivered within the Canadian context. We have people here locally who are there to hear that and change the way we deliver our services.
9:15 a.m.
NDP
Charlie Angus NDP Timmins—James Bay, ON
Thank you, Mr. Chair.
I was talking to my friend at Apple about how I bought my first Mac Plus in 1984 with a little 350k floppy disk, and I saw it as a revolutionary tool that was going to change the world for the better. I still think it has changed the world for the better, but we are seeing some really negative impacts.
Now that I'm aging myself, back in the eighties, imagine if Bell Telephone listened in on my phone. They would be charged. What if they said, “Hey, we're just listening in on your phone because we want to offer you some really nifty ideas, and we'll have a better way to serve you if we know what you're doing”? What if the post office read my mail before I got it, not because they were doing anything illegal but because there might be some really cool things that I might want to know and they would be able to help me? They would be charged.
Yet in the digital realm, we're now dealing with companies that are giving us all these nifty options. This was where my colleague Mr. Erskine-Smith was trying to get some straight answers.
I think that as legislators, we're really moving beyond this talk about consent. Consent has become meaningless if we are being spied on, if we're being watched and if our phone is tracking us. Consent is becoming a bogus term, because it's about claiming space in our lives that we have not given. If we had old school rules, you would not be able to listen in on our phones and not be able to track us without our rights, yet suddenly it's okay in the digital realm.
Mr. Davidson, I'm really interested in the work that Mozilla does.
Is it possible, do you think, for legislators to put some principled ground rules down about the privacy rights of citizens that will not completely destroy Silicon Valley and they will not all be going on welfare and the business model will still be able to succeed. Is it possible for us to put simple rules down?
9:20 a.m.
Vice-President, Global Policy, Trust and Security, Mozilla Corporation
Yes.
I can say more.
