Evidence of meeting #99 for Access to Information, Privacy and Ethics in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.)

A video is available from Parliament.

Also speaking

Daniel Therrien  Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
Chris Vickery  Director of Cyber Risk Research, UpGuard, As an Individual

9:20 a.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

We read about it.

9:20 a.m.

Conservative

Peter Kent Conservative Thornhill, ON

I wonder whether I could ask you for your impression of what he said. Were any of your concerns eased or heightened by his responses?

9:20 a.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

Not particularly. There have been many media reports. We're investigating Facebook, so again, what I'm saying relates to media reports and facts other than those I'm investigating. But I think it's fair to say that the public record is clear that Facebook has made many promises over the years to its users to rectify this or that, to put them in control of their personal information. This has been done year after year for a number of years, and Facebook is not the only company that acts this way.

9:20 a.m.

Conservative

Peter Kent Conservative Thornhill, ON

No, no, I realize that.

9:20 a.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

This leads me to accountability. Responsibility on the part of companies is necessary, but it is not sufficient. There needs to be an independent person to look at whether they're truly accountable.

9:20 a.m.

Conservative

Peter Kent Conservative Thornhill, ON

Thank you.

Let me ask a quick question to you, Mr. Vickery, and I certainly have more as we go through these two hours. Facebook has been maintaining, perhaps for reasons of liability, that this was not in fact a breach but simply a user abuse of the service conditions. We know about the breach associated with the Equifax scandal, for example, but would you consider this a breach of another sort?

9:20 a.m.

Director of Cyber Risk Research, UpGuard, As an Individual

Chris Vickery

I have been asked that, and my answer would be, yes, I would. However, I need to explain that in my work, I draw a line of classification between a malicious breach and a non-malicious breach. I would classify this as not necessarily a malicious breach, but it was a violation of the expected way in which this data would be handled in that it was gathered under the guise of academic research not to be utilized for commercial or other purposes—and clearly it was. It did cross that boundary. Facebook asked that it be deleted, etc. We all know that tale.

I would call it a data breach, but only [Technical difficulty—Editor] the difference between a hack and a different type of data breach.

9:20 a.m.

Conservative

The Chair Conservative Bob Zimmer

Thank you, Mr. Kent.

Next up, for seven minutes, is Mr. Angus.

April 17th, 2018 / 9:20 a.m.

NDP

Charlie Angus NDP Timmins—James Bay, ON

Thank you, gentlemen. This has been very, very eye-opening.

I'd like to start with you, Mr. Therrien. In 2008, CIPPIC, the Canadian Internet Policy and Public Interest Clinic, launched its complaint, with your predecessor, on Facebook. At that time, they identified the issue of third party applications as a threat to privacy.

In the world of 2008, there was much a feeling, and I was very much in that world, of a deregulated Internet—you know, let them build—and Facebook was a fun place to meet former people from high school. Ten years later, it has morphed into the primary source of news—false news, real news—and has become the major, dominant player in many of the elections around the world.

Looking at the European data protection supervisor who says that the result of Facebook's dominant control are growing political extremism and isolation and political points of view, I want to ask you, looking back on that 2008 review, about those third party applications. Would it have made a difference if the Privacy Commissioner had come down harder? Did you have the tools at that time to address those breaches? And now, in light of what we're seeing with Cambridge Analytica, do we need really much stronger tools to be able to address these issues?

9:20 a.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

I should start by saying that one of the issues we'll be looking at this time is whether Facebook in 2018 continues to respect the conditions to which they agreed to in 2008 and 2009. In 2008-09 my office, of course under another commissioner, was satisfied that Facebook had done certain things to comply with recommendations that the OPC had made. You're right to say that there is some similarity in the issues between the investigation then and the current set of facts and that wording with the use of information by third party applications. All of this is to say that we'll look at that question again.

Would stronger powers have made a difference? At the time, and still today, all that the OPC can do is make recommendations, not order anything. To be able to order certain conduct would certainly have helped. Would it have prevented this? Perhaps not.

I think the combination of a number of measures, with clearer rules around consent—clearly, the rules around consent are extremely unclear, which I've addressed in my report and you've addressed as a committee in your report—is part of the solution. Another important part of the solution is that the regulator, the OPC, be able to inspect the activities of companies proactively, not only when a complaint is made, to ensure that they are truly accountable. To wait until complaints are filed means that the problem needs to have been identified by an individual. Because of the opaqueness of the system, that will be rare. That's why I'm saying that part of the solution is also the authority to inspect without grounds, so that we can verify, and order-making and fines would have made a difference. Would it prevent everything? No.

9:25 a.m.

NDP

Charlie Angus NDP Timmins—James Bay, ON

No. But I guess my concern is that given what we've seen with the allegations coming out of Myanmar, and allegations or concerns being raised in Iceland about Facebook's election day app identifying people to go vote, it has a huge impact on the voting system. We have a provincial election in Ontario. My Facebook feed is full of ads that I can tell are not from any political party, but somebody's putting them out there.

Whether or not the frame of privacy is enough, Facebook seems to see itself as beyond jurisdiction. Do we need to have a larger, more robust form of legislation that involves perhaps the electoral commission, perhaps media standards in terms of the proliferation of fake news? The concern about privacy here is about the ability to target individuals and to then feed them fake information. This is the allegation that came out of Brexit and Nigeria: that those people can significantly move voters through their friend circuits.

You don't have the powers to handle all of those. How do we as a nation bring massive data monopolies to the table to be accountable?

9:25 a.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

You're right that there are many issues, or I would call them regulatory areas, to cover. Whether they should be covered in one piece of legislation or in several I leave to you, but I certainly agree that the big tech giants play on a number of consequences regulated under many laws. You have identified privacy and elections, and I think also perhaps monopolies: are they a utility offering a public service as opposed to a company that gathers information to give a service and in the meantime makes certain profits? That's another question.

All of these questions are relevant. They are all relevant, they all need to be addressed. I'm not sure mechanically how it works, but I think generally they should all be looked at. The regulators should be able to talk to one another, because these issues intersect.

9:25 a.m.

NDP

Charlie Angus NDP Timmins—James Bay, ON

Would you suggest that this is something our committee needs to look at in terms of how we actually ensure that we have legislation that defends the democratic integrity and rights of citizens in the face of digital monopolies? Is that something that you think our committee could take up to provide recommendations on?

9:30 a.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

9:30 a.m.

NDP

Charlie Angus NDP Timmins—James Bay, ON

Thank you.

9:30 a.m.

Conservative

The Chair Conservative Bob Zimmer

Thank you, Mr. Angus.

Next up for seven minutes is Mr. Saini.

9:30 a.m.

Liberal

Raj Saini Liberal Kitchener Centre, ON

Good morning, Mr. Therrien and Mr. Vickery. Thank you very much for being here, especially you, Mr. Vickery. I'm not really a morning person, so I can only imagine 6:30 a.m. in California.

Mr. Therrien, I want to start with you, please. There have been differing reports as to the number of Facebook profiles that were affected. Mr. Wylie has said 50 million. Facebook has said 87 million. Can you tell us how many Facebook accounts were affected by this breach in Canada?

9:30 a.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

We are relying at this point on the data that Facebook is providing to us. Facebook explained the variation in numbers essentially by saying that they themselves don't know precisely. The 87 million number I think is a function of how many people used the application, the quiz, that was at the origin of this, according to the allegations.

9:30 a.m.

Liberal

Raj Saini Liberal Kitchener Centre, ON

So that quiz you're talking about....

Sorry.

9:30 a.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

Then they make assumptions as to how many friends this leads to. There is a chain at play here. So even Facebook does not know precisely how many people have been affected.

9:30 a.m.

Liberal

Raj Saini Liberal Kitchener Centre, ON

According to the reports, the company that did the survey had downloaded or had access to 270,000 people who filled out the survey, and it looks like the average was 322 or 332 friends to come up with this number of 87 million. So you're relying on Facebook, but you're not 100% guaranteed of how many Canadian profiles were actually affected.

9:30 a.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

Not at this point. We'll of course try to nail the number down in terms of the number of Canadians during our investigation.

9:30 a.m.

Liberal

Raj Saini Liberal Kitchener Centre, ON

Facebook has stated that they would be sending out notifications to the people in Canada who were affected by this breach. Do you know whether all Canadians have been informed, yes or no?

9:30 a.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

I don't know that. It has begun, but has it been completed...? It has begun.

9:30 a.m.

Liberal

Raj Saini Liberal Kitchener Centre, ON

Okay.

Now, you've also stated in the media that you will be joining the investigation in B.C. with the privacy commissioner's office there. We know that in the last few weeks, the U.K. information office in London, England, has raided the offices of Cambridge Analytica, so a lot of information will be retained or discovered through that process. Do you have any ability to work with the U.K. information office to make sure that with regard to the information that has been discovered, you would have access to that to help in your own investigation in Canada?