Evidence of meeting #99 for Access to Information, Privacy and Ethics in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.)

Also speaking

Daniel Therrien  Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
Chris Vickery  Director of Cyber Risk Research, UpGuard, As an Individual

10:30 a.m.

Director of Cyber Risk Research, UpGuard, As an Individual

Chris Vickery

Yes, absolutely.

10:30 a.m.

NDP

Charlie Angus NDP Timmins—James Bay, ON

Okay. Thank you.

I'm concerned about the cryptocurrency issue you mentioned and these ad networks they were setting up, because one of the things that Christopher Wylie stated was that the real money wasn't in elections. The real money was after.... He talked about the ability to influence governments if you've got the right government in. With AggregateIQ, does it look like this database is being used for other commercial purposes that would have furthered their interests?

10:30 a.m.

Director of Cyber Risk Research, UpGuard, As an Individual

Chris Vickery

The potential is there.

I want to emphasize that I see AggregateIQ more as a division of a larger entity. You could think of them being more like a development department within a larger corporation.

10:30 a.m.

NDP

Charlie Angus NDP Timmins—James Bay, ON

Who is that larger corporation?

10:30 a.m.

Director of Cyber Risk Research, UpGuard, As an Individual

Chris Vickery

I would say that corporation is likely to be thought of as SCL. I see their goals and end points aligning in parallel.

10:30 a.m.

NDP

Charlie Angus NDP Timmins—James Bay, ON

Thank you.

10:30 a.m.

Conservative

The Chair Conservative Bob Zimmer

Thank you, Mr. Angus.

We'll go to Monsieur Picard for seven minutes.

10:30 a.m.

Liberal

Michel Picard Liberal Montarville, QC

I would like to come back to the theme of our study, that is, the information that we describe as personal and what we do with it. The different possible scenarios aside, I believe that the use of this information by a company is only an ancillary dimension of the essential problem that we have to study.

I have two questions, which I will illustrate with two scenarios. Based on those scenarios, I would like your comments on my understanding of the problem.

My questions are as follows. Is the government's role to define in detail what constitutes personal information? Or would the role of the government be to ban any transaction that contains this personal information?

Here are my two scenarios.

In the first, I do business with a book supplier: Amazon, as it happens. I find it normal and expected that, when I purchase my first book or on a subsequent visit, Amazon will suggest a number of other books based on the preferences of other readers, or buyers, or just simply based on my own history of buying books from Amazon. In establishing my relationship with the company, I provided it with a certain amount of personal information, so that it can provide me with a service based on its expertise in this area.

Here is my other scenario. I am naive enough to announce that, in a month, I will be going on a cruise for a week. It would not be surprising if a user who reads my Facebook feed and works in a travel agency contacts me to let me know about some cruise-related deals. Nor should I be surprised at the risk of my house being broken into during the one-week absence I announced. Both the criminal and the travel agent used my personal information, but I was the one who made it public. This is personal information that I shared on Facebook with my friends and followers, which is the service that the social network offers. So I made that information public.

Let me go back to my questions. Both scenarios describe realistic situations. Who is responsible for defining the granularity of personal information? Each type of company requires different categories of information. In addition, to the extent that a transaction depends on the expertise of the company—such as Amazon—of which I am a customer, I do not expect that company to sell my personal information to another company for purposes, including commercial solicitation, other than those established in my relationship with Amazon, that is, buying books.

Which role do you think is better, or should we consider a mix of both?

Perhaps Mr. Therrien could answer first.

10:30 a.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

I'm going to expand on your questions. If I misinterpret them, please tell me.

Basically, individuals give certain information in order to get a service. One of the consequences is that information is communicated at the time the service is provided. In the case of Amazon, for example, the company uses the information of people who are like you or who share your interests, that is, people who have liked a particular book. I would say that too is personal information to an extent, within the meaning of the definition of the term.

The conclusion that Amazon takes from your interests, for example, that you like detective novels, is actually the result of your personal information, but that conclusion itself becomes your personal information too: your actual or potential interest in detective novels is personal information about you.

The role of the state is to define what personal information is. In that respect, I think that the legislation is doing a good job, because it provides a very broad brush that provides me with the interpretation that I am giving to you.

Is it the role of the government to prohibit the use of personal information? No. The use should be regulated, but it should not be prohibited.

Have I answered your question?

10:35 a.m.

Liberal

Michel Picard Liberal Montarville, QC

Yes. Thank you.

Mr. Vickery, do you have anything to add?

10:35 a.m.

Director of Cyber Risk Research, UpGuard, As an Individual

Chris Vickery

With regard to the usage of your personal information, just for starters, I agree that we need to define what personal information is. Everyone needs to understand what the rules are and to not have any ambiguity there. So yes, I would say that there need to be clear definitions that everyone plays by. The usage by Amazon is not one of “malintent”; it is to offer a better experience for you, and clearly to not be taken advantage of. Now, that does go up to some interpretation....

I think your other example of posting something on Facebook is a little different, in that you chose to post that. Facebook did not share that on your behalf. You put it up on your Facebook wall. It's clear that you opted in to show this to the world. Getting a few calls from a travel salesman might be the appropriate consequence of oversharing that data, and maybe you won't do it in the future, but that was totally your decision. There wasn't another company making the decision for you.

10:35 a.m.

Liberal

Michel Picard Liberal Montarville, QC

If a company looks at my line for the last two years and from analysis decides that my behaviour is such-and-such, and therefore another company starts to get in touch with me based on what is published publicly, it means that there's no bad intention anywhere. You cannot look at the end user as doing something wrong, but rather as using what is available to the company and proceeding.

10:35 a.m.

Director of Cyber Risk Research, UpGuard, As an Individual

Chris Vickery

I believe that's a very risky area to get into if you're saying that something you chose to put out in the public should be off limits. If you put something publicly on the public Internet, it's fair game for anybody in the public to view. Maybe the actions that companies take in response to that data being available could be seen as not so great; they'll deal with the reputational consequences of that when they decide to use that publicly available information.

10:35 a.m.

Liberal

Michel Picard Liberal Montarville, QC

Thank you.

10:35 a.m.

Conservative

The Chair Conservative Bob Zimmer

Thank you, Monsieur Picard.

10:35 a.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

Mr. Chair, if I may...?

10:35 a.m.

Conservative

The Chair Conservative Bob Zimmer

We're out of time, Mr. Therrien. My apologies. Do you have a brief comment?

10:35 a.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

Mr. Chair, I'll try to be brief on the notion of what is publicly available.

A number of things could be said, but one of the elements to bear in mind is this: did the person who put up the information as being publicly available realize that this was what they were doing? This goes to what information should be given to individuals so that they make the appropriate consent decisions. Many people have no clue what they're doing. That's one point.

Another point, to be brief, is that there are regulations currently in Canada that define publicly available information. They are outdated. I would encourage you to look at them.

10:40 a.m.

Conservative

The Chair Conservative Bob Zimmer

Thank you. I know that it's a difficult subject to be brief with.

Mr. Erskine-Smith, you have literally 20 seconds, and if you can use less, that would be great.

10:40 a.m.

Liberal

Nathaniel Erskine-Smith Liberal Beaches—East York, ON

Mr. Vickery, you've mentioned that you downloaded the information you accessed on GitHub. You've said today that you think there is a potential illegality with respect to using information for a commercial purpose for which it was not collected. Have you shared this information with the proper authorities, including our Privacy Commissioner? If not, would you be willing to do so?

10:40 a.m.

Conservative

The Chair Conservative Bob Zimmer

A quick answer, please.

10:40 a.m.

Director of Cyber Risk Research, UpGuard, As an Individual

Chris Vickery

I was very quickly in contact with federal authorities in my country, and I am fully willing to co-operate with investigations that are relevant to Canada.

10:40 a.m.

Conservative

The Chair Conservative Bob Zimmer

Thank you, Mr. Vickery.

We're going to suspend and go into committee business. If all the guests who are not part of committee could exit as soon as possible, it would be appreciated.

Once again, thank you to Mr. Vickery and Mr. Therrien for testifying today.

[Proceedings continue in camera]