:
It being 3:30 p.m., I will call the meeting to order and extend to everyone here a warm welcome.
This meeting has been called pursuant to the Standing Orders and is our last meeting to deal with witnesses on our study of the street-imaging applications Google, Canpages, etc. The committee has before it four witnesses today. Two of them are coming to us through video conference.
We have Mr. Jacob Glick, Canadian policy counsel with Google Inc. He is joining us from Toronto via telephone conference. We're also joined by Alma Whitten, who is the engineering lead for privacy for the worldwide Google organization. She also is joining us via telephone conference, from London, England.
In addition, we have two officials from the Yellow Pages Group Co., which recently, I understand, purchased the Canpages operation. We have François Ramsay, senior vice-president, general counsel, and secretary responsible for privacy, and Martin Aubut, senior manager for social commerce.
I want to welcome everyone here to the meeting, but before we ask for any opening remarks, I want to ensure that our technology is working.
Mr. Glick, are you on the line? Can you hear me?
:
Thank you, Mr. Chairman.
Thank you for inviting us to the committee. It is a pleasure to appear in front of you.
With me this afternoon is Martin Aubut, who is senior manager, social commerce, of the Yellow Pages Group. Martin is an expert on the Internet. I thought having him with me today could be useful should your questions touch on issues that I am less familiar with.
In addition to my responsibilities as general counsel of Yellow Media Inc., the ultimate parent company of Canpages and Yellow Pages Group, I am the acting privacy officer of the company.
I thought I would start by giving you a brief introduction of Yellow Pages Group, also known as YPG, which acquired Canpages in June 2010.
Yellow Media Inc. is a leading Internet company in our network of companies, which includes Yellow Pages Group, Trader Corporation, and Canpages. Yellow Media owns and operates some of Canada's leading properties and publications, including Yellow Pages directories, YellowPages.ca, Canada411.ca, AutoTrader.ca, CanadianDriver.com, RedFlagDeals.com, and LesPAC.com.
Our online destinations reach over 11.5 million visitors monthly, and our mobile applications for finding local businesses, deals, and vehicles have been downloaded over two million times. We're also a leader in national digital advertising through Mediative, a provider of digital advertising and marketing solutions to national agencies and advertisers.
Predecessors of YPG published their first directories in 1908. We have operations in all the provinces and territories of Canada. There are approximately 2,500 employees at YPG, 530 at Canpages, and 1,200 at Trader.
Through the acquisition of Canpages, we hope to be in a better position to compete with other major online players such as Google. We believe that our acquisition of Canpages will sharpen our online competitiveness by expanding our sales force, capabilities, and offerings, thus accelerating our move online.
If you factor in the sales professionals we have at YPG, Trader, and Canpages, we have approximately 2,000 people in the sales organization. We're looking at a better utilization of that tremendous sales capacity, targeted at small and medium-sized Canadian enterprises.
You should know that Street View, the service currently offered on Canpages.ca, is licensed from two third parties, one of which is MapJack, for parts of the cities of Vancouver, Toronto, and Montreal. Street View has been in effect since 2008; Google Street View is used for the rest of Canada.
Depending on where you are within our universe of websites, we are currently using Street View technology from Google and Microsoft, in addition to MapJack, the provider that Canpages has historically used.
I am pleased to confirm to the committee that Canpages' supplier of the Street Scene service, MapJack, has not been used to collect either Wi-Fi network data or Wi-Fi payload data. Therefore, we have never been in possession of any such data.
Yellow Media Inc., YPG, Trader, and Canpages are fully committed to abiding by the privacy legislation applicable to our business.
We would be pleased to answer any questions the committee may have.
Thank you.
:
Thank you to the committee chair and to all the members of the committee for this opportunity to speak with you today.
I've devoted my career both as an academic and now as Google's director of privacy to one primary goal, which is to make it intuitive, simple, and useful for Internet users to take control of their privacy and security.
This is really the central challenge of privacy engineering. Products and services, particularly on the Internet, constantly evolve. Valuable new services, from social networking to online video to mobile computing, are constantly changing the way in which we interact with each other and use information.
These services, which are built in part from the information that providers learn from their users, offer tremendous value. Our goal is to offer our users innovative products that help them understand the world in new and exciting ways.
In order to do what we do, in order to provide great user experiences, we rely on our users' trust. It is our greatest asset. The information our users entrust to us enables us to better match searchers to the information they seek, to fight off those who would scam our users or undermine the usefulness of our search results, and to create new services, such as translation, speech-to-text, and many others.
We focus on building transparency, user control, and security into our products. We constantly review, innovate, and iterate to make sure we are honouring our users' privacy expectations and security needs. Because our users' trust is so critical to us, it's very important to us to note that we do not sell our users' personal information.
The Google Dashboard is a cornerstone of our efforts. If you haven't seen this tool, I invite you to take a look at www.google.com/dashboard. We developed the dashboard to provide users with a one-stop, easy-to-use control panel for the personal information associated with their Google accounts, from Gmail to Picasa to Search, and to more than 20 other Google products.
With the dashboard, a user can see, edit, and delete the data stored with her individual Google account. She can change her privacy settings, see what she is sharing and keeping private, and click into the settings for any individual product.
I was adamant when we created the dashboard that we not make it seem strictly a privacy tool. Above all, I wanted it to be a useful tool that our users would come back to and interact with even when they weren't consciously thinking about privacy.
We took a similar approach with our advertising network. Our ads preferences manager, which is linked from every ad in our advertising network, allows users to opt out of ad targeting and learn about our privacy practices. Equally important, it allows users to look at the categories of ads they will see, select new interest categories, and remove ones that don't match their interests.
By offering this useful service, we hope to get more people to understand and confirm their privacy settings. Interestingly, we have seen that for every one user who visits this page and opts out, four choose to edit their preferences, while ten view the page and choose to do nothing.
These are great examples of transparency and control designed into products in a way that is prompting individual users to learn more about how to control their information, and we're proud of this track record.
However, despite our best efforts, on occasion we have made mistakes. As this committee is well aware, in May, Google disclosed that we had mistakenly included code in the software on our Street View cars that collected samples of Wi-Fi payload data—information that was sent over open, unencrypted Wi-Fi networks. To be clear, Google never used this mistakenly collected data in any product or service, and there was no breach or disclosure of personal information to any third party. As soon as we learned about this incident, we disclosed what had happened and acknowledged our mistake.
Google is working hard to fully and completely address this incident. We recognize that we need to do better.
My colleague Jacob Glick spoke to you in November about some of our plans to strengthen our internal privacy and security practices. These plans include additional responsibilities for me, which I would appreciate telling you a bit about today.
I'm excited by the opportunity bring greater robustness to our privacy and security practices in my new role. With my expanded responsibilities, I will have the chance to oversee and work with both the engineering and the product teams to help ensure that privacy and security considerations are built into all of our products.
While the duties that go with this role are big, I am confident that I will be supported with the resources and internal support needed to help Google do better. Further, I believe that Google's commitment to redouble its efforts around staff training will go a long way.
Mr. Glick mentioned this when he appeared before this committee on November 4, and I'm happy to elaborate on this further for you. We want to deputize every Googler in this effort. We want to make certain that each product we roll out meets the high privacy and security standards that our users expect of us.
We are an innovative company, creating new products each year that are helping to transform how we organize information and relate to each other as people. Our users' trust is the foundation that Google's business is built upon. We are committed to not taking that trust for granted.
I look forward to answering your questions.
Thank you.
:
Certainly. I would be happy to.
Let me first clarify a bit about what I was getting at in saying that we didn't want it to be only a privacy tool. As my privacy team works to build privacy tools and to build transparency and control into all of Google's products, one of the things we're very aware of is that there's very often a valid critique that these settings and options for users are buried underneath a privacy link or a privacy option where nobody ever actually goes.
We wanted to be ambitious about addressing that problem by making the dashboard as much as possible a place where people would simply go to see all the information in their account for all kinds of reasons: because they're looking for something or because it's useful to them in other ways. By doing that, it would keep them informed about the information, about the data that was in all the different Google services they might have used over time.
It would keep them informed about which services they might have used at one time, then forgotten about and never gone back to again, but that still have some of their data. They would be informed in this way even if they never had that moment of thinking that they should check on their privacy. We felt that was a way for us to reach, to protect, and to better serve more of our users, even if they weren't necessarily people who were already very conscious of privacy as a question.
:
That is an excellent question and I hope that I will be able to put the committee at ease by providing it with some assurances.
I can tell you that Canpages, actually Yellow Pages Group Co., is not a highly developed technology company. Neither Canpages nor Yellow Pages Group Co. have the technology inside the company to produce a service like Street Scene or Street View.
When Olivier Vincent came to address the committee in June 2009, he explained, if I am not mistaken, that we were right at the start of services like Street Scene.
Against that background, Canpages still had the foresight to require confidentiality assurances from its supplier. If I am not mistaken, Mr. Vincent told the committee that the company had committed to destroy and discard any image in which things like vehicle licence plates and faces, I believe, had not been blurred.
:
It would be inappropriate for me to speculate on that, because I'm not a U.S. lawyer.
Mr. Bill Siksay: Are you--
Mr. Jacob Glick: But there's no mystery. In fairness, I don't want to leave you thinking that there's some mystery law here that hasn't been identified. It's precisely what the commissioner said in paragraph 69, which is simply the “applicable laws...including laws of evidence”.
Mr. Chair, members of this committee will be aware that there are, for example, pending lawsuits in the United States related to this issue, so we need to ensure that the laws of evidence are respected. It's not to say that any decisions have been made one way or the other. As I said in my opening, I think everyone here wants the exact same outcome, which is the deletion of all this data.
If I can say on a personal note--
:
Just let me just double-check something.
Just on that point, I can give you my understanding of parliamentary law, and of course when you get into these international situations, it does become somewhat complicated. But Mr. Poilievre accurately stated that anything that's said before a parliamentary committee, including this committee, is subject to parliamentary privilege and, as a result, cannot be used in any courts, tribunals, or evidence-gathering bodies in Canada. What the Chair is not totally clear on—and I'm not going to opine on it—is whether that parliamentary privilege, which is well known, extends to other international bodies, like the U.S. Supreme Court. I don't have a definitive answer.
I don't know that answer, but I can tell you assuredly that anything said here—and that would include anyone who is testifying before the committee via teleconference—cannot be used in any other court, or tribunal, or body, for that matter.
:
Thank you for that question.
To clarify what I said, when I called the Privacy Commissioner in May to advise her of this unfortunate circumstance, I asked her what she wanted done with the data then. She asked that we preserve the data because perhaps she wanted to launch an investigation or review it in some manner. In fact, her office did launch an investigation and did review the data. We held on to the data at that time.
At the same time, conversations like this were happening in other places in the world. A level of analysis was done at that time in those other places. Where it was deemed appropriate by the local data privacy authority, and where it was deemed appropriate under the various legal systems, data was deleted.
We are now x number of months down the road, and we need to do that analysis given the circumstances of today, not the circumstances of May.
I'm still a little bit concerned about the actual process for making sure this never happens again. I was a bit surprised to learn that the engineer who made this assumption about whether it was a significant privacy breach is still employed by Google.
As we try to push responsibility for making decisions in organizations down as far as we possibly can, I'd like you to outline what special privacy training will actually look like. Will the offending engineer be the person delivering this as some sort of equivalent to community service? I don't understand how this person can excuse what they did. I don't understand why they're actually still working for Google.
In every sort of training I've ever done, whether it was with family practice residents or new candidates, the basics are: know what you know, know what you don't know, and know to whom and when to go for help. If people are making this gross kind of assumption about what is or isn't a privacy problem, I'd like to know what kind of curriculum you're going to deliver. What does “intense training” mean when somebody at that level has been able to pull off this rather massive breach with whatever previous training there was?
:
Thank you. That's an excellent question. I'm very glad to have a chance to answer it in more detail.
What the member said about making sure that you know what you don't know and that you know who to ask is very key to the training and the process improvements we're putting in place. It's very important for us to educate all of our engineers and product managers, but we're not going to be able to make them international experts in all aspects of privacy. If we were to aim to do that, it would not be setting up to succeed.
Above all, we want to educate them to not try to figure this out for themselves. Privacy is a complex topic, and addressing it properly within Google--or anywhere, really--requires a wide variety of expertise. It requires expertise in law, obviously and most certainly. It requires technical expertise to make sure there's a clear understanding of what exactly the technology is doing, what the systems are doing, and what the potential of that technology is. It requires expertise in the psychology of user understanding: of how the people who are going to interact with products will understand the options available to them. And it requires expertise in policy and communications in all of these things.
A very important point we will be making over and over again in our training is that individual engineers should never be making these judgment calls by themselves. We want to educate them on the privacy landscape and privacy concerns.
We want to very much educate them on Google's own articulated privacy principles of transparency, control, and responsible stewardship above all, but we also want to educate them very, very strongly and reinforce that education in many ways on the improved processes we are putting in place, to make sure that those fail-safes are there, that the thoughtful review is in place, and that individual engineers don't try to “lawyer” questions by themselves.
:
Well, let me take a step back. First of all, I understand that we have agreed with the report from the Privacy Commissioner's equivalent in the United Kingdom, who has accepted our desire to delete the data in the U.K. I don't know that we've actually deleted the data yet. That's the question that's open in my mind and I just don't know the answer to that.
But the same is true in the Canadian context, which is that we also want to, desire to, delete the data in the Canada context. The only question is whether we are allowed to under the law and we have to do the analysis to determine whether we can or not.
What I was saying earlier with respect to the Privacy Commissioner was that initially, in May, when I contacted her office, she asked that we retain the data so that they could review it as part of an investigation, which they did undertake and which they did complete. Now, having concluded that investigation, they are saying that we are free to delete the data. We accept that, and we want to delete it, but we have to conduct the proper legal due diligence.
I want to thank our guests for being here today and also our online guests for joining us.
I think it's important to take a step back and remember what got us into this study in the first place. It was the concern relating to Street View and the collection of images. But I think from my understanding of where we are at this point, we agree that it's a very useful tool and a worthwhile project. The privacy concerns that were initially at the forefront I think have largely been addressed, with the blurring of faces and licence plates and also the rapid removal of images upon the request of the users. I'm happy about that part.
As it relates to inadvertent data collection, I think all of us still have some concerns that this issue shouldn't have arisen, but I think Google has handled it in a very responsible way. We have legitimate concerns around this table, and I think all Canadians are concerned about the protection of their private information, but Google has, as I've said, taken positive steps to correct the mistake that was made. I, for one, appreciate that.
You've apologized for the error. You're taking concrete steps to ensure that this sort of situation doesn't reoccur. Also, as I understand it, you're working in close partnership with the Privacy Commissioner to be sure that you are in fact in compliance with Canadian law.
My question is to Dr. Whitten. It relates to the international aspect of privacy. Does Google have a privacy expert for each country? Or do the efforts of the privacy commissioners from the various countries, as they meet in their international conferences and work out some types of agreements across international boundaries, help you enough to create a level playing field so that there's not a need for an expert for each and every country?
:
Thank you for that question.
I would say it is really a combination of both. We do have local expertise on the ground in as many countries as possible--in fact, in most countries. I spoke to the earlier question from the member about the need to bring in all of these different kinds of expertise across legal and engineering functions.
We're also very conscious of that cross-culturally, and of the need for our privacy review to bring in perspectives from all of the different parts of the world where our products are going to be seen, used, and experienced. That's part of the reason why I am now based in Europe: to make sure that even in my own person I can bring in a little bit of extra balancing, having started out in the United States and then bringing that over there.
Canada is certainly one of the countries where we pay very, very close attention to the work of your Privacy Commissioner and to her voice on the international stage. We rely very heavily on Jacob's relationship and close communications with her office. We do similar things in all of the countries where we're present.
:
Yes, and there are a number of points I would make in response to that.
The first is that in the collection of basic Wi-Fi access point data in order to provide a geolocation service, which I will explain a little more in a moment, we were not being particularly innovative. We were latecomers to that field.
I'm aware of a number of companies in the United States, in Germany, and around the world that were already doing this: collecting the basic Wi-Fi access point information in order to provide geolocation services. In looking at this, we probably looked around and saw that this was already a standard in the industry and that in collecting the basic information we were not doing something new or different.
Just to provide clarity for what this information is and what the purpose of collecting it was for us, the simplest example I can give is to say that when you're standing on that street corner or you're in that taxi cab and you pull out your smartphone or your BlackBerry, it gives you a display of the wireless networks that it can see so that you can connect to them if they're open or if you're a subscriber to them. Exactly that information that your BlackBerry is seeing is what we would see and intend to collect. It's the information that is broadcast by every Wi-Fi service in order to allow people legitimately to see it and to connect to it.
The purpose of collecting this information is so that when I'm standing on that street corner and I want to use Google Maps, say, to give me directions to my destination, my cellphone, as part of that location service, can use the fact that it can see three different particular Wi-Fi networks, let's say, from where I am standing, as a way to detect my location in order to give me directions.
The reason for doing this in addition to or instead of the original traditional model using GPS—geographical positioning services—to provide the information is that, first of all, receiving that information from a satellite, as is done in GPS, is a much stronger power draw on the device that one is using, and it also doesn't work very well inside buildings. So the use of that basic broadcast information from Wi-Fi services to triangulate and to allow people's location to be determined to provide them direction is something that works very well. That's why quite a few companies have been doing it.