:
Thank you very much for inviting me to speak to you today.
I will make my remarks in English, but I will be happy to answer questions in either English or French.
[English]
I'd like to begin by saying that I think it is very important that more attention be given to data protection and privacy in relation to the activities of social media companies. I do find it somewhat ironic that the committee's mandate was framed in terms of studying the efforts and measures taken by social media companies to protect the personal information of Canadians. It's a bit like studying the efforts made by foxes to protect the lives of chickens.
I note that to the extent that Google, Facebook and other social media companies attempt to protect the personal information of Canadians, these efforts have been shaped by data protection law. The adequacy of our data protection legislation must therefore be a focus of attention.
The amendments from the first five-year review in 2006 have yet to make it through Parliament; the second five-year review is already late in getting under way. These should be matters for concern, particularly since the data protection environment has changed substantially since the law was first enacted.
The current law is particularly weak with respect to enforcement. The commissioner has no order-making powers and lacks the ability to impose fines or other penalties in the case of particularly egregious conduct.
The focus on social media and privacy, in my view, has two broad aspects. The first relates to how individuals use these tools to communicate amongst themselves. In this regard we hear concerns about employers accessing Facebook pages, people posting the personal information of other people online, criminals exploiting Facebook information, and so on. These are concerns about the information that individuals have chosen to share, the consequences of that sharing, and the norms that should govern this new mode of interpersonal exchange.
The second aspect, and the one on which I'll focus my attention, is the role of these companies in harvesting or in facilitating the harvesting of massive amounts of information about us in order to track our online activity, consumption habits, and even patterns of movement. In this respect, attention given to large corporations such as Facebook and Google is important, but there are also many other players in the digital environment who are engaging in these practices.
The business models of social media companies are generally highly dependent on the personal data of their users. In fact, social networking, search engines, email and many other services are offered to us for free. By hosting our content and tracking our activities, these services are able to extract a significant volume of personal data. The nature and quality of this data is constantly enhanced by new innovations. For example, information about the location and movements of individuals is highly coveted personal information. More and more individuals carry with them location-enabled smart phones and they use these devices for social networking and other online activities. Even computer browsers are now location-enabled, and thus information about our location is routinely gathered in the course of ordinary Internet activities.
The point is that more and more data of increasingly varied kinds is being sought, collected, used, and disclosed. This data is compiled, matched, and mined in order to profile consumers for various purposes including targeted behavioural marketing. In some cases, this data may be shared with third party advertisers, with application developers, or with related companies. Even where the data is de-identified, its fine-textured nature may still leave individuals identifiable, as companies such as AOL and Netflix have learned the hard way.
Individuals may also still be identifiable from detailed profile information. The substantial volumes of information gathered about us make us highly vulnerable to data security breaches of all kinds. It's become very difficult to protect our personal data, particularly in contexts where privacy preferences are set once, and often by default, and the service is one that we use daily or even multiple times each day. Facebook or a search engine would an example of those.
It's often difficult to determine what information is being collected, how it's being shared and with whom. Privacy policies are often too long, too unclear, and too remote for anyone to actually read and understand. We now enter into a myriad of transactions every day and there simply isn't time or energy to properly manage our data. It's a bit like walking through a swamp and being surrounded by a cloud of mosquitoes. To avoid being bitten we can swat away; we can even use insect repellents or other devices, but in the end we're inevitably going to be bitten—often multiple times.
It's also becoming increasingly difficult to avoid entering this swamp. People use social media to keep family and friends close regardless of how far apart they live or because the social network communities have become a part of how their own peer groups communicate and interact. Increasingly, businesses, schools, and even governments are developing presences in social media, which give even more impetus to individuals to participate in these environments. Traditional information content providers are also moving to the Internet and to Facebook and Twitter, and are encouraging their readers, listeners, and viewers to access their news and other information online and in interactive formats. These tools are rapidly replacing traditional modes of communication.
To date, our main protection from the exploitation of our personal information in these contexts has been data protection law. Data protection laws are premised on the need to balance the privacy interests of consumers with the needs of businesses to collect and use personal data, but in the time since PIPEDA was enacted, this need has become a voracious hunger for more and more data, retained for longer and longer periods of time. The need for data has shifted from the information required to complete particular transactions or to maintain client relationships to a demand for data as a resource to be exploited. This shift risks gutting the consent model on which the legislation is based. This new paradigm deserves special attention and may require different legal norms and approaches.
Under the traditional data protection model, the goal was to enable consumers to make informed choices about their personal data. In the big data context, informed choices are very difficult to make. Beyond this, there is an element of servitude that is deeply disturbing. Nancy Obermeyer uses the term “volunteered geoslavery” to describe a context where location-enabled devices report on our movements to any number of companies without us necessarily being aware of this constant stream of data. She makes the point that equipping individuals with sensors that report on their activities leaves them vulnerable to dominance and exploitation—yet this is a growing reality in our everyday lives. Going beyond the simple collection of data, social networking services encourage users to make these sites the hub of their daily activities and communications.
Our personal data is a resource that businesses, large and small, regularly exploit. The data is used to profile us so as to define our consumption habits, to determine our suitability for insurance or other services, or to apply price discrimination in the delivery of wares or services. We become data subjects in the fullest sense of the word. There are few transactions or activities that do not leave a data trail.
As noted earlier, many so-called free services, such as social networking sites, document sharing sites, cool apps, and even Internet searching, are actually premised upon the ability to extract user information. In the 2011 decision of the Quebec Superior Court in St. Arnaud c. Facebook, a judge refused to certify a class action lawsuit against Facebook. To do so would have required classifying the terms of use for the site as a consumer contract so that Quebec law could override the clause that provided that all disputes would be settled under the laws of California and in California courts. The Quebec court found that there was no consumer contract because the Facebook service is entirely free, whereas a consumer contract is premised on payment and consideration. The judge found that there was no obligation placed on users that could be regarded as a form of consideration.
The case demonstrates how the provision of personal data is overlooked as an element of the contract between the company and the individual. It is treated as a matter governed by the tangential privacy policies. This lack of transparency regarding the quid pro quo makes it the consumer's sole responsibility to manage their personal information.
Concerns that excessive amounts of personal information are being collected can then be met by assertions that people simply don't care about privacy. To regard the sharing of personal data as part of a consumer contract for services, by contrast, places both competition law and consumer protection concerns much more squarely in the forefront. In my view, it is time to explicitly address these concerns.
Another social harm potentially posed by big data is, of course, discrimination. Oscar Gandy has written about this in his most recent book. We understand how racial profiling leads to injustice in the application of criminal laws. Profiling, whether it's based on race, sex, sexual orientation, religion, ethnicity, socio-economic status or other grounds, is a growing concern in how we are offered goods or services. Through big data, corporations develop profiles of our tastes and consumption habits. They channel these back to us in targeted advertising, recommendations, and special promotions. When we search for goods or services, we are presented first with those things that we are believed to want.
We are told that profiling is good because it means that we don't have to be inundated with marketing material for products or services that are of little interest. Yet there is also a flip side to profiling. It can be used to characterize individuals as unworthy of special discounts or promotional prices, unsuitable for credit or insurance, uninteresting as a market for particular kinds of products and services. Profiling can and will exclude some and privilege others.
I have argued that big data alters the data protection paradigm and that social networking services, along with many other free Internet services, are major players in this regard. To conclude my remarks, I would like to focus on the following key points.
First, the collection, use, and disclosure of personal information is no longer simply an issue of privacy, but also raises issues of consumer protection, competition law, and human rights, among others.
Second, the nature and volume of personal information collected from social media sites and other free Internet services goes well beyond transaction information and relates to the activities, relationships, preferences, interests, and location of individuals.
Third, data protection law reform is overdue and may now require a reconsideration or modification of the consent-based approach, particularly in contexts where personal data is treated as a resource and personal data collection extends to movements, activities, and interests.
Fourth, changes to PIPEDA should include greater powers of enforcement for data protection norms, which might include order-making powers and the power to levy fines or impose penalties in the case of egregious or repeated transgressions.
Those are my comments. Thank you very much.
Good morning. My name is Michael Geist. I am a law professor at the University of Ottawa, where I hold the Canada research chair in Internet and e-commerce law. I was a member of the national Task Force on Spam, and I currently serve on the Privacy Commissioner of Canada's expert advisory committee, but I appear before this committee today in a personal capacity representing only my own views.
My opening comments will identify several areas for potential government action, but I want to provide a bit of context with three key caveats.
First, which I think may be stating the obvious, is that social media is an enormously important and positive development. The number of users is staggering and its role as a key source for communication, community, and political activity grows by the day. The opportunities presented by social media should be embraced, not demonized, in my view, and government should be actively working to ensure that it incorporates social media into its policy consultation processes.
Second, Canada has played a leadership role, to a certain extent, in the use and regulation of social media. The Privacy Commissioner of Canada was the first to conduct a major privacy investigation into Facebook and has led on other issues with respect to social media and Internet companies.
Third, while we have had some influence through those investigations, Canada has not led in creating the social media services used by millions around the world. I believe that the failure to articulate and implement a national digital economy strategy comes back to haunt us in these circumstances, where the ability to place an unmistakable Canadian stamp on social media is undermined by the policy failures that have done little to encourage the development of Canadian e-commerce and social media.
With those caveats, what is there to be done? I'd like to focus on four areas of interest.
First, I think we need to finish what we've started.
The government has introduced and even passed legislation that can be helpful in addressing some of the concerns that arise from social media, yet these initiatives have stalled short of the finish line. Anti-spam legislation, for example, received royal assent in 2010, yet has still not taken effect as final regulations have not been approved. In fact, Industry Canada officials now indicate that it could be well into 2013 before the regulations take effect. Given the amount of work that went into this legislation, I find it shocking that it has been left in limbo.
Moreover, Bill , the PIPEDA reform bill that seeks changes arising from the 2006 privacy review continues to lag in the House of Commons, with there frankly seeming to be no interest in moving forward with the bill. Indeed, I'd argue that the bill is even now outdated, and a full PIPEDA review to address emerging concerns such as order-making power—as you just heard—and damages, and tougher security breach requirements than those found in the bill is needed. In fact, the Bill security breach reporting rules are primarily bark with little bite, given the absence of penalties for failure to comply.
Successive governments have promised a digital economy strategy for years and have failed to deliver. The strategy has come to be known as the “Penske file”, a reference to the Seinfeld episode that involves working on an imaginary file. While other countries are now years into implementing their strategies, in Canada we still lag behind.
I think it also should be noted that these issues must increasingly be addressed in concert with the provinces. The line between federal and provincial jurisdiction on many of these issues is blurry, and legal challenges against federal legislation is a real possibility. Work is needed to begin to develop minimum standards that can be implemented at the provincial level, should federal leadership be challenged in the courts by companies seeking to circumvent their privacy obligations.
Second, the devil is in the defaults. In many respects, social media and Internet companies are the most powerful decision-makers when it comes to privacy choices. As my colleague Professor Ian Kerr says, the devil is in the defaults. In other words, the choices made by leading social media companies with respect to default privacy settings are the de facto privacy choice for millions of users. Given the increasing pressure to generate revenues, we can expect that those default choices are going to change in more aggressive ways to make use of user data.
There are examples of companies that are doing good work in this area. Twitter recently implemented do-not-track options that won plaudits from the Federal Trade Commission in the United States. Google offers its users transparency tools so they can obtain detailed information about what information is collected, some of the ways Google uses it, and how they can modify some of their privacy choices. The company has also been transparent about law enforcement requests for information and copyright takedown demands.
There needs to be continued work on these defaults, as well as initiatives to provide users with greater information and transparency, and steps to ensure that companies live by their privacy commitments.
Third is the issue of lawful access. The introduction of Bill brought with it an avalanche of public outrage and concern over proposed Internet surveillance legislation. While much of the focus was on mandatory warrantless disclosure of subscriber information by telecom service providers, the potential for social media and big data Internet sites to serve much the same purpose cannot be overlooked.
A recent investigation by the Privacy Commissioner of Canada into Nexopia, a Canadian social network, identified hundreds of law-enforcement requests for customer name and address information, frequently for accounts that should have been deleted months earlier. Social media, as we've heard, generates a treasure trove of personal information that must enjoy full privacy protection and court oversight before disclosure. Indeed, documents that I recently obtained under access to information indicate that Public Safety is thinking about how these rules are applied to social media sites and services. I believe that Bill C-30 needs to go back to the drawing board to effectively account for these privacy concerns.
Fourth is the question of new legal issues, which Professor Scassa has identified a number of. I would argue that while much can be done to use or augment existing rules, social media and Internet sites do raise some unique issues that may require targeted responses. In the interest of time I would like to quickly identify two.
First is the issue of “do not track”. As you may know, cookies can be used to trace the web-browsing habits of users, including when they visit third-party sites. For example, Facebook inserts a cookie on user browsers that traces your activity as you surf the Internet. Any site with nothing more than a Facebook “like” button, as found on Conservative, NDP, and Liberal websites, means that Facebook records a visit to that site and retains that information for months. A growing number of sites, including Yahoo, AOL, and Twitter, respect the functionality found in Firefox browsers that allows users to choose not to be tracked. Google has said it will implement similar technology in its Chrome browser.
However, many sites have been slow to adopt the do not track option, and Facebook has thus far declined to do so. Given the failure of the industry to self-regulate, it is appropriate for government to step in with stronger measures to ensure that this form of user choice is implemented and respected.
Second is the growing problem of social media misuse. For example, in recent months there has been an increasing number of stories of employers requiring employees to provide their Facebook user ID and password as a condition of a job interview. Seeking the same information with direct questions would typically be prohibited, so this is used to circumvent long-standing standards and principles within employment law. In response, the State of Maryland recently passed a law banning employers from requiring employees or job applicants to provide access to their personal digital and social media accounts. Several other states in the United States are working on similar legislation, and I believe that Canada should follow suit.
Thanks very much for your attention.
I'm the principal investigator of MediaSmart's Young Canadians in a Wired World research project. We've been collecting data about young people's experiences of online privacy for the past 12 years, which coincidentally means that we've been collecting data throughout the lifetime of PIPEDA. Over that time, we've tracked significant shifts that, I would suggest, provide important context for the work the committee has set out for itself. So I'd like to start my comments with a brief discussion of these shifts and then leave you with four specific recommendations.
In 2000, when PIPEDA came into force, the idea behind the legislation was that it would develop infrastructural mechanisms that would encourage people to have trust in e-commerce so that they would participate in this new form of wealth creation. When it came into force, we sat down and talked to parents and kids. The parents we talked to were very enthusiastic about this project. They had a lot of faith that the Internet was going to bring a lot of benefits to their children, and they felt that the companies that were developing these technologies were giving their kids tools to help them deepen their educational experience and also to help prepare them for the marketplace of the future.
They also told us that they trusted their kids when they went online to exercise good judgment. They weren't going to watch them all the time. They'd be in the background. They figured that their kids would make a few mistakes, but that when they kids got into trouble, they would come and say, “Hey, I need some help”. When we asked them if they would consider monitoring their children when they were online, they all told us, “Oh, no, that would be a breach of the trust between me and my child. If I did that, I would be invading my kid's privacy, so I would not do that”.
For their part, the kids we talked to in 2000 described the Internet as a completely private space. Adults couldn't even find it, let alone control it. They weren't worried about online privacy in 2000 because they were convinced that they had total anonymity when they were online. Interestingly enough, when they were deciding where to go when they were on the web, they looked for corporate brands because they felt that the companies that owned these brands were trustworthy. They were friends; they could trust them.
By 2004, for parents, certainly, the Internet had gone from being a panacea to a source of family conflict. They were aware their kids could release personal information online. They knew this was problematic. They had strict rules in the house, “Just don't do it”, but they spent an awful lot of time limiting, managing, and fighting over their kids' online activities.
The kids we talked to in 2004 had fully integrated online technologies into their personal lives, which I think underlines Professor Geist's introductory comments about the benefits of social media. These kids use this media and continue to use it to try on different identities, to deepen their connections to their real-world friends, and to follow their own interests. In 2004 they sometimes still did this anonymously, but most of the time they wanted to identify themselves because, contrary to popular opinion, they weren't talking to strangers. They were talking to the kids they went to school with and they needed to identify themselves so they could find their friends when they were online.
Even though they knew they could be watched, and they knew they were on so-called public media, online privacy was still incredibly important to these kids. I would suggest to you being very cautious about any claim that kids don't care about privacy because they post their lives on Facebook. Anyone who says that just hasn't taken the time to talk to kids; they care deeply about online privacy. It was becoming a growing concern for them in 2004, and in a follow-up survey of 5,500 Canadian school kids, about half of the kids we surveyed were beginning to notice that ads were popping up and were built into the places they went online.
Fast-forward to 2011. Now parents tell us that because kids go online through multiple points of entry or devices— laptops, computer labs, library networks, iPods, smart phones, iPads, gaming consoles—it's becoming increasingly difficult to supervise their kids' online activities. They also told us that it was highly problematic because they needed to supervise more because releasing personal information is now just taken for granted. You go online, because that's what you're expected to do. They were angry at online companies because from their point of view, these companies were encouraging their kids to disclose everything in order to make a profit. This resentment and lack of trust is a significant shift from 2000, when high-tech companies were seen to be building a future in which their kids would be empowered through technology.
Over that same time period, corporate sites, especially those sites targeting children, shifted from talking about privacy to talking about safety. It makes sense from the corporation's point of view, because when I'm talking about privacy, I'm the privacy risk because I'm collecting your information. If I'm talking about safety, I can tell you and your parents not to worry, because I'm keeping an eye out, I'm watching your child and I'll keep them safe.
Interestingly enough, almost all of the parents we talked to in 2011 were overwhelmed by this discourse of online danger. In fact, the sense of fear was so strong that they argued that good parents can no longer trust their kids and no longer exercise the benign neglect that was so common in 2000. And again, many of them blamed online corporations. As one Toronto parent said, “I really resent the fear that these companies have instilled in people.” All the parents said they were not even sure what the dangers were. All they know was that they're very afraid. They don't want to spy on their kids because that will hurt their relationship with them, but if they have to do it to keep them safe, they will spy on them.
For their part, the kids knew it. They told us that the unregulated private space they so enjoyed in 2000 and 2004 is now fully monitored, and they know it's fully monitored by parents, by schools, by their own peers, and by the corporations that own the sites they visit.
This puts kids in a very uncomfortable position, precisely because network technologies are so embedded into their social interactions. Interestingly enough, too, the kids said that all they needed was space to talk to their friends. They want parents and adults in the background, but they need privacy if they're to get the benefits of social interaction.
A number of them started talking about getting off Facebook and getting off their cell phones, because they were under so much surveillance. Interestingly enough, they all reported that the surveillance they experienced from all of those different people eroded the relationships of trust that are essential to their getting the help they need when they need it.
They're also beginning to question what will happen now that employers and police can get access to their Facebook profiles. They are also beginning to worry about what they called “the creepy people in the corporation who are watching them”. When you hear kids talk about creeps, creeping or being creepy, pay attention. That means somebody has overstepped the norms that are associated with exposure and have invaded their privacy.
It was particularly difficult when corporations did this, because when the 40-year-old creep sent you a message on Facebook, you simply blocked or un-friended him. The kids said “We can't do that with the corporations, because they own the sites we're on”. They also felt that privacy policies were written in totally incomprehensible language on purpose, precisely so companies wouldn't have to reveal what they were doing with their information.
Although kids still tend to congregate on corporate sites, like Facebook and YouTube, they no longer see online corporations as friendly or trustworthy. I think that's particularly important to keep in mind, because PIPEDA was designed to create that level of trust.
What can we do about it? How can we make it better? I have four suggestions for you.
First, I suggest that we need to increase the transparency of the business plans behind these sites. In 1999, when a number of us appeared before your predecessor committee, the government talked about PIPEDA being a floor and not a ceiling. As soon as it was passed, it quickly became the ceiling.
I would suggest that there's a great deal of empirical evidence out there that the consent mechanisms that we rely on and user license agreements and privacy policies are not being drafted to inform the individual so they can make choices about what they disclose; they're being drafted to protect the organization collecting the information from litigation.
In addition, it's becoming increasingly difficult to discover how that information is being used. I want to give you two very quick examples to illustrate that.
In 2000, I did a lot of research on a site called Neopets, which allows kids to create an online pet. They have to earn points on that site in order to buy their pet products and they would earn points by filling out market surveys.
In 2000, kids were asked to fill out a survey on breakfast food, for example, and in that context they were asked additional questions, like: How much money do your parents make? Do you have a big house? How many cars are in your family? What kind of cars do your parents drive? They were also asked to identify, off a list of 60 interests or things they might be interested in. The list included things like beer, liquor, cigars, cigarettes, and gambling. That information was then used to embed advertising into the site to encourage certain kinds of consumption.
I have some idea of the business plan behind that site. Since that time, because of concerns that were raised, both in Canada and the United States, those practices have become far less transparent. I can only get access to that kind of information now by snail mail and if I guarantee to them that I am a corporation. As a researcher, as a parent, and as a concerned citizen, I'm out of luck. I can't tell you what they're doing with the information.
It also has become much more difficult to see how this information is being used. Collection no longer occurs right in front of you. It occurs in the background. I got a friend request from Facebook, though I've never had a Facebook account. I have no relationship with this company. It said there was somebody called Melissa that I might want to be friends with, so I should join their network. I've never had a relationship with them, but they managed to track me to my daughter, even though we don't have the same last name, and even though she's never had a Facebook account either. I didn't release that information. I have no relationship with that company, and yet it is able to try to manipulate my behaviour through some business use that is non-transparent.
Second, I urge the committee to look not just at the use of personal information—
:
Well, sure. This is an issue that I think most of our peer countries, most of the developed world, have identified as absolutely crucial to future long-term innovation and economic prosperity, as well as integral to what our education system, entertainment, and culture look like. It plays a role in so many different ways.
I think, as we've seen over the last number of months, whether through Bill C-30, or SOPA in the United States, or ACTA in Europe, the reality is that there's a very important political and participatory dimension here as well.
Unlike most other countries that have developed digital economy strategies, focusing on everything from ensuring widespread access to bridging the digital divide in terms of just basic access to computers, as well as the digital literacy and skills that Professor Steeves talked about, and the policy to ensure that we create the right framework to ensure that businesses start here and grow here, what we've seen in Canada is virtually nothing on that front.
In fact, there was a perfectly good consultation on this a couple of years ago when Industry Minister Clement was minister. There was a lot of feedback on it. We've seen a lot of other countries that have provided models we could look to, and yet there has been no digital economy strategy put forward. Few legislative initiatives have been put forward. I mentioned one, the anti-spam bill, but, 18 months after the bill received royal assent, there is still no finalization of the regulations themselves.
We've seen things like CAP, the community access program, eliminated during the most recent budget at the very time when there was at least an opportunity to look for some private sector leadership. In the United States you've got efforts between the government and large ISPs to provide low-cost computers, and low-cost broadband connectivity to ensure that the poorer parts of our society have access. We don't have any of that taking place in Canada.
So when you come into committee and you start asking what are some of the big policy issues that we have to grapple with, part of the problem is that you've got virtually no leading Canadian companies that are imbuing the kind of Canadian values that we're talking about in what they're doing.
You've got little leverage in trying to ensure compliance, because all of these companies are located outside of the jurisdiction. While that's not to say that you can't do anything—we've seen that there are some measures that can be taken—we'd be on far stronger ground, frankly, if we'd just get on with this issue of trying to set out a framework for the future.
:
I guess I'm of two minds on some of this stuff. There is no question that there is a necessity of ensuring that the kinds of choices and policies being put forward are better understood.
Quite candidly, I don't think any of these things are designed to be read, to begin with. Even if we did have better language, the reality is that given the number of sites people visit and interact with, and given the move towards mobile and wireless environments, the notion that people are going to sit and read the privacy policy before they engage in a website every time is unrealistic.
More realistic is to set in place some of the mechanisms, such as “do not track”, to ensure that with the choices people would make, the reasonable person would likely say, “I'm quite comfortable providing you with a certain amount of information”. It may be the case that they are not even aware of the implications of that, but let's take it as a given that a person who uploads a photograph or posts some of their likes or dislikes is doing so with some amount of knowledge it is being used and distributed to whatever circle they may have identified. We have concerns about how that may be misused and aggregated and the rest of it, but there is some amount of knowledge and choice there.
Then there are things around tracking your activity online. As I mentioned, literally all of your political parties have the “like” buttons. They have the tweet buttons to make it easy to retweet. We all like these things because they make it easy for us to tell our network. The reality is that every time you insert that on a website, it actually sends a message back without anything else. As long as you are logged into Facebook or Twitter—whatever the site happens to be—it is sending a message back to Facebook that the person has now visited that website.
I believe that kind of tracking activity goes well beyond the reasonable expectation of what a user expects. I frankly would be suspicious about any kind of plain language that would make it clear enough for a person to say, “Yes, this is what I would like you to do. As long as I happen to have some sort of Facebook widget included on the page, I would like you to track every website that I happen to visit for the next two months”.
We need mechanisms to allow people to opt out of that more readily. We have seen some of those mechanisms, but too many of the large players have been reluctant to do so, because I think it runs counter to some of their business models. That's why there is a role for government to step up to the plate. If they are not willing to self-regulate appropriately, then government is going to do it for them.
:
Sure, I'll take that one.
There were recommendations with the first PIPEDA review to have a tiered consent mechanism that recognized differences in ages. The suggestion was that under a certain age, companies shouldn't be able to collect any information at all. Then as kids become older, they can opt into programs where they can say the companies can have that information and can flash them a few ads. But it put real restrictions on what they would be able to do. Probably most importantly, there was a suggestion that once somebody turned 18, there should be a big delete button so that the information was forgotten.
If you look at how kids use technology, they use it to meet their developmental needs. When you talk to 11-year-olds, younger kids, they're actually the ones who make me the most comfortable. They sound the most mature. They say that they don't do any of the social networking stuff, certainly not in the broad world, because that's for older kids. They're very aware of the risks, and they manage them quite well.
When they hit 13 and 14, they're at a different developmental stage. They're exploring their identities through performance. They tend to do outrageous things, writ large, for a couple of years.
Then when they hit 15 to 17, right up to the early 20s, they explore their identities through social networks. If you think of it from their point of view, these technologies are fabulous, because they give them an opportunity to meet their needs as they become individuals and grow to be adults.
I certainly would not want to have to look at anything I wrote when I was 14 in any kind of public environment. Certainly for kids, yes, I think you need a forget button. There is definitely something different when you're a minor.
One of the interesting things that's come out of the research is that there was this belief that these digital natives would be different from us. Ironically, when they hit about 29, they start acting just like you and me, and they use technology the same way we do. They grow up, in other words.
So yes, they are different. I share the same concerns about using consent as a mechanism to provide that protection, because you have to identify an age for that system to work.
I was launching some research yesterday with a youth panel, and an 11-year-old told CBC all about how all of his 11-year-old friends in grade 6 have Facebook accounts. They know that they're supposed to be 13, but they just click the right button. I think we do a disservice to kids if we say that we have to put them under surveillance to make sure that they're old enough. That won't help. Certainly, having broader restrictions that say that kids are kids, so don't collect their information, and when they get older, don't use it in particular ways....
There was the Nexopia complaint, for example. Nexopia was the most popular social networking site for kids. One of the commissioner's recommendations was that they not retain information over a certain period of time. Nexopia just said, “Sorry, we're keeping it. There's a lot of money in this stuff”. You're talking about 12-, 13-, and 14-year-old kids.
The other thing is the use the information is put to. I don't have time to go into any details, but I can point to some research we're doing with young girls. The site is embedded with marketing material that uses very stereotypical images, particularly for gender. I've just done some really fascinating qualitative research with young women. They talk about how this restricts what they can do, and they're constantly trying to force it back. It's actually narrowing the kinds of people they can be rather than broadening the world for them.
Yes, we do have to think about kids differently. I think the way to do that is to look at the uses of the information and just say that it's not reasonable to collect information from eight-year-olds and then use it to try to sell them anything.
:
One of the problems with answering that question is the lack of transparency. I would like a lot more information about the business plan behind these sites—and certainly describing how the back engine works—and then I would feel more comfortable in responding.
What I can tell you is what we know about the front engine. There's a lot of research that tracks how people respond to media images around gender, for example. Perhaps the best explanation would be to look at some of the work coming out of our eGirls project, another research project I've been involved in. Young women are telling us that when they're on these sites, they're surrounded by particular images of very thin, highly sexualized young women who are identified primarily through a relationship with a male. For background for our work on that project, we started with an environmental scan. We looked at 1,500 public profiles on Facebook of girls who ostensibly live in the Ottawa area. Those were public profiles. We didn't look at private profiles.
Now, of those 1,500, every single one we looked at, with one outlier, reproduced that stereotypical image of gender: highly sexualized young women, with the pouty faces and the bikini shots, with all the talk being about the boyfriend.
Now, there aren't any quantitative studies indicating there's a causal relationship between marketing and behaviour like that. There's an assumption, certainly on the part of marketing companies, that the reason these marketing images are used is so that they can steer behaviour, which they appear to be quite successful at doing. What we do know from talking to young people who live in these environments is that these very stereotypical images get in the way. For the young women who embraced them and sought to emulate them, they were wistful, in the sense that, “Gee, I just can't do it that well. No matter how much I diet, I'll never be that skinny”. For the women who wanted to be someone else, they said they constantly had to negotiate with these images and push back against them. That's driven by the marketing message they're getting.
One of the things that's interesting about the trajectory of what's happened in Canada—and Michael is right that we used to be leaders in all sorts of areas—is how well we did with Canada's SchoolNet. We provided public spaces where kids could talk to each other, spaces that weren't commodified, that weren't commercialized. The federal government got out of that business shortly after PIPEDA was passed. By default, what we're seeing is a lot of organizations that have kids' best interests in mind are using corporate sites to do things.
For example, a lot of schools—and we did a lot of work on this with teachers recently—are telling us they use Google Docs. There's no acknowledgement that that information can even be collected and used and reshaped to manipulate the kids who use that particular platform. Frankly, I don't think my kids should doing their homework in a store, you know?
I think the way behavioural marketing and advertising actually works is that it doesn't look like advertising. So if you talk to kids and you ask them what Facebook is, they tell you it's a social network. It's not a social network; it's a research lab. It's designed to collect information about people so it can be used and marketed back to them.
It's highly effective. We have definitely seen shifts—certainly in my research—about the way that kids respond to these particular images. I'd point you to all the research coming out about body image problems, and the increased use of cutting. There are all sorts of consequences. In this regard, I was at a meeting in Edmonton recently, where a number of doctors and academics got together because we see this as a health issue.
It's been a fascinating discussion. I certainly think we always have to keep the potential in mind. Indeed, the democratic involvement of new media is very transformative.
My concern is about the issue of function creep, this notion we're hearing around the table that if you sign an agreement, you make your consent. But you consent for a specific piece of information that you share, and yet that information is then re-shared and re-shared into this vast data mine. This is a question of privacy rights that has to be clarified when we are signing onto something.
My daughter in grade 9 emailed me the other day and told me she wasn't allowed on her Gmail account unless she gave Google her cellphone number. I thought that was really odd. I phoned her and asked her what happened. She told me she couldn't get her Gmail unless she gave Google her cell number.
The next day my Gmail account came up, and it told me to put in my cellphone number, please, for greater security. I didn't want to give them my cellphone number. My grade 9 daughter is smarter than me, and she wasn't going to give hers. You had to look down at the bottom of the page for a very small thing that said “Click if you don't want to do this”.
When you look at it, they were asking my 14-year-old daughter to give them her cell number. Now, Google is a great corporate citizen, but she didn't sign on to Gmail to give them her cellphone information.
I guess in this question of function creep, I'm wondering what role we have in terms of saying, okay, wait a minute; that's beyond the pale. Are you going to use this cellphone number of a teenaged girl strictly for her personal security, or is this going to be added into the vast data mine that someone else is going to be able to access?
I think these are questions that we have an obligation to ask as legislators.