I call to order this meeting of the Standing Committee on Access to Information, Privacy and Ethics. This is meeting 155.
This is the last of our international grand committee meetings this week, the International Grand Committee on Big Data, Privacy and Democracy.
With us today from Amazon, we have Mark Ryland, director of security engineering, office of the chief information officer of the Amazon web services.
From Microsoft Canada Inc., we have Marlene Floyd, national director of corporate affairs, and John Weigelt, national technology officer.
From the Mozilla Foundation, we have Alan Davidson, vice-president of global policy, trust and security.
From Apple Inc., we have Erik Neuenschwander. He is manager of user privacy.
We're going to get into your testimony. I wanted to say that the CEOs were invited today, and it's unfortunate that they didn't come. Again, as I've said to many of you just prior to the meeting, this is supposed to be a constructive meeting on how to make it better, and some of the proposals that your companies have right from the top are good ones, and that's why we wanted to hear them today and have the CEOs answer our questions, but we do appreciate that you're here.
We'll start off with Mr. Ryland for 10 minutes.
Good morning, Chair Zimmer, members of the committee, and international guests.
My name is Mark Ryland. I serve as the director of security engineering in the office of the chief information security officer at Amazon web services, the cloud computing division of Amazon.
Thank you for giving me the opportunity to speak with you today. I'm pleased to join this important discussion. I'd like to focus my remarks today on how Amazon puts security and customer trust at the centre of everything we do.
Amazon's mission is to be the earth's most customer-centric company. Our corporate philosophy is firmly rooted in working backwards from what customers want and continuously innovating to provide customers better service, more selection and lower prices. We apply this approach across all our areas of business, including those that touch on consumer privacy and cybersecurity.
Amazon has been serving Canadian customers since we first launched amazon.ca in 2002. Amazon now has more than 10,000 full-time employees in Canada. In 2018, we announced plans to create an additional 6,300 jobs.
We also have two tech hubs, one in Toronto and another in Vancouver. These are clusters of offices employing more than 1,000 software engineers and a number of supporting technical workers, building some of our most advanced global systems. We also have offices in Victoria for www.abebooks.com, and our AWS Thinkbox subsidiary in Winnipeg.
We operate seven fulfillment centres in Canada, and four more have been announced. They will all open this year, in 2019.
I would now like to talk about our cloud platform.
Just over 13 years ago, Amazon launched Amazon web services, which is our cloud computing business. Montreal is home to our AWS Canada region, which is made up of a number of distinct data centres. We launched AWS, because after over a decade of building and running amazon.com, we realized we had developed a core competency in operating massively scaled technology infrastructure and data centres. We embarked on a broader mission of serving developers and businesses with information technology services that they can use to run their own businesses.
The term “cloud computing” refers to the on-demand delivery of IT resources over the Internet or over private networks. The AWS cloud spans a network of data centres across 21 geographic regions around the globe. Instead of owning and maintaining their own data centres, our customers can acquire technology such as compute power, storage, and databases in a matter of seconds on an as-needed basis by simply calling an API or clicking a mouse on a graphical console.
We provide IT infrastructure and services in the same way that you just flip a switch to turn on the lights in your home and the power company sends you electricity.
One of this committee's concerns was democracy. Well, we're really democratizing access to IT services, things that only very large organizations could previously do, in terms of the scale involved. Now the smallest organizations can get access to that same type of very sophisticated advanced technology with simply a click of a button and just paying for their consumption.
Today AWS provides IT services to millions of active customers in over 190 countries. Companies that leverage AWS range from large Canadian enterprises such as Porter Airlines, Shaw, the National Bank of Canada, TMX Group, Corus, Capital One, and Blackberry to innovative start-ups like Vidyard and Sequence Bio.
I want to underline that privacy really starts with security. Privacy regulations and expectations cannot be met unless systems are maintaining the confidentiality of data according to their design. At AWS, we say that security is “job zero”, by which we mean it's even more important than a number one priority. We know that if we don't get security right, we don't really have a business.
AWS and Amazon are vigilant about the security and privacy of our customers and have implemented sophisticated technical and physical measures to prevent unauthorized access to data.
Security is everyone's responsibility. While we have a world-class team of security experts monitoring our systems 24-7 to protect customer data, every AWS employee, regardless of role, is responsible for ensuring that security is an integral component of every facet of our business.
Security and privacy are a shared responsibility between AWS and the customer. What that means is that AWS is responsible for the security and privacy of the cloud itself, and customers are responsible for their security and the privacy of their systems and their applications that run in the cloud. For example, customers should consider the sensitivity of their data and decide if and how to encrypt their data. We provide a wide variety of encryption tools and guidance to help customers meet their cybersecurity objectives.
We sometimes say, “Dance like no one's watching. Encrypt like everyone is.” Encryption is also helpful when it comes to data privacy. In many cases, data can be effectively and permanently erased simply by deleting encryption keys, for example.
More and more, organizations are realizing the link between IT modernization offered by the cloud and a better security posture. Security depends on the ability to stay a step ahead of a rapidly and continuously evolving threat landscape, requiring both operational agility and the latest technologies.
The cloud offers many advanced security features that ensure that data is securely stored and handled. In a traditional on-premises environment, organizations spend a lot of time and money managing their own data centres, and worry about defending themselves against a complete range of nimble, continuously evolving threats that are difficult to anticipate. AWS implements baseline protections, such as DDoS protection, or distributed denial of service protection; authentication; access control; and encryption. From there, most organizations supplement these protections with added security measures of their own to bolster cloud data protections and tighten access to sensitive information in the cloud. They also have many tools at their disposal for meeting their data privacy goals.
As the concept of “cloud” is often new to people, I want to emphasize that AWS customers own their own data. Customers choose the geographic location in which to store their data in our highly secure data centres. Their data does not move unless the customer decides to move it. We do not access or use our customers' data without their consent.
Technology is an important part of modern life, and has the potential to offer extraordinary benefits that we are just beginning to realize. Data-driven solutions possess potentially limitless opportunities to improve the lives of people, from making far faster medical diagnoses to making farming far more efficient and sustainable. In addressing emerging technology issues, new regulatory approaches may be required, but they should avoid harming incentives to innovate and avoid constraining important efficiencies like economies of scale and scope.
We believe policy-makers and companies like Amazon have very similar goals—protecting consumer trust and privacy and promoting new technologies. We share the goal of finding common solutions, especially during times of fast-moving innovation. As technology evolves, so too will the opportunities for all of us in this room to work together.
Thank you. I look forward to taking your questions.
We're pleased to be here today.
My name is John Weigelt. I'm the national technology officer for Microsoft here in Canada. My colleague Marlene Floyd, national director of corporate affairs for Microsoft Canada, joins me. We appreciate the opportunity to appear before this committee today. The work you've undertaken is important given our increasingly digital world and the impact of technology on jobs, privacy, safety, inclusiveness and fairness.
Since the establishment of Microsoft Canada in 1985, our presence here has grown to include 10 regional offices around the country, employing more than 2,300 people. At our Microsoft Vancouver development centre, over 700 employees are developing products that are being used around the world. Cutting-edge research on artificial intelligence is also being conducted by Ph.D.s and engineers at the Microsoft research lab in Montreal. That's in partnership with the universities there.
Powerful technologies like cloud computing and artificial intelligence are transforming how we live and work, and are presenting solutions to some of the world's most pressing problems. At Microsoft we are optimistic about the benefits of these technologies but also clear-eyed about the challenges that require thinking beyond technology itself to ensure the inclusion of strong ethical principles and appropriate laws. Determining the role that technology should play in society requires those in government, academia, business and civil society to come together to help shape the future.
Over 17 years ago, when Bill Gates asserted that “trustworthy computing” would be the highest priority at Microsoft, he dramatically changed how our company delivers solutions to the marketplace. This commitment was re-emphasized by our CEO, Satya Nadella, in 2016. We believe privacy is a fundamental human right. Our approach to privacy and data protection is grounded in our belief that customers own their own data. Consequently, we protect our customers' privacy and provide them with control over their data.
We have advocated for new privacy laws in a number of jurisdictions, and we were early supporters of the GDPR in Europe. We recognize that for governments, having computer capacity close to their constituents is very important. Microsoft has data centres in more regions than any other cloud provider, with over 100 data centres located in over 50 regions around the world. We're quite proud that two of these data centres are located here in Canada, in Ontario and Quebec.
Protecting our customers and the wider community from cyber-threats is a responsibility we take very seriously. Microsoft continues to invest over $1 billion each year in security research and development, with thousands of global security professionals working with our threat intelligence centre, our digital crimes unit, and our cyber-defence operations centre. We work closely with the Government of Canada's recently announced Canadian Centre for Cyber Security. We have partnered with governments around the world under the government security program, working towards technical information exchanges, threat intelligence sharing and even co-operative botnet takedowns. Further, Microsoft led the Cybersecurity Tech Accord, signed by over 100 global organizations that came together to defend all customers everywhere from malicious cyber-attacks and to do more to keep the Internet safe.
Microsoft was also proud to be a signatory to the Paris call for trust and security in cyberspace announced in November by French President Emmanuel Macron at the Paris peace summit. With over 500 signatories, it is the largest ever multi-stakeholder commitment to principles for the protection of cyberspace.
Another focus of your committee has been the increasing interference by bad actors in the democratic processes of numerous countries around the world. We fully agree that the tech sector needs to do more to help protect the democratic process. Earlier this week, we were pleased to endorse the Canada declaration on electoral integrity announced by .
Microsoft has taken action to help protect the integrity of our democratic processes and institutions. We have created the Defending Democracy program, which works with stakeholders in democratic countries to promote election integrity, campaign security and disinformation defence.
As part of this program, Microsoft offers a security service called AccountGuard at no cost to Office 365 customers in the political ecosystem. It is currently offered in 26 countries, including Canada, the U.S., the U.K., India, Ireland and most other EU countries. It's currently protecting over 36,000 email accounts. Microsoft AccountGuard identifies and warns individuals and organizations of cyber-threats, including attacks from nation-state actors. Since the launch of the program, it has made hundreds of threat notifications to participants.
We have also been using technology to ensure the resiliency of the voting process. Earlier this month, we announced ElectionGuard, a free, open-source software development kit aimed at making voting more secure by providing end-to-end verification of elections, opening results to third party organizations for secure validation, and allowing individual voters to confirm that their votes were counted correctly.
At Microsoft, we're working hard to ensure that we develop our technologies in ways that are human-centred and that allow for broad and fair access by everyone. The rapid advancement of compute power and the growth of AI solutions will help us be more productive in nearly every field of human endeavour and will lead to greater prosperity, but the challenges need to be addressed with a sense of shared responsibility. In some cases this means moving more slowly in the deployment of a full range of AI solutions while working thoughtfully and deliberately with government officials, academia and civil society.
We know that there is more that we need to do to continue earning trust, and we understand that we will be judged by our actions, not just our words. Microsoft is committed to continuing to work in deliberate and thoughtful partnership with government as we move forward in this digital world.
Thank you, and we're happy to receive your questions.
Members of the grand committee and the standing committee, thank you.
I'm here today because all is not well with the Internet. For sure the open Internet is the most powerful communications medium we've ever seen. At its best, it creates new chances to learn, to solve big problems, to build a shared sense of humanity, and yet we've also seen the power of the Internet used to undermine trust, magnify divisiveness and violate privacy. We can do better, and I'm here to share a few ideas about how.
My name is Alan Davidson. I'm the vice-president for policy, trust and security at the Mozilla Corporation. Mozilla is a fairly unusual entity on the Internet. We're entirely owned by a non-profit, the Mozilla Foundation. We're a mission-driven open-source software company. We make the Firefox web browser, Pocket and other services.
At Mozilla we're dedicated to making the Internet healthier. For years we've been champions of openness and privacy online, not just as a slogan but as a central reason for being. We try to show by example how to create products to protect privacy. We build those products not just with our employees but with thousands of community contributors around the world.
At Mozilla we believe the Internet can be better. In my time today, I would like to cover three things: first, how privacy starts with good product design; second, the role of privacy regulation; and third, some of the content issues that you folks have been talking about for the last few days.
First off, we believe our industry can do a much better job of protecting privacy in our products. At Mozilla we're trying to do just that. Let me give you one example from our work on web tracking.
When people visit a news website, they expect to see ads from the publisher of that site, from the owner of that website. When visitors to the top news sites, at least in the U.S., visit, they encounter dozens of third party trackers, trackers from sites other than the one that they're visiting, sometimes as many as 30 or 40. Some of those trackers come from household names and some of them are totally obscure companies that most consumers have never heard of.
Regardless, the data collected by these trackers is creating real harm. It can enable divisive political ads. It can shape health insurance decisions and is being used to drive discrimination in housing and jobs. The next time you see a piece of misinformation online, ask yourself where the data came from that suggested that you would be such an inviting target for that misinformation.
At Mozilla we've set out to try to do something about tracking. We created something we call the Facebook container, which greatly limits what Facebook can collect from you when you're browsing on Firefox. It's now, by the way, one of the most popular extensions that we've ever built. Now we're building something called enhanced tracking protection. It's a major new feature in the Firefox browser that blocks almost all third party trackers. This is going to greatly limit the ability of companies that you don't know to secretly track you as you browse around the web.
We're rolling it out to more people, and our ultimate goal is to turn it on by default for everybody. I emphasize that because what we've learned is that creating products with privacy by default is a very powerful thing for users, along with efforts like our lean data practices, which we use to limit the data that we collect in our own product. It's an approach that we hope others adopt, because we've learned that it's really unrealistic to expect that users are going to sort through all of the privacy policies and all the different options that we can give them to protect themselves. To make privacy real, the burden needs to shift from consumers to companies. Unfortunately, not everybody in our industry believes that.
Let me turn to my second point, which is that we believe that regulation will be an essential part of protecting privacy online. The European Union has been a leader in this space. Many other companies around the world are now following suit and trying to build their own new data protection laws. That's important because the approach we've had for the last two decades in our industry is clearly not working anymore. We've really embraced in the past this notion of notice and choice: If we just tell people what we're going to collect and let them opt out, surely they'll be fine. What we found is that this approach is really not working for people. We've been proponents of these new data protection rules, and we hope you will be too.
We believe that a good privacy law should have three main components. It needs clear rules for companies about what they can collect and use; it should have strong rights for individuals, including granular and revocable consent about specific uses; and it should be implemented within an effective and empowered enforcement agency, which is not always the case. We think that's an important component.
Critically, we believe that you can build those laws and you can include those components while still preserving innovation and the beneficial uses of data. That's why we're supporting a new federal privacy law in the U.S. and we're working with regulators in India, Kenya and in other places to promote those laws.
My third point is that given the conversation you have all had for the last few days, I thought it would be useful to touch on at least some of our views on the big issues of content regulation. Of all the issues being examined by the committee, we believe that this is the most difficult.
We've seen that the incentives for many in the industry encourage the spread of misinformation and abuse, yet we also want to be sure that our reactions to those real harms do not themselves undermine the freedom of expression and innovation that have been such a positive force in people's lives on the Internet.
We've taken a couple of different approaches at Mozilla. We're working right now on something we call “accountability processes”. Rather than focusing on individual pieces of content, we should think about the kinds of processes that companies should have to build to attack those issues. We believe that this can be done with a principles-based approach. It's something that's tailored and proportionate to different companies' roles and sizes, so it won't disproportionately impact smaller companies, but it will give more responsibility to larger companies that play a bigger role in the ecosystem.
We've also been really engaged in the issues around disinformation, particularly in the lead-up to the EU parliamentary elections that just happened. We're signatories to the EU Code of Practice on Disinformation, which I think is a very important and useful self-regulatory initiative with commitments and principles to stop the spread of disinformation. For our part, we've tried to build tools in Firefox to help people resist online manipulation and make better choices about and understand better what they're seeing online.
We've also made some efforts to push our fellow code signatories to do more about transparency and political advertising. We think a lot more can be done there. Candidly, we've met with mixed results from some of our colleagues. I think there is much more room to improve the tools, particularly the tools that Facebook has put out there for ad transparency. There is maybe some work that Google could do, too. If we can't do that, the problem is that we'll need stronger action from government. Transparency should be a good starting point for us.
In conclusion, I'd say that none of these issues being examined by the committee are simple. The bad news is that the march of technology—with artificial intelligence, the rise of the Internet of things and augmented reality—is only going to make it harder.
A concluding thought is that we really need to think about how we build our societal capacity to grapple with these problems. For example, at Mozilla we've been part of something called the responsible computer science challenge, which is designed to help train the next generation of technologists to understand the ethical implications of what they're building. We support an effort in the U.S. to bring back the Office of Technology Assessment to build out government's capacity to better understand these issues and work more agilely. We're working to improve the diversity in our own company and our industry, which is essential if we're going to build capacity to address these issues. We publish something every year called the “Internet Health Report”, which just came out a couple of weeks ago. It's part of what we view as the massive project we all have to help educate the public so that they can address these issues.
These are just some of the examples and ideas we have about how to work across many different levels. It's designing better products, improving our public regulations and investing in our capacity to address these challenges in the future.
We really thank you for the opportunity to speak with you today and we look forward to working with you and your colleagues around the world to build a better Internet.
Good morning, members of the committee, and thank you for inviting me to speak with you today about Apple's approach to privacy and data security.
My name is Erik Neuenschwander, and I've been a software engineer at Apple for 12 years. I worked as the first data analysis engineer on the first iPhone. I managed the software performance team on the first iPad, and I founded Apple's privacy engineering team. Today I manage that team responsible for the technical aspects of designing Apple's privacy features. I'm proud to work at a company that puts the customer first and builds great products that improve people's lives.
At Apple we believe that privacy is a fundamental human right, and it is essential to everything we do. That's why we engineer privacy and security into every one of our products and services. These architectural considerations go very deep, down to the very physical silicon of our devices. Every device we ship combines software, hardware and services designed to work together for maximum security and a transparent user experience. Today I look forward to discussing these key design elements with you, and I would also refer the committee to Apple's privacy website, which goes into far more detail about these and other design considerations in our products and services.
The iPhone has become an essential part of our lives. We use it to store an incredible amount of personal information: our conversations, our photos, our notes, our contacts, our calendars, financial information, our health data, even information about where we've been and where we are going. Our philosophy is that data belongs to the user. All that information needs to be protected from hackers and criminals who would steal it or use it without our knowledge or permission.
That is why encryption is essential to device security. Encryption tools have been offered in Apple's products for years, and the encryption technology built into today's iPhone is the best data security available to consumers. We intend to stay on that path, because we're firmly against making our customers' data vulnerable to attack.
By setting up a device passcode, a user automatically protects information on their device with encryption. A user's passcode isn't known to Apple, and in fact isn't stored anywhere on the device or on Apple's servers. Every time, it belongs to the user and the user alone. Every time a user types in their passcode, iPhone pairs that input with the unique identifier that iPhone fuses into its silicon during fabrication. iPhone creates a key from that pairing and attempts to decrypt the user's data with it. If the key works, then the passcode must have been correct. If it doesn't work, then the user must try again. We designed iPhone to protect this process using a specially designed secure enclave, a hardware-based key manager that is isolated from the main processor and provides an additional layer of security.
As we design products, we also challenge ourselves to collect as little customer data as possible. While we want your devices to know everything about you, we don't feel that we should.
For example, we've designed our hardware and software to work together to provide great features by efficiently processing data without that data ever leaving the user's device. When we do collect personal information, we are specific and transparent about how it will be used, because user control is essential to the design of our products. For example, we recently added a privacy icon that appears on Apple devices when personal information is collected. The user can tap on it to learn more about Apple's privacy practices in plain language.
We also use local differential privacy, a technique that enables Apple to learn about the user community without learning about individuals within that community. We have pioneered just-in-time notices, so that when third party apps seek to access certain types of data, a user is given meaningful choice and control over what information is collected and used. This means third party apps cannot access users' data like contacts, calendars, photos, the camera or the microphone without asking for and obtaining explicit user permission.
These and other design features are central to Apple. Customers expect Apple and other technology companies to do everything in our power to protect personal information. At Apple we are deeply committed to that because our customers' trust means everything to us. We spend a lot of time at Apple thinking about how we can provide our customers not only with transformative products, but also with trusted, safe and secure products. By building security and privacy into everything we do, we've proved that great experiences don't have to come at the expense of privacy and security. Instead, they can support them.
I'm honoured to participate in this important hearing. I look forward to answering your questions.
I was talking to my friend at Apple about how I bought my first Mac Plus in 1984 with a little 350k floppy disk, and I saw it as a revolutionary tool that was going to change the world for the better. I still think it has changed the world for the better, but we are seeing some really negative impacts.
Now that I'm aging myself, back in the eighties, imagine if Bell Telephone listened in on my phone. They would be charged. What if they said, “Hey, we're just listening in on your phone because we want to offer you some really nifty ideas, and we'll have a better way to serve you if we know what you're doing”? What if the post office read my mail before I got it, not because they were doing anything illegal but because there might be some really cool things that I might want to know and they would be able to help me? They would be charged.
Yet in the digital realm, we're now dealing with companies that are giving us all these nifty options. This was where my colleague Mr. Erskine-Smith was trying to get some straight answers.
I think that as legislators, we're really moving beyond this talk about consent. Consent has become meaningless if we are being spied on, if we're being watched and if our phone is tracking us. Consent is becoming a bogus term, because it's about claiming space in our lives that we have not given. If we had old school rules, you would not be able to listen in on our phones and not be able to track us without our rights, yet suddenly it's okay in the digital realm.
Mr. Davidson, I'm really interested in the work that Mozilla does.
Is it possible, do you think, for legislators to put some principled ground rules down about the privacy rights of citizens that will not completely destroy Silicon Valley and they will not all be going on welfare and the business model will still be able to succeed? Is it possible for us to put simple rules down?
I'll split that into two parts, I guess.
One, when the application gains the foreground and is able to execute, they can reload the content, if they see fit to reload the content. At that point, you've transferred control to that application, and it will be able to execute and reload, if you'd like.
It's our goal, actually, to minimize those reloads as part of the user experience. It's also our goal that the application currently in the foreground should get, within a sandbox, within a set of limitations we have, the maximum execution and other resources of the device. This can mean that the operating system will remove some of the resources of background applications.
In terms of the reloading that you're seeing, iOS, our operating system, could contribute to that, but fundamentally, regardless of what resources are preserved for that background application, when you transition back to an app, it has execution control and it can reload if it sees fit.
My question will focus on a more technical subject.
You, and especially Amazon and other similar organizations, have a lot of information and personal data on your clients.
I'm sure that you're taking every possible measure to secure all the data. However, given the emergence of artificial intelligence, you may have received services to help you predict the market in the future.
It could be useful—especially for Amazon—to be able to predict, let's say for next summer, which item on order could qualify for a discount and be put on sale.
Perhaps some subcontractors or individuals have provided services related to the new algorithm systems. Basically, they sold these services to help you.
Can these subcontractors, if you use them—of course, you don't need to tell us—guarantee that, when they use your company's data to provide this type of service, they won't sell personal information to other people or to larger organizations? These organizations would be very happy to obtain the information, whether they use it to sell advertising or for other purposes.
Do any organizations provide this type of service?
We have a very robust data governance model at Microsoft whereby we recognize and are able to attribute and mark data and appropriately protect it. In areas where we need subcontractors, we use a very limited set.
A lot of adjudication occurs before we select our subcontractors, and they must enter into agreements with us to maintain the privacy of the data they are safeguarding. We have strict rules around the use of that data and the return of that data to us. We have a very robust program of policies, procedures and technical safeguards around subcontractor use to ensure that data isn't misused.
Artificial intelligence is an area of key interest to us, and certainly Satya Nadella, in his book Hit Refresh, has put together principles around the responsible use of AI to empower people. It's really the first principle. We've embraced them within our organization, ensuring that we have a robust governance structure around AI. We have a committee that looks at application of AI both inside and outside the organization to make sure we use it responsibly.
Putting these pieces in place internally helps us better manage and understand how those tools are being used and put them in place in an ethical framework. We're quite pleased that we're working with governments around the world, be they the EU with their AI ethics work or the recent OECD guidelines, or even here in Canada with the CIO Strategy Council's work on an AI ethics framework, so that we can help people and other organizations get a better sense of some of those responsible techniques, processes and governance models that need to be put in place.
Going back to security and data privacy and encryption, I think Apple talked about the Key Store on the iPhone and iPad, and Mozilla, I think, also has a Key Store-type feature in the browser.
One of the challenges of security is that our passwords, I think, have become so secure that nobody knows what they are anymore, except for the devices themselves. On the Apple Key Store—I think it's called the Key Store application—you can ask it to generate a password for you, and then you can ask it to remember it for you. You don't know what it is, but the app and the device know what it is, and I guess that's stored in the cloud somewhere. I know you gave an overview at the start.
I suppose Mozilla has a similar feature that allows you to ask the platform to remember the password for you, so you have multiple passwords, and I think probably Microsoft does as well in its browsers. Again, if you log in to Mozilla or Edge or any browser, you find you can autopopulate all your password keys. We end up with this situation like Lord of the Rings, in a “one ring to rule them all” scenario. In our attempts to complicate and derive better security, we've ended up with one link in the chain, and that link is pretty vulnerable.
Maybe I could get some comments on that particular conundrum from all the platforms.
I think the application you're referring to is the Keychain Access application on the Mac and on iOS devices. Within “settings”, “passwords” and “accounts”, you can view the passwords. They are, as you say, auto-generated by the platform. Most users experience that through our Safari web browser, which offers a feature to link into the keychain. It is, as you say, stored in the cloud.
It is stored in the cloud end-to-end encrypted—I want to make that clear—so it's actually encrypted with a key that Apple never possesses. While we put that in the cloud, both to allow you to recover the passwords and to synchronize them among all devices that you've signed in to iCloud, we do that in a way that does not expose the passwords to Apple.
I think that you're right that passwords continue to be an area of challenge in terms of protecting user accounts. You see many companies, certainly Apple among them, moving to what's called two-factor authentication, in which merely the password is not sufficient to gain access to the account. We're very supportive of that. We've taken a number of steps over the years to move our iCloud accounts to that level of security, and we think that it's good industry progress.
The last thing I would say is that absolutely, the password data is extremely sensitive and deserves our highest level of protection. That's why, separate from the Keychain Access application you're talking about on the Mac, on our iOS devices and now on our T2—that's the name of the security chip in some of our latest Macs—we're using the secure enclave hardware technology to protect those passwords and separate them from the actual operating system. We have a smaller attack surface for that, so while it's absolutely a risk that we're highly attentive to, we've taken steps, down in our hardware design, to protect the data around users' passwords.
Just to chime in, we see that local hardware-based protections based on encryption are important to help support that password protection. Work that together with multifactor authentication, perhaps using something you have, something you own.
I think an interesting counterpoint to this and an interesting add-on is the ability to make very robust decisions about individuals, about their use of a particular system. We use anonymized, pseudonymized data to help organizations recognize that “Hey, John's logging in from here in Ottawa, and there seems to be a log-in coming from Vancouver. He can't travel that fast.” Let's alert somebody to do that on an organizational perspective to intervene and say, “Look, we should perhaps ask John to refresh his password.”
There's another thing that we're able to do, based upon the global scope of our view into the cyber-threat environment. Often malicious users share dictionaries of user names and passwords. We come across those dictionaries, and we are able to inform our toolsets so that if organizations—say, food.com—find out that one of their names is on there, they are able to go back there as well.
For data associated with the use of a particular toolset, anonymization and pseudonymization help to provide greater assurance for privacy and security as well. Let's make sure we recognize that there's a balance we can strike to make sure that we maintain privacy while at the same time helping safeguard those users.
I'd like to begin with the lack of utility of the idea of consent anymore. When you want to use a certain app or you want to use something, there are good purposes and bad purposes. Let's say that, for instance, I'm on my iPhone and I'm leaving Parliament and it's 9 p.m. My iPhone tells me exactly which route to take to get to my home. It knows where I live because it has seen that I take that route every day, and if I suddenly start taking a different route to a different place, it will know that as well.
Well, that's great when I want to know whether or not I should take the 417, but for my phone to know exactly where I'm sleeping every night is also something that could be very disturbing for a lot of people.
We don't really have a choice. If we want to use certain services, if we want to be able to access Google Maps or anything like that, we have to say yes, but then there's that alternate use of that data.
By the way, on the comment about this being a public hearing, we have a tickertape right on the side of the wall there that says this is in public. I wish there were a tickertape like that when you're searching on the Internet so that you know whether what you're doing is going to be recorded or made public.
My question, particularly to Apple, is on your collection of data about where I've been. It's not just a matter of where I'm going that day. It's not that I want to get from A to B and I want to know what bus route I should take; it's that it knows exactly the patterns of where I am travelling in terms of location.
How much of that is being stored, and what are the other purposes that this could be used for?
When we look at the marketplace, we see it's continuously moving, right? What was put in place for security controls 10 years ago is different today, and that's part of the efforts of the community that's out there securing the IT environment.
From our case, we analyze those common techniques. We then try to make sure that those techniques go away. We're not just trying to keep up; we're trying to jump ahead of the malicious user community so that they can't repeat their previous exploits and they will have to figure out new ways to do that.
We look at tools like encryption, tools like hardening up how the operating system works, so that things don't go in the same place every time. Think of it as if you change your route when you go home from Parliament at night, so that if they are waiting for you at the corner of Sparks, then they won't get you because you have changed your route. We do the same thing within the internal system, and it breaks a whole bunch of things that the traditional hacker community does. We also include privacy within that, and accessibility, so our whole work is around trust, security, privacy and accessibility.
At the same time, there is a broader Internet community at large, so it's nothing we can do alone. There are Internet service providers, websites, and even home computers that get taken over by these zombie networks. Hackers have started to create networks of computers that they co-opt to do their bidding. They may have up to a million zombie computers attacking different communities. It really takes the Internet down and bogs it down with traffic and whatnot.
In order to take that down, you need technical sophistication to be able to take it over, but you also need the support of legal entities within regions. One of the things that's unique for us is that our cybercrime centre has worked with government authorities in finding novel legal precedents that allow these networks to be taken down, so in addition to the technology side, we make sure we're on side from the legal side to conduct our operations.
Lastly, what we did for the Zeus and Citadel botnets, which were large zombie networks that had placed themselves into corporate Canada, was work with the Canadian Cyber Incident Response Centre as well as the corporation to clean up those infections from those machines so they would go quietly, and they could start up again.
Yes, I would be happy to.
We face robust competition in all the markets we operate in. Cloud computing is a great example. There are not a large number of players in the cloud market, but competition is very strong, prices are dropping, and it enables, as my colleague was saying, new kinds of business models that were really previously impossible.
I worked for some years in our public sector business at Amazon Web Services. What I saw there was that we had very small companies, 10-, 20- or 30-person companies, competing for large government contracts that would have been impossible for them to compete for prior to the existence of cloud computing. It would have required a very large, dedicated government contractor to compete for these large contracts because they required so much infrastructure and so much capital investment in order to go after a large contract.
With the ability to get onto many IT services from cloud, you now have this great democratization, to reuse that word, of international market access, of mom-and-pop shops with international market access, whether through Amazon sellers on our retail site or through using our cloud platform. I think competition is really strengthened because some of these large-scale players enable people to access a broader set of markets.
Good morning, everybody.
I'm sure you're all aware of the term “data-opoly”. Right now, in front of us, we have Apple, which controls a popular mobile operating software system. We have Amazon, which controls the largest online merchant platform software. We also have Microsoft, which has the ability to acquire a lot of data and use it to gain market advantage.
In talking about competition, I want to go beyond what Ms. Stevens said. When we look at the European Union right now, we see that Apple violated European state aid rules when Ireland granted undue tax benefits of 13 billion euros. In some cases, you paid substantially less tax, which was an advantage.
In the case of Amazon, the European Commission targeted Amazon's anti-competitive most favoured nation clause, and Luxembourg gave Amazon illegal tax benefits worth some 250 million euros.
My point is not in any way to embarrass you, but obviously there is a problem with competition. The problem stems from the fact that there are different competitive regimes or competition laws, whether it be in Europe, whether it be the FTC, or whether it be Canada. In European competition law, a special duty is imposed on dominant market players. That is not the same as the United States, because the same infractions were not charged in the United States. Do you think it's something that should be considered because of your dominant market status?
We do think that ad transparency is a major tool to think about in how we fight disinformation protection, particularly in the election context. We've been working with some of the other big players as part of this EU code of practice, to try to get better transparency tools out there for consumers to see what ads they're seeing and for researchers and for journalists to understand how these big disinformation campaigns happen. We have a fellow at the Mozilla Foundation working on this. The big frustration, honestly, is that it's very hard to get access to these archives of ads, even though some of our colleagues have pledged to make that access available.
We recently did an analysis. There are five different criteria that experts have identified—for example, is it historical? Is it publicly available? Is it hard to get the information? It's those kinds of things.
We put out a blog post, for example, that Facebook had only met two of the five criteria, the minimum criteria that experts had set for reasonable access to an ad archive. Not to pick on them—we've already picked on them publicly—but I'll say we hope we can do more, because I think without that kind of transparency....
Google did better. It got four out of five on the experts' chart, but without more transparency around ads, we're really stuck in trying to understand what kinds of disinformation campaigns are being built out there.
Mr. Davidson, you mentioned earlier in a reply to Mr. Baylis that with regard to political ads, your first preference was for company action to promote transparency. I'd like to highlight two instances in which it seems that company action has fallen short.
In April 2018, Facebook implemented new rules for political ad transparency. They acknowledged they were slow to pick up foreign interference in the 2016 U.S. elections. They said they were increasing transparency around ads and that this would increase accountability, yet in late October 2018, Vice News published a report showing how easy it was to manipulate the so-called safeguard that Facebook had put in place. The reporters had been required to have their identification verified as having U.S. addresses before they could buy ads, but once verified, the reporters were able to post divisive ads and lie about who paid for them.
That's for Facebook.
Separately, in August 2018, Google said it had invested in robust systems to identify influence operations launched by foreign governments, but shortly after that, a non-profit organization, Campaign for Accountability, detailed how their researchers had posed as an Internet research agency and bought political ads targeting U.S. Internet users. According to CFA, Google made no attempt to verify the identity of the account and they approved the advertisements in less than 48 hours. The adverts ran on a wide range of websites and YouTube channels, generating over 20,000 views, all for less than $100.
Therefore, it does not sound as if the platforms are anywhere close to fulfilling their assurance to safeguard against foreign interference.
Would you agree with that?
If I could come back to the topic of competition, antitrust and monopolies in the new marketplace, there's been a lot of discussion recently, particularly in the United States, about the new digital monopolies and the fact that they may be a lot more durable than monopolies in the past—the railroads, the phone companies and so forth. They can overwhelm competition by either buying it or destroying it.
Yesterday I quoted, to the Facebook representative who was before us, the writings of Chris Hughes, the disillusioned former co-founder of Facebook. I know there's been some suggestion from some of our panellists today that their companies may be willing to accept versions of the European legislation, but one of Mr. Hughes' headlines suggests that Facebook should, in fact, be broken up and be subject to antitrust application. He said, “Facebook isn't afraid of a few more rules. It's afraid of an antitrust case”.
I know the defence against antitrust prosecution is a little more difficult because your big data monopolies use the excuse that your service is free and that there's not a tangible or identifiable dollar cost to what consumers are buying.
Again, this question may be greater than your job descriptions allow, which is why we asked that CEOs be present with us today, but I wonder, particularly in the case of Amazon and Microsoft, if you could discuss your companies' views with regard to countering these growing antitrust discussions and calls for breakup in the interests of greater competition and greater consumer protection.
I'll start with Mr. Ryland.
I'd be happy to say a few words about that.
Again, our business model is very traditional. We're selling goods and services—they have monetary value—both in our retail Amazon.com business and our cloud computing business, and we are facing robust competition across all kinds of different services and platforms that are not limited to online. There's a vast variety of channels and mechanisms that people use to acquire IT services, whether it be for a cloud or other kinds of capabilities. It's just a very different business model from our perspective, and our use of data to enhance the consumer experience is, we believe, very much adding value for consumers, and they really enjoy the experience of using these technologies.
I think it's a very different approach to some of the issues that you raise. Again, that's kind of a high-level statement, and beyond that, in terms of specifics around competition law, I've already disclosed that I'm not an expert.
Again, I think our business model is very traditional in that regard, so I think it's a bit different.
I think that as you look at our longevity since the seventies, we've seen ebbs and flows. We used to have a phone. We have a great browser, but it has undergone a number of revisions. The vision of having a PC on every desktop has now changed to a phone in every pocket. We see these ebbs and flows that move through the environment.
As for the consumer data environment, consumers will go to services that are popular to them, and they will have ebbs and flows. Certainly if you speak with millennials today, the millennials are off in different places. For example, my children, who are kind of in that space, although they'll disagree that they're millennials, will say, “Dad, I'm not there, so don't talk to me on that channel—talk to me on this channel.” These things ebb and flow.
The data then lends itself to algorithms. We see an algorithmic age coming, and people using algorithms as a monetization technique. We see a move from algorithms to APIs and people monetizing APIs.
What we have is this continual innovation engine that's moving forward. We need to work together to try to figure out those unintended consequences, the lessons that we are learning along the way when it comes to disinformation, such as, for example, the squishy bag that happens when we push down on one place and then are surprised when it's “Oh, we didn't think about that.” Working together, then we can put in place those instruments to be able to do that.
I've abstracted this out, I know, from your question around anti-competition and antitrust, but I'd like to look at it from the macro level and how these things ebb and flow. How do we then put in place strong protection mechanisms for businesses and for people? That's through partnerships.
I think if we've learned anything from the last few days, it's that we continue to live in an age of surveillance capitalism that has the potential for serious consequences to our elections, to our privacy and to innovation, frankly.
While it has been frustrating at times, I do think we have made progress. We have had every single platform and big data company now say what they haven't said previously: They are going to embrace stronger privacy and data protection rules.
We had the platforms yesterday note that they need public accountability in their content control decisions and yesterday they acknowledged corporate responsibility for algorithmic impacts, so there is progress, but there is also a lot more work to do with respect to competition and consumer protection, and with respect to moving from an acknowledgement of responsibility for the algorithms that they employ to real accountability and liability when there are negative consequences to those decisions.
I think there's a lot more work to do, and that will depend upon continued global co-operation. I think our Canadian community has worked across party lines effectively. This international committee has now worked effectively across oceans, in some cases, and across countries.
The last thing I will say is that it's not just about addressing these serious global problems with serious global co-operation among parliamentarians; it requires global co-operation from companies. If there is any last takeaway, it is that the companies simply didn't take it seriously enough.
Thank you to our two excellent chairs. Thank you to our witnesses.
I think we have seen something extraordinary. I've been very proud of the Canadian Parliament and our willingness to be part of this process.
There's been some extraordinary testimony in terms of the quality of questions, and I've been very proud to be part of it. Two extraordinary facts are that we have never in my 15 years ever worked across party lines on pretty much anything, and yet we came together. Also, we have never, ever worked across international lines. We can thank a Canadian whistle-blower, Christopher Wylie, who opened the door to the digital Chernobyl that was happening around us.
As politicians, we stay away from complex technical things. They frighten us. We don't have the expertise, so we tend to avoid them, which I think was a great advantage for Silicon Valley for many years.
These things are not all that technical. I think what we've done these last two days with our international colleagues—and what we will continue to do internationally—is to make it as simple and clear as possible to restore the primacy of the person in the realm of big data. Privacy is a fundamental human right that will be protected. Legislators have an obligation and a duty to protect the democratic principles of our country, such as free expression and the right to participate in the digital realm without growing extremism. These are fundamental principles on which our core democracies have been founded. It's no different in the age of the phone than it was in the age of handwritten letters.
I want to thank my colleagues for being part of this. I think we came out of this a lot stronger than we went in, and we will come out even further. We want to work with the tech companies to ensure that the digital realm is a democratic realm in the 21st century.
Thank you all.
Thank you very much, Mr. Chairman.
I'd just like to start by congratulating you and the members of your committee for the excellent job you've done in hosting and chairing these sessions. I think it's done exactly what we hoped it would do. It has built on the work we started in London. I think it's a model for co-operation between parliamentary committees in different countries that are working on the same issues and benefiting from related experience and insights.
The sessions have been split between what we call social media companies yesterday and other data companies here. Really what we're talking about is that while there are different functions, these are all basically huge data businesses. What we're interested in is how they gather their data, what consent they have for doing so and how they use it.
Across the sessions, time and again we saw companies unwilling to answer direct questions about how they gather data and how they use it. Whether it's asking how Amazon and Facebook share data.... Even though this is widely reported, we don't know. My colleague, Mr. Lucas, asked about LinkedIn and Microsoft data being shared. It's possible to totally integrate your LinkedIn data with your Microsoft tools, and a quick Google search can tell you exactly how to do it.
I don't understand why companies are unwilling to talk openly about the tools they put in place. People may consent to use these tools, but do they understand the extent of the data they're sharing when they do? If it's as simple and straightforward as it seems, I'm always surprised that people are unwilling to talk about it. For me, these sessions are important because we get the chance to ask the questions that people won't ask and to continue to push for the answers we need.
I'll speak to the panellists first and then get into some closing comments.
I want to encourage you. You had promised, especially Mr. Ryland, about giving us a lot of the documents that you didn't.... Various commenters didn't have all the information that we were asking for. I would implore you to provide the information we requested to the clerk next to me so we can get a comprehensive answer for the committee. We'll provide it to all the delegates here.
Something that's really going to stick with me is a comment by Roger McNamee about the term “voodoo dolls”.
I watch my kids. I have four children. One is 21, one is 19, one is 17 and one is 15. I watch them becoming more and more addicted to these phones. I see work done by our colleagues in London about the addictive capabilities of these online devices. I wondered where are they going with this. You see that the whole drive from surveillance capitalism, the whole business model, is to keep them glued to that phone, despite the bad health it brings to those children, to our kids. It's all for a buck. We're responsible for doing something about that. We care about our kids, and we don't want to see them turned into voodoo dolls controlled by the almighty dollar and capitalism.
Since we like the devices so much, I think we still have some work to do to make sure we still provide access. We like technology and we've said that before. Technology is not the problem; it's the vehicle. We have to do something about what's causing these addictive practices.
I'll say thanks and offer some last comments.
Thanks to our clerk. We'll give him a round of applause for pulling it off.
He has that look on his face because events like this don't come off without their little issues. We deal with them on a real-time basis, so it's challenging. Again, I want to say a special thanks to Mike for getting it done.
Thanks also to my staff—over to my left, Kera, Cindy, Micah, Kaitlyn—for helping with the backroom stuff too. They're going to be very much de-stressing after this.
I'll give one shout-out before we finally close—oh, I forgot the analysts. Sorry. I'm always forgetting our poor analysts. Please stand.
Thank you for everything.
Thanks to the interpreters as well. There were three languages at the back, so thank you for being with us the whole week.
I'll give a little shout-out to our friend Christopher Wylie, despite being upstaged by sandwiches. I don't know if somebody saw the tweets from Christopher Wylie: “Democracy aside, Zuckerberg also missed out on some serious sandwich action.” He suggested that I mail the leftovers to Facebook HQ. Maybe that's the way we get the summons delivered into the right hands.
I want to thank all the media for giving this the attention we think it deserves. This is our future and our kids' future.
Again, thanks to all the panellists who flew across the globe, especially our U.K. members, who are our brothers and sisters across the water.
Singapore is still here as well. Thank you for coming.
Have a great day.
We'll see you in Ireland in November.
The meeting is adjourned.