--- Upon commencing on Wednesday, October 3, 2007 at 3:17 p.m.
MR. VICKERY: I think we can start. We've now just mastered the technology.
We are running about ten minutes behind, so we are not going to compress this
session.
My name is Graham Vickery, OECD, by the way.
I'm acting as the emcee in the other room.
We are not going to compress this session.
We are still going to have exactly the same amount of time for this
session as in the printed program, but we are running about ten minutes
late. So that means we will start ten
minutes later and we will finish ten minutes later.
I will hand over to our very able Chair to begin the proceedings.
Thank you very much.
MR. STEVENSON: Thank you and good
afternoon. Welcome to Stream B, as in
bigger, better, boisterous. And the
subject is confidence, privacy and security.
We are very fortunate to have a very fine panel to discuss these issues in the
context of the participative web.
I was thinking about this event compared to the kinds of things that my agency
was doing about a decade ago. I work at
the U.S. Federal Trade Commission in the Consumer Protection side of things,
and we focus on consumer issues and privacy and security issues. And certainly then the paradigm, of course,
that we were looking at is the basic B-to-C consumer transactions.
As several of the speakers this morning and otherwise have pointed out,
increasingly we see that a lot of the volume of activity on the Internet from a
consumer or individual perspective is increasingly in the context of social
networking sites a big issue in general.
It's a big issue in terms of younger people, teen and tween
interactions. It's a big issue in terms of
the volume of interactions that cross borders in the use of these sites.
And certainly at the FTC this is an issue that we have looked at as a policy matter
in terms of our various conferences, including one called Tech Aid where this
was certainly a large issue that was flagged for the upcoming decade, and also
from an enforcement point of view where we have brought at least one matter
involving social networking, where we obtained a significant fine for
violations of the Children's Online Privacy Protection Act.
So there are a cluster of issues here that are certainly of importance, both to
regulators and business and otherwise.
We are going to hear about several perspectives here.
We will start with Jennifer Mardosz from Fox Interactive Media, which runs MySpace
or is part of the company MySpace.
I turn it over to Jennifer.
MS. MARDOSZ: Thank you very much. I'm very pleased to be here on behalf of Fox
and MySpace. And thanks to the OECD for
coordinating this event and inviting us to participate.
Our approach to online safety -- and that's basically what I wanted to cover today --
is really all about conversations like this: getting together with industry,
governmental agencies, non-governmental agencies and having a discussion about
what is best for implementing appropriate safety procedures and applications on
the Internet.
As our lives move more and more online from the physical world to the online
world, at MySpace what we believe is we've got to look to the time honoured
safety ideas from the physical world and transfer them onto the Internet.
We've done that. I mean, we all know now some
of the challenges that we had previously faced in our physical world. We know how to block a minor from buying
pornography at the local mini-mart. We
know how to explain to our kids not to talk to strangers at the mall and not to
talk to strangers at the park. We even
recognize the value of a well-lit community, where our neighbours and law
enforcement can keep an eye on what is happening.
It's those principles that we've got to work together to transfer onto the Internet.
My job at Fox Interactive is to work closely with MySpace. I have a background in law enforcement and
I'm in charge of the global law enforcement program. So we are implementing appropriate safety
features and then also working with law enforcement when necessary.
This first slide outlines our approach. We
basically believe that all of these tenets are important components to an
effective online safety program.
The first is technology. At MySpace we
believe that all of us in the online industry have an obligation to develop
processes and procedures to make the Internet a safer place for everyone,
especially teenagers.
Some of the technology -- and I'll get into more examples in the next slide.
One thing that we've been looking at is implementing a software program that we've
called Zephyr that will help parents to be more engaged on what their children
are doing on MySpace, where if you install it on your computer and your child
sets up a MySpace profile, the parent can monitor what age the child says that
they are. Then if they change the age,
the parent would be notified via the software.
So that's an example of technology that we are looking at to help make the
Internet safer.
Education is obviously a key component and we look very hard at MySpace to get the word
out to parents, to our users. We put
warnings up on our site when people are uploading content and we remind them
what it can mean.
We have our safety tips available on every MySpace page so that again people are
aware of the potential implications of uploading personal information.
Education also, we talk to schools. We have a
school administrators guide in the
And educating law enforcement. We also have
a law enforcement guide, where again we are working to localize that for the
other countries that we have expanded into.
But also educating law enforcement in terms of the functionality of the site. We spend a lot of time, I do personally,
reaching out to law enforcement, explaining how the site works and how they can
better investigate cases if necessary.
I skipped over NGOs. We partner with NGOs
quite a lot to make sure that we are communicating with them, getting their
good ideas. One of our partnerships is
with the National Centre for Missing and Exploited Children in the
There is a program called the Amber Alert System in the
So what we have done at MySpace is partnered with them so that we can put amber
alerts on MySpace. We have done that
now. So if a child were to become
missing in a particular community, we can send out that notice and help find a
missing child.
Public policy is obviously very important and looking at legislation. We obviously support stiff penalties for
predators on the Internet, and we work closely advocating certain things, such
as not only the actual victimization of a child but the actual grooming of a
child.
So even that discussion, we are advocating throughout the
In terms of industry relations, conferences like this, as I said, working
together, we believe that we can make the online community a safer place.
Then international. I mentioned we are
expanding internationally. We are
opening offices throughout. You can see
some of the countries that we have entered into.
For example, in
As we open offices throughout the country, we are also looking to hire safety
personnel to help us localize our safety policies, reach out to schools, reach
out to law enforcement. Despite the fact
that we are a
So our approach at MySpace is we build safety into MySpace features so whatever
functionality exists on the site we look at that and say to ourselves: How can we make that safer? What can we do better here?
We build safety features into MySpace. Some
new safety features, which I will go into some of that in the next slide, and
then our partnerships.
You can see our guiding principles, where we want to prevent teens from accessing
inappropriate content, protect teens from people with bad intentions, provide
the tools that empower all members to be safer, and provide support to law
enforcement to bring the perpetrators to justice.
We basically look at this in these three paradigms: contact, content and
collaboration.
If we break those down, on the contact side, what we do at MySpace is we put in
contact barriers between people over the age of 18 and people under the age of
18. And also then our younger users, you
do have to be 14 under our Terms of Service to sign up.
We, for example, make 14 and 15-year-old profiles default private, which means that
you basically have to know someone in the physical world before they can
communicate with you on MySpace. They
have to know your last name or your e-mail address. So they have to get that independently.
We also make it
so that the under 18’s cannot access mature content on the site. For example, the groups, if there’s a group
or a forum that discusses mature issues, under 18’s are not able to access
that.
We also have e-mail verification for new members.
And so what this means is that when you sign up for the service you have
to provide a valid e-mail address. And
you can’t use the service until you receive an e-mail at that valid e-mail
address and then respond back.
And we think that that provides another level of accountability and also deters
potential predators because they actually have to provide some identity
information and then it would also be another tool for law enforcement to track
someone down if necessary.
We have a program that we’ve instituted in the
And basically how it works is we have partnered with a private company called
Sentinel Tech where they develop the first national searchable database of
registered sex offenders in the
And I realize there’s different privacy laws in the various international countries
but at least in the U.S. what we are able to do is take that national database
now and search it and look for identifying information and try to match that up
with any of the MySpace users and then delete them and block them from
accessing the site in the future.
And obviously what can be done, one piece of legislation that we support strongly
in the
And we are advocating that they be required to also register their e-mail address
and IM handles so that there is more accountability. And if they do lie on the internet there
would be consequences up to 10 years in jail if they did lie about it. And then also enhanced sentencing and
enhanced charging.
I can tell I’m over my time, so I will fly through the last slide. And these are some examples of what we’re
doing on the content side. We have a
team of hundreds and hundreds of people that actually review each and every
image and video that is uploaded to our site to make sure that it complies with
our terms of use.
We also hash known bad images. So when they
see a bad image we hash it so that it can’t be uploaded again. We block bad URL’s. We also review the group images. But those are also subject to peer review by
the group founder.
An important aspect of our site is the report abuse buttons. And so we make it really easy for our users
to report an inappropriate image or an inappropriate video. We make the button right there.
And then we monitor the profiles and we’ll delete them for violations. And then this final thing is the CAT team,
it’s a Content Assurance Team that we have that monitors the site and looks for
underage users. And we’ll delete them if
we find that kids are on the site lying about their age.
So, in closing, I just want to say, again, thank you for having us here. We’re delighted to be involved in this
discussion and again, we think that working together with industry, law
enforcement, parents, schools, we can all work together to make the internet
more of a brightly lit neighbourhood for our children.
Thank you.
--- Applause/Applaudissements
MR. STEVENSON: Thank you, Jennifer.
I’ll now turn it over to Gary Davis from the Irish Internet Data Authority to give
one regulator’s perspective on these issues.
MR. DAVIS: Thank you very much, Hugh.
And I’m honoured actually to have the opportunity to offer the Irish perspective on
some of these issues at this forum. And
thank you very much to the OECD for inviting us along.
It was put to me actually by a journalist over lunch hour that in fact there’s no
room for privacy at all on the participative web; so, in fact probably the
easiest thing to do would be to close social networking sites and we won’t have
a problem at all. But I don’t think
that’s really a realistic view. And
actually not one I would tend to support.
I don’t come to these sort of issues with an initial negative view as perhaps
maybe I should do as a privacy regulator because clearly these sites do push at
the boundaries of what we all understand up till now to be a person’s
individual space.
But in some respects I have a view that maybe our boundaries are skewed a little
bit by our own perspectives and our own generation. But we’ll try and step through them maybe in
a reasonable perspective.
The issues as I see them going forward and I suppose one has to also understand
that as privacy regulators we’re trying to grapple with these issues as they
evolve. Social networking sites and
other such phenomena, such as content sharing sites, blog sites, various other
peer-to-peer sites are emerging and growing almost exponentially in terms of
their user base.
The types of issues that they are creating give us cause to stop and think, well,
can we fix or fit our current legislative infrastructure to those spaces? By and large we can actually but here and
there it does cause us a certain amount of issues.
What’s the biggest issues I see in terms of the information that’s placed on sites
such as these? It’s that of
consent. Consent will arise in many
respects.
It will arise for a mature user in terms of the information that is provided in a
very clear manner by the sites themselves in terms of what happens to their
data, who is going to access it, who is it going to be sold on to, what are
their choices? That’s a clear enough
thing which most of us can, you know, read the privacy policies and come to a
view on.
There is a particular issue there of consent in terms of underage users. And we do have sites that are extensively
used in Ireland whereby maybe it is the generational issue that I allude to in
the third point there, where some of the content on them is just plainly
shocking even to somebody of my, well, relatively younger years.
And I can’t think that any 14 year old, 15 year old or even in some cases 13 year
old can be consenting in a reasonable manner to putting that information up in
a way in which one could say that, yes, they read the terms and conditions and
yes, they understood what they were doing.
That’s a challenge for us all and one which we’ll come to.
The other issue is consent in relation to third party data. And that’s the issue which we see a lot of
here. And so maybe some of the presentations
we might listen to is about how the user is empowered, how the user knows what
they’re doing, the warnings which are given in relation to uploading their
content. But a big issue arises in
relation to third party content.
So, a picture of a teacher in a classroom that’s taken using a mobile phone with a
camera on it, and is uploaded onto one of these sites and then used as a way in
which to I suppose bully that teacher from all the children in their class, we
have seen that in Ireland. And certainly
there’s no consent of the teacher for their image to go up there.
And what rights does that person have?
Well they do have rights and it’s a way of
articulating them.
I suppose the issue as I mentioned there in terms of who controls the data, and
there was some element of a discussion of it earlier. I did catch some of it even though I came in
a little bit late this morning, as to who’s actually ultimately responsible for
the content of these sites. And there
seems to me to be some element of what we might term in
But from our perspective in terms of the law, if you provide the platform, you’re
responsible for the content on the site.
You’re responsible for any content that anybody uploads. And you need to be able to stand over that
content, not that, sorry, it was a user who put it in, it was there and you
know, it’s nothing to do with us. It’s
there. If you’re going to provide a
service well then you’re going to have responsibility for it.
That line becomes a little bit more blurred as we get into some elements of blogging
sites. But however we’ll focus on what’s
more easily dealt with.
The generational issue is one that I referred to.
And it’s one in which it would be easy for us to have the response that
we had, that I maybe articulated at the start there which is we ban them all
because what’s on them is actually outrageous and how could people be uploading
some of that type of detail. But that’s
a knee-jerk response which actually leads me on to the next point which is
disproportionate media response.
We see that in
So, there’s no school in
I might suggest and maybe I’ll do it later, that education might be a better way
of informing all the pupils in the school.
But they decided the best way was to ban all access.
That’s in response -- so you’re not actually getting a balanced debate at least in
And then I suppose the big issue is what use the site is actually making in
relation to the personal data that I supply to them. And I suppose for a while that’s been the
elephant in the room that nobody wanted to address because the sites were
growing, their user base was developing, but how were they going to be
financed?
They’re not -- and I’ll move on, they’re not as Mozelle has said recently at an event I
was at, public utilities. And maybe
you know, we have to have a think about that in terms of how we view them from
a privacy perspective.
So, what are the confidence issues then because I say that as certainly what we’re
trying to do here. The main issue is
that identifiable persons on these sites have rights. And it doesn’t really matter who put up the
information.
If I put up the information about myself I have rights under data protection
law. If somebody else put it up about me
I also have rights.
I mightn’t know where the report abuse button is by the way, which is an
issue. If I’m not a user on the site and
somebody’s put up information about me, the report abuse button isn’t that much
good to me.
And if these rights were asserted by a person, whether it be me as a user or a
third party, what actually happens within the companies themselves, how do they
respond to my assertion of my rights to say, there’s that about me being
processed that’s incorrect or which I didn’t consent to have up?
So, the picture of the teacher in the classroom, does it go into some system and
you know, they’ll look at it in a couple of weeks time and you know, if they
have a think about it they might get back to it? Or do they actually have appropriate complaints
handling mechanisms in place that will freeze the images or freeze the
information pending an investigation into it?
And certainly there was one site which we approached in
But I suppose thankfully from a privacy perspective the trend is upwards in terms
of sites actually listening to privacy concerns. And the best corollary which I could draw on
this space is what has happened in relation to the retention of search engine
data. A debate arose in that area and
it’s going to come in this area as well and hopefully we’re all well geared up
for it, in relation to how long search engines hold search data for.
We have gotten down from a period of indefinite holding of that data to at the
last count 13 months. That is where
privacy has actually been used as a point of commercial advantage. And we’ll continue to see that and we’ll see
it in this space now as well because are articulating it.
I suppose for the sites themselves and I think they recognize it, confidence will
be destroyed by a single incident or issue and people will move to another
site. And they are fast developing.
So, the points to be addressed then, upfront information to users is patchy in some
areas in relation to sites. I’m not
thinking of any in particular but certainly there are some sites which could be
better in terms of giving people full information in relation to what’s
happening to my information, what choices do I have, what do I do if I have a
problem?
And there are certainly some other entities in the space, you know -- zero minutes
left, that’s fine -- who are deliberately establishing, I suppose from our
perspective to try and avoid some jurisdictional privacy issues. An issue which we might hear sometimes in
Europe is well we’re not actually based in
But, you know, by and large that issue is moving along because thankfully users are
getting better at articulating their own rights. And as I said earlier, site owners have
responsibilities to all identifiable persons.
The challenge then as I see it in relation to the younger age group more so, is to
actually work together with the sites insofar as we can and other voices in the
areas to try and educate users. Because
certainly there is a disconnect somewhere in relation to the data that’s being
put up by people in that younger age category and what our perspective would be
is what right-minded people might put up about themselves.
So, there’s a challenge there in terms of trying to educate them a bit better,
trying to educate the operators also but you know, they’re here, they’re
talking. I congratulate them on
that. They’re certainly out front and
dealing with us which is a positive and not something that you wish to knock
them back on.
And I suppose ultimately it’s about finding the right balance between freedom of
expression and other rights, specifically privacy.
So, and I am definitely finished there (laughter).
So, the standards are communicating and empowering the user. If the user knows what’s happening to their
data and can take an informed choice in relation to it well then I think we’ve
gone a long way towards meeting a lot of the privacy concerns.
A complaints handling mechanism which where if I make a complaint in relation to
my data somebody will do something about it and quickly and if somebody on the
site is misusing personal data or has uploaded that picture of the teacher in
the classroom well then there must be a clear penalty for them which I think in
most cases, the biggest one for them is to be removed from the site itself.
Thank you very much.
--- Applause/Applaudissements
MR. STEVENSON: We turn now, from Facebook we
have a pinch hitter, Mozelle Thompson, former Commissioner of the Federal Trade
Commission, former Chair of the OECD Consumer Policy Committee to talk to us
about Facebook’s perspective.
MR. THOMPSON: Good afternoon.
As Hugh pointed out that I’m sort of a last minute substitute, that Chris Kelly
wanted to be here but he had some things back in
But that being said, I’m happy to be here, simply if not for any other reason, I
get to see a lot of old friends from the OECD and people who actually do a lot
of work with the OECD and that’s good.
And what I thought I might begin by doing is talking to you a little bit about a
change in perspective. Hugh began by
talking a little bit about 10 years ago how we began to look at the internet
and how people used the internet. And I
thought of it more as a top-down approach, a more binary approach of
information or no information.
And what’s happened now especially when we talk about Web 2.0 and sites like
MySpace or YouTube or Facebook is the more horizontal growth, the real
interactivity that we had talked about for a long time and we’d always hoped
would get here.
But in that same vein it presents new challenges, not only to how we respond to
users and the public and how companies act but also for regulators who it may
challenge their traditional notions of how they think about information
sharing.
The one thing I will say and I think that my colleague from MySpace can agree to
this is that at the very least we have new technology that empowers users to
exercise more control of information.
And what we have found is that there are a lot of people, most people,
who don’t want to be totally anonymous.
And in fact they want to have technological tools that will allow them
to share information with people.
Then it brings the new challenges of who do they share it with and under what
circumstances and as the Commissioner said, do they understand what information
they’re sharing and the context under which they’re doing it.
And to answer some of those questions, this is really the cutting edge of how we
think of information, this strategic management of information by
individuals. And where we spent a lot of
time with a lot of our colleagues, including folks from MySpace and others, we
all work together with industry and governments and users to try to talk about
what the future is going to look like and try to begin to define what we think
might be appropriate and inappropriate behaviour. Because one thing I will say is that
companies like ours stand out here and we’re in front and we’re talking to you;
there are a lot of companies who are not and may not be quite as transparent
about what they do or how they do it.
But let me talk a little bit about Facebook.
How many people actually participate in a social networking site? Don’t be shy, you know, it’s okay, you can
come out. Okay.
You know and for me, you know I
consider myself one of the old people on Facebook, that one of the things
that’s interesting is that there are sites that are very segmented, that are geared towards children and some that are geared to
a little older.
But one of the
things we found at Facebook, we started as primarily a college and
university-based site and that we have grown exponentially so that our
demographic looks a lot different. The
fastest growing places on Facebook are people over 24 and people who are not in
colleges and universities, but are parts of regional networks.
And so we are here
in
And it is very
interesting because that is consistent with how Facebook believes its
philosophy runs. It is a real-name
culture, it is not for people who are anonymous, we take steps to make sure of
that because we think that people who know people in their community are people
who are more likely to participate and more likely to report people who are
engaged in abuse or other types of inappropriate activity.
It is also based on
real life. As I said, it is
horizontal. So you connect with people
who you want to connect with. And part
of the architecture is we have segmented communities. Even though I have a
Facebook profile that is not open to everybody, you can all be my friend for
today.
How many of you are
on Facebook? Okay. Would it help for the rest of you to walk you
through a little bit of Facebook and show you what it does? Okay.
This is the opening
page of Facebook. Everybody who is a
member of Facebook has this item here called “News Feed,” which is your own
personal newsletter, that is how I view it.
The information here really deals with people who are your friends and
it tells you what they want you to know, whether they have added some pictures,
are there someplace and what they do.
Your profile, this
is mine. Okay, what is the answer, tech
guy? I don’t know, so much for your
wireless network. Where is Mr. Simpson
when you need him?
--- Audio feed disconnected
Well, let me keep talking while he is working.
One of the unique
parts about Facebook is we provide robust privacy tools. And what is interesting from a recent trip a
couple of weeks ago to Europe in talking to various privacy commissioners, some
people may think that we don’t provide enough, others think that we provide too
many, it might be confusing to people.
In any event, one of
the things that is a hallmark to what Facebook does is it has an array of
privacy settings so that -- okay, should I try it again or leave it to you --
that allows you to decide who is that scary guy, what kind of information you
want people to see.
So, for example,
these are my networks, you know, I went to Columbia and Princeton and I know
people at Facebook, and some people put a lot of personal information, I don’t.
If you want to know that you have to buy me a drink. And as we continue down the page, here are
some of my friends. I have information,
contact information, I have background information about work and education and
some of the groups that I am in. Not everybody
can see everything on my page. I get to
decide, based on this part up here when we go to privacy, who gets to see what.
What we have here is
in each section of my page I can decide how restrictive I want those settings
to be. And what you will see here is a
barcode, it actually tells you whether I am more restrictive or less
restrictive. This is less, this is
more. And you can edit that by
determining, for example, on my basic profile whether all of my friends and all
of my networks can see it, only some of my friends, only my friends and only my
networks and all of my friends. So you
can get to be very granular with this.
Now, one of the
challenges that we have is what are our defaults? Are all our defaults open? Some of them are not quite as
transparent. When I say that, for people
who are under 18 we have certain kinds of defaults that you can’t get
around. If you are over 18, for example,
you cannot prowl high school networks looking for people, you cannot search for
people under 18. There is a hard
firewall there, unless you know a particular person. We don’t want to stop a parent from
befriending their kids, okay.
But this is some of
the challenges that we have. So we are
probably more granular about this and people find this very attractive. And, in fact, I will tell you something that is
not reported very often, is that our experience is that this is something that
people actually like a lot. Somewhere
between 20 and 30 per cent of our users actually change default settings and
come in here and actually change their privacy settings, some more open, some
less open.
Now, to give you
some background. On most websites and studies I have seen you are lucky if you
get more than a quarter of a per cent actually visiting a privacy policy. So what this showed me was people actually care
about this. And so I want to answer your
questions, thank you.
--- Applause
MR. STEVENSON: Thank you, Mozelle, for being our friend
today, we appreciate it.
MR. THOMPSON: Not you.
--- Laughter
MR. STEVENSON: Oh.
Well, we move onto John Lawford from the Public Interest Advocacy Centre
to give us his views about the concerns that he has on the necessity of social
networking.
Thanks.
MR. LAWFORD: Thank you very much.
The comic, if you
can’t read it, says this is a bank robber in a bank saying, “You know, you can
do this just as easily online.” That is
the teller and that is the viewpoint that I am bringing today, it is from the
user point of view from a privacy perspective.
And this is the only security slide I have, but you will see what I mean
when I say that security and privacy are linked.
All right, it has
been 10 years since the first go around here in Ottawa and out of that OECD
meeting we ended up with what I will call was Privacy 1.0 in terms of acts, in
Canada at least, the PIPEDA legislation.
We think the Act is
very good, but it is definitely sort of a first light version of
legislation. And there has been nothing
in the last two or three years that has really brought this to light more than
social networking sites, which I will talk more about in just a few minutes.
But Web 2.0 is
really putting stress on this vision and on the OECD principles from 1980,
which were reflected in the PIPEDA Act. What we really see at this time, I
think, is an externalization of the costs of privacy to users. And I say that
because we are starting to see huge consumer problems in the areas that I work
in with identity theft, with spam and with Spyware and they are all linked.
The link that I see in working in this area is personal information loss, personal
information selling and personal information sharing. And that's where the majority of these
problems come from. The problem is that
the Privacy 1.0 laws just can't keep up.
At
the moment we are at an historic point -- and hopefully the OECD can turn their
minds to this -- where Google, for example, is now saying that we need to have
international rules, a set of rules for privacy across the entire world. That is a huge development but it is one that
is being led by a private company, because these are the people who are in
control of our personal information at the moment.
That
is a problem because, as I said, we are seeing all these costs of the way
personal information is being handled.
In
my view and in the view of PIAC, consent is not working any more. It is not adequate. We need control of our personal information
as users.
It
is not just enough to have a Privacy 1.0 act; we need a Privacy 2.0 type
act. That is going to require two things
to be done.
First
of all, that citizens get involved in helping to design a new version of
privacy, a new understanding of privacy because I do accept, as the MySpace and
Facebook people say, that the younger users are more comfortable with putting
out certain details of their life on the Internet.
People
of all ages are happy to put certain details on social network and websites,
and they are perfectly willing to give certain information to certain retailers
to use for certain transactions. But
they are not willing to have that shared across companies and for other
purposes necessarily.
The
other thing that we need to do is involve governments in this. If we leave it to companies to set the
standard, what we are going to get is a standard which looks a lot like Privacy
1.0 but is actually perhaps even the lowest common denominator version and will
be voluntary. It will not be legislated.
To
this end, I would like to outline some of the rights that I think are missing
in the Privacy 1.0 legislation and that need to be in a new upgraded version of
privacy with consumers and individuals having more control over their personal
information.
One
thing that came up in
Plain
vanilla transactions, what I mean by this is there should be a right in the
user to conduct an electronic commerce transaction with a company and not
provide all that extra information which is not required for the transaction.
At
the moment there is a provision in our legislation that says that that is not
required and that you can refuse the transaction. But your choice is between taking the
transaction or not taking the transaction.
What
we need is a right where companies are required to give you the product or
service with the minimum personal information required or the more privacy
requesting version, if you like.
The
second one which we have noticed, and just is the bane of people's existence
now, is data breach notification. There
have been millions and millions of data records lost in the
We
need to be told when our personal information is lost by companies. This is not going to happen by voluntary
guidelines. We feel that the issue needs
to be brought forth in a new version of privacy law because the incentives for
companies are not there to reveal it.
Incentive is of course to hide it, minimize it, because it affects share
prices. It brings lawsuits.
If
everyone is on the same legal ground, they will be required to report all these
breaches.
We
will also have a better idea of how much identity theft is going on.  We will get a better idea how much
externalization again of this cost is going to users and individuals.
Although
we haven't fleshed this one out so much, there is some interesting work being
done by Ian Kerr at the
We
also think there should be a tracing right, and that is you don't know where
your personal information goes at the moment.
There
is a provision in our legislation that says you can ask a company to tell you
if they have disclosed the information, but it doesn't go on to require them to
tell you the next company and tell you where that information got shared to,
and so on down the line.
The
fact is that information gets put into data brokers' databases and data
aggregators and at the end of the day you don't know where that information has
gone and you don't know the accuracy of it, and yet it can be used for all
sorts of purposes, whether that is government use or use by private parties.
We
also think there should be a fair and safe way to do authentication. For electronic commerce, of course, you have
to identify yourself to make sure that you are not impersonating someone with
bank accounts or credit cards, that sort of thing.
But
lots of times in meetings that we have on authentication, for example, with
Industry
So
they are collecting more information and thereby creating more of a data cloud,
if you will, on you out there.
The
last thing is probably the most difficult but probably the most exciting from
our point of view.
Can
we come up with a new way to enforce privacy acts in a Privacy 2.0 type
legislation?
At
the moment data commissioners often don't have powers to investigate or fine
people and the end result is companies just ignore them.
What
we have to do is come up with new tools.
I'm not sure what those will be, whether they will be user-generated
wikis on bad practices by companies, whether we can have a rating system for
companies, again from the ground up, rating different companies' privacy
practices.
There
may be more ways of doing this, but we need to research ways to get users
involved in punishing companies or in bringing them back into line when they go
past the Privacy 1.0 or 1.2 acts that are in place in their jurisdiction.
I
will just close by saying the future, it is up to this organization and other
international organizations and domestic governments to come up with new
versions of privacy that actually are effective for individuals. If not, we are going to get the lowest common
denominator version coming out of either the private sector or a very weak
international agreement, which will not be productive, and we will be stuck in
exactly the same situation which we have been here in Canada.
The
last bullet point: Just think of a
future where Yahoogle buys my Second Face.
You can laugh but think about it.
We've got the world's biggest search engine which has all your
searches. It's linked to all your IP
addresses you have ever been at, and now they've got all your personal
information which has been linked to all the IP addresses that you have ever
used on social networking sites.
Thank
you.
--- Applause
MR. STEVENSON:  Thank you very much to our
panellists. I thought those were really
provoking thoughtful presentations.
We
have some time for questions, and I would really encourage folks to step up to
the microphones, if you have some questions to put to our panellists.
We
have two right in the middle here.
While
you are composing those thoughts, maybe I would just pose the question: One of the things that John just put out
there is do we need Privacy Laws 2.0 to deal with Web 2.0?
I
wonder if any of our other panellists would like to respond to that, and
particularly in the context of social networking obviously there are a broad
range of issues of these kinds of sites.
What,
if anything, in the legal environment might need to be addressed?
MR. THOMPSON:  Well, I can begin, then you
can...
I
do think one of the things that I think industry is concerned with is a
multiplicity of different standards and especially because there are some
countries and some jurisdictions where they’re pretty well knowledgeable about
some of the issues dealing with social networking and some where they’re not at
all.
At
the very least I think one of the challenges is to take a look at what I think
are pretty fixed standards and to see if they’re appropriate in a rapidly
moving and changing environment.
Some
of the issues that I know that you outlined as challenges particularly in
Canada, I know that in the U.S. people are looking at and there is some pending
legislation on it and that I would agree on like breach notification et
cetera. And that’s important.
But
what I think would be helpful is to the extent that we can talk about some of
those elements so that in recognition that information travels all around the
world. And for companies to know what to
expect, but more importantly for consumers to have a reasonable expectation of
what’s going to happen to them no matter where they’re located is also very
important.
MS MARDOSZ:  Yeah, I agree.  You know and I think that’s why sites like
ours and like Facebook, MySpace has similar privacy options. I didn’t go into those today but it’s a
similar system.
And
so offering those options to consumers directly, you know I would say we’re
ahead of the curve at offering options and notice and choice.
So,
I agree that the issues are really global.
And they need to be considered in a global fashion. But I think that industry really, you know,
is listening and responding.
MR. DAVIS:  Just to offer a European
perspective, the data protection directive which was finalized in 1995 has
recently undergone a review and we’ve clapped ourselves on the back and decided
that, yes, it was actually technologically neutral and can be applied to new
technology. And I think it can also --
it can be applied to social networking sites.
We’ve had a look at in terms of the issues that have arisen and
certainly it does.
In
terms of the standards, yes
And
I suppose I don’t have any difficulty with the debate that has started over
recognizing the difficulties that internet based companies such as the Googles
of this world and MySpace and Facebook have in terms of trying to meet their
multi-jurisdictional regulatory requirements.
And I think that’s a good debate.
But actually as long as that debate still recognizes the uniqueness from our
perspective of the European requirements, which actually they are broadly
meeting in terms of giving people their rights, we look forward to that.
And
I suppose the way I see it is no difficulty at all with a rise in tide lifting
all boats up to a higher standard in terms of privacy.
MR. STEVENSON:  I think we had a question at
the back mike and then the front mike.
QUESTION: Thank you very much. Thank you to the panel, that was very
interesting to listen to you.
I
have a general question and then a more specific one. The general question is, do you think that we
need to revisit previous data protection principles or do you think that we need
first to try to see how we can better ensure compliance and enforcement across
regions? That’s the general
question.
The
more specific question has to do with the privacy policy of MySpace or Facebook
versus their customers. You address
something which is very important which is the privacy options that each person
participating in Facebook or MySpace can do to limit or to control who has
access to the information. But what
about the relationship between the company providing the service and all those
who are using it?
Thank
you.
MS MARDOSZ:  Just so I understand the more
specific, I think what you’re asking is users that visit the sites that aren’t
necessarily members. Is that what you
mean? Because our privacy policy --
sorry.
QUESTION: I’m not yet maybe a user but if I --
MS MARDOSZ:  A visitor to the site.
QUESTION: Yeah.
MS MARDOSZ:  Okay.
QUESTION: If I participate in Facebook or MySpace and I
provide a number of information and I decide who access it, you store this
information for me so what do you do with my information which I decide to give
access to or not to give access to, to third parties?
MS MARDOSZ:  In terms of sharing, okay.
Well, to answer your first
question I think we pretty much covered that in terms of revisiting privacy
principles. I think that has to happen
on an ongoing basis and it is.
And
that’s actually what we’re doing here today is talking about that and also as,
at least for MySpace does, we expand internationally. You know, we’re looking and considering all
the laws.
And
then in terms of collection of that information what we do is we have teams in
place, like in terms of an imposter profile.
For example, I mean that was referenced earlier, if a head mistress or
something like that, if that were to happen we do have resources in place to
take those profiles down in terms of a non-user.
And
then in terms of the actual user data we do not share -- I mean our privacy
policy says we do not share that with third parties.
MR. LAWFORD:  I beg to differ on the don’t
share it with third parties.
What
MySpace and Facebook and SecondLife say are, we don’t consider your internet
protocol address to be your personal information so we’re going to collect that
and send it around to third parties.
It’s right here.
The
other thing they say is that with third party cookies, we can’t control what
people do with third party cookies. And
if we have advertisers who put cookies from other sites on your computer and
you come to our site and start clicking on their web ads and then play around
in our site, well too bad. Because
they’ve got it and they have their own privacy policy.
So
it’s not quite accurate. I understand
that the policy is mainly not to share it with third parties. But there are two holes there.
And
the last thing is these guys can get bought.
And when -- no, it says right in their privacy policy, when we’re bought
we can sell your personal information and you have nothing to say about it. And then you’ll be under the new privacy
policy of the new company.
And
these guys seem big now but they’re going to be small fry compared to Google or
Yahoo or someone who wants to buy them.
MR. THOMPSON:  I might be a little less
provocative.
--- Laughter
MR. THOMPSON:  But let me first thank you Anne,
for your questions.
On
the general question, I think the privacy principles that are not only the
basic privacy principles that we see from the OECD and manifested in the
European directive and we see it in various forms in the
And
I think that that’s an interesting challenge.
So, I don’t think we’re talking about the principles, we’re talking about
the specifics. And that’s going to be a
little bit more of a challenge.
And
I think we all need to take a step back.
And when I say that it’s not just governments alone but it’s also
consumers, it’s also industry to think about what does that mean.
Now
on specifics I know that you want to be provocative John, but I’m going to tell
you that we have a line in the sand. And
we’ve taken a lot of criticism for it in industry, that we do not provide your
personal information to other people.
Because it would be counter-- it would also be counter to the business
model. Because we tell people that if
you’re an advertiser and you want to reach people on Facebook, you have to
advertise through Facebook.
If
we were going to give that away, that would be giving away one of our most
important assets. So we just don’t do
that. And that’s a line that we draw in
the sand.
And we have had numerous requests
from advertisers, people who provide applications, all sorts of things who want
to skim our database. We don’t do it, it is just that simple.
MR. STEVENSON: All right, thank you.
Why don’t we take
another question. If you could identify
yourself just for the record.
QUESTION: Philippa Lawson, I am a Director of the
Canadian Internet Policy and Public Interest Clinic, CIPPIC, at the
I have a question,
but I also would like to hear Mozelle’s and Jennifer’s response to I guess
John’s two main points; one is about IP addresses as personal information and
the other is about acquisitions down the road, selling a business down the
road. But my question was a more
specific one about defaults and I am --
MR. THOMPSON: Is Rupert selling MySpace?
--- Laughter
QUESTION: Not about whether you are planning to sell,
obviously, but about your policy in the event of a sale. My question is about defaults and, Mozelle, I
think you raised that issue and, obviously, defaults are extremely
important. I have forgotten the exact
statistic, but it was a large proportion of your users don’t change the
default, right.
So my question is
what are your policies, what are the default settings in MySpace and Facebook, the
most restrictive from a privacy perspective?
If not, why not? And is it not
the case that a best practice from a privacy perspective would be to make those
defaults the most privacy respectful?
MR. THOMPSON: I would answer the question, no, and I will
tell you why. Because the most
restrictive would be no one can see anything and that is not the reason to be
on a social network, it is just that simple.
Now, I don’t know
enough about what MySpace does, but I can tell you that there is a couple of things
going on, some are apparent and some are not apparent that mitigate the sense
that everything is open.
First of all, we
have hard firewalls between over 18 and under 18 and those aren’t readily
apparent. But if you are under 18 you
will know it or if you are over 18 trying to troll for people under 18 you
would know it.
Second is that we
have segmented networks so you can’t get -- if you are in one regional network
you can’t join another regional network.
If you are in one university or one college you cannot join another
college network without being a member of that, having a .edu address, for
example, that limits exposure. And at
the same time, not all of our defaults are marked as open, that doesn’t happen.
So it is what I call
layered privacy protection and we give you an opportunity to change that. Now, what you could say is, and I think you sort
of imply, is that well there are a lot of people who don’t change their default
settings. And I am not embarrassed to
say, that more people use the privacy tools that we offer than any other
website period.
Second, is there are
also larger questions that I think MySpace and we and everybody else,
regulators too, about talking to people and educating them about how to use
information in a way that is wise, in a way that is effective, it is something
that is still a challenge and it has been a challenge for a long time.
And finally, you
also have to think of what the control is, because a lot of the people who are
also using our site and using the privacy tools, some of their alternatives
are really wide open, whether it is blogs, chat rooms, IM, ISPs, open networks
where there are no protections whatsoever.
And to say nothing about the number of people who give their information
on the telephone or throw it out in the dumpster all the time, which is the
principal source of identity theft.
So I think that what
I would like to see is a race to the top.
I think that, to the extent that if there is a healthy rivalry between
MySpace and Facebook on this issue, I think that is great.
MS MARDOSZ: Yes, I agree.
You know, it really is a balance.
And, you know, what we are trying to do is be upfront and be at really
the forefront. And I agree with Mozelle,
that the options that we put in place are there for a reason. We are trying to get them out in front of
people, we are out educating, we are out with parents, with schools, I am sure
Facebook is doing the same thing.  It is
understanding and it is educating people and we are trying to do that as best
as we can. And to put those privacy
options and those settings, ours are used as well, and so it is really a
balance between the two.
MR. STEVENSON: Thank you.
The question was
also raised, I think by John and Pippa about the IP address and then the issue
involving the sale. And I wondered
whether someone wanted to address that?
MR. DAVIS: I was just interested in the points, because
certainly an IP address is clearly personal data. There is no hole there now. If the privacy policies say personal data is
not being sold down to third parties, well then that is fine. If IP addresses are being exchanged to third
parties well then there clearly is a hole in the privacy policy.
So I would
encourage, I suppose just to put it to bed because I don’t think anybody is
denying that an IP address is personal data.
MS MARDOSZ: I think Mozelle has already answered it and I
have too. I mean, we do not sell that
information to third parties.
MR. LAWFORD: I am just going to read this part of this
privacy policy from MySpace, it says the following. It says, IP addresses, “This non-personally
identifiable information..” that is IP addresses, “..may be shared with third
parties to provide for more relevant services and advertisement to
members.” So what does that mean?
MR. STEVENSON: We will have that question.. I think in the interim I am going to --
MR. LAWFORD: (off microphone)
MR. STEVENSON: Okay, why don’t we go to the gentleman in
front.
QUESTION: Thanks, hi, Michael Geist,
So John presents a
vision of essentially a participative web to expose companies or just to bring
to light companies whose privacy policies aren’t the best or aren’t compliant
with some of their undertakings.
And yet we hear from
Mozelle that Facebook is the best of the sites in terms of having people
actively using and yet, by your numbers, 70 to 80 per cent of your users don’t
touch their defaults. In other words, 7
to 8 per cent of Canadians have Facebook identities and have never touched
their defaults.
Now, it may be --
MR. THOMPSON: Wait a minute. I am not going to allow you to go from a
general and talk about a specific in
QUESTION: Okay.
That is all right, that is fine.
Seventy to 80 per cent of your users haven’t changed their defaults, 10
per cent of the Canadian population has a Facebook page, some percentage of
Canadian users, perhaps between that 70 and 80 per cent, perhaps somewhat
different, haven’t adjusted their defaults.
We don’t know the precise numbers, that is fine.
MR. THOMPSON: Sure.
QUESTION: But skewing on your general numbers, it is in
that ballpark. There is clearly large
numbers of Canadians that presumably have not changed their defaults unless we
are just completely different from the rest of the world, which maybe we are.
But the question
isn’t really so much about Canadians, it is notwithstanding the education and
notwithstanding even sort of we have got a privacy commissioner actively out
there, clearly education isn’t doing as much from the corporation education,
the commissioner of education isn’t doing all that much.  And I am pessimistic on a participative web
for exposing anybody since, frankly, the majority of people, best case is only
25 per cent let us say roughly are even thinking about this issue, that means
most aren’t.
Is there a role to
bring it back into sort of the policy issues of this entire day, is there a
role from either a legislative or policy perspective for groups like the OECD
or for other governments or data protection commissioners to find a way to up
the ante a little bit so that more people do at least think about some of the
defaults that they are not choosing or choosing?
MR. THOMPSON: Look, I think more information is always
better. But you also forget one other
part of that equation, there may also be a large group of people who think the
defaults are okay, okay? So you are
coming at it with a presumption. I don’t
make that judgment, I do think more information is better than less information
and if people have more information they like us more. I don’t have a problem with that.
So the question is
does the OECD have a role? I think everybody has a role. I think everybody in this room should create
opportunities to talk to people about how they use information. And that's not just whether they participate
in Facebook or MySpace or YouTube or Google but it's the stuff they throw in
the garbage, it's the stuff that they provide people when they pick up the
telephone, which is absolutely amazing.
I do think that
there is an opportunity. But what I have
learned in my years at the FTC and everywhere else is that no one side can do
it by themselves.
MR. STEVENSON: Okay.
I think we have a gentleman in the green shirt and then the woman behind
him.
QUESTION: Hi, Richard Akerman from the National Science
Library of
One of the things
that I've seen in the discussion is we are talking mostly about silos, but Web
2.0 is about mashing sites up, about linking sites together, about crossing
between sites and combining them together.
Not to pick on
Facebook, but Facebook has a fabulous feature, which is Facebook
Applications. However, in order for me
to give my informed consent, I have only one choice. To use this application, I share my
information with a third party.
I think that is a
valid option, but the question, the broader question, the policy question
is: How do we deal with privacy when we
expect that sites will want to interlink like this, that people will want to
connect their information like this? How
do we control the spread of the information?
Are there
technological ways to do that? Are there
policy ways to manage it? If I share
with a third party, how do I stop the third party from sharing on?
So I'm interested
obviously particularly in the Facebook experience but the broader panel as
well.
Thank you.
MR. THOMPSON: I think that question is there for a
reason. I mean, when I say that, when it
warns you that in order to use this application, you have to share some
information with that application, it's because if you don't want to share your
information with that application, you should not download that application.
One of the things,
you are absolutely correct ‑‑ we have over 5,000
applications. And aside from the
applications that are created by Facebook itself, it is very difficult to
police every single other one for what everybody else does.
For example, if
Amazon has an application that you can download on Facebook, then you are going
to have to be guided by Amazon's policy.
That being said, do
we have certain standards about data mining and other things? Absolutely.
We tell sites that
if they want to create an application and they want to ask you for information,
that's great. We are not going to give
you information about our users. We
leave it then up to the user to determine whether they want to use this
application or not. And that has to do
with a trusted site relationship.
MR. STEVENSON: Thank you.
John, I think you
wanted to get on this, and then
MR. LAWFORD: The way you dealt with that in legislation,
you just ask for someone's consent, right, and that should be the end of
it. If you don't want to use that
program, you don't consent, except that what you are getting for that
application is they are asking for more personal information probably in your
sign‑up than they need to to provide that application to you.
They've already got
the fact that you have been referred from Facebook and now they are asking for
additional personal information.
That's where we are
saying that for a Web 2.0 type statute, whether internationally or nationally,
you should be able to ask for the plain vanilla transaction. So you have name, address, if you need it,
and I get my application, not all this other stuff.
MR. THOMPSON: That's a little bit misleading in the
following sense: that is you are Amazon and you have an application on Facebook
or some other company has an application on Facebook, if it's Expedia or
Travelocity, they are going to need some information from you in order for them
to do a transaction with you. That's
your relationship with them.
We are not
collecting that information. That third
party is collecting that information.
That's the purpose of the warning.
Not because we need that information.
We already know what we need to know because you are our user. You are absolutely right.
But we put the
warning there so that if you are using a third party application, you know that
they are collecting information about you.
It's a benefit to consumers.
MR. STEVENSON: Thank you.
Let's give
MR. DAVIS: Just from a data protection perspective, I
don't know the actual characteristics of Facebook applications and there could
be anything else.
One of the
principles is the purpose limitations.
So if I give my information for one purpose, which is to sign up to
that, the third party, then if they do anything else with it other than the reason
for which you gave it, then you would have a valid complaint to us as the Data
Protection Commissioner's Office and we would investigate it.
Also, and again
understanding the nature of the relationship that exists, if Facebook
applications could be deemed to be handling the information on behalf of
Facebook, well then there's a contractual obligation there. And one might say that a privacy standard
would be that the contract that is entered into would specify between Facebook
and whoever manages Facebook applications, that they may not use the
information for any other purpose.
I would expect to
see that. If you weren't seeing that
going forward, well then that's a privacy point that one would expect to be
articulated.
MR. STEVENSON: Thank you.
The last question.
QUESTION: It's Jennifer Creole. I'm actually asking this question to you,
Facebook, from a user perspective who has several hundred friends and who has
many requests for friends and feels an obligation to accept out of the spirit
of friendship.
I don't know if this
is really a policy concern or a very specific recommendation for Facebook,
which is that friends are grouped all as one.
A lot of my friends have hundreds of friends as well, one who is the
daughter of someone, who is quite young.
She is 14 and she has 250‑or‑so friends, again all grouped
as friends, who has posted a lot of images that I think as she grows older will
not want those images there. And she may
be able to take the time to take her tag off the images, but that doesn't take
the images off for the friends who have posted things about her. And they are all there.
And a lot of them
share friends. Let's say 50 of them,
they are all friends. If a lot of them
are in the group, they can see them.
So I guess my
question is one recommendation ‑‑ I don't know if it's a
policy issue or a recommendation to group friends differently, because if it's
all just one cluster of friends, I might be comfortable sharing certain types
of things with certain types of friends from certain social circles but not
with like all friends all the time.
The other issue is
actually around history, which was raised in our earlier session just previous
to this one, which is people might be comfortable sharing something at 14 years
old but when they are 20 or 30 or 40, is that archive carrying with them
forever?
I don't know what
you can say to that.
MR. STEVENSON: Thank you for that friendly suggestion.
Perhaps you would
like to respond and then anyone else for a final word.
MR. THOMPSON: Thank you for your helpful intervention.
First of all, we are
always working on ways to improve the site and we are thinking about whether we
want to add some granularity to the friends: fair weather friends, not so good
friends.
But we are thinking
about that.
I can tell you from
myself, I don't have that many friends.
‑‑‑ Laughter
UNIDENTIFIED SPEAKER:  Most kids have a lot of
friends.
MR. THOMPSON: That's right.
They want to be really popular. I
think for some people I'm a scary friend to have.
‑‑‑ Laughter
MR. THOMPSON: The second question about tagging, right now
you are right. We can take you off the
tag so that you are invisible, but you are not invisible to your friends,
especially if they put the picture up for you.
So that's a bigger
challenge because it's not like it's not a valid picture that someone else has
that they want to have. If you are with
a group of 25 people and you don't want it there but everybody else wants it
there, that's more of a challenge for us.
I don't know what
the easy answer to that is. If you have
another suggestion, then we would like to hear it too. I will take it back.
MR. STEVENSON: Thank you.
Friends, we are
unfortunately out of time. We have just
begun to scratch the surface of the many issues that this raised.
I would like you to
join me in thanking all of our excellent panellists for all of their
interventions.
Thank you.
‑‑‑ Applause
MR. THOMPSON: And I take back that friends thing. I don't want to hear from any of you.
‑‑‑ Laughter
‑‑‑ Upon recessing at 1640