OECD - Session 4, Stream B

Ottawa, ON

--- Upon commencing on Wednesday, October 3, 2007 at 3:17 p.m.

MR. VICKERY: I think we can start. We've now just mastered the technology.

We are running about ten minutes behind, so we are not going to compress this session.

My name is Graham Vickery, OECD, by the way. I'm acting as the emcee in the other room.

We are not going to compress this session. We are still going to have exactly the same amount of time for this session as in the printed program, but we are running about ten minutes late. So that means we will start ten minutes later and we will finish ten minutes later.

I will hand over to our very able Chair to begin the proceedings.

Thank you very much.

MR. STEVENSON: Thank you and good afternoon. Welcome to Stream B, as in bigger, better, boisterous. And the subject is confidence, privacy and security.

We are very fortunate to have a very fine panel to discuss these issues in the context of the participative web.

I was thinking about this event compared to the kinds of things that my agency was doing about a decade ago. I work at the U.S. Federal Trade Commission in the Consumer Protection side of things, and we focus on consumer issues and privacy and security issues. And certainly then the paradigm, of course, that we were looking at is the basic B-to-C consumer transactions.

As several of the speakers this morning and otherwise have pointed out, increasingly we see that a lot of the volume of activity on the Internet from a consumer or individual perspective is increasingly in the context of social networking sites a big issue in general. It's a big issue in terms of younger people, teen and tween interactions. It's a big issue in terms of the volume of interactions that cross borders in the use of these sites.

And certainly at the FTC this is an issue that we have looked at as a policy matter in terms of our various conferences, including one called Tech Aid where this was certainly a large issue that was flagged for the upcoming decade, and also from an enforcement point of view where we have brought at least one matter involving social networking, where we obtained a significant fine for violations of the Children's Online Privacy Protection Act.

So there are a cluster of issues here that are certainly of importance, both to regulators and business and otherwise. We are going to hear about several perspectives here.

We will start with Jennifer Mardosz from Fox Interactive Media, which runs MySpace or is part of the company MySpace.

I turn it over to Jennifer.

MS MARDOSZ: Thank you very much. I'm very pleased to be here on behalf of Fox and MySpace. And thanks to the OECD for coordinating this event and inviting us to participate.

Our approach to online safety -- and that's basically what I wanted to cover today -- is really all about conversations like this: getting together with industry, governmental agencies, non-governmental agencies and having a discussion about what is best for implementing appropriate safety procedures and applications on the Internet.

As our lives move more and more online from the physical world to the online world, at MySpace what we believe is we've got to look to the time honoured safety ideas from the physical world and transfer them onto the Internet.

We've done that. I mean, we all know now some of the challenges that we had previously faced in our physical world. We know how to block a minor from buying pornography at the local mini-mart. We know how to explain to our kids not to talk to strangers at the mall and not to talk to strangers at the park. We even recognize the value of a well-lit community, where our neighbours and law enforcement can keep an eye on what is happening.

It's those principles that we've got to work together to transfer onto the Internet.

My job at Fox Interactive is to work closely with MySpace. I have a background in law enforcement and I'm in charge of the global law enforcement program. So we are implementing appropriate safety features and then also working with law enforcement when necessary.

This first slide outlines our approach. We basically believe that all of these tenets are important components to an effective online safety program.

The first is technology. At MySpace we believe that all of us in the online industry have an obligation to develop processes and procedures to make the Internet a safer place for everyone, especially teenagers.

Some of the technology -- and I'll get into more examples in the next slide.

One thing that we've been looking at is implementing a software program that we've called Zephyr that will help parents to be more engaged on what their children are doing on MySpace, where if you install it on your computer and your child sets up a MySpace profile, the parent can monitor what age the child says that they are. Then if they change the age, the parent would be notified via the software.

So that's an example of technology that we are looking at to help make the Internet safer.

Education is obviously a key component and we look very hard at MySpace to get the word out to parents, to our users. We put warnings up on our site when people are uploading content and we remind them what it can mean.

We have our safety tips available on every MySpace page so that again people are aware of the potential implications of uploading personal information.

Education also, we talk to schools. We have a school administrators guide in the U.S. right now we've sent to 55,000 schools. We are working on localizing that guide as we expand into international territories and to localize that for other countries.

And educating law enforcement. We also have a law enforcement guide, where again we are working to localize that for the other countries that we have expanded into.

But also educating law enforcement in terms of the functionality of the site. We spend a lot of time, I do personally, reaching out to law enforcement, explaining how the site works and how they can better investigate cases if necessary.

I skipped over NGOs. We partner with NGOs quite a lot to make sure that we are communicating with them, getting their good ideas. One of our partnerships is with the National Centre for Missing and Exploited Children in the U.S. That's another great example of how we have taken the physical safety concepts and transferred them onto MySpace.

There is a program called the Amber Alert System in the United States where the national centre, when there is a missing child in a community, years ago they would send out notices to community members. They would even put the image of a child on a milk carton that you would buy at the grocery store, to try to get everyone to help find that missing child.

So what we have done at MySpace is partnered with them so that we can put amber alerts on MySpace. We have done that now. So if a child were to become missing in a particular community, we can send out that notice and help find a missing child.

Public policy is obviously very important and looking at legislation. We obviously support stiff penalties for predators on the Internet, and we work closely advocating certain things, such as not only the actual victimization of a child but the actual grooming of a child.

So even that discussion, we are advocating throughout the United States and internationally that that should be a crime as well.

In terms of industry relations, conferences like this, as I said, working together, we believe that we can make the online community a safer place.

Then international. I mentioned we are expanding internationally. We are opening offices throughout. You can see some of the countries that we have entered into.

For example, in Canada, we have approximately 5 million users now. We have opened an office in Canada.

As we open offices throughout the country, we are also looking to hire safety personnel to help us localize our safety policies, reach out to schools, reach out to law enforcement. Despite the fact that we are a U.S. based company, we do want to remain cognizant of the local laws and work with the local governments and law enforcement agencies.

So our approach at MySpace is we build safety into MySpace features so whatever functionality exists on the site we look at that and say to ourselves: How can we make that safer? What can we do better here?

We build safety features into MySpace. Some new safety features, which I will go into some of that in the next slide, and then our partnerships.

You can see our guiding principles, where we want to prevent teens from accessing inappropriate content, protect teens from people with bad intentions, provide the tools that empower all members to be safer, and provide support to law enforcement to bring the perpetrators to justice.

We basically look at this in these three paradigms: contact, content and collaboration.

If we break those down, on the contact side, what we do at MySpace is we put in contact barriers between people over the age of 18 and people under the age of 18. And also then our younger users, you do have to be 14 under our Terms of Service to sign up.

We, for example, make 14 and 15-year-old profiles default private, which means that you basically have to know someone in the physical world before they can communicate with you on MySpace. They have to know your last name or your e-mail address. So they have to get that independently.

We also make it so that the under 18’s cannot access mature content on the site. For example, the groups, if there’s a group or a forum that discusses mature issues, under 18’s are not able to access that.

We also have e-mail verification for new members. And so what this means is that when you sign up for the service you have to provide a valid e-mail address. And you can’t use the service until you receive an e-mail at that valid e-mail address and then respond back.

And we think that that provides another level of accountability and also deters potential predators because they actually have to provide some identity information and then it would also be another tool for law enforcement to track someone down if necessary.

We have a program that we’ve instituted in the U.S. called Sentinel Safe which has received a lot of media attention. You may have heard about it. Right now it’s deployed only in the U.S. but we are looking to work with other countries to see if we can implement it in some of the other countries.

And basically how it works is we have partnered with a private company called Sentinel Tech where they develop the first national searchable database of registered sex offenders in the U.S. of whom there’s approximately 600,000.

And I realize there’s different privacy laws in the various international countries but at least in the U.S. what we are able to do is take that national database now and search it and look for identifying information and try to match that up with any of the MySpace users and then delete them and block them from accessing the site in the future.

And obviously what can be done, one piece of legislation that we support strongly in the United States and in the other countries is to make convicted sex offenders have to register their e-mail addresses. In the United States when a sex offender goes to prison and then when they get out they have to -- they’re required by law to register their home address, their physical address.

And we are advocating that they be required to also register their e-mail address and IM handles so that there is more accountability. And if they do lie on the internet there would be consequences up to 10 years in jail if they did lie about it. And then also enhanced sentencing and enhanced charging.

I can tell I’m over my time, so I will fly through the last slide. And these are some examples of what we’re doing on the content side. We have a team of hundreds and hundreds of people that actually review each and every image and video that is uploaded to our site to make sure that it complies with our terms of use.

We also hash known bad images. So when they see a bad image we hash it so that it can’t be uploaded again. We block bad URL’s. We also review the group images. But those are also subject to peer review by the group founder.

An important aspect of our site is the report abuse buttons. And so we make it really easy for our users to report an inappropriate image or an inappropriate video. We make the button right there.

And then we monitor the profiles and we’ll delete them for violations. And then this final thing is the CAT team, it’s a Content Assurance Team that we have that monitors the site and looks for underage users. And we’ll delete them if we find that kids are on the site lying about their age.

So, in closing, I just want to say, again, thank you for having us here. We’re delighted to be involved in this discussion and again, we think that working together with industry, law enforcement, parents, schools, we can all work together to make the internet more of a brightly lit neighbourhood for our children.

Thank you.

--- Applause/Applaudissements

MR. STEVENSON: Thank you, Jennifer.

I’ll now turn it over to Gary Davis from the Irish Internet Data Authority to give one regulator’s perspective on these issues.

MR. DAVIS: Thank you very much, Hugh.

And I’m honoured actually to have the opportunity to offer the Irish perspective on some of these issues at this forum. And thank you very much to the OECD for inviting us along.

It was put to me actually by a journalist over lunch hour that in fact there’s no room for privacy at all on the participative web; so, in fact probably the easiest thing to do would be to close social networking sites and we won’t have a problem at all. But I don’t think that’s really a realistic view. And actually not one I would tend to support.

I don’t come to these sort of issues with an initial negative view as perhaps maybe I should do as a privacy regulator because clearly these sites do push at the boundaries of what we all understand up till now to be a person’s individual space.

But in some respects I have a view that maybe our boundaries are skewed a little bit by our own perspectives and our own generation. But we’ll try and step through them maybe in a reasonable perspective.

The issues as I see them going forward and I suppose one has to also understand that as privacy regulators we’re trying to grapple with these issues as they evolve. Social networking sites and other such phenomena, such as content sharing sites, blog sites, various other peer-to-peer sites are emerging and growing almost exponentially in terms of their user base.

The types of issues that they are creating give us cause to stop and think, well, can we fix or fit our current legislative infrastructure to those spaces? By and large we can actually but here and there it does cause us a certain amount of issues.

What’s the biggest issues I see in terms of the information that’s placed on sites such as these? It’s that of consent. Consent will arise in many respects.

It will arise for a mature user in terms of the information that is provided in a very clear manner by the sites themselves in terms of what happens to their data, who is going to access it, who is it going to be sold on to, what are their choices? That’s a clear enough thing which most of us can, you know, read the privacy policies and come to a view on.

There is a particular issue there of consent in terms of underage users. And we do have sites that are extensively used in Ireland whereby maybe it is the generational issue that I allude to in the third point there, where some of the content on them is just plainly shocking even to somebody of my, well, relatively younger years.

And I can’t think that any 14 year old, 15 year old or even in some cases 13 year old can be consenting in a reasonable manner to putting that information up in a way in which one could say that, yes, they read the terms and conditions and yes, they understood what they were doing. That’s a challenge for us all and one which we’ll come to.

The other issue is consent in relation to third party data. And that’s the issue which we see a lot of here. And so maybe some of the presentations we might listen to is about how the user is empowered, how the user knows what they’re doing, the warnings which are given in relation to uploading their content. But a big issue arises in relation to third party content.

So, a picture of a teacher in a classroom that’s taken using a mobile phone with a camera on it, and is uploaded onto one of these sites and then used as a way in which to I suppose bully that teacher from all the children in their class, we have seen that in Ireland. And certainly there’s no consent of the teacher for their image to go up there.

And what rights does that person have?

Well they do have rights and it’s a way of articulating them.

I suppose the issue as I mentioned there in terms of who controls the data, and there was some element of a discussion of it earlier. I did catch some of it even though I came in a little bit late this morning, as to who’s actually ultimately responsible for the content of these sites. And there seems to me to be some element of what we might term in Ireland, shimmying on the issue as to whether or not you’re actually responsible.

But from our perspective in terms of the law, if you provide the platform, you’re responsible for the content on the site. You’re responsible for any content that anybody uploads. And you need to be able to stand over that content, not that, sorry, it was a user who put it in, it was there and you know, it’s nothing to do with us. It’s there. If you’re going to provide a service well then you’re going to have responsibility for it.

That line becomes a little bit more blurred as we get into some elements of blogging sites. But however we’ll focus on what’s more easily dealt with.

The generational issue is one that I referred to. And it’s one in which it would be easy for us to have the response that we had, that I maybe articulated at the start there which is we ban them all because what’s on them is actually outrageous and how could people be uploading some of that type of detail. But that’s a knee-jerk response which actually leads me on to the next point which is disproportionate media response.

We see that in Ireland actually in that often these sites will get coverage in the media. But it’s only in response to some issue at a point in time. And usually the type of response that you will get is that you know what’s going on them should be stopped. And they should be banned from going into schools.

So, there’s no school in Ireland currently that will allow access to a social networking site from within the school computers because they’ve deemed that’s the best way to deal with the problem which is actually to shut off access to it.

I might suggest and maybe I’ll do it later, that education might be a better way of informing all the pupils in the school. But they decided the best way was to ban all access.

That’s in response -- so you’re not actually getting a balanced debate at least in Ireland in relation to the good and the bad of these sites. And certainly there is good. But it’s not for me to come along here and articulate that. We have two sides to do it for themselves.

And then I suppose the big issue is what use the site is actually making in relation to the personal data that I supply to them. And I suppose for a while that’s been the elephant in the room that nobody wanted to address because the sites were growing, their user base was developing, but how were they going to be financed?

They’re not -- and I’ll move on, they’re not as Mozelle has said recently at an event I was that, public utilities. And maybe you know, we have to have a think about that in terms of how we view them from a privacy perspective.

So, what are the confidence issues then because I say that as certainly what we’re trying to do here. The main issue is that identifiable persons on these sites have rights. And it doesn’t really matter who put up the information.

If I put up the information about myself I have rights under data protection law. If somebody else put it up about me I also have rights.

I mightn’t know where the report abuse button is by the way, which is an issue. If I’m not a user on the site and somebody’s put up information about me, the report abuse button isn’t that much good to me.

And if these rights were asserted by a person, whether it be me as a user or a third party, what actually happens within the companies themselves, how do they respond to my assertion of my rights to say, there’s that about me being processed that’s incorrect or which I didn’t consent to have up?

So, the picture of the teacher in the classroom, does it go into some system and you know, they’ll look at it in a couple of weeks time and you know, if they have a think about it they might get back to it? Or do they actually have appropriate complaints handling mechanisms in place that will freeze the images or freeze the information pending an investigation into it?

And certainly there was one site which we approached in Ireland a couple of weeks ago and it took a full three weeks for anything to happen. At various points during that process we got some great automated responses to our concerns which certainly reassured us no end that something was happening.

But I suppose thankfully from a privacy perspective the trend is upwards in terms of sites actually listening to privacy concerns. And the best corollary which I could draw on this space is what has happened in relation to the retention of search engine data. A debate arose in that area and it’s going to come in this area as well and hopefully we’re all well geared up for it, in relation to how long search engines hold search data for.

We have gotten down from a period of indefinite holding of that data to at the last count 13 months. That is where privacy has actually been used as a point of commercial advantage. And we’ll continue to see that and we’ll see it in this space now as well because are articulating it.

I suppose for the sites themselves and I think they recognize it, confidence will be destroyed by a single incident or issue and people will move to another site. And they are fast developing.

So, the points to be addressed then, upfront information to users is patchy in some areas in relation to sites. I’m not thinking of any in particular but certainly there are some sites which could be better in terms of giving people full information in relation to what’s happening to my information, what choices do I have, what do I do if I have a problem?

And there are certainly some other entities in the space, you know -- zero minutes left, that’s fine -- who are deliberately establishing, I suppose from our perspective to try and avoid some jurisdictional privacy issues. An issue which we might hear sometimes in Europe is well we’re not actually based in Europe so, you know, we don’t have to worry about what the rights of European users are.

But, you know, by and large that issue is moving along because thankfully users are getting better at articulating their own rights. And as I said earlier, site owners have responsibilities to all identifiable persons.

The challenge then as I see it in relation to the younger age group more so, is to actually work together with the sites insofar as we can and other voices in the areas to try and educate users. Because certainly there is a disconnect somewhere in relation to the data that’s being put up by people in that younger age category and what our perspective would be is what right-minded people might put up about themselves.

So, there’s a challenge there in terms of trying to educate them a bit better, trying to educate the operators also but you know, they’re here, they’re talking. I congratulate them on that. They’re certainly out front and dealing with us which is a positive and not something that you wish to knock them back on.

And I suppose ultimately it’s about finding the right balance between freedom of expression and other rights, specifically privacy.

So, and I am definitely finished there (laughter). So, the standards are communicating and empowering the user. If the user knows what’s happening to their data and can take an informed choice in relation to it well then I think we’ve gone a long way towards meeting a lot of the privacy concerns.

A complaints handling mechanism which where if I make a complaint in relation to my data somebody will do something about it and quickly and if somebody on the site is misusing personal data or has uploaded that picture of the teacher in the classroom well then there must be a clear penalty for them which I think in most cases, the biggest one for them is to be removed from the site itself.

Thank you very much.

--- Applause/Applaudissements

MR. STEVENSON: We turn now, from Facebook we have a pinch hitter, Mozelle Thompson, former Commissioner of the Federal Trade Commission, former Chair of the OECD Consumer Policy Committee to talk to us about Facebook’s perspective.

MR. THOMPSON: Good afternoon.

As Hugh pointed out that I’m sort of a last minute substitute, that Chris Kelly wanted to be here but he had some things back in Palo Alto. Of course that didn’t stop him from asking me to do it even though I was giving a speech in Palo Alto yesterday and I had to fly the redeye out here to come out and see you.

But that being said, I’m happy to be here, simply if not for any other reason, I get to see a lot of old friends from the OECD and people who actually do a lot of work with the OECD and that’s good.

And what I thought I might begin by doing is talking to you a little bit about a change in perspective. Hugh began by talking a little bit about 10 years ago how we began to look at the internet and how people used the internet. And I thought of it more as a top-down approach, a more binary approach of information or no information.

And what’s happened now especially when we talk about Web 2.0 and sites like MySpace or YouTube or Facebook is the more horizontal growth, the real interactivity that we had talked about for a long time and we’d always hoped would get here.

But in that same vein it presents new challenges, not only to how we respond to users and the public and how companies act but also for regulators who it may challenge their traditional notions of how they think about information sharing.

The one thing I will say and I think that my colleague from MySpace can agree to this is that at the very least we have new technology that empowers users to exercise more control of information. And what we have found is that there are a lot of people, most people, who don’t want to be totally anonymous. And in fact they want to have technological tools that will allow them to share information with people.

Then it brings the new challenges of who do they share it with and under what circumstances and as the Commissioner said, do they understand what information they’re sharing and the context under which they’re doing it.

And to answer some of those questions, this is really the cutting edge of how we think of information, this strategic management of information by individuals. And where we spent a lot of time with a lot of our colleagues, including folks from MySpace and others, we all work together with industry and governments and users to try to talk about what the future is going to look like and try to begin to define what we think might be appropriate and inappropriate behaviour. Because one thing I will say is that companies like ours stand out here and we’re in front and we’re talking to you; there are a lot of companies who are not and may not be quite as transparent about what they do or how they do it.

But let me talk a little bit about Facebook. How many people actually participate in a social networking site? Don’t be shy, you know, it’s okay, you can come out. Okay.

You know and for me, you know I consider myself one of the old people on Facebook, that one of the things that’s interesting is that there are sites that are very segmented, that are geared towards children and some that are geared to a little older.

But one of the things we found at Facebook, we started as primarily a college and university-based site and that we have grown exponentially so that our demographic looks a lot different. The fastest growing places on Facebook are people over 24 and people who are not in colleges and universities, but are parts of regional networks.

And so we are here in Canada, the second largest regional network is in Toronto. Canada is an interesting example, over 10 per cent of the population of Canada is on Facebook and people use it for all sorts of different reasons, not only to talk with the people who live in their neighbourhood or their interests, people who have the same football interests as them, but also politicians who want to communicate with constituents, people who want to get involved with local causes and charities.

And it is very interesting because that is consistent with how Facebook believes its philosophy runs. It is a real-name culture, it is not for people who are anonymous, we take steps to make sure of that because we think that people who know people in their community are people who are more likely to participate and more likely to report people who are engaged in abuse or other types of inappropriate activity.

It is also based on real life. As I said, it is horizontal. So you connect with people who you want to connect with. And part of the architecture is we have segmented communities. Even though I have a Facebook profile that is not open to everybody, you can all be my friend for today.

How many of you are on Facebook? Okay. Would it help for the rest of you to walk you through a little bit of Facebook and show you what it does? Okay.

This is the opening page of Facebook. Everybody who is a member of Facebook has a this item here called “News Feed,” which is your own personal newsletter, that is how I view it. The information here really deals with people who are your friends and it tells you what they want you to know, whether they have added some pictures, are there someplace and what they do.

Your profile, this is mine.. Okay, what is the answer, tech guy? I don’t know, so much for your wireless network. Where is Mr. Simpson when you need him?

--- Audio feed disconnected

Well, let me keep talking while he is working.

One of the unique parts about Facebook is we provide robust privacy tools. And what is interesting from a recent trip a couple of weeks ago to Europe in talking to various privacy commissioners, some people may think that we don’t provide enough, other think that we provide too many, it might be confusing to people.

In any event, one of the things that is a hallmark to what Facebook does is it has an array of privacy settings so that -- okay, should I try it again or leave it to you -- that allows you to decide who is that scary guy, what kind of information you want people to see.

So, for example, these are my networks, you know, I went to Columbia and Princeton and I know people at Facebook, and some people put a lot of personal information, I don’t. If you want to know that you have to buy me a drink. And as we continue down the page, here are some of my friends. I have information, contact information, I have background information about work and education and some of the groups that I am in. Not everybody can see everything on my page. I get to decide, based on this part up here when we go to privacy, who gets to see what.

What we have here is in each section of my page I can decide how restrictive I want those settings to be. And what you will see here is a barcode, it actually tells you whether I am more restrictive or less restrictive. This is less, this is more. And you can edit that by determining, for example, on my basic profile whether all of my friends and all of my networks can see it, only some of my friends, only my friends and only my networks and all of my friends. So you can get to be very granular with this.

Now, one of the challenges that we have is what are our defaults? Are all our defaults open? Some of them are not quite as transparent. When I say that, for people who are under 18 we have certain kinds of defaults that you can’t get around. If you are over 18, for example, you cannot prowl high school networks looking for people, you cannot search for people under 18. There is a hard firewall there, unless you know a particular person. We don’t want to stop a parent from befriending their kids, okay.

But this is some of the challenges that we have. So we are probably more granular about this and people find this very attractive. And, in fact, I will tell you something that is not reported very often, is that our experience is that this is something that people actually like a lot. Somewhere between 20 and 30 per cent of our users actually change default settings and come in here and actually change their privacy settings, some more open, some less open.

Now, to give you some background. On most websites and studies I have seen you are lucky if you get more than a quarter of a per cent actually visiting a privacy policy. So what this showed me was people actually care about this. And so I want to answer your questions, thank you.

--- Applause

MR. STEVENSON: Thank you, Mozelle, for being our friend today, we appreciate it.

MR. THOMPSON: Not you.

--- Laughter

MR. STEVENSON: Oh. Well, we move onto John Lawford from the Public Interest Advocacy Centre to give us his views about the concerns that he has on the necessity of social networking.

Thanks.

MR. LAWFORD: Thank you very much.

The comic, if you can’t read it, says this is a bank robber in a bank saying, “You know, you can do this just as easily online.” That is the teller and that is the viewpoint that I am bringing today, it is from the user point of view from a privacy perspective. And this is the only security slide I have, but you will see what I mean when I say that security and privacy are linked.

All right, it has been 10 years since the first go around here in Ottawa and out of that OECD meeting we ended up with what I will call was Privacy 1.0 in terms of acts, in Canada at least, the PIPEDA legislation.