Evidence of meeting #102 for Access to Information, Privacy and Ethics in the 42nd Parliament, 1st session. (The original version is on Parliament’s site, as are the minutes.) The winning word was election.

A video is available from Parliament.

On the agenda

Members speaking

Before the committee

Colin Bennett  Professor, Department of Political Science, University of Victoria, As an Individual
Thierry Giasson  Full Professor, Department of Political Science, Université Laval, As an Individual
Maxime Bernier  Beauce, CPC
Marshall Erwin  Director, Trust and Security, Mozilla Corporation

10:20 a.m.

Director, Trust and Security, Mozilla Corporation

Marshall Erwin

In Canada, if this committee really wants to make an impact here, it would be in that enforcement piece. Again, I think PIPEDA provides a good framework that you might want to make some changes to, but then really strengthening the enforcement part is a useful—

10:20 a.m.

Conservative

Peter Kent Conservative Thornhill, ON

I have one minute to go.

With regard to the ownership of browsing data, Mr. Zuckerberg didn't make it absolutely clear, but in his testimony in Washington he said that the content generated by a user is owned by the user. However, he was very fuzzy with regard to browsing history. Is the browsing history on Mozilla absolutely protected, or are there ways that third parties could track it and use it?

10:20 a.m.

Director, Trust and Security, Mozilla Corporation

Marshall Erwin

Again, we do not collect that browsing history. It remains on your computer. That means it's protected from Mozilla, essentially. We could always change the browser, but we've made a commitment that we are not going to do that.

I mentioned that the cross-site tracking that occurs across the industry does provide many different parties with access to people's browsing activity. Those third parties can't access your expansive web browsing history in the Firefox browser. If you are on a particular page and then you navigate to another page, and if those cross-site tracking technologies exist on both pages, third parties can collect information about the fact that you visited both of those pages. Over time, that allows those parties to build a fairly expansive data set of people's browsing activity.

10:20 a.m.

Conservative

Peter Kent Conservative Thornhill, ON

Thank you.

10:20 a.m.

Conservative

The Chair Conservative Bob Zimmer

Thank you, Mr. Kent.

Next up is Mr. Masse, for seven minutes.

Brian Masse NDP Windsor West, ON

Your decision to go with the model that you have right now with regard to not collecting that expansive data and not using that from your product is a business decision, for a variety of reasons—for ethics, and for those who would be more concerned about privacy. Is that accurate? Is it less about capability, and more about a business decision to restrict that?

10:20 a.m.

Director, Trust and Security, Mozilla Corporation

Marshall Erwin

I would think about it a little differently. What are the incentives we have to do the right thing? Those incentives aren't just limited to business issues. Mozilla Corporation is a public benefit company. We do not have a set of stockholders for whom we need to maximize revenue. That's a critical component of why, in the end, we make the decisions that we make.

We also have a user base that really cares about its privacy, and a set of developers who work with us who also care a lot about its privacy. That factor really influences our decisions.

In the end, one of the biggest challenges we face as an industry is that, thus far, not enough of the user base really makes decisions based on its privacy. That is a little less true of us, because we have a user base that I think has demonstrated, through using Firefox, that this is something it cares about. In the rest of the industry, that hasn't proven to be the case thus far, and we might be at a tipping point where it might be changing. I think we'd all like that to change.

However, regarding the incentives for a company such as Facebook, until Facebook users really demand something better, it's going to be hard for Facebook to deliver something better in terms of privacy. Our users do demand something better. They expect something better, and that allows us to deliver that.

Brian Masse NDP Windsor West, ON

It's less about the capability than it is about everything else.

When working on microbead issues, one of the things we found right away was that a lot of companies wanted to do the right thing in terms of restricting the size of microbeads. Those are the small plastic additives to shampoo, toothpaste, and so forth. A lot of companies wanted to make the right decisions, but the regulatory body didn't provide a set of standard rules, which then allowed for the subsidization model to actually increase the profit margin at the expense of the environment. How do you compete in that environment?

In the same context, is the reluctance of companies to subscribe to the GDPR partly because, in moving toward that model, we have no enforcement of it? Some of them might say, in principle, “Yes, we're going to follow it”, but the reality is that a lack of an incentive model would restrict their capabilities for third party source advertising, selling, data mining, and data management, which wouldn't make economic sense for them in that realm. Would others comply and fall in line if there was actually an enforcement model that made sure there was standardization?

10:25 a.m.

Director, Trust and Security, Mozilla Corporation

Marshall Erwin

That's a useful way to think about it. What are the incentives that a company faces to get to a better place? Again, we have a user base that really cares about these issues. We have a model. We are a public benefit company. Those factors really anchor our decisions.

Your question is, what are the incentives that other companies are going to face? Again, there are two incentives that you can create that might not have existed thus far. One, if users demand it, that's going to change the incentives a lot. Two, if there is a regulatory regime, coupled with enforcement that actually has teeth, that's going to be something that companies will really pay attention to.

There is a lot of unease about the GDPR. The bottom line is that companies are very concerned about the levy of a 4% fine, which is baked into the GDPR. Some of that concern is probably healthy and is going to force companies to get to a better place. The challenge with respect to GDPR that I think a lot of companies are facing is just a lack of clarity right now and unease in terms of what companies should really be doing to comply so that they're not going to be subject to those fines. The actual motivating premise of that fine is healthy, and it's useful for the industry to have that.

Brian Masse NDP Windsor West, ON

Lastly, with regard to Firefox in particular, you've articulated that the development, the implementation, and the corporate culture around that element are what grounds it in terms of protecting privacy, and it's actually rated fairly well for those things. I want to be clear on this: It could be altered at any time should somebody else purchase Firefox or decide to go in a different direction, or whatever. It's a chosen direction of company policy and culture to provide the service in the way it does now, versus out of technological capabilities.

Is that correct?

10:25 a.m.

Director, Trust and Security, Mozilla Corporation

Marshall Erwin

Again, there are a number of factors that ground our approach. Your question is, how easy is it to change those?

Brian Masse NDP Windsor West, ON

You're good at summarizing.

10:25 a.m.

Director, Trust and Security, Mozilla Corporation

Marshall Erwin

Some are simply a matter of policy; others are a matter of law. The corporate culture piece is remarkably difficult to change. It's not easy. Mozilla has two decades now of commitment to that culture. Even if we wanted to, it would not be a marginal effort to change the company's thinking on this. That's good. That's the way we like it, and we have a user base that really cares. That's actually the most critical incentive we face, the fact that this is a commitment that our users know we've made and they hold us accountable to that.

Brian Masse NDP Windsor West, ON

Void of that commitment—

Sorry, I don't know if I have any time left.

10:25 a.m.

Conservative

The Chair Conservative Bob Zimmer

You have 30 seconds.

Brian Masse NDP Windsor West, ON

The most important part of your testimony was that you noted the default settings and decided not to exploit that. You had the capability to do so, but you chose not to.

Is that correct?

April 26th, 2018 / 10:25 a.m.

Director, Trust and Security, Mozilla Corporation

Marshall Erwin

Do you mean the default settings in the Firefox browser?

Brian Masse NDP Windsor West, ON

You said at the beginning of your testimony that you noted that there were some open default settings that you could have taken advantage of with the data breach, and you decided not to.

10:25 a.m.

Director, Trust and Security, Mozilla Corporation

Marshall Erwin

More generally, we were looking at the default settings. The reason we paused our advertising was that we looked at the default settings provided to third party developers. We said that these were simply not accurate and the default seemed to provide data to those developers. That was a judgment we made about the Facebook platform. We were not in a position to collect that data, ever. It was not a question of whether we should access that data or not; it was just a question of whether the approach that Facebook was taking for its users was the right one.

Brian Masse NDP Windsor West, ON

Thank you.

10:30 a.m.

Conservative

The Chair Conservative Bob Zimmer

Thank you, Mr. Masse.

Mr. Erwin, I especially want to thank you for your testimony this morning, and I appreciate your trip out here.

10:30 a.m.

Director, Trust and Security, Mozilla Corporation

Marshall Erwin

Thank you.

10:30 a.m.

Conservative

The Chair Conservative Bob Zimmer

We'll suspend again for just a few minutes until our guests exit, and then we'll go in camera and talk committee business for about 15 minutes.

[Proceedings continue in camera]