Senior members of the Facebook leadership team faced a rough ride from MPs at a Commons committee hearing Thursday over their failure to inform more than 600,000 Canadians that their privacy might have been compromised.
For more than two years, Facebook knew that the personal information of thousands of Canadians may have been in the hands of a third party — without their consent, and in contravention of Canadian privacy law. The social media executives offered little explanation as to why the company sat on this knowledge — and only copped to its role in the affair after it was made public in media reports.
Robert Sherman, deputy privacy officer for Facebook, conceded the company should have been more proactive in informing users that their raw data might have been used by Cambridge Analytica, a political consulting firm that helped the Leave campaign in the Brexit vote and the candidacy of U.S. President Donald Trump.
When asked why Facebook didn't notify Canadians whose personal information was breached in 2016, Sherman said: "In retrospect, we should have done that."
'Huge breach of trust'
Kevin Chan, head of public policy for Facebook in Canada, offered an apology to Canadians whose profiles might have been compromised. Chan said Facebook was too idealistic — and "naive" — about how its technology is used, and didn't focus enough on abuse.
"What is alleged to have occurred is a huge breach of trust to our users, and for that we are sorry," Chan, ex-policy director for former Liberal leader Michael Ignatieff, told MPs on the House of Commons privacy committee.
According to Christopher Wylie, the Cambridge Analytica former employee who blew the whistle on the privacy abuse, the firm had access to data from more than 80 million Facebook profiles globally.
Wylie alleges the firm acquired the information from Aleksandr Kogan, a Russian-American who developed a quiz app called "ThisIsYourDigitalLife." Wylie said that, while at the firm, he hijacked the profiles of millions of Facebook users in order to target the U.S. electorate during the last presidential campaign.
The firm had access to information on what pages users liked, their marital status, dates of birth, home cities, professed religious beliefs and other facts included in their profiles, Sherman said Thursday. He said it's also "possible" private messages were shared in "small amounts."
The company recently started circulating a notice to users who may have been affected.
The Menlo Park, Calif.-based Sherman added it's "certainly a possibility there are other incidents out there" of privacy breaches beyond the Cambridge Analytica affair.
Cambridge Analytica has denied it used data scraped from an app that obtained material from Facebook users in its work with the Trump campaign during the U.S. presidential election.
The Facebook executives sought to reassure legislators that the platform has changed since Kogan allegedly shopped user data to willing buyers, with Sherman saying it has restricted access to information and changed its policies.
When asked if Facebook would voluntarily implement in Canada the principles the European Union is about to enact through its General Data Protection Regulation (GDPR), the Facebook executives waffled. Sherman and Chan said the company was open to sensible regulations and is currently working with Canada's privacy commissioner.
Conservative MP Peter Kent questioned Facebook's professed openness to tighter regulations or a strengthened Personal Information Protection and Electronic Documents Act (PIPEDA), saying Canadian MPs were recently warned by Facebook officials in Washington, D.C. that such a move could result in Facebook dialling back its investments in Canada — notably its $7 million financial commitment to the artificial intelligence (AI) research hub in Montreal.
"We were told, almost in passing, that any new Canadian regulations might well put at risk Facebook investments in Canada," Kent said. "I'm wondering if that same caution would still be made?"
Chan strenuously denied investment decisions are being tied to a country's regulatory burden. "That is not our view, that is not the representation we would have made. In fact, we're quite proud to be supporters of AI in Canada."
Reached for comment later, Kent stood by his description of the initial warning from Facebook officials.
The question about GDPR came after a report in the U.K. newspaper The Guardian Thursday that Facebook has moved more than 1.5 billion users out of reach of European privacy law, despite a vow by company CEO Mark Zuckerberg that Facebook would apply the "spirit" of the legislation globally.
According to the Guardian, Facebook is shifting the responsibility for all users outside the U.S., Canada and the EU from its international headquarters in Ireland to its main offices in California — which means those users will now be on a site governed by U.S. law rather than Irish law.
Chan also was questioned by NDP MP Charlie Angus about why he hadn't yet registered as a lobbyist, given the fact that he's met with senior cabinet members, including Finance Minister Bill Morneau.
The former Liberal aide said it wasn't necessary for him to register since the portion of his work that could be classified as lobbying falls short of the Lobbying Act's 20 per cent minimum threshold.
He added that the meeting with Morneau was simply to show him how best to use the Facebook Live function of the platform after the release of the federal budget. That prompted Angus to ask if Chan thought that sort of activity was a good use of his time.
Duff Conacher, the co-founder of Democracy Watch, said Thursday he'd be filing an official complaint with the lobbying commissioner over Chan's failure to register, asking that an investigation be launched into Facebook's activities in Ottawa.
After preaching the virtues of openness and transparency while before MPs, Chan walked away from the committee room refusing to answer questions from reporters.