Evidence of meeting #33 for Access to Information, Privacy and Ethics in the 40th Parliament, 3rd Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was environment.
A recording is available from Parliament.
4:55 p.m.
Associate Deputy Minister, Department of the Environment
I'll leave it to my colleagues if they would like to. Otherwise, I would just like to say thank you. We appreciate the opportunity to come here. It's not always pleasant to come in front of a committee when you receive an F, but I hope that through the course of the discussion you've given us an opportunity to explain what we're doing and how we're trying to fix that situation and become the most improved player in the game. We're looking forward to success on that.
Thank you for your time.
4:55 p.m.
Liberal
The Chair Liberal Shawn Murphy
Monsieur Bernier or Ms. Emmerson, do you want to comment? Okay.
On behalf of all committee members, I want to thank you and wish you all the best as you deal with this very important issue going forward.
The next item on the agenda is to hear from the Privacy Commissioner on her supplementary estimates. I will suspend for two minutes so that we can set up.
4:57 p.m.
Liberal
The Chair Liberal Shawn Murphy
I'm going to resume the meeting.
The second matter to come before the committee today is a request from the Office of the Privacy Commissioner for a supplementary estimate in the amount of $694,000.
As everyone on the committee is aware, the original estimates are the appropriations of the office. They were approved by this committee in May of this year, and this is an additional amount that the office is requesting. All appropriations, of course, have to be approved by Parliament, and this committee acts as the interface for Parliament on this particular issue. This should be a very brief meeting.
We are very pleased to have with us the Privacy Commissioner, Ms. Jennifer Stoddart. She's accompanied by Tom Pulcine, director general and chief financial officer, and Carman Baggaley, senior strategic international policy analyst, legal services, policy and parliamentary affairs. That must be the longest title in Ottawa, is it not? Welcome.
Ms. Stoddart, I understand you have brief opening remarks, and then we will ask some very brief questions.
November 23rd, 2010 / 4:57 p.m.
Jennifer Stoddart Privacy Commissioner, Office of the Privacy Commissioner of Canada
Yes, thank you. I understand you've had a very busy day, so I will try to be very economical with your time.
As you said, Mr. Chair and honourable members, we're here to discuss the supplementary estimates relating to our oversight role in relation to Bill C-28, known as the anti-spam legislation. I'll just remind you that the overarching purpose of Bill C-28 is to combat spam in order to provide for a safer Internet. Spam is a serious problem that has had a significant impact on the economy. I should point out that Canada is currently the only G-8 country without such legislation.
Three federal agencies will share the oversight: the CRTC, the Competition Bureau, and the Office of the Privacy Commissioner of Canada. I thought I might take a few minutes to describe our role regarding the legislation.
Our role will be to investigate the unauthorized collection and use of personal information through a variety of different techniques: harvesting of email addresses, dictionary attacks, and malware or spyware.
The legislation does not change our existing enforcement powers. However, we will play an important enforcement role. To fulfill this role, we will need to explain this new law to our stakeholders and the public, and undertake compliance education. The investigations themselves are likely to require technical expertise, as well as collaboration with domestic and international enforcement bodies, and legal enforcement action in some cases.
The legislation also imported some amendments to PIPEDA that are familiar to many members of this committee. Number one is to give our office discretion to decline to investigate a complaint, to discontinue a complaint or to refer it elsewhere. It also allows for collaboration and the exchange of information with provincial and foreign counterparts who oversee and enforce laws that are similar to PIPEDA. These are general amendments to PIPEDA and would therefore apply to all of our activities, not just those activities related to spam.
Assuming, Mr. Chairman, that the bill receives royal assent this fiscal year, we will receive approximately $700,000 this year and then $2 million as on ongoing sum in future years.
We plan to hire a modest number of additional staff that will amount to six FTEs. The focus this year will be on educating the public on the new legislation. We will be hiring technical expertise, acquiring knowledge to deepen our understanding of the many facets of spam, and collaborating with the other stakeholders.
In future years we envisage significant work in responding to public inquiries, providing increased education, and carrying out compliance activities. We need to prepare for public inquiries and inquiries from businesses. We've already started to ramp up the technical expertise that will be needed for investigations dealing with spyware and malware under Bill C-28, and we've invested in software for these online investigations.
Perhaps that's enough to give you some context for our request for additional money here today. I would be very happy to answer the questions of the honourable members.
5 p.m.
Liberal
The Chair Liberal Shawn Murphy
Thank you very much, Ms. Stoddart.
We're going to have one round of three minutes each. There will be only the one round.
Go ahead, Mr. Easter, for three minutes.
5 p.m.
Liberal
Wayne Easter Liberal Malpeque, PE
Thank you, witnesses, and thank you, Mr. Chair.
What's the process for doing compliance education? As with spyware, on a couple of these they're not going to comply anyway. I can see them complying in some areas, such as spam, but spyware is a huge issue. How do you undertake that compliance education? Who are you dealing with?
5 p.m.
Privacy Commissioner, Office of the Privacy Commissioner of Canada
I would put anti-spam enforcement in two different buckets. There are compliance efforts, and then there's education of the broad public and education of other stakeholders that we work with. There's education so that people know how to recognize spam. One of the problems is that spam is becoming so sophisticated that it continues to draw in more and more people, or at least the same number of people, so just keeping the public up to date on the latest kinds of spam attacks is going to be an ongoing effort.
Because we haven't had spam legislation before, we want to encourage them to come forward and give us information about where and how, information about who is suffering from spam attacks in Canada and what kind of damage these attacks are causing. Some of this information will then go into what is colloquially called the spam freezer, which I think is a spam research centre that will provide forward-looking research and compliance information.
5 p.m.
Liberal
Wayne Easter Liberal Malpeque, PE
The “they” you are talking about, then, is the public. Do you mean you will be educating the public so that John and Jane Doe will send you information that they've got something on their computer screen that is causing a problem?
5 p.m.
Privacy Commissioner, Office of the Privacy Commissioner of Canada
That's partly it, but it's also other stakeholders. I've appeared before this committee on anti-spam issues quite frequently, and there's a whole network of stakeholders, ranging from those who work on anti-spam devices such as firewalls and technological ways of combatting spam to various police forces. I believe there's a special branch of the RCMP, and so on. I think we all have to work together on this issue to see where the spam is coming from and how it changes, because these things are constantly changing.
Educating other stakeholders to our role while we ourselves learn their particular roles will help Canadians to be more spam-free, I think.
5:05 p.m.
Liberal
5:05 p.m.
Bloc
Bernard Bigras Bloc Rosemont—La Petite-Patrie, QC
Thank you, Mr. Chair.
I want to thank the commissioner and her colleagues for being here.
Essentially, you just told us that there are two key components to this new challenge.
First of all, you talked about compliance efforts. And then you have all the activities related to education. On page 3 of your brief, you say that your role will be to investigate the unauthorized collection and use of personal information through a variety of different techniques. You are asking for new appropriations.
Did you do a needs and volume assessment to arrive at that figure? Do you have the exact details? Perhaps you consulted someone. Currently, investigation requests must be directed to law enforcement, the RCMP or other police force. Can you provide us with a needs and volume assessment?
5:05 p.m.
Privacy Commissioner, Office of the Privacy Commissioner of Canada
I do not have the numbers with me, but Mr. Baggaley, who sat on an interagency committee with Industry Canada, may be able to provide more details on that. Generally speaking, I think we can estimate with a fair bit of accuracy the number of spam emails entering and leaving Canada. I do not have the exact figures with me, but I can provide them at a later date.
In fact, Canada is still one of the top ten spam-producing countries in the world. So it is important to do whatever we can to stop Canadian-produced spam from going to other countries.
5:05 p.m.
Bloc
Bernard Bigras Bloc Rosemont—La Petite-Patrie, QC
I read your report on social networks very carefully, especially the part about Facebook. I was quite shocked to learn how many Canadian users there are. No doubt, you will probably be called upon, at some point, to receive and handle complaints.
Further to your study, would you be able to paint us a picture of the type and quantity of complaints arising from the use of those social networks? As a parliamentary committee, we need to be able to anticipate requests. Do you foresee the need for additional funding to carry out these activities, based on your investigation to date?
5:05 p.m.
Privacy Commissioner, Office of the Privacy Commissioner of Canada
That is an excellent question, sir, but personally, I prefer to use as little public money as possible. We are very aware of the need to be as mindful as possible of taxpayer dollars these days.
There have already been spam attacks on certain sites, including Facebook and other social networking sites on the web. We are doing more and more to encourage companies. A giant like Facebook is well organized and has the necessary expertise to protect its network and to respond to any user complaints.
But we have not had enough experience yet. I think we need to wait at least another year and a half before we start to draw any conclusions regarding these efforts to combat spam.
5:05 p.m.
Liberal
The Chair Liberal Shawn Murphy
Thank you, Monsieur Bigras.
Before we go to Mr. Siksay, I want to point out that some of the members may think this is a very short or abbreviated portion of the meeting, but this is to deal with the request for the supplementary estimates only. When Bill C-29 comes to the committee, which we expect will be soon, the committee probably will or may decide to bring Ms. Stoddart back to talk about the bill, and we'll have a more fulsome discussion at that time.
That's why we only allocated this short period of time: it's to deal with the request for the additional appropriation.
Mr. Siksay.
5:05 p.m.
NDP
Bill Siksay NDP Burnaby—Douglas, BC
Thank you, Chair.
I think it's actually Bill C-28 that corresponds to what this request is about; Bill C-29 is something else again.
5:05 p.m.
Liberal
The Chair Liberal Shawn Murphy
Yes, and it's going to a different committee, isn't it? I guess it will be going to the industry committee, perhaps?
5:10 p.m.
NDP
Bill Siksay NDP Burnaby—Douglas, BC
Yes, it's industry I think.
Thank you for being here again, Commissioner, with your colleagues.
Commissioner, this isn't the first time there's been a request for extra funding around the implementation of ECPA. I think you came once before for $100,000 in a supplementary estimate in 2009, I think again anticipating the implementation or the passage of the bill.
Am I correct about that?
5:10 p.m.
Privacy Commissioner, Office of the Privacy Commissioner of Canada
You're quite right, honourable member. In fact, I believe I had another engagement. It was my colleague, then-assistant commissioner Elizabeth Denham, now the commissioner for British Columbia, who came several days. It was a very difficult situation for everybody to understand, because it was a few days before the end of the fiscal year.
But we never got that money, and it lapsed.
5:10 p.m.
NDP
Bill Siksay NDP Burnaby—Douglas, BC
Okay, so that money lapsed, and it is rolled into this request now.
I guess we're a bit closer. We're hoping that this bill finally makes it through. It almost made it through last time.
So the request for the $694,000 includes whatever was planned with that $100,000 from the previous round of estimates?
5:10 p.m.
Privacy Commissioner, Office of the Privacy Commissioner of Canada
That's right.
5:10 p.m.
NDP
Bill Siksay NDP Burnaby—Douglas, BC
That's basically my only question. I think we have to get prepared for this. It sounds as though it's long overdue. We need this legislation; I'm hoping it moves through Parliament.
I have one other question. I don't know what dictionary attacks are, or don't remember what they are. Can you remind me?
5:10 p.m.
Privacy Commissioner, Office of the Privacy Commissioner of Canada
I'm not a huge specialist on this, but I think basically it's like the expression that somebody “throws the dictionary” at you. In the virtual world you just go through all the known forms of words, addresses, symbols, and so on that you can. It's just an all-out blanket attack at every kind of known, recognizable...I won't even say word, but phoneme or something, that is known to these computers.
I can bring people who can explain this and know a lot more about it than I do. My understanding is that if, let's say, your password is “fish” or something, if there's one of these dictionary attacks, you're a dead duck—or a dead fish—because the computer will recognize it.