Information & Ethics Committee on May 6th, 2014

Your premise is quite right. I believe it characterizes our office. Because technology and society are moving so fast in relation to privacy and personal information, indeed we never know what's going to come at us.

Turning to Heartbleed, immediately when we heard about it, our technological analysis unit examined the issue, briefed me on it, and explained to me that in fact it was an Internet-wide issue that was probably not malicious, and that it was probably an honest mistake that created a vulnerability that data holders did not know about because no one knew about it. As well, as we now know, it was unfortunately exploited by some hackers.

What we see in front of us now is a situation in which the vulnerability of the Internet was exposed. More than the deficiencies of any data holder, it was the vulnerability of the Internet that was exposed.

We also saw that these vulnerabilities can be exploited with malicious intent either for personal gain or perhaps just for fun. Sadly, we see a lot of hacking just for fun.

At this point, we have no investigation related to Heartbleed, probably due to the fact that the only instance has been very quickly contained. I am speaking based only on the facts I know so far. I reserve my position on it in case I should get more information. But on the basis of what we know so far, there has been no management failing. It was a vulnerability in the Internet and what had to be done to contain it has been done.

It's only CRA. I was informed of all the measures they were taking, including notification of the individuals concerned, and all the measures they had taken technologically. As you know, we have posted a statement on that on our website.

You're referring to our January 28, 2014, special report to Parliament on checks and controls where we make a specific recommendation precisely to address the accountability gap, which would be for the private entities to annually report on how many requests they answer, with some specificity as to whether it is with a warrant or without a warrant.

I have, in front of me, the answer that we received from the telcos, and it allows me to make a few clarifications. The 1.2 million that we received as the figure was in answer to a question that refers to government authorities in general. It could be municipal, provincial, or federal. It is very, very broad. It does not give any specificity of detail as to the circumstances, which is why in May 2013 we made first the recommendation in relation to reform of PIPEDA, the private sector legislation, to create an obligation for private entities to disclose the statistics as to how often they answer requests and under what circumstances, and we picked up that recommendation again in our January 28 report. We believe that it would give a sense of the scope of the phenomenon.

We have done research precisely on that. We have “What an IP address can reveal about you” posted on our website. It sought precisely to address this question. When an IP address and the customer information behind it is revealed, is it really sensitive or is it innocuous information? You will see in that technical analysis that in fact it is not innocuous, because it reveals Internet searches. Internet searches will reveal a person's interests, preoccupations, opinions, allegiances. So that in itself should be protected.

That is precisely what we looked at. We found—it is well described in that technical analysis—that the envelope is in itself revealing.

That is basic subscriber information linked to the Internet activity.

The overall budget is $24 million.

Yes. Last year it was $29 million. The reason for the discrepancy is what I've explained.

Certainly.

Or perhaps I can ask Daniel—