Evidence of meeting #112 for Access to Information, Privacy and Ethics in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.)


Chris Vickery, Director of Cyber Risk Research, UpGuard, As an Individual

9:15 a.m.

Conservative

Ziad Aboultaif Conservative Edmonton Manning, AB

Thank you.

I will stay on this topic a little bit, Chris. Good morning, first.

There is customization in building software for a specific reason in those specific cases that we're discussing right now. If someone builds a code for specific software to be used as a political campaign management tool, and for that they have to use certain data provided to the software builder in order to give them the tools needed for the aim of that software, will whoever is building that software be able to build it without having the data provenance available? In other words, where are the security measures here, and will these people be able to build that software without any provenance of the data?

9:15 a.m.

Director of Cyber Risk Research, UpGuard, As an Individual

Chris Vickery

Theoretically in the most fantastical of worlds you could build software to handle a dataset you don't have. That's just hypothetical, though. That's not reality. That's not what happens in software development. If you want to develop something quickly, profitably, on time, and to please your clients, chances are you're going to have access to a fair deal of the actual raw data.

The claims that AggregateIQ didn't have access to raw datasets, I believe, are disproven simply by what's present in the GitLab files, because there are user names, passwords, network locations to what are labelled actual databases, not fake databases.

I believe it's highly unlikely that AggregateIQ didn't have access to very large raw datasets.

9:15 a.m.

Conservative

Ziad Aboultaif Conservative Edmonton Manning, AB

So chances are actually very high that availability of data and a breach of private information can never be avoided when getting into this business.

9:20 a.m.

Director of Cyber Risk Research, UpGuard, As an Individual

Chris Vickery

It can be avoided. You just have to be extremely careful and use some pre-planning to develop software carefully or have agreements in place that are strictly followed and that are audited after the fact to make sure there wasn't any unauthorized third party access.

9:20 a.m.

Conservative

Ziad Aboultaif Conservative Edmonton Manning, AB

Thank you.

9:20 a.m.

Conservative

Jacques Gourde Conservative Lévis—Lotbinière, QC

It's like the chicken and egg paradox. This software was put in place because there was a potential market. Surely there is someone who has seen a potential market or orders have been given in a specific way to achieve a certain goal.

In your opinion, was it someone who saw a potential market who designed the software in question or was it the other way around, that the software was designed to order?

9:20 a.m.

Director of Cyber Risk Research, UpGuard, As an Individual

Chris Vickery

In this situation, it's my belief and understanding that there was a desired outcome and that this software was developed in response to a desired outcome. Some very powerful people wanted to influence others, win elections, and bring people's opinions and behaviours into a certain pattern. Tools were needed to accomplish that, so these tools were created for that purpose. That's my understanding, and what I believe is the most likely scenario.

9:20 a.m.

Conservative

Jacques Gourde Conservative Lévis—Lotbinière, QC

In your opinion, how many more people, percentage-wise, were reached, influenced, changed their minds or encouraged to vote than in a normal election?

9:20 a.m.

Director of Cyber Risk Research, UpGuard, As an Individual

Chris Vickery

The percentage of people in which nation?

9:20 a.m.

Conservative

Jacques Gourde Conservative Lévis—Lotbinière, QC

Other witnesses seemed to say that, regardless of the country, this system could influence an additional mass of people to vote for a different option. In percentage terms, is that a significant increase? Can it play between 2% and 7%, or is it a little less or a little more, in your opinion?

9:20 a.m.

Director of Cyber Risk Research, UpGuard, As an Individual

Chris Vickery

I believe the influence operation would not necessarily target an entire populace, but a very large percentage of people would be affected by it. That's why companies like SCL have contracts with psychological operations groups in the U.K. They affect a very large percentage of the populace and are able to change the opinions of, yes, definitely the 2% to 7%. They definitely attempted to change them, if they aren't actually changed. There is an effect on at least that small amount, yes.

9:20 a.m.

Conservative

Jacques Gourde Conservative Lévis—Lotbinière, QC

Was it profiling that targeted a portion of the population that was deemed very susceptible to the various options, that is, quite simply people who, in normal times, know more or less who to vote for, but who will make a decision at the very end of the election campaign, to the point where, if the parties repeatedly place advertising during the last 10 days of a campaign, these people can really change the game?

9:20 a.m.

Director of Cyber Risk Research, UpGuard, As an Individual

Chris Vickery

From seeing more than just this data breach and seeing other ones related to elections, I can tell you that figuring out the targets takes place well in advance of the 10 days before an election. Within the final 10 days, apps were developed specifically by AIQ to get people to make a plan to vote and follow through with that on voting day.

I'm sorry; what is the exact question there?

9:20 a.m.

Conservative

The Chair Conservative Bob Zimmer

Sorry, we're well past time.

I'll have to move on.

Next up for five minutes is Mr. Baylis.

9:25 a.m.

Liberal

Frank Baylis Liberal Pierrefonds—Dollard, QC

Thank you, Mr. Chair.

Mr. Vickery, first of all, I'd like to thank you for this heavy lifting that you're doing and for coming back to help us understand all this. It's greatly appreciated.

You had prepared a set of notes regarding AIQ's testimony and where they were both lying and misleading. I, first of all, would ask that you submit those notes formally to our clerk, if you could.

9:25 a.m.

Director of Cyber Risk Research, UpGuard, As an Individual

Chris Vickery

I definitely can. I believe I did submit it to you specifically, but, yes, I can submit it to the clerk.

9:25 a.m.

Liberal

Frank Baylis Liberal Pierrefonds—Dollard, QC

I want to delve into some of those lies and some of those misstatements.

First of all, Mr. Massingham stated that they had not broken any laws where they operate. That was a clear statement. You have given me examples of three places where they have broken laws. First of all, there is the way they were running U.K. data collection laws. You mentioned that they had actually written notes to themselves in their code that this was breaking the law and that they had to clear this up.

Could you expand on that?

9:25 a.m.

Director of Cyber Risk Research, UpGuard, As an Individual

Chris Vickery

The line in the code says where they may have broken U.K. privacy law. They don't specifically say that they did break it, but that this code, in case they did, fixes it. It's in a file called “salt the earth”.

9:25 a.m.

Liberal

Frank Baylis Liberal Pierrefonds—Dollard, QC

They're aware that if they're not breaking the law, they're going close to the law and that they're going to have to remove this. That's right.

9:25 a.m.

Director of Cyber Risk Research, UpGuard, As an Individual

Chris Vickery

That's my understanding, yes. That's how I would interpret that line, yes.

9:25 a.m.

Liberal

Frank Baylis Liberal Pierrefonds—Dollard, QC

With respect to caller ID spoofing, which they were doing for Americans, that is against American law. I know that you're not a lawyer, but they were aware of that and they were doing it. Is that correct?

9:25 a.m.

Director of Cyber Risk Research, UpGuard, As an Individual

Chris Vickery

That is my understanding, and there's even further commentary where they state that “there's no reason” that somebody halfway across the world couldn't call and influence voters. There is actually a reason why. It's illegal to have a call centre halfway across the world calling American voters to influence their opinions.

9:25 a.m.

Liberal

Frank Baylis Liberal Pierrefonds—Dollard, QC

You mentioned one other area that is a great concern. They made the argument that they just had the Republican database given to them. However, when you examined this database, it was far more comprehensive, and it included a number of people such as police officers, judges, and federal agents—things that are not in the Republican data trust. Is that correct?

9:25 a.m.

Director of Cyber Risk Research, UpGuard, As an Individual

Chris Vickery

Let me clarify that. Those are in the Republican data trust. However, those are outside the bounds of what a normal campaign would receive. I know that because a couple of years ago I found a copy of the Republican data trust database. I have seen the contents and verified that, yes, judges, federal agents, and police officers are in there. The regular political campaign running in one of the states would not have access to those people's information.

June 7th, 2018 / 9:25 a.m.

Liberal

Frank Baylis Liberal Pierrefonds—Dollard, QC

I had asked Mr. Silvester a number of questions where he misled us with respect to a lack of coordination, or a coordination, between all these different Leave campaigners in the U.K. When I asked how they all knew about his group, he said that there was no collusion, there was no nothing. He was very clear on that. However, when I asked how would they know in the U.K., halfway around the world, about a small operation in B.C., he mentioned the website.

You did some work during the Brexit vote. You mentioned that their website—I want to just confirm this—said, “AggregateIQ: Changing the way you work with your data”. Is that correct?