Evidence of meeting #112 for Access to Information, Privacy and Ethics in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.)

A recording is available from Parliament.

Also speaking: Chris Vickery, Director of Cyber Risk Research, UpGuard, As an Individual

8:50 a.m.

Conservative

The Chair Conservative Bob Zimmer

I call to order meeting 112 of the Standing Committee on Access to Information, Privacy and Ethics, pursuant to Standing Order 108(3)(h)(vii), study of breach of personal information involving Cambridge Analytica and Facebook.

Mr. Vickery, welcome back. Thanks for appearing at our committee again today.

8:50 a.m.

Chris Vickery, Director of Cyber Risk Research, UpGuard, As an Individual

It's a pleasure to participate here.

8:50 a.m.

Conservative

The Chair Conservative Bob Zimmer

We'll start our first round with Mr. Erskine-Smith for seven minutes.

8:50 a.m.

Liberal

Nathaniel Erskine-Smith Liberal Beaches—East York, ON

Thanks, Mr. Vickery.

I really have one fundamental question. Have you reviewed the hard drive that you mentioned to us at your last attendance?

8:50 a.m.

Chris Vickery, Director of Cyber Risk Research, UpGuard, As an Individual

There's so much there that I'm sure there are still a few nooks and crannies that I have not peered at, but yes, I have reviewed a very large amount of it.

8:50 a.m.

Liberal

Nathaniel Erskine-Smith Liberal Beaches—East York, ON

You certainly have expertise that this committee does not have in reviewing that material. To the extent that you haven't reviewed the whole thing, you've reviewed a large portion of it, and upon that review, can you provide us the highlights of what you discovered in that review that you think is relevant for this committee, particularly in light of the fact that we are to have AIQ before us next week?

8:50 a.m.

Chris Vickery, Director of Cyber Risk Research, UpGuard, As an Individual

Yes. The fundamental overriding theme that hits me as I think back upon the overall bird's eye view of it is that there appear to be considerable efforts expended to make things not easily reviewable as far as Internet history goes and transaction history and data: where it goes, where it gets compiled, aggregated, and attributing the sources to everything. There seems to be a common theme of bringing lots of little things together and then letting them fall apart in a way that is not easily auditable. That could be done for security purposes. That could be done for obfuscation purposes. It makes me very suspicious, however.

For example, there is an underlying theme in the Ephemeral project—the name “ephemeral” sort of gives you an idea—and it utilizes channels and web sockets in ways that can communicate very covertly. That's not to say that it's necessarily something that is malicious on its face, but it is done in such a way that it's considerably difficult to prove beyond any doubt, by regular forensic means, that a certain transaction has taken place.

8:50 a.m.

Liberal

Nathaniel Erskine-Smith Liberal Beaches—East York, ON

I see some of your tweets indicating that AIQ had a Facebook app, that AIQ was spoofing U.S. phone numbers and contacting American voters. Those are two examples that I saw from some of your public comments. Are there other examples that we ought to know about that you've drawn from the material?

8:50 a.m.

Chris Vickery, Director of Cyber Risk Research, UpGuard, As an Individual

Yes. I would ask them very specifically why a developer commented that they needed to remove data that may have been gathered in violation of U.K. privacy laws. That is clearly almost an admission of guilt there. If you've collected something in violation of U.K. privacy laws and then you're getting rid of it, why did you do it in the first place?

8:50 a.m.

Liberal

Nathaniel Erskine-Smith Liberal Beaches—East York, ON

Who was the commenter?

8:50 a.m.

Chris Vickery, Director of Cyber Risk Research, UpGuard, As an Individual

I believe it was an anonymous comment, as far as I can tell. I may be able to look back and see who was working on that project, who would have probably commented that, but that would take a bit of looking on my part.

8:50 a.m.

Liberal

Nathaniel Erskine-Smith Liberal Beaches—East York, ON

When you first attended, your first reaction had been that there was information compiled from a number of different sources, and you referenced the RNC trust. I think you referenced even the Koch brothers. Upon further review, do you have a total sense of where all the information was gleaned from?

8:50 a.m.

Chris Vickery, Director of Cyber Risk Research, UpGuard, As an Individual

I know a lot of sources. I can't say for sure this is comprehensive because, of course, the sources have sources themselves. i360 is the name of the Koch brothers-funded or -run company that supplies lots and lots of data. The RNC data trust is clearly a large foundation where they're getting information or data from. There are indicators as far as field names go that L2 Political provided information, and I believe on Cambridge Analytica's website—not AIQ's website—they admit on their blog that L2 was the source.

Acxiom was a source, I believe, that came out yesterday in Alexander Nix's testimony. When I group the AIQ and the Cambridge Analytica data together, there's so much interplay between the two that it's just intuitive that the datasets are intertwined, not to mention that clearly SCL IDs are in the field names of many of the imports.

8:50 a.m.

Liberal

Nathaniel Erskine-Smith Liberal Beaches—East York, ON

That's what I want to get at next with my question. What prompted this investigation at our end and around the world is the improper collection and sharing of information among Facebook, Kogan, and SCL. We're talking now of at least 87 million users around the world and over 600,000 in Canada. In your view, based upon your review of the database, it's clear that this information was accessed by AIQ and was part of this master dataset.

8:50 a.m.

Chris Vickery, Director of Cyber Risk Research, UpGuard, As an Individual

There's the possibility, and let me explain why that's a possibility. In the Ripon project, there are a few residual error logs of sorts where something went wrong during an import, and it logged what was happening. This import error log, as far as I can tell, has some examples of what it was importing from servers called SCLCruiseRipon.com scoring, I believe.

In there it has OCEAN psychographic scores, and it was pulling from a domain that is registered to Alexander Nix. I don't know where they were getting these psychographic scores from. Not every single entry had them, but many of them did. In the scripts that are pulling it, the scripts have a little field that says “if available” next to the psychographic scoring. If many of them have the psychographic scoring and many of them do not, it raises the question of whether they were pulling from that 87 million, and whether those were the ones that had the psychographic scores.

8:55 a.m.

Liberal

Nathaniel Erskine-Smith Liberal Beaches—East York, ON

If SCL and Nix are involved, far from being a possibility, it would appear likely that this database is drawn from that information.

8:55 a.m.

Chris Vickery, Director of Cyber Risk Research, UpGuard, As an Individual

I would agree. It is likely. I don't have any special communications from them confirming it, but I'm highly suspicious.

8:55 a.m.

Liberal

Nathaniel Erskine-Smith Liberal Beaches—East York, ON

That's all I have.

8:55 a.m.

Conservative

The Chair Conservative Bob Zimmer

Next up for seven minutes is Mr. Gourde.

8:55 a.m.

Conservative

Jacques Gourde Conservative Lévis—Lotbinière, QC

Thank you, Mr. Chair.

Mr. Vickery, you talked about data collection. What kind of data about people's private lives can be found in this software?

8:55 a.m.

Chris Vickery, Director of Cyber Risk Research, UpGuard, As an Individual

What types of fields? Is that the question?

8:55 a.m.

Conservative

Jacques Gourde Conservative Lévis—Lotbinière, QC

Earlier, you said that privacy data had been deleted. What did the data consist of? Was it phone numbers, dates of birth, bank account numbers?

8:55 a.m.

Chris Vickery, Director of Cyber Risk Research, UpGuard, As an Individual

I would have to go back and review that script. It was titled “salt the earth”, and I remember the comment that was made in there because it stands out in my head, somebody's comment that it may have been in violation of U.K. privacy laws, but the exact fields that were then being stripped out, I don't have in my head.

8:55 a.m.

Conservative

Jacques Gourde Conservative Lévis—Lotbinière, QC

What you have provided to us seems rather complicated to understand. Is it the coding or how it's organized that makes it harder to understand?

8:55 a.m.

Chris Vickery, Director of Cyber Risk Research, UpGuard, As an Individual

It partially may be difficult to understand because it's the exact hard drive, or a copy of it, that I gave to the U.K. committee. In the U.K. committee private session, I was able to explain things a little and give some context. That may be where some of the confusion is coming from, as I haven't sat with you guys and given any context to it. It also may be a bit confusing because this is not a necessarily intuitive click-click-click, window-window-window type of software. You have to be somewhat familiar with Git and decompression software and web development to have an idea of the interplay between many of these files and the way its commits and builds work.