Evidence of meeting #112 for Access to Information, Privacy and Ethics in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.)

A recording is available from Parliament.

Also speaking

Chris Vickery, Director of Cyber Risk Research, UpGuard, As an Individual

8:55 a.m.

Conservative

Jacques Gourde Conservative Lévis—Lotbinière, QC

Could this software be provided to the committee so that we can understand what was on the hard drive?

8:55 a.m.

Director of Cyber Risk Research, UpGuard, As an Individual

Chris Vickery

Yes, they are free, open-source software. I can give you a list of them. If you have a tech team at all set up, I'm sure they will be able to dive right in.

8:55 a.m.

Conservative

Jacques Gourde Conservative Lévis—Lotbinière, QC

Did this software end up in the hands of several companies or was it limited to only a few of them?

8:55 a.m.

Director of Cyber Risk Research, UpGuard, As an Individual

Chris Vickery

I think we're getting into a bit of a dual answer here. There is software that are frameworks, that are open source and available to everyone in the world, and then there are projects that are made from that open-source software that AIQ tailored.

Are you talking about the AIQ-tailored ones, built from the frameworks, or the ones that are open source and available to the world?

8:55 a.m.

Conservative

Jacques Gourde Conservative Lévis—Lotbinière, QC

Actually, I wasn't talking about the software, but rather the information that was on the hard drive and that you provided to us. Was that information in the hands of several companies or was it in the hands of one particular company that at least tried to keep the information confidential?

9 a.m.

Director of Cyber Risk Research, UpGuard, As an Individual

Chris Vickery

The hard drive that you have is pulled directly from the GitLab instance at gitlab.aggregateiq.com. That would have been data held by AggregateIQ. However, they did incorporate a lot of scripting and software that is available on the open Internet.

I think the answer to your question is that this is internal AggregateIQ data. The overall philosophical answer is that anybody in the world could have accessed it, both because it was open and exposed on AIQ's side, and because they built it using software, primarily frameworks, that are available to the public. It's a bifurcated answer.

9 a.m.

Conservative

Jacques Gourde Conservative Lévis—Lotbinière, QC

Was the level of security this company assigned to the personal data on the hard drive high, medium or low?

9 a.m.

Director of Cyber Risk Research, UpGuard, As an Individual

Chris Vickery

As far as what I gave to you guys, the amount of security that was present was nothing. There was no security whatsoever guarding it. I wouldn't assign any level of security. There are user names, passwords, and network locations present, which could have been seen by anybody in the entire world.

9 a.m.

Conservative

Jacques Gourde Conservative Lévis—Lotbinière, QC

Unbelievable. So all the information on these hard drives could have ended up in the hands of anyone who was interested in using it for other purposes, quite simply.

9 a.m.

Director of Cyber Risk Research, UpGuard, As an Individual

Chris Vickery

Exactly. Yes, that is the very disturbing truth.

9 a.m.

Conservative

Jacques Gourde Conservative Lévis—Lotbinière, QC

Thank you. I'm done.

9 a.m.

Conservative

The Chair Conservative Bob Zimmer

Thank you, Mr. Gourde.

We'll go next to Mr. Boulerice. You have seven minutes.

9 a.m.

NDP

Alexandre Boulerice NDP Rosemont—La Petite-Patrie, QC

Thank you very much, Mr. Chair.

Mr. Vickery, thank you very much for appearing before our committee again, only a few months after your last appearance.

Much has been said about Cambridge Analytica, AIQ and SCL. In your opinion, what is the extent of this underground world of data exchange that can be used for political purposes? Are we talking about these entities simply because we stumbled upon them or because there were a few whistleblowers? Are there only these entities or is this the tip of the iceberg of a phenomenon much larger and broader than we could imagine?

9 a.m.

Director of Cyber Risk Research, UpGuard, As an Individual

Chris Vickery

It is my belief that what you just said there is most likely the truth, that this is a beginning to something much larger. Even though it's a very big beginning, I believe there is a fairly good chance that before this is over, we will find ties to additional countries that have not really been recognized in the media, as well as various special interest groups in the United States—perhaps in Canada, but definitely within the United States—that have been taking advantage of this set of data, maybe not knowing exactly where it comes from. I believe there is a very large machine at work here, and we have not seen all sides of it.

9 a.m.

NDP

Alexandre Boulerice NDP Rosemont—La Petite-Patrie, QC

In your opinion, how could we, as a state and a government, search and find other organizations or companies that exchange or use data in this way, for political purposes, to interfere in election campaigns? Should we start a big manhunt?

9 a.m.

Director of Cyber Risk Research, UpGuard, As an Individual

Chris Vickery

I believe that perhaps the best way to go at this is much the same way that classically the United States has worked to rout out mob families. You put pressure on the people that you have strong evidence against, get them to turn on their co-conspirators and get the inside information, and keep flipping the dominoes down the chain until all the truth comes out. This is being done in such a way that it's hard, unless you have inside information or there's a huge mistake like what I discovered. It's hard to get inside information into investigators' hands.

9:05 a.m.

NDP

Alexandre Boulerice NDP Rosemont—La Petite-Patrie, QC

But depending on what you say, once a breach has been made, it can be used to dig and find all the ramifications.

9:05 a.m.

Director of Cyber Risk Research, UpGuard, As an Individual

Chris Vickery

I believe we have a beachhead, if that's what you're talking about, to begin a foothold, in another way to phrase it, to start really digging in. Yes, I believe we have established a foothold.

9:05 a.m.

NDP

Alexandre Boulerice NDP Rosemont—La Petite-Patrie, QC

Thank you.

My next question is from the perspective of the Canadian Parliament, or perhaps Elections Canada. We value the integrity of our electoral system. We wouldn't want to see foreign powers interfere in our election campaigns and use our citizens' personal data to influence electoral behaviour, people's perceptions or even election results.

However, I have the impression that states are very heavy and very slow institutions. Here, for example, until very recently, MPs had to send authorisations by fax. It's a bit like running on roller skates behind a Ferrari and being constantly late.

What advice would you give us to ensure that our legislation to protect our citizens is up to date and appropriate?

Here, the whole process is a bit archaic. It's not very modern, and it's generally quite slow.

9:05 a.m.

Director of Cyber Risk Research, UpGuard, As an Individual

Chris Vickery

One angle that I believe, specific to the Canadian side of things, you have an advantage on really is that AggregateIQ is under Canadian jurisdiction. If you can get to the bottom of the AggregateIQ involvement in this whole situation, you can have some very good inside insight into, “Okay, they did this. How could we have seen this coming? How could we have seen some red flags? What did they do, and how did they get to this level of involvement without our knowing?” and put in place some stopgaps to prevent that sort of thing from happening in the future.

I believe you actually are in a power position, as far as that goes.

9:05 a.m.

NDP

Alexandre Boulerice NDP Rosemont—La Petite-Patrie, QC

That's good to know. Thank you.

Do you think the solutions lie more with investigations or more with legal or legislative protections?

9:05 a.m.

Director of Cyber Risk Research, UpGuard, As an Individual

Chris Vickery

I believe regulation, such as [Technical difficulty—Editor] is going to be very useful in protecting the public from abuses happening. If Canada wants to look into the GDPR model and you subscribe to it and pass something of your own, I'm very much in favour of regulation that has teeth behind it, so that it can be enforced. When there is an egregious violation of whatever law gets put in place, make an example of the companies that are the egregious violators and make others afraid to do it.

9:05 a.m.

NDP

Alexandre Boulerice NDP Rosemont—La Petite-Patrie, QC

It's a bit like what you were saying earlier about how to take on mafia families.

Mr. Chair, how much time do I have left?

9:05 a.m.

Conservative

The Chair Conservative Bob Zimmer

You have about 30 seconds.

9:05 a.m.

NDP

Alexandre Boulerice NDP Rosemont—La Petite-Patrie, QC

You are in the United States and we are in Canada. How would you rate our level of security in terms of the integrity of our electoral system? Are things going well or are we obviously threatened?