Evidence of meeting #112 for Access to Information, Privacy and Ethics in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was software.

A recording is available from Parliament.

On the agenda

MPs speaking

Also speaking

Chris Vickery  Director of Cyber Risk Research, UpGuard, As an Individual

9:25 a.m.

Director of Cyber Risk Research, UpGuard, As an Individual

Chris Vickery

I believe they had nine words on their website, and those were them. They had that nine-word phrase plus a contact email address. I think it's highly unlikely that the Leave campaigners found them and decided to use their services based upon nine words on an otherwise blank website.

9:25 a.m.

Liberal

Frank Baylis Liberal Pierrefonds—Dollard, QC

That's what they would lead us to believe: that they looked up and found this website, read these nine words, and emailed them, and it was all independently set up.

9:25 a.m.

Director of Cyber Risk Research, UpGuard, As an Individual

Chris Vickery

It seems unlikely to me.

9:25 a.m.

Liberal

Frank Baylis Liberal Pierrefonds—Dollard, QC

It seems more than unlikely to me.

I have another point. Mr. Silvester mentioned that they are not data harvesters, but you did some looking at the coding. If I understand it, some of the coding undertaken by AIQ is specifically for data harvesting. Is that correct?

9:25 a.m.

Director of Cyber Risk Research, UpGuard, As an Individual

Chris Vickery

Yes, it is a complete fabrication to say that they are not data harvesters. They are very much data harvesters. I guess if you want to play with semantics, you could say that they were hired at points to do data harvesting, but don't consider themselves data harvesters. That doesn't mean that they're not data harvesters. They certainly have harvested data. It's a lie to say that they have not harvested data.

9:25 a.m.

Liberal

Frank Baylis Liberal Pierrefonds—Dollard, QC

It's a straight-out lie, and they're playing with semantics when they say.... Whatever way they want to play it, they are doing it. They've done it. They do it. They've clearly said that they don't do it.

9:30 a.m.

Director of Cyber Risk Research, UpGuard, As an Individual

9:30 a.m.

Liberal

Frank Baylis Liberal Pierrefonds—Dollard, QC

If they say, “We ourselves aren't data harvesters, but someone hires us to do the data harvesting,” that is just playing games. That is just what we call lying.

9:30 a.m.

Director of Cyber Risk Research, UpGuard, As an Individual

Chris Vickery

Yes.

Word games, weasel words, whatever—it's a lie.

9:30 a.m.

Liberal

Frank Baylis Liberal Pierrefonds—Dollard, QC

Thank you.

9:30 a.m.

Conservative

The Chair Conservative Bob Zimmer

Next up is Monsieur Gourde.

9:30 a.m.

Conservative

Jacques Gourde Conservative Lévis—Lotbinière, QC

I will come back to the issue that Mr. Boulerice raised when he talked about the tip of the iceberg.

We know that there has been profiling and that software has been developed to try to categorize the population. To your knowledge, are there things that the committee didn't mention, but that should be brought to its attention? Should it be made aware of what some people intend to do in the future? Is there software being developed that we don't know why it's being developed, but could be used in an election?

9:30 a.m.

Director of Cyber Risk Research, UpGuard, As an Individual

Chris Vickery

There is election software in there. I don't know if it was ever used anywhere.

If you look in the hard drive, there's one area called vb9k and vb9k admin, something like that. It contains the skeleton if not the working prototype of a voting system, so much so that there are scripts to email people that say, “Our records indicate that you can vote by email, and here's how you would do it.” I don't know if these were ever used anywhere.

There are references to the Canadian government in there. That's part of why I asked earlier whether you've ever considered using phone, email, or whatever, for voting. It appears that there was some sort of proposal made at some point, using this direct vote system.

9:30 a.m.

Conservative

Jacques Gourde Conservative Lévis—Lotbinière, QC

The further we go, the more we discover. Do you think that our electoral legislation will have to be adapted to today's new reality? What changes should we make to our legislation to protect personal information and our democracy? Should the use of these new tools be outright prohibited since, given the international context, it would be too easy to circumvent the guidelines that we could set to protect our democracy from using these tools?

9:30 a.m.

Director of Cyber Risk Research, UpGuard, As an Individual

Chris Vickery

Let's just ban the software—it's too easy to go around bans and too arbitrary to try to ban software.

I believe the answer, ultimately, will be transparency. To not allow people to hide in the shadows when they're attempting to influence populaces in ways that may or may not be unsavoury. Making it very easy to figure out who's behind a particular ad or campaign is vitally important, and the traceability of the money that paid for that campaign or ad is extremely important.

Other than that, I don't know the specifics of Canadian law on elections very well, to be honest, so I don't know what other improvements could be made.

9:30 a.m.

Conservative

Jacques Gourde Conservative Lévis—Lotbinière, QC

Do the people who use this software and all the information on the Internet really have a significant advantage over those who use only conventional tools and information provided by government agencies, in this case Elections Canada?

9:30 a.m.

Director of Cyber Risk Research, UpGuard, As an Individual

Chris Vickery

I have always believed that taking advantage of technology will give you an edge just about everywhere. It would be a philosophical belief of mine that people do have an advantage when they use the latest and greatest in software development and technology. That's just a concept I would agree with.

There are layers of taking advantage. You can use a hammer to build a house, or you can use a hammer to assault somebody. That doesn't mean you should get rid of hammers altogether.

June 7th, 2018 / 9:30 a.m.

Conservative

Jacques Gourde Conservative Lévis—Lotbinière, QC

However, those who use this software have access to more advanced information, and even to information concerning people's private lives. If some people have access to such information, but others, who do not have the financial means to use this type of technology, use only the information provided by Elections Canada, this creates a certain injustice. You have to pay to get that information. Not all parties or all candidates can afford it. There are election spending limits, but in many cases they are never reached, simply because people can't afford them. So an injustice is being created. They are not on an equal footing in an election or in our democracy. The more this software is somewhat allowed to make progress, the more there will be a two-tier democracy.

9:35 a.m.

Director of Cyber Risk Research, UpGuard, As an Individual

Chris Vickery

I would say that it's a concept that can be applied to a lot of different things, and yes, it is true that the people who have more money do tend to have an advantage in elections. It's a problem that America wrestles with a lot. The Supreme Court in America has decided that money is equal to free speech, which is sacrosanct to our basic underpinnings.

It is something that is being struggled with. I don't think there's an easy answer as to how to regulate how much money and how much advantage the people with money have over the people who do not have money in an election. I don't know an easy answer to that.

9:35 a.m.

Conservative

Jacques Gourde Conservative Lévis—Lotbinière, QC

Thank you.

9:35 a.m.

Conservative

The Chair Conservative Bob Zimmer

Thank you, Mr. Gourde.

Next up is Ms. Vandenbeld.

9:35 a.m.

Liberal

Anita Vandenbeld Liberal Ottawa West—Nepean, ON

Thank you very much for being here again. I think your testimony the last time informed much of our study and we have a much better sense of the enormity of what we're dealing with here.

After we heard from you, we did have Mr. Silvester here. I asked him about what you said about the code base having certain fingerprints. I think you mentioned that it was listed as a client. There were ID numbers that showed that SCL and AIQ were using the same code base.

What Mr. Silvester answered was, “I don't know what the researcher”—referring to you—“was referring to there, but I can say that the only information we received from SCL in the provisioning of services for SCL was specifically for those campaigns that we were assisting with.” He went on to say “we don't retain any personal information from one campaign” to the other. Then he said, “we don't transfer that information to anyone, other than back to the people who provided it”.

With regard to the Ripon psychosocial scoring, he said they had a “turnout score” but they didn't transfer it to anyone and also, it couldn't have gotten to anyone else through them. Also, he said that they don't keep any of the data. I'm quoting here: “We're not a data company, so we have no interest in...that.”

What do you think of the credibility of his answers?

9:35 a.m.

Director of Cyber Risk Research, UpGuard, As an Individual

Chris Vickery

It strains the imagination to believe that somebody could state those things. They have a great deal of interest in data. There's data within that hard drive I provided you guys that proves many of his statements there incorrect. I really am surprised that he would state those things. He must have thought that I wasn't going to give the Canadian committee copies of what was present there, or he must have been at least hoping that I wouldn't, because it's simply incorrect.

9:35 a.m.

Liberal

Anita Vandenbeld Liberal Ottawa West—Nepean, ON

Thank you for having done that.

If you could send to the committee specifically—because we will be bringing them back—the things that would refute what he said, that would be very useful.

Thank you.

9:35 a.m.

Director of Cyber Risk Research, UpGuard, As an Individual

Chris Vickery

Mr. Baylis has copy of that, but I will send it to the whole committee.