Evidence of meeting #112 for Access to Information, Privacy and Ethics in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.)

A recording is available from Parliament.

Also speaking

Chris Vickery  Director of Cyber Risk Research, UpGuard, As an Individual

9:35 a.m.

Liberal

Anita Vandenbeld Liberal Ottawa West—Nepean, ON

Thank you.

I will share my time with Mr. Picard.

June 7th, 2018 / 9:35 a.m.

Liberal

Michel Picard Liberal Montarville, QC

Thank you.

Hi again, Mr. Vickery. How are you?

9:35 a.m.

Director of Cyber Risk Research, UpGuard, As an Individual

Chris Vickery

I'm doing well.

9:35 a.m.

Liberal

Michel Picard Liberal Montarville, QC

I have two short questions, but they're a bit complicated.

I'll start with a comparison. When we look at money laundering schemes, we see that in some cases you have a bunch of companies whose structure doesn't explain the commercial activities. It's not illegal to incorporate companies, but to find 10, 15, or 20 companies in a structure that does not need that many companies is an indicator of something. It's not proof. It's an indicator.

If we look at what we have in the data you looked at, it's not illegal to have code. It's normal for a marketing company to develop code to better know their client base. What are the indicators that suggest, yes, it makes sense in certain cases, but in our case it doesn't make sense because these are the indicators that suggest, let's say, that something is fishy?

I'm asking the question because the former head of the FBI, Mr. Comey, said this week that Canada is likely to be the next target of Russian hackers. It's not an operation that you start the day after you wake up and say that it's a good idea. You have to put in place a number of things, a number of indicators that we have to look at. What would be those indicators?

9:40 a.m.

Director of Cyber Risk Research, UpGuard, As an Individual

Chris Vickery

I want to be clear that I am not an expert on international espionage by any stretch of the imagination. For the indicators that would show activity like what Mr. Comey has described, you probably are better off speaking to an expert in that field.

I can speak very clearly to and in depth upon the data that is present in the AIQ GitLab, definitely, but I wouldn't want to appear as a charlatan and make guesses at international espionage flags or indicators. I don't think I'm qualified right now to answer that.

9:40 a.m.

Liberal

Michel Picard Liberal Montarville, QC

Let me relieve the pressure on your shoulders a little bit. The idea is not to see whether they are spying on us or not. If I go back to my money laundering example, from a corporate standpoint, from a financial standpoint, everyone who knows their field of work, financial experts, will say that incorporation is good and that they have to incorporate for certain activities. In this case, I find it awkward that this person, or group of persons, incorporated 15 companies. For this company, it's complicated for nothing.

When you look at what you find in your data, chances are that marketing companies do use these codes for their purposes. What suggests that it's fine in one field of work but not in another? One of the biases we have when we try to investigate something is that we put intent when there is none, but we don't see the intention when there should be one.

By practical analysis of the data, we can say that those data make sense, but in this case we don't understand why those persons use these types of data, because the context doesn't follow the purpose of the company.

9:40 a.m.

Director of Cyber Risk Research, UpGuard, As an Individual

Chris Vickery

Okay. I think I understand what you're getting at.

One of the original things that caught my eye when I visited the aggregateiq.com website for the first time—I didn't know who they were—was that they seemed to be in the same business, industry, or field as Cambridge Analytica. I had seen code on GitHub—different from GitLab—referencing aggregateiq.com, which had Cambridge Analytica written as a client of SCL. It all tended to be like, why are there companies in the same field all co-operating together? Don't they step on each other's toes? It didn't make a lot of sense to me. That's one of the things that originally got my antenna perked up.

Another relevant item from the GitHub or GitLab files is that a U.S. politician, whose last name is “McSally”, appears to have been an AIQ client—or AIQ did work on her campaign—while at the same time, I believe, being a client of Deep Root Analytics, which is another data analysis company I have found a data breach for. If there is a connection there, is it likely that the two companies were coordinating in some way to help her campaign? It seems weird to me that a campaign would use two similar companies and not have the companies talking to each other to work towards a common goal, so it further elaborates on the idea of a larger machine at work here.

9:40 a.m.

Liberal

Michel Picard Liberal Montarville, QC

Thank you.

9:40 a.m.

Conservative

The Chair Conservative Bob Zimmer

Last up is Mr. Boulerice for three minutes.

9:40 a.m.

NDP

Alexandre Boulerice NDP Rosemont—La Petite-Patrie, QC

Thank you again, Mr. Vickery.

You've had some interesting interactions with the Facebook people over the past few weeks through Twitter. You raised the fact that, despite Facebook's reassuring statements, 14 AIQ applications were still active, even though they had been officially suspended by Facebook. The Facebook people answered you on Twitter, thanking you and saying they had finally suspended all 14 applications. They even dared to tell you not to hesitate to use their bounty program to report data misuse, which I find quite ironic. I don't know if you used that bounty program.

Are you less concerned now about the inappropriate way some applications use Facebook?

9:45 a.m.

Director of Cyber Risk Research, UpGuard, As an Individual

Chris Vickery

I am glad Facebook seems to be [Technical difficulty—Editor] in a good direction. I am not at all confident the infection has been totally removed. There are likely to be more apps found that are simply doing a sort of reputation laundering in that it's the same bad app under a different name and a different skin. I think that is very likely, and it will take some efforts on Facebook's part to completely rout all of the bad actors that seek to abuse the platform.

9:45 a.m.

NDP

Alexandre Boulerice NDP Rosemont—La Petite-Patrie, QC

As public figures, we all engage in political communication to varying degrees. We use social media for this. Most of us have accounts with many of these media. Besides, some of us are related. For my part, I have teenagers at home who are also on certain platforms.

In terms of protecting the privacy of individuals and personal information, I would like to know which of these tools, whether Facebook, Twitter, Snapchat, Instagram or others, you think is the most secure or the least likely to be used to collect data that will be used for political purposes in the future.

9:45 a.m.

Director of Cyber Risk Research, UpGuard, As an Individual

Chris Vickery

Any company that is driven by profit, which is not inherently a bad thing, is going to have an incentive to maximize that profit for their shareholders. Some would even say they have a duty to do so. Advertising and doing deep profiling and selling data are ways to maximize those profits. I don't think any of those that you mentioned are necessarily better than the other, or more privacy-centric.

I think we need to alter the industry's behaviour, and kind of change the priorities or incentives they prioritize in their heads, from just “profit, profit, profit” to “If I am less strict on privacy, I might end up getting fined by the regulators, and my profits will not be so high. I'd better protect people's information.”

There's just a different carrot-and-stick dynamic that is way out of whack right now.

9:45 a.m.

Conservative

The Chair Conservative Bob Zimmer

That's time.

9:45 a.m.

Liberal

Nathaniel Erskine-Smith Liberal Beaches—East York, ON

Mr. Chair, we had originally planned to go in camera to discuss committee business. My one worry is that Peter and Charlie are not here. We're to do committee work in terms of recommendations, and I don't feel that comfortable, given that we've been working in a pretty non-partisan way, not having them here to do that work.

We do have some time at the moment. Perhaps Mr. Vickery has some additional time. He has indicated that he's gone in camera with the U.K. committee, and that's been helpful, to some extent. I wonder if we might take at least a half-hour and see where it goes. If Mr. Vickery is able to go in camera, we could spend some time doing that. We could also have a further discussion afterwards, if we can do any committee work otherwise.

9:45 a.m.

Conservative

The Chair Conservative Bob Zimmer

Yes. I was just going to bring it up about going in camera with Mr. Vickery for a certain period of time. We'll go where that takes us, I guess, and use up the time the committee wants to use up there.

9:45 a.m.

Liberal

Nathaniel Erskine-Smith Liberal Beaches—East York, ON

Great.

9:45 a.m.

Conservative

The Chair Conservative Bob Zimmer

As for the recommendations, the recommendations have been given by all parties. We all have them. We don't necessarily need to have them here in person to go over those, but if there are any disagreements about those recommendations—

9:50 a.m.

Liberal

Nathaniel Erskine-Smith Liberal Beaches—East York, ON

Assuming there are no conflicts...yes, exactly.

9:50 a.m.

Conservative

The Chair Conservative Bob Zimmer

—then we'll have to deal with that, I guess.

9:50 a.m.

Liberal

Nathaniel Erskine-Smith Liberal Beaches—East York, ON

Fair enough.

9:50 a.m.

Conservative

The Chair Conservative Bob Zimmer

To my understanding, though, it's fairly straightforward.

Mr. Vickery, you do have time, we understand, to go in camera with us in a few minutes?

9:50 a.m.

Director of Cyber Risk Research, UpGuard, As an Individual

9:50 a.m.

Conservative

The Chair Conservative Bob Zimmer

I have a question for you just for the sake of the public. Have you been watching what's going on with the U.K. committee, including yesterday with Mr. Collins and the witness Mr. Nix? Did you have a chance to see the testimony?

9:50 a.m.

Director of Cyber Risk Research, UpGuard, As an Individual

Chris Vickery

I did view Mr. Nix's testimony yesterday. I had to take a few breaks to get some work done and attend a few conferences and stuff, but I did substantially view his testimony.

As to the first person you mentioned, I believe I read some of the coverage, but I don't have any special insight.