Evidence of meeting #112 for Access to Information, Privacy and Ethics in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was software.

A recording is available from Parliament.

On the agenda

MPs speaking

Also speaking

Chris Vickery  Director of Cyber Risk Research, UpGuard, As an Individual

9:05 a.m.

Director of Cyber Risk Research, UpGuard, As an Individual

Chris Vickery

I have a quick question. Is Canada considering either phone-in or Internet voting?

9:05 a.m.

NDP

Alexandre Boulerice NDP Rosemont—La Petite-Patrie, QC

No, not yet.

9:05 a.m.

Director of Cyber Risk Research, UpGuard, As an Individual

Chris Vickery

Okay. Stay away from that. Use paper ballots with audit trails. As long as you're using paper ballots with audit trails, you're relatively on the right track.

9:05 a.m.

NDP

Alexandre Boulerice NDP Rosemont—La Petite-Patrie, QC

Thank you very much, Mr. Vickery.

9:05 a.m.

Conservative

The Chair Conservative Bob Zimmer

Next up for seven minutes is Mr. Saini.

9:05 a.m.

Liberal

Raj Saini Liberal Kitchener Centre, ON

Good morning, Mr. Vickery. I want to follow up on some questioning from my colleague, Mr. Erskine-Smith, just to be clear.

You have discovered evidence that AIQ has been spoofing caller ID numbers in calls to American voters. Can you please explain to us what the evidence is and why that's a problem for them?

9:10 a.m.

Director of Cyber Risk Research, UpGuard, As an Individual

Chris Vickery

In the commentary of the developers writing to each other, they state that they are setting the caller ID differently from the truth, because if they call somebody it gives them the ability to have the person calling back on that number be routed to a different line. That could either be a voice mail message or something else—just not the same number that actually called them.

That is a problem as far as the U.S. side of things is concerned, because it is my understanding that the ability to do that is highly restricted to law enforcement situations, at least here in the U.S. Here, anybody spoofing caller ID information could face a lot of penalties, at least if it's aimed towards Americans. I'm not an attorney or a prosecutor, but that's my understanding.

9:10 a.m.

Liberal

Raj Saini Liberal Kitchener Centre, ON

I'm going to quote your recent tweet that Chris Wilson, who I believe is a volunteer at the Leadership Institute, “has a huge AggregateIQ involvement”. Can you explain what you mean by that?

9:10 a.m.

Director of Cyber Risk Research, UpGuard, As an Individual

Chris Vickery

Chris Wilson is the head of WPA Intelligence, formerly known as WPA Opinion Research. The WP is Wilson Perkins, I believe, and he's the “W” in WPA. They worked very closely with AggregateIQ, from what I can tell from the GitLab files.

I believe if you spoke with WPA they would claim the situation was more like WPA hired AggregateIQ as developers. They worked very closely on phone applications. The Ephemeral project has heavy ties to WPA, in that some of the web-based files that would have been served up to people dialling in claimed that it was the WPA voter database. Clearly, WPA has a strong involvement with AIQ, with AIQ being either some sort of partner or a hired developer, but there is a relationship there that I believe should be looked at.

9:10 a.m.

Liberal

Raj Saini Liberal Kitchener Centre, ON

Mr. Wilson noted in his biography that he has some experience as a campaign adviser in Russia, Ukraine, and Turkey. Do you have any information about AIQ's involvement in any of those countries, and what roles they might have played?

9:10 a.m.

Director of Cyber Risk Research, UpGuard, As an Individual

Chris Vickery

Mr. Wilson replied on that tweet string, actually, and claimed that the Russian and Turkish involvements were 20 years ago. I personally just recently found out about the Russia and Turkey involvements in his past, so I can't confirm or deny his 20 years ago claim. I know he is currently involved in a Ukrainian party, the Osnova party, and AIQ actually developed the phone app that Osnova is using right now. I don't know of direct Russian ties to AIQ, but I know of direct Ukrainian ties.

9:10 a.m.

Liberal

Raj Saini Liberal Kitchener Centre, ON

One of the things we've heard in testimony is that AIQ and SCL and Cambridge Analytica have been involved in many, many elections around the world. The question I have is this, and please correct me if I'm wrong. The software that was developed was Ripon. Is that the same software that was used throughout the world, or were there different iterations or different software that was developed for different countries or places that they wanted to work in?

9:10 a.m.

Director of Cyber Risk Research, UpGuard, As an Individual

Chris Vickery

To be clear, Ripon is only one of the projects. However, Ripon was an early project, and I believe that many of the projects that are present on the hard drive I gave you, for example, have grown out of Ripon and sort of evolved into little ecosystems of their own. One of the themes—

9:10 a.m.

Liberal

Raj Saini Liberal Kitchener Centre, ON

There may have been different iterations of that software, with a little bit of tweaking depending on where they're working and what information they had to gather, but that software is the pre-eminent software that AIQ developed for Cambridge Analytica. Is that a fair statement?

9:10 a.m.

Director of Cyber Risk Research, UpGuard, As an Individual

Chris Vickery

I believe that is a fair statement. I believe one of the running themes we keep running into is that much of the software is reskinned, but the engine is still significantly the same. It is something in new clothing.

9:10 a.m.

Liberal

Raj Saini Liberal Kitchener Centre, ON

Okay.

In your analysis of the hard drive, have you found any evidence or indication of exactly where or what jurisdictions this software or this company was involved in anywhere?

9:10 a.m.

Director of Cyber Risk Research, UpGuard, As an Individual

Chris Vickery

There are definitely indicators about the U.S., Canada, the U.K., Trinidad and Tobago. There's mention of Australia. I don't know how deeply, or if there was much going on in Australia, but it's definitely mentioned.

9:10 a.m.

Liberal

Raj Saini Liberal Kitchener Centre, ON

Okay.

9:10 a.m.

Director of Cyber Risk Research, UpGuard, As an Individual

Chris Vickery

I can't come up with any just off the top of my head in addition to those without looking more specifically for that.

Normally when I'm looking at data breaches, I try to focus on things that will resonate with North Americans because it's hard to get North Americans to care too much about very distant locales.

9:15 a.m.

Liberal

Raj Saini Liberal Kitchener Centre, ON

Also, you recently discovered a number of apps that AIQ was running on Facebook even though they had supposedly been banned from the platform.

Do you know what these apps were? Were you given a reason that Facebook hadn't taken them down? Do you think there are still AIQ apps running on Facebook?

9:15 a.m.

Director of Cyber Risk Research, UpGuard, As an Individual

Chris Vickery

I believe there are probably still AIQ-influenced if not AIQ-developed apps present on Facebook under different names. I believe that's likely.

9:15 a.m.

Liberal

Raj Saini Liberal Kitchener Centre, ON

You also discovered some information linking AIQ to Alex Jones and Infowars. Can you tell us what you found and what this connection means?

9:15 a.m.

Director of Cyber Risk Research, UpGuard, As an Individual

Chris Vickery

To be very clear, the only connection really was one image file that was right next to another image for an organization called For America. I know that AIQ developed a platform for For America that involved the ability to see various things the Facebook followers were saying and to recruit them. If they did the same thing for For America as they did for Breitbart, which they did do, then it stands to reason they might have done the same thing for Infowars, the website. I don't know. Other than that one image file, which I can't explain as to why it's there, I really don't know the exact relationship.

9:15 a.m.

Liberal

Raj Saini Liberal Kitchener Centre, ON

Thank you very much.

9:15 a.m.

Conservative

The Chair Conservative Bob Zimmer

Next up for five minutes is Mr. Aboultaif.