Hello. It is a pleasure to appear once again before the committee. I've always enjoyed speaking with you, and feel that I can bring a lot to the table.
I reviewed the previous meetings' recordings for this specific subcommittee, talking about data and privacy along the pathway of moving Canada to digital online government services, and where things are now and where they are going to be, as well as different concerns the committee has. While I am open to answering questions about the AggregateIQ/Cambridge Analytica situation, I will not focus on that in my opening remarks. I am going to address some issues that were brought up in those previous meetings that I listened to and reviewed just recently.
Right now, it feels that Canada needs to make a decision on which direction the tech strategy needs to go in, or wants to go in. There is an opportunity to jump headlong into the game with all of the other big players and to try to be on the leading edge of the government digital crossroads, but it seems to me that the most natural position from what I heard in the previous discussions is to take a stance of, okay, let the other guys make the mistakes and do the advance running, sprinting at the head of the crowd, and then incorporate the things that work into your systems, and not the things that don't work. That seems to be the most advantageous position that I heard.
Another contention was on whether or not it should be mandatory to bring people into this digital environment, whether Canadians feel wary or not or trusting enough to give all of their personal data, medical data, over to a Big Brother type of situation. If you make it mandatory, then when there is, or if there is, any sort of data breach or vulnerability or problem that's taken advantage of, you risk a huge hit in public confidence in the system.
I would recommend that Canada try to have it be adopted by success, rather than being forced upon people, so that if a neighbour, by word of mouth, tells somebody else, “I made an appointment with my doctor; it was so easy, you should get online and do this, too”, that would be a lot better than if there were a data breach and those two neighbours were then talking about how much they hated being forced into the situation.
I heard a lot of discussion about blockchain, and some people trying to float the opinion that blockchain is going to solve things. I would be very wary of blockchain technology in its current state, and even in the future. Blockchains are basically where everybody has everything. It's a distributed ledger. It's not necessarily a secret key thing, or technology. I believe the great many failures of various coins on blockchains have indicated the somewhat inevitable issues that can crop up, and it's just not mature enough to be handling medical data and personal data, and especially for voting. That's a nightmare.
Another issue that was brought up was anonymizing data, and how important it is to have these pools of data so they can be studied and shared among the government departments and easily ported from one database to another, and how great that can be. Yes, you can get some great insights from that sort of study and looking at everything from a meta, overall angle, but there really is no such thing as anonymized data. It's a little bit of a misnomer. You can have data that you redact certain elements from, or drop certain things and try to make it hard to re-identify the people, but all you actually do when you anonymize data is that you make it harder and harder for the little players to re-identify folks. I guarantee that the big data brokers and the banks and the insurance companies can re-identify the data in most anonymized datasets simply based upon what they have already and are able to reference. It's just a matter of how much data the entity has that determines how long it takes them to re-identify it, so be very careful with anonymized data and thinking it's foolproof.
I don't just want to bring up issues or problems. I also want to bring forward some ideas, some brainstorming, of different ways to implement secure data-sharing among various government departments. The idea that privacy and security are built in by design is very powerful.
I think there is an opportunity for you to take the mindset of asking, if you were creating all of existence and you could create the laws of physics, the fundamental building blocks of the ecosystem that your data is going to live in, how you would do it so that it's secure.
I would do it in a way that database A and database B don't even speak the same language, can't communicate with each other, cannot pool data together, and I'd have a translator in the middle that they pass the data to, which would then translate it to each other.
That's just an idea I had. The advantage there is that you can have the translator be not available 24 hours a day, seven days a week, so that when everybody is asleep on a Saturday night, you don't have to worry about a bad guy getting into one and being able to access all of the others. It's all about segmentation, breaking things into pieces, compartmentalizing. Even though that makes it a little bit harder on the programming end of things, I think you'll get a much better outcome if you plan this sort of thing ahead of time, do it the right way and make sure everybody involved is of the right mindset.
Finally, I want to say that if there's one thing that needs to be done the old-fashioned way, it's voting. Digital voting is laden with all sorts of problems, with corruption. If there's one thing we need to do with hand-marked papers, it is voting. I'm very disappointed in how the United States has come to handle voting, and I wish much better for your country.
Thank you.