Information & Ethics Committee on Feb. 7th, 2019

For me, there is not really a big choice here. The foreign actors are already very interested in our systems, and there is a long history of them penetrating our systems already. I believe that five, six or seven years ago, Treasury Board was very compromised, to a degree where I think they had to throw out almost all the computers in the entire department.

I want to be really clear. It's not like the current system is somehow secure and we want to move to a new system that has kind of dipped into the unsecure. What we have to be thinking about is the types of threats and what they mean for us.

Under our current model, maybe one of the advantages is that, because it's disorganized for us, it's also disorganized for an attacker. So if they penetrate a system, they may penetrate only a single system and learn so much. But in a system where, say, it's very easy to identify my unique identity and the systems are more connected, they may, too, now be able to penetrate the system and get a more global view. So that poses a new type of threat.

The flip side of that is that it may also be easier to defend. Right now, your information is only as well protected as the weakest database it happens to be in, if it's in five different databases. In America, that turns out to be Equifax or some other poor databases that get widely used. It may be that some consolidation would actually allow us to bring in our defensive resources and concentrate them.

But there are real risks here either way.

For me, the key issue here is one of resilience and openness. When you go back to the Estonian model—which I appreciate everybody is getting a little fatigued hearing about—when they started using e-voting in that country, they put out their source code as open source and challenged people to find shortcomings in it, and a group of researchers found shortcomings and published them online. But that did not shake the confidence of Estonians to continue to use e-voting. It simply led to corrections. If you think about Apple in the past week, notwithstanding their justified criticisms of Facebook and Google, as Mr. Angus rightly referred to, they, too, had a privacy breach with respect to FaceTime that they had to apologize for.

Governments traditionally, especially with respect to IT architectures, have tended to be very inward in terms of thinking about proprietary systems, proprietary controls, of course wanting to minimize the notion of breaches and the information that gets out around breaches. On the other hand, I think we need to kind of turn that around and think more and more about being outward and open about admitting the vulnerabilities and looking more at how we can address them collectively and adapt in ways that improve the resilience of our systems in both technical and social ways, going forward.

I think that's an excellent point that I'll echo. One of the conditions that need to be in place for all of this to work is citizen trust in the system, and that's also going to be about generating a certain tolerance for failure amongst the public. I'm not talking about the public kind of smiling and shrugging off large-scale data breaches or anything like that. One of the things I constantly hear when I speak to governments that are doing very innovative things on digital is that part of it is that they have a licence to innovate. They have a population that trusts that their state has their best interests at heart, that their state will be open and honest about mistakes when they happen, and that their state has appropriate systems in place to manage those errors so they're not large-scale.

I don't think we have that culture right now in the Government of Canada. One of the previous witnesses—I believe it was Mr. Fishenden—suggested that one way we could improve the culture of privacy and the accountability around privacy would be to institute a new extra-governmental oversight body. I would strongly disagree with that. We have a history, in the federal government in particular, of looking at all accountability issues as ones where we need to create more oversight, more rules, more top-down punishments.

What this creates in the civil service is this absolute fear that in trying anything new and different, if it doesn't go right, you're going to be smacked down so hard that, first, you should lie about it when it happens, and second, you just shouldn't even try it in the first place. It's incredibly frustrating for employees who are trying to do things that are different, but it also just puts a full stop on a lot of the innovations that we're talking about here, which will in many cases rest on work from within the civil service. There will be parliamentary leadership, and we will need to have ministers behind it, but civil servants are going to do the grunt work, if we're planning on moving towards any of these sorts of models.

I think a model that focuses on accountability for learning could be a really important part of generating a culture in the Government of Canada that respects privacy but also allows us to be more innovative in our services.

Yes, I think that's something we need.

If I could, I will begin. To go back to the issue of cloud providers and Amazon, I believe the Government of Ontario, under the prior government, has already outsourced a number of its database servers to Amazon web services. From a privacy and security point of view, I think it's setting the bar much too high for the public sector to be building the databases of the future. It's very clear that Shared Services Canada has struggled. That's no secret. A lot of problems have arisen from that. A member referred to Phoenix a short time ago.

There are, of course, imperfections and challenges in working with private actors, as has been discussed. It seems to me that the better route is to work with the most sophisticated technology companies in the world. They have the security capacities to enshrine privacy, as Apple tries to do—perhaps more than social media companies today. Certainly, Amazon and Microsoft are very focused on security in terms of their cloud offerings. We should also be engaging the private sector in a dialogue about the privacy implications of that and ensuring there is robust accountability for how they partake in public infrastructure and what the implications are. I don't really see an alternative.

That's why, despite this notion of the cloud that is very porous with server farms all over the world, many countries have negotiated agreements where data centres for certain types of data need to be located within national boundaries.

That really shouldn't be a limitation for Canada, which has a number of data farms from large entities that have set up here. Quite often, they are very much under the radar screen because they don't want the locations overly publicized. I think that's not necessarily a limitation. For this meeting, however, I was just reading through my privacy policy for the PC Optimum online program, and they very clearly state in their program that they can't guarantee that data is not shared on servers in other countries as well.

It is a challenge; I grant you that. I'm not saying that it's not, but I do think there are ways in which governments have stipulated.... For example, even Apple has to store iCloud data in China, according to Chinese law. Most countries are going in that direction. There's some flexibility in having certain datasets located only within the country under certain regulations but having other datasets that are perhaps less sensitive, less critical, in different layers of the cloud, while still demanding that these private actors be transparent in different forums, in terms of explaining how that data is being used.

I tried to surface this earlier, and I said that I think you guys need to be engaged in a dialogue with the public, because I had the exact same example with my health care records. I don't want someone to see them on any given day, but if I'm lying in the street dying, I definitely want people to have access to them.

The honest truth is that there are no simple answers to these questions.

One of the key things I am trying to convey to you—and I think Professor Clarke is as well— is that we need to be thinking about what culture and what norm we want to build in this country around how we are going to manage these things. The opportunity space for us to do something different is there, but if the public doesn't come along and we don't move, then there's going to be an efficiency tax, an opportunity tax that we all pay as Canadians but that other countries won't be paying as they do things differently.

How are we going to not just build this infrastructure, but bring the public along and build something that they have trust and confidence in, and that they see as infrastructure they can rely on, not just from a technical perspective but from a trust and privacy perspective?

I'm sorry, but I don't have a better answer for you.

I think you're exactly right to note that people sort of want it all.

On this point, I think the committee should be really careful with how it interprets a lot of the data we currently have on citizens' preferences with regard to government data collection and use, because most of these surveys don't actually present the realistic trade-offs to citizens.

You'll find countless surveys that suggest that Canadians are very uncomfortable with certain types of data being collected, used in certain ways and combined with other datasets. There's a line around whether people would want government to collect data and then use it for purposes other than what it was originally collected for. Of course people reply “no” when the situation is presented like that.

We need to move to surveys and studies that, instead, say that data may be used for purposes other than that for which it was collected “if it means that wait times are shorter at hospitals” or “if it means that you could be made aware of all the tax benefits you're not claiming right now that could save you thousands of dollars per year”.

We have to put forward that value proposition, because right now most of our data only asks citizens if, essentially, they want to be surveilled and have their data abused. Everyone's going to say no to that. That's not what we're talking about here. These are really important trade-offs in the efficiency of government and the quality of the services it provides, with questions around data use, some of which are privacy-related but many more of which get into questions of broader governance issues.

I think it's important to be careful with how you're interpreting the data from those surveys because they're actually not very helpful. They would suggest to you that we should not move forward with many of the reforms that we're putting on the table because they essentially say that citizens care only about privacy, and I'm not sure that those surveys actually capture the real trade-off.