Evidence of meeting #139 for Access to Information, Privacy and Ethics in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was identity.
A recording is available from Parliament.
Chief Information Officer, SecureKey Technologies Inc.
The first part is the identity question: who are you? The second question is authentication: are you the person who showed up the first time? The third thing is authorization: what can I do inside your service?
That third domain is mostly what you've been talking about today. The first two questions are what we're arguing: it should be both a public and private service across the economy. We need all of these organizations to participate.
NDP
NDP
Liberal
David Graham Liberal Laurentides—Labelle, QC
That's fair.
I don't have a lot of time, so I'll ask you to use...I'll call it “lossy compression” on your answers.
Liberal
David Graham Liberal Laurentides—Labelle, QC
In the digital world, is there privacy without security?
Vice-President, Security Remediation Services, Herjavec Group
Well it depends on how you think about that question. It deals with access, so a record can be kept private. You can talk about making it secure, but you don't.... It's a complicated question.
Ultimately, every aspect of privacy is expressed as a security control of some type. I think academically the answer is yes, but practically, no.
Senior Vice-President, Corporate Development, Herjavec Group
I think if you flip that around and say that you can have security with varying levels of privacy, it's more aligned to what we're talking about here.
The reason that companies driven by advertising revenue are so popular is that it allows them to be better at the provision of services or selling you more things. The government should take a page from that book—with respect, obviously, to citizens' privacy—to say that the future of government is going to be a more directed and precise provision of services, and that can be secured at the level of privacy that the citizen is willing to participate in.
If we give citizens a trade-off to say that can do much more with government with the existing information we have if we can derive analysis from that, like the private sector does, and ask whether they are in, I think the overall answer from Canadians is going to be yes, if they understand what we're talking about here.
Liberal
David Graham Liberal Laurentides—Labelle, QC
Okay.
Mr. Anthony, when you started answering the first question from Ms. Fortier, you had trouble hearing because the microphone was on and therefore your speaker was off. It was causing a problem. It ties to a point that I want to make about non-intuitive interfaces and that the biggest problem we have in security is the user. I checked and it's not on the record, and perhaps it should be.
Who is Kevin Mitnick, and could we talk a bit about that?
Vice-President, Security Remediation Services, Herjavec Group
Do you want to talk about Kevin Mitnick?
Liberal
David Graham Liberal Laurentides—Labelle, QC
I think it's a really important point. He hacked a massive number of systems. He wasn't really using a computer to do it; he was using social engineering.
Vice-President, Security Remediation Services, Herjavec Group
Yes. In the industry sometimes, we don't like to talk about Kevin Mitnick being a hacker. He was a social engineer at heart, which meant he was working human and offline systems to get information, and then replaying that into trust relationships with other people and to some extent other computer systems. He got famous. He went to jail. He's now making a career from getting famous and going to jail.
When we look at the entirety of accessing computer information systems and stored data, if you're attacking that, you're going to naturally use the least effort. The least effort is almost always people. So it's not enough just to secure the technologies, you also have to help secure the people.
Chief Security Officer, SecureKey Technologies Inc.
Sorry, I just want to add that we have to get to a point where we make the data almost useless. What is important is the validation that comes with the data. Therefore, if there is an attack—a social engineering attack or otherwise—where the data is collected by the attackers and somehow attempted to be invoked into the system, it's rejected because it's not coming from a validated source.
We want to make our personal information, on its own, useless. Give it to the attackers. Fine. They can't do anything with it it because they can't validate it properly.
Chief Information Officer, SecureKey Technologies Inc.
That's the card-present identity idea. The only person who could have done this is somebody who had something that belonged to the real user, and the real user will turn it off when they lose it.
That's where trust and integrity will come from.
Liberal
David Graham Liberal Laurentides—Labelle, QC
Another weakness I see is that when you're processing encrypted data, at some point you have to decrypt data to figure out what you're doing with it.
Is there any way around that? Can we process data without decrypting it? I know the EFF has worked on it a bit, but I don't know if there's been an answer to that.
Chief Security Officer, SecureKey Technologies Inc.
I think there are a couple of things there. It depends on who the “we” are.
In the service where there's an identity network, the network never needs to see the protected information, right? Sure, it has to send it. It has to hold it temporarily until the receiver of the information picks it up, but the network doesn't need to see the personal information. So, yes, you can process data without having to decrypt it.
Really, the encryption happens at the provider. The receiver of the information should decrypt it.
The other thing is about data minimization. We also need to get to a point where I'm not sending my birthdate to say how old I am or that I'm the age of majority; I'm sending a validated, “Yes, this person is over 19.”
Those two things together can add the security we need from a data-minimizing point and reducing the exposure of personal information.
February 28th, 2019 / 4:30 p.m.
Liberal
