Evidence of meeting #155 for Access to Information, Privacy and Ethics in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.)

A video is available from Parliament.

Also speaking

Mark Ryland  Director, Security Engineering, Office of the Chief Information Security Officer for Amazon Web Services, Amazon.com
Marlene Floyd  National Director, Corporate Affairs, Microsoft Canada Inc.
John Weigelt  National Technology Officer, Microsoft Canada Inc.
Alan Davidson  Vice-President, Global Policy, Trust and Security, Mozilla Corporation
Erik Neuenschwander  Manager of User Privacy, Apple Inc.
Sun Xueling  Senior Parliamentary Secretary, Ministry of Home Affairs and Ministry of National Development, Parliament of Singapore
Hildegarde Naughton  Chair, Joint Committee on Communications, Climate Action and Environment, Houses of the Oireachtas
James Lawless  Member, Joint Committee on Communications, Climate Action and Environment, Houses of the Oireachtas
Damian Collins  Chair, Digital, Culture, Media and Sport Committee, United Kingdom House of Commons
Ian Lucas  Member, Digital, Culture, Media and Sport Committee, United Kingdom House of Commons
Jo Stevens  Member, Digital, Culture, Media and Sport Committee, United Kingdom House of Commons

9:25 a.m.

Director, Security Engineering, Office of the Chief Information Security Officer for Amazon Web Services, Amazon.com

Mark Ryland

It doesn't sound familiar to me at all, but I'd be happy to double-check. No, I'm not familiar with that.

9:25 a.m.

Chair, Joint Committee on Communications, Climate Action and Environment, Houses of the Oireachtas

Hildegarde Naughton

In relation to GDPR and data protection, from what my colleagues asked you earlier, you're saying you would be in favour of some form of GDPR being rolled out globally.

9:25 a.m.

Director, Security Engineering, Office of the Chief Information Security Officer for Amazon Web Services, Amazon.com

Mark Ryland

Again, we believe that the principles of consumer trust—putting customers first, giving them control over their data and getting their consent for usage of data—make sense. The specific ways in which that is done and the amount of record-keeping and the bureaucracy involved sometimes seem to outweigh the benefit to consumers, so we really think we need to work together as a community to find a right balance that's not too onerous.

For example, a large company like ours might be able to comply with a very onerous regulation that's very expensive to implement, but a small business might not. We have to find ways in which those principles can be implemented in a way that's efficient and relatively simple and straightforward.

Yes, we definitely support the principles behind GDPR. We think the actual legislation is still a bit of a work in progress, in the sense that we don't know exactly what the meaning of some of the legislation will be once it gets to the regulatory or judicial level—what exactly constitutes reasonable care, for example, on the part of a company.

9:25 a.m.

Chair, Joint Committee on Communications, Climate Action and Environment, Houses of the Oireachtas

Hildegarde Naughton

Okay, so are you open to that, or maybe to a different version of it across the world?

9:25 a.m.

Director, Security Engineering, Office of the Chief Information Security Officer for Amazon Web Services, Amazon.com

9:25 a.m.

Chair, Joint Committee on Communications, Climate Action and Environment, Houses of the Oireachtas

Hildegarde Naughton

As you know, in the GDPR as it's currently working, there are those obstacles for some companies, but that has been worked through across the European Union.

9:25 a.m.

Director, Security Engineering, Office of the Chief Information Security Officer for Amazon Web Services, Amazon.com

9:25 a.m.

Chair, Joint Committee on Communications, Climate Action and Environment, Houses of the Oireachtas

Hildegarde Naughton

I suppose you're waiting to see how that works out—

9:25 a.m.

Director, Security Engineering, Office of the Chief Information Security Officer for Amazon Web Services, Amazon.com

Mark Ryland

We think there will be a lot of good learnings from that experience. We can do better in the future, whether it's in Europe or in other places, but again, the principles make sense.

9:30 a.m.

Chair, Joint Committee on Communications, Climate Action and Environment, Houses of the Oireachtas

Hildegarde Naughton

Okay.

This is a question for Microsoft: Earlier this year, I understand a hacker compromised the account of a Microsoft support agent. Is that correct?

9:30 a.m.

National Technology Officer, Microsoft Canada Inc.

John Weigelt

That's correct. There was a disclosure of credentials.

9:30 a.m.

Chair, Joint Committee on Communications, Climate Action and Environment, Houses of the Oireachtas

Hildegarde Naughton

I understand at the time Microsoft was saying there was a possibility the hacker accessed and viewed the content of some Outlook users. Did that actually happen? Did they access the content of Microsoft users?

9:30 a.m.

National Technology Officer, Microsoft Canada Inc.

John Weigelt

Having that access from the support side gave them the possibility to be able to do so.

9:30 a.m.

Chair, Joint Committee on Communications, Climate Action and Environment, Houses of the Oireachtas

Hildegarde Naughton

How was it that a hacker was able to, I suppose, compromise your own security or data security features?

9:30 a.m.

National Technology Officer, Microsoft Canada Inc.

John Weigelt

That whole environment is an end-to-end trust-type model, so all you have to find is the weakest chain in the link. In this case, it was unfortunate that the administrative worker had a password that the hacker community was able to guess to get into that system.

9:30 a.m.

Chair, Joint Committee on Communications, Climate Action and Environment, Houses of the Oireachtas

Hildegarde Naughton

What have you done to ensure this doesn't happen again? It seems like kind of a basic breach of data security for your users.

9:30 a.m.

National Technology Officer, Microsoft Canada Inc.

John Weigelt

Absolutely. Any time there's an incident within our environment, we bring the Microsoft security response team together with our engineering teams to see how we can do better. We took a look at the environment to see what happened and to make sure we could put in place tools such as multi-factor controls, which would require two things to log in—something you know, something you have. We've been looking at things like two-person controls and tools like that, so that we can ensure we maintain our customers' trust and confidence.

9:30 a.m.

Chair, Joint Committee on Communications, Climate Action and Environment, Houses of the Oireachtas

Hildegarde Naughton

You're on record for having put these changes in place. Have you had a report? Did you do a report in relation to how many users' information was accessed, or the content?

9:30 a.m.

National Technology Officer, Microsoft Canada Inc.

John Weigelt

We'd have to come back to the committee on the report and its findings. I'm not aware of that report. I had not searched it out myself.

9:30 a.m.

Chair, Joint Committee on Communications, Climate Action and Environment, Houses of the Oireachtas

Hildegarde Naughton

Okay.

In relation to the measures taken following that.... Again, this is about the trust of users online and what your company has done. Would it be possible to get feedback about that?

9:30 a.m.

National Technology Officer, Microsoft Canada Inc.

John Weigelt

Absolutely.

9:30 a.m.

Chair, Joint Committee on Communications, Climate Action and Environment, Houses of the Oireachtas

9:30 a.m.

Liberal

The Vice-Chair Liberal Nathaniel Erskine-Smith

You have another minute.

9:30 a.m.

James Lawless Member, Joint Committee on Communications, Climate Action and Environment, Houses of the Oireachtas

Thank you, Chair.

To Amazon, first of all, is Alexa listening? I guess it is. What's it doing with that information?

9:30 a.m.

Director, Security Engineering, Office of the Chief Information Security Officer for Amazon Web Services, Amazon.com

Mark Ryland

Alexa is listening for a keyword, the wake word, which alerts the system that you want to interact with it in some fashion. That information is not locally stored. There's nothing stored locally on the device. Once the keyword is recognized, it follows that. There's a light on the device that tells you that the device is now active, and the subsequent sound in the room is then streamed to the cloud.

The first thing the cloud does is to double-check the wake word. The software on the device often isn't sophisticated, so it occasionally makes mistakes. The cloud will then recognize that it wasn't a wake word, and then it will shut off the stream. However, if the cloud confirms that the wake word was used, that stream is then taken through a natural language processing system, which essentially produces a text output of it. From there, the systems take the next action that the user was asking for.