Evidence of meeting #23 for Access to Information, Privacy and Ethics in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.)

A recording is available from Parliament.

Also speaking

Clerk of the Committee  Mr. Hugues La Rue
Brenda McPhail  Director, Privacy, Technology and Surveillance, Canadian Civil Liberties Association
Thomas Keenan  Professor, University of Calgary, As an Individual
Ken Rubin  Investigative Researcher, Advocate, As an Individual
Tamir Israel  Staff Lawyer, Samuelson-Glushko Canadian Internet Policy and Public Interest Clinic

12:30 p.m.

Liberal

Raj Saini Liberal Kitchener Centre, ON

Mr. Israel, I want to ask you a question specifically, and other people can comment also.

You have written about the importance of individual notification when there is a privacy breach. You mentioned that earlier. I was curious for a bit more detail about what kind of system that would entail. How would it work?

12:30 p.m.

Staff Lawyer, Samuelson-Glushko Canadian Internet Policy and Public Interest Clinic

Tamir Israel

There is a regime now adopted in PIPEDA that could probably work very effectively in the Privacy Act as well. It focuses on notifying individuals where there is a risk of harm, and harm is defined as a way that entails there are mitigation efforts the individual could take so they should be notified in a timely manner so they can take those measures.

It also entails record keeping at the institutional level of even less harmful breaches so that we have a better picture of what's happening in security breaches, which again is going to be important moving forward so entities like the Privacy Commissioner and whatever entities become responsible for cybersecurity can look and get a clearer picture of what's happening. If there's no record keeping, if every agency is just dealing with these on their own, you don't have that holistic picture, and we're not able to keep these standards going forward.

Again, we'll try to address that more comprehensively in our written brief. Our thinking right now is that mechanism in PIPEDA roughly works in the Privacy Act context as well, but we're still trying to see if there are any specific peculiarities in the public sector context that should be addressed, if that helps.

12:30 p.m.

Conservative

The Chair Conservative Blaine Calkins

Thank you very much, Mr. Saini.

We now move to Mr. Kelly for five minutes.

12:30 p.m.

Conservative

Pat Kelly Conservative Calgary Rocky Ridge, AB

I understand from my previous question and got an idea that there is certainly anxiety from people who are in contact with, for example, the Civil Liberties Association raising concerns about anecdotal things people hear and are trying to get a handle on new technologies and fear their implications.

There seems to be a greater anxiety around changes in technology than specific instances of breach, or specific ways in which government may have mishandled information.

What do each of you make of the commissioner's recommendation that his office receive an explicit public education in research mandate? The education around privacy, we've had talk from some of you witnesses about the value Canadians place or ought to place on privacy.

What do you make of the recommendation for an education mandate for the commissioner? I'll let each of you have a quick stab at that.

12:30 p.m.

Investigative Researcher, Advocate, As an Individual

Ken Rubin

I think it's important, but I think expanding his investigative powers—that's his main job—is even more important, because right now he doesn't have all the tools in place to go to court or to make recommendations on metadata, biometric data, and all the rest.

If you don't mind, to go back to your earlier item, here's the act and you ask, why do we need it done? It's the purpose clause. When you look at the purpose clause, it doesn't talk about the right to privacy. It talks about the right of access to personal information, and that's a totally different thing. When you get to the sections on collection and retention disposal, it's a page and a half, and it doesn't say anything. It's out of date.

I think we need more than giving the commissioner more powers and explicit powers. He already does education and so on. He needs to do more audits. He needs to do more technological assessments.

In terms of the act, I think it does need updating, and I'm sorry if I'm going beyond what your question was.

12:30 p.m.

Conservative

Pat Kelly Conservative Calgary Rocky Ridge, AB

Not at all, that's perfectly fine.

12:30 p.m.

Staff Lawyer, Samuelson-Glushko Canadian Internet Policy and Public Interest Clinic

Tamir Israel

I want to say, and just underpin, without mitigating it we do feel that in the investigative area there are shortcomings in the substantive elements of the act that need to be addressed from a public policy perspective, as well as to ensure public confidence moving forward.

I also think the education component is important on both fronts. A lot of what we do is explain to people what is happening. Sometimes there is a tendency to overreact or under-react because the technology is so sophisticated and it's hard to understand what it's doing on the ground. An education mandate would help a lot on both those fronts, as it does already on the private sector side with PIPEDA.

12:35 p.m.

Conservative

Pat Kelly Conservative Calgary Rocky Ridge, AB

I'll ask Mr. Keenan a question.

I was intrigued by one of the first things you said in your preamble about hackers and differentiating between good and bad hacking. Perhaps the good and bad is maybe in the eye of the beholder. If people have a fundamental right to privacy, what is a good hacker then?

12:35 p.m.

Professor, University of Calgary, As an Individual

Thomas Keenan

In my book the good ones are the ones who expose vulnerabilities and talk about it. A guy called me over and said, “Hey, let me show you something.” About half the buildings in Canada are locked with a key proximity card called HID. He has discovered a way to hack it remotely. He works for a big company. He's disclosed that to the manufacturer of this card, just like a year ago when people disclosed vulnerabilities in cars like the Jeep Grand Cherokee that could be remotely hacked.

I did learn something interesting. Although General Motors and the companies behind it have put out fixes, major car rental companies haven't bothered to implement those fixes yet. You may be renting a car in the U.S. that's still hackable because they don't want to lose the revenue and take it off the line.

My point is that things have to be done. The hackers provide the information, but then it's up to whoever's responsible for the data, or the car in this case, to do something about it.

12:35 p.m.

Conservative

The Chair Conservative Blaine Calkins

Thank you for that answer.

Mr. Bratina for five minutes, please.

12:35 p.m.

Liberal

Bob Bratina Liberal Hamilton East—Stoney Creek, ON

I'm interested in the consequences of breach, material, theft of intellectual property, damage, loss of reputation, and so on. We're getting into this notion of malfeasance versus whistle-blowing. Is Snowden a hero or a villain?

12:35 p.m.

Staff Lawyer, Samuelson-Glushko Canadian Internet Policy and Public Interest Clinic

Tamir Israel

Can you guys recommend amnesty, or is that outside the scope of this?

12:35 p.m.

Liberal

Bob Bratina Liberal Hamilton East—Stoney Creek, ON

We need a recommendation.

12:35 p.m.

Staff Lawyer, Samuelson-Glushko Canadian Internet Policy and Public Interest Clinic

Tamir Israel

I would say that having worked in this space pre-Snowden, we anticipated a lot of the activities he exposed and many found to be a bit disproportionate. It at least kicked off a robust conversation around the appropriate parameters of these activities.

There was no way of getting any sort of evidence, even though it was known what was happening by us, as well as by bad actors. There was no way to get the policy debate going, and having this trove of direct and credible information on what's happening on the ground, to us, was useful as a civil society organization.

My understanding was that he tried to be cautious in ensuring that the information that made it into the public record was contained and redacted in ways that didn't undermine security capabilities too much. I put that to his credit, but everyone can judge for themselves.

12:35 p.m.

Liberal

Bob Bratina Liberal Hamilton East—Stoney Creek, ON

Mr. Rubin, do you have a comment?

12:35 p.m.

Investigative Researcher, Advocate, As an Individual

Ken Rubin

I think he's performed a very valuable service. When you're talking about how we should expand the education mandate of the Privacy Commissioner, I think everybody, whether they're in the workplace or citizens, has to be vigilant or call to account things that they know about, and talk about them. These are problems that we all have to face, and so I think it's very important that a guy like that has exposed a whole set of technology and confirmed it, which otherwise wouldn't be there.

I think you should offer incentives for people—call them whistle-blowers—and some protection, for sure, for good hackers or whatnot, who are doing this kind of thing. We need more than just another educational paper on metadata. We need people who are on the front lines and are telling us what is there. This was major.

If President Obama wants to pardon him, I would not object.

12:35 p.m.

Professor, University of Calgary, As an Individual

Thomas Keenan

I know Snowden's parents, and his mother sent a copy of my book. I said, “Do you want it in digital form?” She said, “No, I can get stuff to him in Russia.”

He definitely did a service, there's no question about that, and in some subtle ways. For example, last year the United States Department of Defense had a “hack the Pentagon” contest. You had to be an American. You had to be a certified white hat hacker. They actually got bug reports about their own system. It's an admission that nothing can be fully secured, and there was the U.S. Pentagon admitting that. I'm not sure if that would have happened if it hadn't been for Snowden.

12:40 p.m.

Liberal

Bob Bratina Liberal Hamilton East—Stoney Creek, ON

Ms. McPhail.

12:40 p.m.

Director, Privacy, Technology and Surveillance, Canadian Civil Liberties Association

Brenda McPhail

I'm in alignment with my fellow panellists when I say I would come closer on the hero side than the villain. I think that, even if you just look at the conversations we've started to have now about mass surveillance, about what limits there should be, about whether it's effective, whether it's useful, all of those kinds of conversations were started once we knew exactly some of the things that were happening in the world.

I'm part of an international civil liberties group. I can tell you that people engaged in civil society work from every country have been using the information that he put out in order to start conversations in their societies about the appropriate limits of surveillance, and about the appropriate ways that we weigh privacy rights and security rights in democratic societies. I think he made a very valuable contribution.

12:40 p.m.

Liberal

Bob Bratina Liberal Hamilton East—Stoney Creek, ON

Thanks, Chair.

12:40 p.m.

Conservative

The Chair Conservative Blaine Calkins

We now move to Mr. Blaikie. You have three minutes, sir. Then Mr. Long, I think we might have one minute left for you to finish your questions.

Mr. Blaikie.

12:40 p.m.

NDP

Daniel Blaikie NDP Elmwood—Transcona, MB

Thank you very much.

I know there was reference made to a standard in Europe. I was just wondering if any of the panellists want to provide some other examples of good privacy legislation in other jurisdictions, and in particular some features of that legislation that you think would make sense to adopt in Canada.

12:40 p.m.

Professor, University of Calgary, As an Individual

Thomas Keenan

I'll just say I brought up the EU GDPR, general data protection regulation. Some people say it's the reason for Brexit, that it's 88 pages of rules. It does look a bit bureaucratic. I think it should be mined by us to look for the very good ideas that are within it, but not adopt it holus-bolus.

12:40 p.m.

Staff Lawyer, Samuelson-Glushko Canadian Internet Policy and Public Interest Clinic

Tamir Israel

There are a number of regional documents. The OECD has a set of privacy guidelines, which Canada actually took a very active role in updating a year or two back. The Council of Europe has a comparable overarching data protection framework that is inspired by the European framework but is actually a little more universal and less steeped in the 85 pages of details; it's a much shorter document. That's also being updated right now, so I would keep an eye on that.

One of their recommendations in particular has to do with how to deal with transparency around algorithm decision-making, which I touched on very briefly in my comments. It's something that is going to be a problem moving down the road as governments adopt automated processes as shorthand for making various decisions. The challenge there is how you get transparency around the decision-making process without giving away the actual math, because then it could be gamed. They're working to find a way to address that, so I would keep an eye on that. We could provide some others in our written comments as well.

Thank you.

12:40 p.m.

NDP

Daniel Blaikie NDP Elmwood—Transcona, MB

I have a last question about something that's curious to me.

When we talk about technology taking off and data taking off, one place where that happens is with political parties, which are gathering a lot more data now. That's not covered under the Privacy Act, because that's government. It's not covered under PIPEDA. It's not really covered anywhere. Where would any of you think is the most appropriate place, if there were going to be some regulation around the use of personal information by political parties, to place those rules?