Evidence of meeting #97 for Access to Information, Privacy and Ethics in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.)

A video is available from Parliament.

Also speaking

Jerry Fishenden  Technologist and Government Advisor, As an Individual

March 27th, 2018 / 8:45 a.m.

Conservative

The Chair Conservative Bob Zimmer

I call to order meeting number 97 of the Standing Committee on Access to Information, Privacy and Ethics. Pursuant to Standing Order 108(3)(h)(vii), we are studying privacy of digital government services.

Today we have with us Jerry Fishenden, a technologist and government adviser, as an individual.

Go ahead, Mr. Angus.

8:45 a.m.

NDP

Charlie Angus NDP Timmins—James Bay, ON

I know we're later going to be discussing the witness list for the study of the growing Facebook scandal. I am concerned, and want to put it on the record for my colleagues to think about it. Right now in the United Kingdom, the question of whether the Facebook platform was used illegally to undermine the Brexit vote, and possibly change the Brexit vote, may have a direct Canadian link to Jeff Silvester and the work that AIQ did. It's my understanding that Mr. Silvester, because of jurisdictional limitations, is refusing to testify before the U.K. committee.

However, it would be well within the mandate of our committee to call Mr. Silvester to testify because of the power of the third party operators to misuse personal data and possibly undermine the Brexit leave vote. To that end, if we agree to bring him to testify, which we could by subpoena if necessary, we should make the U.K. committee aware of our work so that the U.K. committee, if it has questions about how the referendum was undermined by this misuse of the Facebook platform, could provide us with briefing notes as well, so that we could get this thing done.

We're talking about something that's much broader in terms of potential impact on the democratic process than we've looked at in the past. There would be an urgency to it, and I would certainly be looking to my colleagues to say it would be well worth our while to reach out to the U.K. committee at this time.

8:45 a.m.

Conservative

The Chair Conservative Bob Zimmer

Mr. Angus, are you making a motion to that effect, or are you just making the request to the chair that I look into it?

8:45 a.m.

NDP

Charlie Angus NDP Timmins—James Bay, ON

We can handle this a number of ways. I could do it as a motion now. We could do it in camera, but we have to apprise ourselves of the seriousness of this situation, because the United States is looking at it. The U.K. is looking at it, and two of the main players are Canadian. We should be taking account of the seriousness of this situation and making it clear that we will address it.

I know there are a number of witnesses we are going to talk about and I don't want to take time out from the witness that we have, but in the case of Mr. Silvester, we should say he is definitely someone who's going to be appearing before our committee.

8:45 a.m.

Conservative

The Chair Conservative Bob Zimmer

Would you like to open up the discussion now, or would you like to talk about it?

8:45 a.m.

NDP

Charlie Angus NDP Timmins—James Bay, ON

I'll turn it over to Mr. Erskine-Smith and see what he thinks.

8:45 a.m.

Liberal

Nathaniel Erskine-Smith Liberal Beaches—East York, ON

I'm certainly open to this conversation, but we should have a conversation later after our witness has presented. Obviously the analysts prepared a briefing note, and this was not in the briefing note.

I listened with interest to Chris Wylie's testimony at the U.K. committee this morning, so I am open to all potential witnesses and the conversation to that end. We're going to deal with this, as I understood it, after we hear from this witness, and we're going to be dealing with this as we ordinarily do, dealing with potential witnesses after our committee business. Let's have this discussion at that time.

8:45 a.m.

Conservative

The Chair Conservative Bob Zimmer

I watched the testimony this morning with interest as well, so we'll do that following this testimony.

Go ahead, Mr. Fishenden.

8:45 a.m.

Dr. Jerry Fishenden Technologist and Government Advisor, As an Individual

Good morning. Thank you for the opportunity to provide evidence. I'm doing so in a personal capacity, as you've mentioned.

Consumer and citizen trust is essential if governments and businesses alike are to use technology to the benefit of us all, yet all too often we are seeing personal data being taken and misused. It's either by intent or as a consequence of poor security and privacy. Topically, the Facebook and Cambridge Analytica revelations are obviously highly pertinent to that.

We need to improve the general level of understanding about data and computing. Equally clear, there is a need to increase the understanding of the important difference between public or open data and private or personal data, which citizens wish to see better protected. In particular, we need to ensure that sensitive data, which covers everyone from vulnerable children to undercover law enforcement, is much better protected.

Much government data is often of poor quality, since many people only deal with central government occasionally. It's also duplicated in many places. Government generally lacks well-developed data architectures. There's a need to map and better understand the use of data and stop believing that data sharing is a way to fix poor design.

In computing, we already have better approaches that can be used, such as zero knowledge proof, use of interfaces, encryption, authentication and authorization, and attribute or claim confirmation. Zero knowledge proof, for example, enables one party to prove to another party that a given statement is true without conveying any information apart from the fact that the statement is indeed true—for example, that I am over 21 or that I'm entitled to a particular welfare benefit.

Such computational techniques need to be embedded in the way we design systems. If they're not, the more the paper age data-sharing legacy persists in an age where computer systems operate on a scale and at a pace previously unknown, the quicker security, privacy, and trust will be degraded and fraud increased. The human and financial suffering data misuse causes is only likely to increase unless governments adopt stronger legal and technical means of protection.

One country in particular that the U.K. has looked to and learned from is Estonia. They have a good set of principles, particularly in terms of putting the citizen at the centre and organizing around them, even to the extent that citizens can see which officials have had access to their data. Transparency is I think essential to help build and maintain public trust.

In 2011 Francis Maude, MP, the then Minister for the Cabinet Office in the U.K., established the Privacy and Consumer Advisory Group. It comprised academics, privacy and security advocates, and representatives of consumer groups. Its remit was to ensure that government programs address citizen privacy, trust, and confidence, from initial policy planning to requirement specifications and through to delivery.

The group worked very well when it had the direct backing of a strong minister like Francis Maude, but after his departure some officials no longer responded to or attended the group. My recommendation would be to establish a similar expert group but have it report directly to Parliament, perhaps via a committee such as yours, so that it cannot be marginalized or ignored.

The Government Digital Service—GDS—technology code of practice is important. It sets out criteria to help government design, build, and buy better technology, and it emphasizes privacy in particular, including explicitly that citizens should have access to and control over their personal data. The code still has a principle that privacy should be integral.

The prevention of cyber-attacks and the protection of data is a constant challenge, from external attacks to insider abuse, whether that's an official inappropriately accessing or using data or indeed a developer putting in place rogue code that can later be exploited. The U.K. has expert help and guidance in this regard from the National Cyber Security Centre, which is part of GCHQ.

I do have, however, a concern about inadequate privacy by design and security engineering.

Many government departments and agencies have set up their own bespoke development programs using web developers, many of whom are not trained or experienced in writing secure code. The requirement of minimal standards for software engineering quality should be considered, such as the ISO standards, the application of the Consortium for IT Software Quality, and specialist advice such as that available from the NCSC.

At the infrastructure level, there is better practice around the protection of data, both in motion and at rest. There are also strong access controls and auditing, including protective monitoring of the most sensitive systems.

A lack of understanding of technology, both the good and the bad, at the most senior levels can create gaps in policy and between intent, outcome, and legislation. Sometimes existing legislation can be a blocker to effective improvements in services and their outcomes. It's important to have a process for highlighting where legislation needs to be simplified or updated.

There can be a naive tendency amongst some politicians and officials to assume that technology can somehow magically solve complex policy or socio-economic problems. I wish that were true. The idea that technology can be a solution for everything does need to be challenged. It must never be about websites and online services, but how better digital infrastructure helps those who need face-to-face services too, and those who don't have access to modern technology.

Government can lead by example in the secure, consent-based use of data and the establishment of principles to be applied to the ethical use of data and software that acquires, processes, and utilizes it.

One of the key issues on which government should be playing a leading role is user consent: engaging and educating users to ensure their consensual participation and understanding, including of the data they are revealing, what's being done with that data, and how they can provide or indeed revoke consent.

Another key role is in the legal aspects, by ensuring legislation is adequate or by identifying work that needs to be updated to keep pace with changing technology.

Government can also play a role on the economic issues, meaning understanding the impact that better use of data and techniques such as artificial intelligence and machine learning are likely to have, both at microeconomic and macroeconomic levels, including on the potential future configuration of public services as the Internet of things and embedded health sensors become more ubiquitous.

Then there are the access and control issues of establishing a trust framework, one that spans anonymization, pseudonymization, and strong identity proofing.

I've already mentioned data quality. It's to ensure data is of sufficient accuracy and veracity to ensure that resulting decisions are coherent, particularly before building analytics and machine learning on top of unknown data quality. Users need to be provided with access to their own data to ensure their records are accurate.

Data de-identification and anonymity are known problems that already exist with anonymizing personal data successfully. This is becoming an increasingly significant and complex issue. De-identification is not the same as anonymization, and more research is needed in this area.

On data access, we need to ensure that appropriate control mechanisms for public, private, or personal data accessed by systems are in place. This includes appropriate protections ranging across security, privacy, audit, accountability, and protective monitoring.

On data veracity and integrity, how do we know that data being used by such systems can be trusted? How do we know all data have been released from the systems when we attempt to regulate or ensure they're compliant with laws of non-discrimination?

Concerning code jurisdiction, code and data are increasingly operating in the cloud or serverless environment in systems scattered across the planet. There is a need to clarify how they meet the standards required—for example, not exhibiting biased, illegal, or discriminatory behaviour or being compromised by hostile actors.

Finally, on resilience, as many services become ever more reliant upon the new generation of interconnected systems, the potential resilience to failure, whether that's caused by accidental or malicious purposes, is a significant issue. More research is required into the potential interactions, vulnerabilities, and risks of the emergent systems of systems.

If the best legal, ethical, and trust frameworks are not in place, the poorly designed acquisition and use of personal data will be discriminatory, wrong or inaccurate, biased, unaccountable, manipulative, and they will create significant security, privacy, legal, and trust issues.

However, if well applied, there is certainly an upside, which is that they can help support better policy-making, health care, education, and transport, for example, through responsive and more efficient systems.

Consistent standards of security, privacy, and software engineering, together with transparency, are required. To be successful, any digital or e-government initiative first needs to determine what it wants to achieve by going digital. Is it simply to automate existing services, or is it optimization, re-engineering, or transformation? Is it about moving resources towards the front line by taking cost out of internal operations by helping to streamline and simplify them? There needs to be clarity about exactly what the design outcomes and benefits are, rather than a simple assumption that this is something we need to do in the digital age.

I think that government can play a significant and positive role in showing how we can enjoy the upside of our digital age, rather than the downside. Rather than simply following the model of the worst of the private sector, misusing and abusing data without users' meaningful consent, government should look to raise standards. There is a chance to lead by example.

I would be happy to provide more detailed links and references after today's session if that would be useful. Thank you for taking the time to listen to me this morning.

9 a.m.

Conservative

The Chair Conservative Bob Zimmer

Thanks once again, Mr. Fishenden.

We'll go first of all to Mr. Nathaniel Erskine-Smith. You have seven minutes.

9 a.m.

Liberal

Nathaniel Erskine-Smith Liberal Beaches—East York, ON

Thanks very much.

With this study, we're looking at how digital government can improve services for Canadians while also protecting their privacy and security. Do you have an ideal case, an example that we could specifically point to and say, “Here's an initiative that has done just that”?

9 a.m.

Technologist and Government Advisor, As an Individual

Dr. Jerry Fishenden

I think there have been several initiatives in which privacy has been very much at the core of the program. I think some of the programs have struggled. One of the particular ones that comes to mind is the GOV.UK Verify program, which looks at identity. It's based on a very sound set of privacy principles, and it was designed from the ground up to ensure adherence to those and to take account of upcoming legislation, such as the European Union's General Data Protection Regulation. However, I think that for other reasons, this program has struggled to deliver the outcome it once set out to achieve.

Other areas that I've been involved with include some of the police national systems, where the thing is generally very well designed in terms of data protection of the citizens involved and has protective monitoring. Unfortunately, there have been one or two cases that have proved the value of the protective monitoring in terms of officers being belatedly identified as having abused the trust with access to those systems. I think we need to look at ways to have more proactive monitoring on systems so that if there is potential abuse by an insider such as in those cases, or indeed by a hostile player from outside, we're much more timely in the way we respond to those incidents.

9 a.m.

Liberal

Nathaniel Erskine-Smith Liberal Beaches—East York, ON

In terms of ideal cases, though.... I mean, in your comments, you indicated that the U.K. looked to Estonia. We had Estonian officials before us last week, and they spoke very highly of their system. It has improved services. They've reduced costs—2% of GDP. There has been no identity theft with regard to their digital ID. Is that, in your view, if you look internationally, the model?

9 a.m.

Technologist and Government Advisor, As an Individual

Dr. Jerry Fishenden

I have a lot of respect for the Estonian approach, and I've spent time with their officials and politicians as well.

I think one of the things, to be frank, that we struggled with in the U.K. is that theirs obviously relies on quite a different approach to identity than the one the U.K. has adopted. That forms the core of the system. To be frank, we are still struggling in the U.K. with adopting a reliable and consistent identity framework that would enable citizens not only to easily prove who they are when they're online, but also to prove that a particular dataset belongs to them, which is a much more complex issue. Even if I've proved who I am to a third party, when I turn up at the front door of the National Health Service or the welfare office and try to claim access to a particular record, there's still a need to associate my identity with the particular data held in different data silos across government, and that's proving also to be quite a complex challenge.

9 a.m.

Liberal

Nathaniel Erskine-Smith Liberal Beaches—East York, ON

That's an interesting point, because when the Estonian officials were before us last week, my colleague Mr. Baylis asked them to walk us through the building blocks, the starting point of where we should begin. They said that the starting point has to be the digital ID. They noted that their digital ID is itself an encryption device, which is why they haven't had the identity theft issues that we've had here without having digital ID.

You've criticized the U.K.'s digital assurance program to date. Is what Estonia did...? The question, fundamentally, is this: why not do exactly what Estonia did?

9 a.m.

Technologist and Government Advisor, As an Individual

Dr. Jerry Fishenden

That's a good question, and it spills over into the realm of politics. The current identity assurance program, Verify, was created after the incoming government of 2010 abolished the U.K. ID cards program, which had been a political commitment by the coalition government, the Liberal Democrat-Conservative government. They were very keen to find a method of achieving a similar outcome, but one that did not mandate that every U.K. citizen needed to go and register their biometrics on a national identity register. This was an attempt to find a middle ground.

I think, partly, there's also been a change in that we have an initiative such as open banking, which started recently in the U.K., under which you can go online and prove who you are using your bank as the backstop in terms of confirming your online identity and then confirming through a third party that you are who you say you are. I think there's currently a desire to have a look at what the government originally wanted to achieve, which was effectively a marketplace of trusted identity providers working within a framework that government trusted and ultimately could regulate if necessary, and whether that can now be achieved by changes that are happening in the marketplace anyway.

The one missing thing, to me, is still this link between a proven identity and the various silos of data that relate or belong to me sitting in the different government departments. There needs to be more discussion about the process that's going to bind my identity to those different multiple datasets in a way that people can—

9:05 a.m.

Liberal

Nathaniel Erskine-Smith Liberal Beaches—East York, ON

To that end, you mentioned that politics sort of got in the way, to some degree. Assuming we remove politics from the equation, then would the best policy answer be to adopt what Estonia did with the digital ID in their encryption device, or would you say there are ways to improve upon the Estonian experience?

9:05 a.m.

Technologist and Government Advisor, As an Individual

Dr. Jerry Fishenden

I think if you're starting out, you could follow a track very similar to the Estonia approach. Most people now carry mobile phones or mobile devices around with them. I'm thinking of a principle of using those mobile devices as the core means of proving identity. I use that approach with a lot of my online commercial services. I have two-factor authentication or two-factor verification set up so that when I try to log in online, I get either a time-based code I can read from my phone or a text message sent to me, which is obviously less secure. I think government could take advantage of the technology enhancements that have happened since the Estonians developed their model to come up with a solution oriented around mobile devices that's probably more amenable to trust.

I think the issue in the U.K. was partly the fact that the Home Office was seen as the arbiter at the national identity register and the feeling that people were going to have to store all of their biometrics and personal data with one single government department. I think that now there would be more effective ways of linking one proven identity to the different data silos or lockers so that I could prove who I was to the NHS, the National Health Service, and prove the link to my health records without necessarily exposing that linkage to perhaps the taxation department or the welfare department, if it were not appropriate for me to do so or there was not a regulatory reason that I needed to do so.

9:05 a.m.

Conservative

The Chair Conservative Bob Zimmer

Thank you, Mr. Erskine-Smith.

Next up is Mr. Gourde.

9:05 a.m.

Conservative

Jacques Gourde Conservative Lévis—Lotbinière, QC

Thank you, Mr. Chair.

I'd like to get back to the digital data concerning Canadian citizens, and perhaps to data pertaining to citizens of other countries as well, which are sent to various departments, where people work in isolation.

In my 12 years as an MP, I have come to realize that when they come to me for help, some of my fellow citizens' problems are due to the fact that there is erroneous data, and it differs from one department to the next. This causes problems for them. We then have to do a search with them to help them reestablish the accuracy of information. For instance, it's often an address that differs from one department to another, quite simply. This means that citizens lose rights or services, among other things.

In order to get around the issue of work done in isolation, could we not create a personal digital file for every individual? Everyone would have the right to his or her file, which would belong to them, and they could correct it themselves so that the data would be real, accurate and in real time. It could be the individual's responsibility to see to it that his file is always up to date.

9:05 a.m.

Technologist and Government Advisor, As an Individual

Dr. Jerry Fishenden

You paint a picture I recognize. It sounds very similar to the United Kingdom model, with data held in multiple places, often with conflicting information.

I'm very much a believer in the citizen having access to their data and control over it precisely for that reason. I think the citizen is the ultimate arbiter of their own data, subject to some validation, obviously, where necessary, by the government. Maintaining their own records would be a good way to do it, as we do with commercial organizations when we log in and update our credit card details or our address records.

Some of the U.K. has started to do that. We now have a single tax portal. When I log in, it not only shows me my current tax position but also my state pension position, even though that data is coming from a separate department. It enables me to see in one place data that spans more than one government silo.

I don't think necessarily that enabling citizens to access and maintain their own records means you have to pull all the data into a single database. The fear is always that if it's all in one place, a potential compromise will mean that all of that citizen's data is compromised at the same time. I think there can be good justification for silos if that is done as a design intent and if the user, the citizen, can still maintain their data through a single online service, even if the data that's updated then goes back into perhaps....

I'm thinking about areas like health, where citizens are particularly sensitive about their records potentially being made available to others. I think that in some sense, just having a silo by design around health records can be a good thing, but enabling the citizen to still update the common aspects of that record, such as addresses, across multiple government agencies could still be achieved through a single portal.

To me, it comes back to the identity issue, which really does need to be cracked first. You need to know which citizen it is and then to establish that they really are the citizen who owns those different data records. Then I agree entirely that the citizen is well placed to look at the data and to either directly make amendments and corrections or to request the appropriate corrections and amendments by the owning department.

9:10 a.m.

Conservative

Jacques Gourde Conservative Lévis—Lotbinière, QC

A central file would no doubt allow citizens to be informed of the fact that this or that department or organization is using their data, if they were asked for that authorization in order to provide services. For instance, the Canada Revenue Agency could ask for the authorization to access a person's central digital file to solve a problem. Currently, Canadian citizens do not know which departments consult their existing digital data.

I believe that this data belongs to individuals and that they should be aware of the fact that an organization is doing research on them.

Do you think it would be legitimate that the individuals in question ask to be kept abreast of the fact that a department is examining their digital data?

9:10 a.m.

Technologist and Government Advisor, As an Individual

Dr. Jerry Fishenden

Yes, I think the principle is very sound. Obviously there are occasions when the state needs to make investigations in the background to which it would not be appropriate to alert the citizen, such as cases of fraud or crime, but as a general principle I think it's right.

That's partly why I like the Estonian system. Estonian citizens can see which departments and officials have been accessing their records, and if they feel that wasn't appropriate, they can request an explanation as to why their records have been accessed by either a particular official or by a government department. I certainly believe that would be a very good way to go.

9:10 a.m.

Conservative

Jacques Gourde Conservative Lévis—Lotbinière, QC

On the health front, that's really very interesting.

When you go to the hospital, there is a file about you on site. That file is shared, or it is not. If you change physicians during your life, it unfortunately happens that files are not transmitted in their entirety, or that the information they contain is not sufficient.

Digital health data should be compiled in a file that would follow us all our lives. It would be more practical and safer for people. What do you think?

9:15 a.m.

Technologist and Government Advisor, As an Individual

Dr. Jerry Fishenden

It would be ideal if we had a composite health record.

I'm also very conscious, with the growing use of wearable devices, that our health information now spans far wider than it did in the past. For example, I'm wearing a device that measures my heart rate periodically, and my exercising. It would be good if it could all be consolidated into a single place, so that when I go to see my doctor, they're aware not only of the health service interventions in my life but also of my lifestyle.

Again, I think it's making the citizen the custodian, or at least having the citizen have access and control so they can decide what they want to share among different officials. I would happily share any medical data from my wearable devices with my doctor. When I go to see them, they can either validate whether I'm telling the truth about how much I exercise or at least get insight into some of my lifestyle that would enable them to provide better health care to me.

I think it's an important point that's sometimes missed, particularly with the system we have in the U.K. at the moment, that more and more health data is no longer held exclusively within the health care system. As consumers and citizens, we're going to be generating quite a lot of useful medical information that also needs to come into those records.

I'm basically agreeing that it would be nice if there were a very highly trusted place where we could store both the medical service data and our own personal health acquired data, so that there would be a single health data repository that would enable medical professionals to give us the best possible care.