Information & Ethics Committee on April 17th, 2018

Good morning.

I would like to thank the committee for the invitation today to discuss the privacy implications of online platforms and appropriate legislative responses to the concerns of citizens about how their personal information is being used.

As you are aware, I received a complaint about this matter and announced some weeks ago that my office is conducting a formal investigation into how personal information on Canadians has been impacted by the activities of Facebook and Aggregate IQ.

Due to my confidentiality obligations under the law, I'm not in a position to discuss the details of this investigation with you today. I cannot prejudge our findings.

What I can share with you, however, is some perspective on the wider context that may assist you as you begin your study.

Canadians want to enjoy the many benefits of the digital economy, but they rightly expect they can do so without fear that their rights will be violated and their personal information will be used against them. They want to trust that rules, legislation, and government will protect them from harm.

In the recent Facebook matter, what happened, as acknowledged by CEO Mark Zuckerberg, was, quote, a “major breach of trust”. As recognized by the CEO of another giant tech company, Tim Cook of Apple, the situation is so dire that it is now time to develop well-crafted legislation to regulate the digital economy. The time of self-regulation is over.

In Canada, we of course have privacy legislation, but it is quite permissive and gives companies wide latitude to use personal information for their own benefit. Under PIPEDA, organizations have a legal obligation to be accountable, but Canadians cannot rely exclusively on companies to manage their information responsibly. Transparency and accountability are necessary, but they are not sufficient.

To be clear, it is not enough to simply ask companies to live up to their responsibilities. Canadians need stronger privacy laws that will protect them when organizations fail to do so. This was a major conclusion of my annual report to Parliament last year, and a point I made during your recent study of PIPEDA, Canada's private sector privacy law.

Significantly, given the opaqueness of business models and complexity of data flows, the law should allow my office to go into an organization to independently confirm that the principles in our privacy laws are being respected—without necessarily suspecting a violation of the law.

The time has also come to provide my office with the power to make orders and issue financial penalties, helping us to more effectively deal with those who refuse to comply with the law.

Strengthened legislation does not need to be an impediment to innovation. We know that personal information plays a key role in the digital economy, including advances in the field of artificial intelligence, which are necessary for Canada's social and economic development. We need legislation that ensures, as a general rule, that Canadians provide meaningful, informed consent for the collection and use of their personal information. But consent will not always be possible in the world of big data and artificial intelligence, where personal information may be used for multiple purposes not always known when it is collected.

This is why we recommended that Parliament examine exceptions to consent. We believe such exceptions, subject to conditions that would offer other forms of privacy protection, are preferable to relying on an interpretation of consent that is so broad as to become meaningless. We prefer narrower, specific exceptions, but we recognize that one option could be a European-style legitimate interest exception.

I'm of course very pleased that your committee recently issued a report calling for comprehensive changes to the federal private sector privacy law, which included several recommendations I had made but also others that would significantly improve the privacy rights of Canadians. Your report has shown that you are attuned to the issues stemming from the dated state of federal privacy laws in Canada, and you have actively called upon the government to make comprehensive changes.

Many in society, particularly in the last few weeks, are making similar calls. Even leaders of the tech industry now see the need for enhanced regulations.

If there was ever a time for action, I think, frankly, this is it.

Another area ripe for action concerns privacy protections and political parties.

As you are aware, no federal privacy law applies to political parties; British Columbia is the only province with legislation that covers them.

This is not the case in many other jurisdictions. The UK, much of the EU and New Zealand all cover political organizations with their laws.

In point of fact, in many EU states, information about political views and membership is considered highly sensitive, even within existing data protection regimes, requiring additional protections.

There are also now—in the digital environment—so many more actors involved: data brokers, analytics firms, social networks, content providers, digital marketers, telecom firms and so forth.

So while I am currently investigating commercial organizations such as Facebook and Aggregate IQ, I am unable to investigate how political parties use the personal information they may receive from corporate actors.

In my view, this is a significant gap.

Some independent authority needs to have the ability to review the practices of political parties and to assess whether privacy rights are being truly respected by all relevant players.

This gap requires addressing in one statutory form or another, either in privacy laws, in the Canada Elections Act or in a specific statute.

In conclusion, I would again highlight the urgency to act, as well as the stakes involved.

The integrity of our democratic processes—as well as trust in our digital economy—are both clearly facing significant risks.

I cannot think of more relevant questions for legislators to confront, and I applaud you for doing so.

Thank you again for your invitation, and I would welcome your questions.

Thank you.

Yes. I have one final point.

There is also a cryptocurrency token aspect to this. Exactly one comment within the GitLab commentary section was marked with flag that later I noticed was a confidential flag. That comment had to do with the Midas token. I looked into it. The Midas token was a project they were working on, and it was tagged to a website selling cryptocurrency at a $10,000 minimum buy-in.

The website has gone down since this was made public, and it feels very fishy to me. If you could figure out why somebody was developing a cryptocurrency on the AggregateIQ GitLab instance, for sale to the public, and why they would possibly not want anyone to know about this, I think it would be worth the investigation.

Thank you. I look forward to answering any questions.

It's highly likely that this has occurred. I have the tools. I don't have the ingredients that those tools mixed with, because that would have involved taking the additional step of going into databases and such. From what I see, there's no reason to have these tools in this way, and the documentation as it is, if you are not going to mix the political data for commercial reasons.

The most personal information specific to the voter data breaches or just generally?

The most detailed message you have sent to a loved one through any chat app could very easily be logged, archived, tied to your name.

Yes, but let me clarify. There is a separate Facebook-related incident that has not been reported at all yet—I'm working with a journalist right now to bring it to everyone's attention—that is not involved with Cambridge Analytica, as far as I know, but the number is 48 million people on that one. It does involve messages. The degree of privateness they were sent...is not quite determined yet, but they do get pretty personal.

Yes. In their documentation, Aggregate IQ go into detail about their system. It starts with being bootstrapped by the RNC's Data Trust data vault, which is the Republican National Committee here in the United States. I had actually found the Data Trust database before it was part of the find in June 2017. It's quite extensive. It contains data as they merged with i360, which is a Koch brothers-backed political information company. Data Trust deleted a blog entry where they claim to have merged their data with i360.

There's also L2 Political. They provided data to this whole beast of a machine. That was admitted to on Cambridge Analytica's website recently.

Facebook is obviously part of it. The documentation by AggregateIQ goes on to explain that commercial databases are involved. I know that Experian is one that contributed data toward the RNC Deep Root Analytics data briefs that I found in 2017. I know that because there were Experian IDs being lined up to each voter ID with all the consumer habits being tied onto everybody.

AggregateIQ also states that candidates can bring in their own sources of volunteer and supporter and donator information. They'll aggregate all that into the main “database of truth”, as they call it. State voter files then corroborate what the RNC has on file.

So there's really no end to what they can plug into here.

Well, one example that is very appropriate, because it illustrates both the original discovery and the whole nature of this relationship, is an employee named Ali Yassine. I usually try not to name people, but I feel that it's important for you to know this for the purposes of looking into it. He was a full stack developer for SCL Group. On his public GitHub page, he had code that came out of AggregateIQ. I know this because I found it within AggregateIQ's code base, and it was marked as being authored by an AggregateIQ employee named Koji. So you have SCL and AggregateIQ that supposedly have no relationship but both working with the same code base. Then, further on down in the code base, there is a field that says “client”, and written in there is “Cambridge Analytica”. Now, I can't see why SCL Group would be saying that Cambridge Analytica is a client of theirs. They basically own Cambridge Analytica. SCL Group is the mother ship on top of that. The only reasonable explanation to me is that AggregateIQ would have been the one putting Cambridge Analytica as the client, then the code being passed to SCL Group, and that just not being changed immediately. There's a little triangle going on there.

I can also tell you that the GitLab logs very clearly show that with the Ripon project, which was primarily developed for Ted Cruz's 2016 campaign, the very initial seeds of it were downloaded from the domain scl.ripon.us, placed in the GitLab, and developed and evolved from there. Scl.ripon.us is a domain underneath Alexander Nix's name. He's the one who is registered under the WHOIS records. That's another example of code flowing from one to the other.

Also, there are examples that Cambridge Analytica has put forward, through their public statements, of data that they used. More recently, I guess they felt pressure to be transparent about where the data came from. They admitted that they got the RNC Data Trust data. The RNC IDs are all over the place in the fields, categories, targeting scripts, and parsers that are present in AggregateIQ's repository as well as in their documentation. So if data [Technical difficulty—Editor] directly from one to the other, they are certainly dealing with the same type of data.

It's difficult to say. There are many factors at play here. Under the law, we have one year to complete our investigation. We'll obviously try to do so before then.

When you look at the allegations made, you see a fairly complex web of interactions between a number of players. These we will need to clarify. That could take a bit of time. We're also working in concert with other commissioners or data protection authorities. Of course, we're doing so with the Province of British Columbia, with which we're jointly doing this investigation, but we're also in contact with others, including in the U.K. but not limited to the U.K. There is, then, a bit of coordination.

What I'm saying is that this is somewhat complex, which may add to the time, but we have certainly at the most a goal of doing this within a year, and we'll try to do that before then.

I would say probably both, actually. The situation currently is that most federal political parties have privacy policies—internal codes of conduct, so to speak, in their relationship with the people with whom they interact and from whom they collect information. That's a start.

I think, first of all, the substance of these policies could be improved, from what we have seen. One common element missing from the privacy policies of federal parties is the right of individual electors to have access to the information that parties have about them. That's a huge flaw. There is, then, the issue of the substance. But these are voluntary codes, and no one independent of the parties examines whether the parties actually live up to the promise they're making in these policies. That leads me to a very important reason that political parties should be governed by legislation: to ensure that whatever substantive rules exist, hopefully better than what they are now, are verified by an independent third party.

Should that independent third party be the Privacy Commissioner, the Chief Electoral Officer, a third person? That can be discussed, but I think that what this leads to—leads me to, at least—is that there are at least two types of issues at play here. There's the issue of privacy and whether parties treat the personal information of individuals properly, which is a privacy issue that would make me, perhaps, the best person to look at the question. Then, the allegations that we have been seeing in the past few weeks lead to a mix of the use of personal information and privacy on one hand and political purposes on the other, which is more the domain of the Chief Electoral Officer. Ideally, I would say, the two institutions would be able to verify what is happening so that the expertise of each is put in common.