Evidence of meeting #99 for Access to Information, Privacy and Ethics in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was facebook.
A video is available from Parliament.
10 a.m.
Director of Cyber Risk Research, UpGuard, As an Individual
No, this is something entirely separate, as far as I am currently aware.
Part of the work I do tries to highlight the prevalence of this type of data breach. It happens a lot more often than people realize. It is something I come across all the time. It is very hard to surprise me these days. People don't seem to have any grasp of how often these very large spills of information are occurring.
10 a.m.
NDP
Charlie Angus NDP Timmins—James Bay, ON
I'll be following up in my next round with much more focus on the issue of the database breach and AIQ's role in it. But you said that the database was open, that you could just go there. I figure that if you're looking for this stuff, other people are looking for this stuff. I mean, we have Russian troll armies, we have cyber-threats, we have criminal gangs. Was that database open to exploitation from others? You mentioned the danger of other players. Would you elaborate on the potential danger of other players getting access to that data?
10 a.m.
Director of Cyber Risk Research, UpGuard, As an Individual
Yes. Every breach I come across—then see that it is secured after I've come across it and then eventually talk about it in public reports—is completely open to anyone and everyone with an Internet connection. There's no username, password, or other protection involved.
To get at what I believe you're asking about, the answer is, yes, if I'm coming across all of these and I'm one guy—now working with a team these days, but relatively one guy coming across all this—it would be extremely surprising if adversarial nations were not devoting large sums of resources to do the same for malicious intent.
10 a.m.
NDP
Charlie Angus NDP Timmins—James Bay, ON
We're going to get to this in my next round, but it's not just that the information that came from the app that was used from Facebook was taken from Facebook users; it is the ability of political operatives such as AIQ or Cambridge Analytica to use Facebook—the platform—to then either distort news or influence voters.
Can you talk about how the use of Facebook is not just the taking of the information but the ability to plant information?
10:05 a.m.
Director of Cyber Risk Research, UpGuard, As an Individual
Yes. As a starter to answer that, I want to make it clear that Facebook app usage and potential exploitation, going over into the grey area of what you can do with it, is a prolific problem. I discovered over the weekend that one of the Facebook apps tied to AggregateIQ—it actually has their name on it as a scraper—was classified under the games category of Facebook apps. I don't believe it's one that anybody has mentioned yet. There are probably many—
10:05 a.m.
Director of Cyber Risk Research, UpGuard, As an Individual
They have been suspended from the Facebook platform, so I believe it is no longer functional, but the identifier for the app still exists within the code that I found.
That's the first part of your question. Can you remind me what the second part of the question was?
10:05 a.m.
NDP
10:05 a.m.
Voices
Oh, oh!
10:05 a.m.
Director of Cyber Risk Research, UpGuard, As an Individual
I'm sorry. I'll try to be more concise.
10:05 a.m.
Conservative
The Chair Conservative Bob Zimmer
That's okay. It's valuable testimony.
We'll start a whole new round. We'll try to grab 10 minutes for committee business at the end of this, so I'm going to try to keep you a little tighter this time.
We'll start off with Ms. Vandenbeld for seven minutes.
10:05 a.m.
Liberal
Anita Vandenbeld Liberal Ottawa West—Nepean, ON
Thank you.
I'd like to thank both of you for being here. There's a lot of information here. What we really want to get down to is what the remedies are, what things we can do as legislators, because I think a lot of this is very alarming to our constituents and to Canadians.
I want to be sure that I'm understanding exactly what the problem is. You mentioned, Mr. Vickery, that data multiplies, so you can't actually prevent it, but you can contain it, and that these spills are happening all the time. This to me is a very bad combination. On the one hand, you have the issue of legitimate use of data. Let's say a political party is going door to door, and they run into somebody who says,“I really like your child care platform. I'm going to vote for you because of that.” They make a note of that so that the next time they do something on child care, they can let them know. Even if the person gives consent and says, “Yes, please keep me updated about that”, you've got that. Then that goes into a database. The issue to me is not so much whether the candidate goes back to the person and says, “Hey, look at this great policy we have”, but whether it is then shared, either accidentally or maliciously, with, say, Toys“R”Us, who says, “Ah, they're concerned about child care, therefore let's sell them toys.”
Is that where we're looking? Is that the problem, or is it vice versa, that Toys“R”Us might be accessing somehow this political data...or you're looking at what Toys“R”Us is selling to kids, or somebody on Facebook who shows they have kids, and inferring it? So it's the cross-purposes of data: is that where the issue resides?
10:05 a.m.
Director of Cyber Risk Research, UpGuard, As an Individual
It's happening both ways. Political data is making its way into commercial ventures and marketing, and the consumer behaviour data gathered by Toys“R”Us or whoever is making its way into political campaigning purposes.
I don't believe there's much of a problem with going door to door and knocking on somebody's door and gathering that data. You can't scale that out exponentially, because you're limited by time and space.
I don't know what gun laws are like in Canada, but in America we have the concept that you have certain guns that are okay to own, but we don't allow civilians to own machine guns. It's the same type of thing. You can have knocking on doors and gathering the phone number of one person at a time or whatever, but when that turns into more of a machine gun situation, whereby you are sending out thousands of surveys and emails and Facebook advertisements and everything and harvesting en masse the private details—or personal details, at least—of many, many thousands of times the people you could normally reach, that gets into the machine gun category, and that is dangerous.
10:05 a.m.
Liberal
Anita Vandenbeld Liberal Ottawa West—Nepean, ON
What worries me is what you were talking about; I think you said there are spills happening all the time. Even if you wanted to maintain it in a small, local campaign—just things that you're keeping or that a commercial entity is keeping track of, purchases of people in their store, or for advertising—when this is happening accidentally....
We're not talking about legislation that says you must notify when you share the information with X, Y, or Z, because many of these entities won't even know that they're sharing this information. It's out there in a place where then somebody else can access it. Really, it seems to me the problem is at the aggregate level, at which you have other entities seeking information, combining information, and then selling that information. Really, that's where we need to be focused, on the selling of that large mass of information that's perhaps collected from multiple different sources.
10:10 a.m.
Director of Cyber Risk Research, UpGuard, As an Individual
That's true to a degree, but I think it's also worth taking a whack at the source of the data as well. Many of the leaks that occur are happening because companies are willingly ignorant of their security posturing. They have no monitoring going on. They know that what they're doing is profitable, so they don't want to look for problems. The problems exist, and they are being taken advantage of, and companies don't want to know about it. There's no incentive to find a data breach, because then it's just your problem.
We need to incentivize looking for the problems and punish those who are not willing to up their game.
10:10 a.m.
Liberal
Anita Vandenbeld Liberal Ottawa West—Nepean, ON
Just going on what you said about the cryptocurrency, you have another whole level when you talk about maybe underground organizations, or nation-states, or criminals who might be trying to do this in other jurisdictions where we can't legislate, where they may be collecting this data and using it for very nefarious purposes. We almost can't legislate that.
Are there ways to be able to prevent that, or is it really, as you said, going back to where the data is collected and housed and making sure that there are incentives for security at that level?
10:10 a.m.
Director of Cyber Risk Research, UpGuard, As an Individual
The good news is that for this data to be optimally useful for the malicious purposes, the bad guys have a need for it to be continually updated and accurate, just as for legitimate usage. If we can stop the flow of accurate, up-to-date information, in time what they already have will become irrelevant, to a large degree.
10:10 a.m.
Liberal
Anita Vandenbeld Liberal Ottawa West—Nepean, ON
As well, in terms of the solution here being that we need to make sure companies are taking it more seriously in terms of privacy, is that part of it? The other question I have is about what you mean by a legitimate interest exception. That was the other piece you mentioned that I wasn't quite clear on.
10:10 a.m.
Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
I would agree with what Mr. Vickery has said as to the sum of the solutions. Given the mandate you have, perhaps you want to look at what might be some legitimate uses of the information to communicate legitimately with electors. I agree that there's a concern both ways—information collected for political purposes being used commercially, or vice versa—and that needs to be looked at, but what I'm perhaps adding on the table is that this flow of information is certainly worth looking at, but it may not all be inappropriate. If you take your example of the family that buys toys and you say that political parties need to communicate with electors, to convince them properly, knowing who the electors are, is it necessarily a bad thing that the commercial habits of the family are part of what is assessed?
I'm not an expert in elections and in what goes against the integrity of an election or does not, but I'm looking at it conceptually. As there is a need for parties to communicate with electors intelligently, knowing who the electors are, some of the data analysis may be okay, but certainly not all of it, and the allegations in the case of Facebook and Cambridge Analytica certainly suggest an inappropriate use of information for political purposes. I'm just saying that there might be some legitimate uses.
As for legitimate interests, we're not in the world now of Facebook and Cambridge Analytica. We're more in the world in which, if the privacy laws are strengthened, there is a legitimate concern that the rules, or some would say restrictions, should not inhibit legitimate, responsible innovation. In answer to Mr. Baylis, I said that the value at stake for the most part is consent—control by individuals over their personal information. In the modern world, however, information may be used for several purposes, and it may not always be possible to inform the holder of that data of all the purposes to which the information will be put. The information is properly put to use in certain artificial intelligence initiatives, for instance.
Part of the challenge is to have strong rules that generally ensure that consent is respected, but in the world of big data and artificial intelligence, it may be that there's a need for an exception to consent. The Europeans use this exception of legitimate business interest as a way to ground lawful processing of data without consent. I think a balanced piece of legislation would enhance consent, on one hand, but also needs to consider what we do as a country with proper business or social concerns—it may be in the health sector—that need to have information without necessarily the consent of the individual, for a true benefit for society.
10:15 a.m.
Conservative
10:15 a.m.
Conservative
Jacques Gourde Conservative Lévis—Lotbinière, QC
Thank you, Mr. Chair.
My question is for Mr. Vickery.
In the last U.S. presidential election, which was relatively tight, the candidate who won the popular vote lost, while the candidate who, in some minds, should have come second in the voting managed to win by collecting a majority in the electoral college, perhaps through more targeted advertising.
Last week, the founder of Facebook explained that his company's raison d’être, its business model, is to sell advertising. And Facebook does it very well, being particularly able to target regions, even streets or buildings: if someone lives in building X, they will receive advertising Y.
As an example, I own a Mazda, and, as if by chance, Facebook sends me a Mazda advertisement every day on my Facebook feed. So we see that Facebook targets ads in an extremely effective way. It is likely that American political parties use Facebook to advertise in certain sectors, states, or parts of states where voters are more likely to be supportive and therefore to vote for them.
Do you think that American political parties, both Democrats and Republicans, have done any electoral profiling or used the services of companies that have analyzed the best way to target advertisements or influence Americans in certain states? Would it be possible to conclude that the person or party who was most effective in his Facebook advertising campaign won the U.S. election?