Information & Ethics Committee on Feb. 1st, 2024

The image of an American comedian who died in 2008 was used recently in a new show. The video isn't perfect, but the voice, tone and comments are the same. Current events are discussed.

Would you say this kind of thing is a violation of privacy?

According to the World Economic Forum, disinformation, or misinformation, and privacy are the main concerns.

Would it be possible to obtain the public statements that Canada and your G7 counterparts made last year?

Thank you very much.

I know my colleague Ms. Khalid is very concerned about protecting children's privacy.

Thank you, Mr. Villemure and Mr. Dufresne.

Mr. Green, you have six minutes.

Go ahead, please.

Thank you.

I appreciate being able to go back to the point about the human context of surveillance. We certainly delved into that when we talked about AI and its use for surveillance that was on-device in the audit response. We covered—I think, compellingly—the ways in which bias is baked in.

What I'm struck by in this way is surveillance that was more akin to CCTV. You know that in places like the U.K. and the United States, where there's an expansive use of CCTVs, they're found to be really susceptible to abuse, just based on human nature. The American Civil Liberties Union identified four ways in which CCTV is susceptible to abuse, so for the purpose of this round, I want you to just consider that context.

The first is criminal abuse. In instances like this, obviously if the federal government is doing it, the legality could suggest criminality if it's warrantless and outside the scope of their work. The second is clandestine, if we're talking about our RCMP, our national defence or perhaps more specifically our national security establishment and the way it does online surveillance. I'm not suggesting they're involved in that, but that is a possibility. The third is institutional abuse, the overreach, the top-down approach and the way in which government institutes surveillance on the public is a significant risk. CCTV was found to be not only ineffective but also, it was argued, an institutional abuse.

I think what I'm most concerned about with the sensitive nature of the information is the abuse for personal purposes, which is why I was trying to drill down on exactly who. I think, for anybody who's not aware of IT, we have an idea of who's on the IT side.

Would you agree that the intentions or the possibilities, the susceptibilities, for abuse at the level of CCTV or the analog level ought also to be considered at the deeply digital level, particularly as it relates to AI and the technologies and the full and complete access that it has to people's personal information and data? Is that a fair assumption?

I want to get back specifically to the PIAs. Do you have any way of knowing who has access to the information in the technology that you're reviewing? That's the first part.

Second, are there any current legislative or reporting mechanisms that would identify how often somebody's doing it? For instance, knowing that I have access to this type of, what I'll call, “digital voyeurism” is one thing, but not knowing how many times I'm using it is something completely different. In the case of CCTV, the voyeurism became a real thing when it became.... For police departments, there was evidence that they were using it to stalk women, to get information on their spouses or their ex-wives, and so on and so forth.

Do you currently have any mechanisms in place that would provide safeguards against this technology, which you may have approved in departments but for which you don't actually have oversight?

But clearly you don't know that—do you?

The other issue that I have with the reporting is.... It seems to be the case with government...and again, I'll chalk it up to human nature and not necessarily make it a partisan jab. I'll just state that it is often the case that people only hold accountability when they're caught. The issue that I have right now is that we've only identified about a dozen organizations.

If you check your email accounts, you'll notice that I put a motion together. I'll speak to the motion while you guys look at your accounts because the inventory of federal organizations and interests identifies 137 departments or organizations under the federal public service. We're talking about 23 ministerial line departments, three service agencies, 17 departmental corporations, 15 departmental agencies and 12 special operating agencies. It's pretty far-reaching. The issue that I have is that we're only currently talking about 12. We don't know in this committee exactly who's using this and what the scope and scale of the use of this is.

What I'd like to do is move a motion. I move:

That, in relation to the study on the use of tools capable of extracting personal data from telephones and computers by government institutions, the committee write to each federal department and agency not already named in the study and request that they confirm whether or not they have procured or have access to software used for extracting information off of electronic devices; and request that the response be sent to the committee no later than 10 business days after receipt.

Thank you, Mr. Green.

The motion, as Mr. Green stated, had been sent to everyone's email prior to his moving that motion. The motion has been moved. I'm going to accept it because it is in relation to what we're studying today.

Is there any discussion on Mr. Green's motion? I don't see any.

(Motion agreed to)

Thank you, Mr. Green. That concludes your time. The motion has been adopted.

We're going to go with five minutes, five minutes, two and a half minutes and two and a half minutes to conclude.

I know that everybody is aware that Mr. Barrett will be moving a motion at the end of this meeting. We should dispose of that fairly quickly.

We're going to commence our five-minute round with Mr. Kurek.

Go ahead, Mr. Kurek.

Thank you very much, Chair.

I think that the passing of that motion highlights a concern around the unknowns that exist. When I saw that Environment and Climate Change....

I represent an area with lots of farmers. There have been concerns highlighted to me by farmers who get correspondence from different levels of government. They don't know what certain demands are, what they mean or what's included in that. They're asked to agree to things that they don't necessarily have all the details about.

The fact that there are unanswered questions highlights how important it is to really get to the bottom of this. If that is impacting the privacy rights of Canadians, certainly we need to be very clear on that.

There's also the fact that Environment and Climate Change Canada recently had a job posting where they were looking for climate enforcement officers. What does that look like? Farmers in my constituency are asking what that looks like. I certainly would ask those questions.

Commissioner, you've outlined some of the concerns. I would, if I could, ask you to provide some specific examples of what needs to be changed in order for you to not only have the tools but to ensure that the legislative framework is in place so that the questions that we have asked—and all parties have asked—can in fact be answered. Those questions are not currently able to be answered because of gaps or because of regulatory frameworks that don't go far enough in Canada.

Could you outline some of those things?

Yes. It's too bad that we need to even consider order-making power when I would hope that the attitude would be to presume privacy and to presume that privacy matters for Canadians. Obviously, over the four years or so that I've served on this committee, that is not the case.

Whether it's order-making power or when there is non-compliance, I'm curious where penalties, proportionality.... What would you recommend as the solution to ensure that ultimately, at the end of the day, this is not just a recommendation or a Treasury Board mandate that gets ignored, with nothing happening to those who wilfully ignore what could be the privacy rights of Canadians?

Do you have a number? I'm just curious. You mentioned fines. Is it an administrative penalty? What is the thought?

Thank you, Mr. Kurek.

Thank you, Mr. Dufresne.

Mr. Erskine-Smith, I have you next for five minutes. As you started last time, you said “hey” to the analysts. I know that you spent three years on this committee and, on behalf of the analysts, I'm going to say “hey” back.

They wanted me to say “hey” back. I know they weren't going to do it, but I did it.

Go ahead for five.

Thanks, John.

Thanks, Alexandra and Maxime-Olivier.

Commissioner, my colleague Matthew Green drew a parallel to CCTV. There is no question, then, of documented abuses of CCTV. This is of course a different technology, and different technologies have different challenges.

It strikes me that in this particular instance, with this particular technology, there are two considerations and potential concerns for you to look at. One is whether the search of a device is warranted and justified—that's number one—and then whether the scope of the search of that device is reasonable, necessary and proportionate.

Does that sound right?