Information & Ethics Committee on Feb. 13th, 2024

Thank you, Mr. Chair.

Good morning Mr. Chair and members of the Committee. Thank you for the invitation to appear before you today.

My name is Mario Mainville. I am the chief digital officer at the Competition Bureau. Joining me today is my colleague Pierre-Yves Guay, deputy commissioner of the Cartels Directorate.

The Competition Bureau is a law enforcement agency that protects and promotes competition for the benefit of Canadian consumers and businesses. We administer and enforce the Competition Act by investigating and taking action to address anti-competitive business practices that harm consumers, competition and our economy.

We investigate criminal offences such as price fixing, bid rigging and mass marketing fraud as well as civil provisions such as deceptive marketing practices and abuse of market power through restrictive trade practices.

We also review mergers to ensure that they do not substantially harm competition.

Finally, we advocate for procompetitive government policies and regulations.

It is solely within the context of investigations that the Bureau uses the technological tools at issue in the Committee's study.

The targets of these investigations can be sophisticated firms or individuals operating in a deliberately covert or fraudulent manner. Rapidly advancing technology may act as a vehicle permitting users to communicate with others to implement possible anti-competitive conduct and can assist in the perpetration of anti-competitive conduct while acting as a storage device to house information related to anti-competitive activity. In these cases, the Commissioner may apply to the courts for a search warrant in order to gather all necessary information.

It's important to recognize that the Competition Bureau cannot make a decision to search a party's electronic data on its own authority without consent. The bureau must submit a court document setting out the grounds justifying the issuance of the search warrant and the need to search the computer system. The court could then decide to authorize the commissioner to conduct a search of the identified premises and to copy or seize certain records or other things for examination. Our use of these tools is therefore limited by the scope and conditions outlined in these search warrants.

The bureau recognizes the importance of respecting individual privacy rights while executing a search warrant. The issuance of a search warrant by a judicial authority is a safeguard to ensure that searches are conducted with proper legal authorization. Law enforcement agencies are expected to handle and manage the personal information obtained during the investigation responsibly and in accordance with law and constitutional principles. Privacy considerations are relevant, and the bureau has policies and procedures in place to ensure compliance with privacy principles and legal requirements. The bureau works closely with legal counsel from the Department of Justice to ensure that our practices align with both criminal law procedures and privacy obligations. Additionally, any subsequent use, retention and disclosure of information collected during the execution of a search warrant is governed by Government of Canada policies on retention and disposition.

With that, we look forward to discussing these tools with you today. Thank you, and we welcome your questions.

Mr. Chair and members of the committee, I am very pleased to be here to set the record straight regarding Shared Services Canada's use of technological tools to extract information from government-issued devices.

Before I begin, I’d like to acknowledge that we are gathered on the traditional, unceded territory of the Algonquin Anishinaabe people.

With me today from Shared Services Canada is Daniel Mills, Assistant Deputy Minister of Enterprise IT Procurement and Corporate Services.

As you are aware, SSC is responsible for providing the foundational IT infrastructure for the Government of Canada. SSC is committed to improving the digital services that it provides. The department also has a significant role to play in ensuring the security of Government of Canada information while respecting the requirements of the Privacy Act.

Mr. Chair, while the initial media coverage referenced spyware, I want to assure you that under no circumstances is this an accurate description of the tools used by SSC. Departments across the Government of Canada, including Shared Services, use digital forensics tools to support administrative investigations. These tools are essential to our ability to investigate and conclude investigations that I, as deputy head of SSC, am authorized to conduct under the Financial Administration Act.

Investigations happen only when there's a credible allegation of employee wrongdoing and to ensure the security of government networks upon which Canadians depend. Impacted employees are always made aware of the conduct of these investigations, and procedural fairness is ensured. Examples of administrative investigations could include suspected inappropriate website browsing on a government-issued device, malicious software installed on a government-issued device or network, or the unacceptable use of departmental electronic networks and devices, contrary to the policy.

Under such circumstances, I have the authority to conduct an investigation and our technical experts need these tools to do their work thoroughly and fairly, while protecting the privacy of employees.

We take the protection of the privacy of employees extremely seriously, and we use digital forensic tools very judiciously.

A security administrative investigation follows very strict standard operating procedures and is taken under the direction of Shared Service's chief security officer. Investigations have a clear mandate and scope, including assurance of independence and impartiality in data collection.

The digital forensics tools used to conduct an administrative investigation are used in tightly controlled environments. Government-issued devices, and only government-issued devices, are brought to a physically segregated secret-level lab, where the tools are then used to conduct analysis: Only information necessary for the investigation is included. In addition, we also use these tools for legitimate operational purposes, such as to accelerate the retrieval of information to respond to requests faster under the Access to Information Act and the Privacy Act.

From a privacy and protection of personal information standpoint, I take the department's responsibility for personal information in SSC's custody very seriously. We have well-established standard operating procedures to protect privacy and embed trust in SSC operations. This is absolutely paramount.

These digital forensics tools are used to analyze large quantities of data and information in digital form. I'd like to add that the Government of Canada has purchased these digital forensics tools for many years. When Shared Services was first created, the purchase of these tools was centralized at SSC to leverage the Government of Canada's buying power and consolidate the number of smaller contracts that were prevalent across the government. As the IT service provider for the Government of Canada, SSC has put in place contracts to acquire these capabilities, allowing other federal departments and agencies to use our contracts to procure them in support of their operations.

We are aware that the use of digital forensic tools can raise privacy and ethical concerns. That said, SSC takes the protection of information, the privacy of employees and the security of Canadians very seriously.

I will be very pleased to answer your questions.

Thank you.

Good morning, Mr. Chair and members of the committee.

I would like to thank the committee for inviting the Transportation Safety Board of Canada to appear today.

First, I'd like to take a moment to explain who we are and what we do.

The TSB was created in 1990 by the Canadian Transportation Accident Investigation and Safety Board Act, which contains the act. The TSB is an independent federal agency with a statutory mandate to advance transportation safety by investigating “transportation occurrences” in the federally regulated air, marine, pipeline and rail modes of transportation. “Transportation occurrences” encompass both accidents and situations that, if left unattended, could reasonably lead to accidents.

The TSB’s objects are set out in section 7 of the Canadian Transportation Accident Investigation and Safety Board Act. The TSB’s key objectives are to advance Canadian transportation safety by conducting investigations into the causes and contributing factors of transportation occurrences and identifying safety deficiencies, making recommendations to reduce or eliminate any such safety deficiencies and reporting publicly on its investigations and findings.

The TSB has the discretion to investigate any transportation occurrence for the purpose of carrying out these objects. The TSB's policy is to investigate occurrences that have a reasonable potential to result in new lessons learned that can lead to safety actions or that generate a high degree of public concern for transportation safety. The TSB's investigations and its resulting reports highlight issues that federal regulators and the transportation industry must address to reduce risks and safety deficiencies in Canada's transportation system. The TSB is independent and reports to Parliament through the president of the King's Privy Council for Canada.

In accordance with its mandate as an investigation and safety agency, the board is not empowered to assign fault or determine civil or criminal liability, and subsection 7(4) of the Canadian Transportation Accident Investigation and Safety Board Act provides that none of its findings are binding on the parties to any legal, disciplinary or other proceedings. TSB is not a regulatory agency and makes no administrative decisions.

Given that we're here today to discuss the use of data, I'd like to touch briefly on our own process for collecting and using data. The CTAISB Act creates a number of privileges and evidentiary rules that are intended to ensure that the TSB has access to the information it requires in the context of its investigations. Pursuant to section 19 of the act, in the context of an investigation, wreckage and other items relevant to the occurrence are collected based on reasonable grounds. These items are examined and tested for the purpose of the investigation. Special tools are often needed to recover pertinent data, which comprises mainly technical information such as any data recorded and displayed in the instrument panel and onboard computers; the position of switches, gauges and actuators; GPS data showing longitude, latitude and altitude; and accelerometer data, which provides the exact position and orientation, as well as information on speed, acceleration and vibration.

Relevant data can include moments prior to and throughout the occurrence.

This information is necessary in determining the timeline of a transportation occurrence and enables TSB to fully carry out its mandate. With the exception of audio recordings of, for example, conversations from the flight deck of an aircraft, locomotive or bridge of a ship, pursuant to section 20 of the Canadian Transportation Accident Investigation and Safety Board Act, any items gathered in the context of an investigation are returned to their owner.

As an investigative body, the TSB handles a variety of sensitive information. It is the TSB's top priority and statutory obligation to protect personal information collected in the context of its investigations. For example, the TSB is required to always intervene in court proceedings to protect its privileges, such as witness statements. We are committed to updating our PIAs for our investigation program, to ensure that it is inclusive of all the current technologies used to deliver on our mandate.

The TSB welcomes the opportunity to discuss with the committee how it has always protected personal information in compliance with the CTAISB Act and the Privacy Act.

Thank you.

From a government device on a government account, the email goes to the server, and there's a record maintained of that email.

There would be. It would be on the server that an email was sent at this time and on this date, and showing the metadata associated with it.

For the mobile phones, it is directly with the telecommunications router, so those records would be retained by the telecommunications provider. I would have to verify if we have access to calls made. To the metadata associated with a call, we definitely don't have access to the calls made. My understanding is no, but I'd have to reconfirm that with our team, just to see if there is some arrangement. We wouldn't have access to the text messages or calls. They would only be on the phone.

If the email was deleted because it had no records value and wasn't loaded into the official record system—it was deleted from “sent”, etc.—there would still be the record, and anybody who received it would still have a copy of it, but the record that the email was sent would still be in the system logs.

There should be a record of the “sent”, the fact that an email was sent. What's exactly in that metadata and in that record, we'd have to check. I haven't looked at that for about 20 years in my career.

I would need to verify exactly....

If you're asking if the email itself exists, once it's sent, whoever received it will have a copy of it. Now, whether they delete it or not, the record of the event, that an email was sent, would be in the records.

I'd have to confirm exactly what's stored in that metadata. I just don't know offhand.

I would have to verify. I can't think of an example in which we've used them in that manner.

We can certainly do that.