Evidence of meeting #141 for Access to Information, Privacy and Ethics in the 44th Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was cra.
A recording is available from Parliament.
NDP
Matthew Green NDP Hamilton Centre, ON
You told reporters who interviewed you that “The thieves entered the bank, and the alarm system was not working.” Can you elaborate on what you think went wrong in this case in order to stop fraudsters from misappropriating funds?
Associate Professor, Faculty of Law, Université Laval, As an Individual
If the fraudsters take your credentials through H&R Block or whatever, and they have your information, well, there is nothing here that will stop them from claiming huge amounts of money on your behalf. The CRA doesn't seem to see that and to have enough of a firewall in their computer system to stop that. Fraudsters are in the bank and in the open: How much do we want? They claim that credit, and there it goes. It's gone.
The CRA has to have a better firewall and computer system to prevent that from happening.
Matthew Green NDP Hamilton Centre, ON
I'll give you an example from my office. We help fixed-income people file their taxes. We know that the government knows, based on their previous filings, almost to the dollar how much they should owe, and yet they're forced to go to H&R Block and third parties.
How much would modernization through an automatic filing system for fixed-income folks and people on social assistance and pensions help reduce scenarios in which these massive breaches occur?
Associate Professor, Faculty of Law, Université Laval, As an Individual
To me, the problem may have occurred because the pixels were caught by fraudsters through Meta or Google. In Australia they do have a system for people to file their tax returns online. It's a government system called myTax. In Australia there is no outside system. There is no outside software. It's government only.
I talked to my good friend Rick Krever. Rick is a tax professor there. He is a really great tax person. He has allowed me to use his name. He told me that he thinks most of the private software packages are integrated into bookkeeping, and that's why some people will use the private system, but myTax has been checked and it's completely safe.
NDP
Matthew Green NDP Hamilton Centre, ON
Mr. Lareau, I think I'm out of time, sir. Thank you so much. I appreciate it. I will come back in my second round.
Thank you, Mr. Chair.
Conservative
The Chair Conservative John Brassard
Thank you. Just so you know, Mr. Green, I did try to get the Public Sector Integrity Commissioner to come today but, unfortunately, she wasn't available.
We're going to start the second round right now. Mr. Caputo, you have five minutes. Go ahead, sir.
Conservative
Frank Caputo Conservative Kamloops—Thompson—Cariboo, BC
Thank you, Mr. Chair.
Thank you, Professor, as well, for being here. I can also, like Mr. Green, say that I was here last time, and I appreciate the fact that you've shown us the courtesy of showing up again, despite the fact that not all parliamentarians did. I appreciate that, because I probably wouldn't have, if I was in your position. I thank you for the grace that you've shown this committee in what would otherwise be difficult circumstances to attend again, in my view.
Professor, I understand that you didn't see the minister's testimony, but my colleague Mr. Chambers, who asked you questions earlier, asked the minister about how much was written off based on privacy breaches by CRA. The minister, in my view—and you can agree or disagree—hid behind section 241 of the act to essentially dodge the question, saying she couldn't comment on specific cases. To me, Mr. Chambers was asking in generalities about how much money had been written off. Does that seem to you to be an appropriate use of section 241?
Associate Professor, Faculty of Law, Université Laval, As an Individual
No, not at all. Section 241 deals with confidentiality and confidential information, and it also defines confidential information. I don't have the act beside me, but I'm sure that if you only ask for an amount of money that has been lost by fraud, then it is not confidential information.
I think it's unfortunate. Revenue ministers—and the current person and the previous minister—are, I'm sure, really good people, but they're not tax people, and in not knowing tax and the tax system, they are not the best people to have this job, unfortunately.
Conservative
Frank Caputo Conservative Kamloops—Thompson—Cariboo, BC
Well, I dare say that this is a trend in this government, but I would actually go one step further. Like you, I'm trained as a lawyer, but I'm not a tax person. I took a tax class, and I don't remember much of it. I can't calculate capital cost allowance—that's for sure—but I think that anybody who reads the act will know that the confidentiality relates to a specific taxpayer. The whole point of it is that nobody can reveal how much tax you make and things like that. To me, when somebody hides behind that when asked a completely general question, as in how much money was defrauded, it's so obvious that the person is dodging the question. That's what I would say there.
Associate Professor, Faculty of Law, Université Laval, As an Individual
Yes.
Conservative
Frank Caputo Conservative Kamloops—Thompson—Cariboo, BC
Now can I ask you this? Is it your opinion...? These are my words: The minister gave us the impression that she and the CRA team have handled everything related to the issues we're discussing and that there should be no worries. Would you characterize the minister's and CRA's response with such confidence?
Associate Professor, Faculty of Law, Université Laval, As an Individual
Can you repeat the question, please? I didn't hear it properly.
Conservative
Frank Caputo Conservative Kamloops—Thompson—Cariboo, BC
I'm sorry. The minister has given us the impression that she and the CRA team have handled everything in relation to the issues that we're dealing with today, and that there should be no worries and Canadians should feel good about how these breaches and subsequent frauds have been handled. Would you characterize the response in the same way? Should Canadians feel confident?
Associate Professor, Faculty of Law, Université Laval, As an Individual
Well, you see, it's not enough to express that people should be confident. They have to carry out the proper actions and make the proper gestures to make people confident in the system. They should have gone forward, gone public and told the public what happened. It's not enough to say that people should be confident. It doesn't work this way.
Conservative
Frank Caputo Conservative Kamloops—Thompson—Cariboo, BC
The very cover-up of the issue really destroys public confidence. I'm paraphrasing you, but is that accurate?
Associate Professor, Faculty of Law, Université Laval, As an Individual
Yes, it is.
Conservative
Frank Caputo Conservative Kamloops—Thompson—Cariboo, BC
Based on the actions that the minister took, do you feel confident that the CRA has done all it can and that the minister has done all she can?
Associate Professor, Faculty of Law, Université Laval, As an Individual
Have they done all they can do to prevent that from happening? I have no idea. They have to do a better job in the future.
Have they done a good job of informing the public? The answer is no.
Conservative
Conservative
The Chair Conservative John Brassard
Thank you, Mr. Caputo and Professor.
Mr. Bains, go ahead for five minutes.
Liberal
Parm Bains Liberal Steveston—Richmond East, BC
Thank you, Mr. Chair.
Thank you, Professor Lareau, for joining us again here today.
I know that you've indicated what the government has done with respect to the incident response. My understanding is that when a breach of this kind happens, the CRA individually notifies each affected person, and then the TBS and the privacy office would report regularly on the privacy matters and information would be available on government sites in some capacity.
Can you talk a little bit about what would have been an effective incident response plan to this data breach?
Part of the reason I'm asking is that our goal in the work we do in committees is to find recommendations and make sure that we're making improvements along the way. I know you've talked a little bit about what should have been done. Can you provide more recommendations and talk a little bit about the data protection breaches and what responsibilities should be put forward as well?
Associate Professor, Faculty of Law, Université Laval, As an Individual
You see, the answer is that CRA says it has contacted every taxpayer who was targeted. Well, that's fine, but at the same time, this ignores one specific problem. Canadian society is more like a partnership. A partnership means that we all pitch in. When there's fraud, we all lose.
I understand that these people who were defrauded did not lose any money. If the money from their tax returns went away, then it was refunded to these people. That's fine. However, if the government was defrauded of millions of dollars, then you and I lost on that. That's why all taxpayers lose in that fraud system. That's why we all should be informed of what happened.
We should be informed also of the mechanism that will be put in place by the CRA to correct that. With the current system, when you buy from H&R Block or UFile online, the contract says specifically that they are a worldwide corporation. They know that when you trade with them, you allow them to transfer your information. You have to understand that this information will go to other countries. It says in the licence that the information will go to other countries and that you recognize that these countries might offer you a lower protection than Canada does. They say in the contract that you accept that by buying their software.
You see, it's all in that—
Liberal
Parm Bains Liberal Steveston—Richmond East, BC
In your view, what's a corrective measure to that problem?
Associate Professor, Faculty of Law, Université Laval, As an Individual
The corrective measure is to prevent those companies, when you buy software, from transferring any type of information to other parties. The most important thing that has to be done is to have government software so that you file your tax return through the Government of Canada using CRA software.
You see, the CRA is aware of my income, your income and 90% of the taxpayers' income. Why does the CRA ask people to file a tax return? There's no reason for that. The CRA should, in fact, send all of the information to taxpayers, asking, “Do you have anything to add?”
That would not be on private software but on the government file on your platform with the CRA. You all have a platform. If you wanted to do that, you could do it on the platform. You could say “yes” or “no”. If you want to add something, that's it; it's gone. That would work well.
In Australia, as Rick Krever said, nothing goes outside the software.