Evidence of meeting #49 for Access to Information, Privacy and Ethics in the 44th Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was things.
A recording is available from Parliament.
4:10 p.m.
Conservative
The Chair Conservative John Brassard
Thank you, Mr. Green.
We will now begin the second round.
Go ahead, Mr. Gourde. You have five minutes.
4:10 p.m.
Conservative
Jacques Gourde Conservative Lévis—Lotbinière, QC
Thank you, Mr. Chair.
Thank you to the two witnesses for being here today.
Mr. Malone and Ms. Wylie, can you give us some situations where, upon arriving in Canada, Canadians were adversely affected by the ArriveCAN app?
4:10 p.m.
Assistant Professor, Thompson Rivers University, As an Individual
Yes, I had my inbox flooded with stories after I wrote my Globe and Mail piece on August 8.
There was an individual in Montreal whom I spoke with on the phone who was quite distraught about his experience trying to get to Vermont for family and for health reasons. There was an individual in rural Saskatchewan who contacted me and said he and his wife did not own a cellphone, and he was reaching out to me from a public library, where he had been trying to print his ArriveCAN.
I can imagine Bianca has stories as well.
4:10 p.m.
Partner, Digital Public
Yes, I have many.
There's an op-ed written by a Canadian in a publication called rabble.ca. Beyond getting the glitch notification, they had a hard time getting an answer from the government about whether there was a glitch or not. They were told on the phone, “No, it's just a glitch”, but they were unable to get anything in writing or any confirmation.
I think if we look at the thousands of people who were impacted just on the glitch level, and then the other thousands of people—probably more than that—who were scared to travel or had an uncomfortable experience, we're into very large numbers here with negative consequences for people using this app.
4:10 p.m.
Conservative
Jacques Gourde Conservative Lévis—Lotbinière, QC
Let's say Canadians filed a class action because of the ArriveCAN app. A number of companies were subcontracted to work on the app, so who would be responsible for the fiasco?
4:10 p.m.
Assistant Professor, Thompson Rivers University, As an Individual
I would say that the committee itself has responsibility over certain aspects of the story, and I would turn it a little bit to you.
For example, GC Strategies operates essentially as a quasi-lobbyist. I've put in access to information requests to obtain records of the correspondence and communication that those figures had with figures within TBS and other sectors that were responsible for contracting. It's not entirely clear to me why they were not registered as lobbyists when that is essentially the work they were doing.
In addition to that piece, I would say that the access to information aspect of this story is incredibly important. I have outstanding access to information requests that would be directly relevant to the questions the committee is exploring right now.
For example, in July, I put in a request for assessments of privacy, cybersecurity and data breach risks of the ArriveCAN app, including but not limited to studies, reviews, explanations, audits, manuals, bug reports, validation studies and others concerning the security of the app that the CBSA conducted or that third parties conducted for the CBSA.
The CBSA responded by giving me a 90-day extension, which has subsequently elapsed, and they have simply not responded to my request, which is a violation of the Access to Information Act. That seems directly relevant to the scope of the work of this particular meeting.
4:15 p.m.
Partner, Digital Public
I don't have much to add in terms of the responsibility here. I would consider what precedent there is. I think, at the end of the day, this lands with the government as a whole. I'd have to understand any other case.... When there was a digital product, who was at the end of the line from a liability perspective?
4:15 p.m.
Conservative
Jacques Gourde Conservative Lévis—Lotbinière, QC
ArriveCAN was said to cost a total of $54 million. Might the contractor and subcontractors have left themselves a considerable buffer within that budget to deal with potential lawsuits?
Maybe that's one reason why the app was developed rather quickly. Other experts say the price tag was pretty hefty for an app that wasn't all that complicated to develop.
4:15 p.m.
Partner, Digital Public
When a product is developed, there's a stage called requirements, writing and gathering. In terms of the time it would take to work between the government and the contractors, that's different from someone saying, this should be fast because I handed you what to build. I think there is a relevant process time in that number.
In terms of the rationale for the cost, without seeing how this went down, I couldn't speak to it. But I want us to remember that what we don't get when we fail to invest in a public service is reuse. If we're spending this much money, we should be investing into the capacity and code with conditions that we can reuse as the federal government. This to me is a bad spending decision regardless.
4:15 p.m.
Conservative
The Chair Conservative John Brassard
Thank you, Ms. Wylie.
Next we have Ms. Hepfner for five minutes.
November 28th, 2022 / 4:15 p.m.
Liberal
Lisa Hepfner Liberal Hamilton Mountain, ON
Thank you, Chair.
I would like to start off my questions through you to Mr. Malone.
I heard you talk about breaches to the app, but then you went on to describe faulty quarantine notices that went out. It wasn't that it was a breach of data or personal information; it was 10,000 false quarantines that went out to people, which is about 0.03% of the 30 million times that it was used.
I'm wondering if you have any evidence of data breaches or personal information being leaked from this app.
4:15 p.m.
Assistant Professor, Thompson Rivers University, As an Individual
There is one outstanding access to information request, which I believe dates from the summer of 2021, which is viewable—
4:15 p.m.
Liberal
Lisa Hepfner Liberal Hamilton Mountain, ON
You have a request out but you have no information at this point.
4:15 p.m.
Assistant Professor, Thompson Rivers University, As an Individual
No, no, there's one request that is not mine that is already processed, which confirmed that as of the summer of 2021 there had been no breaches. Then I put in a request for confirmation from the CBSA's media unit in early September, and they also confirmed that there were no data breaches.
That's separate from my outstanding request to know more about the studies that were done to prevent data breaches. So far, I've heard that there have been no breaches of the app as of September 1, 2022. That is separate from the glitch that sent those erroneous quarantine orders.
4:15 p.m.
Liberal
Lisa Hepfner Liberal Hamilton Mountain, ON
Thank you. That's helpful.
Ms. Wylie, I was listening to you talk about how ArriveCAN is sort of closed code. You've been advocating that it be open code so that people can understand it better. To quote Mr. Barrett, at the OGGO study that revolved around these same sorts of things, the app contains biometric, personal and health information of more than eight million people who downloaded the app. Mr. Barrett was concerned about hypothetical bad actors who could build in a backdoor access to this information in the future. He said, “There are a lot of ways that foreign state actors can test our systems and our processes, and this looks like a great opportunity for them to do that.”
Do you agree, based on this sensitive information, that this app should have been developed with the highest degree of sensitivity and the most constraints around our personal information?
4:15 p.m.
Partner, Digital Public
Making the code base for the app closed doesn't create the security that I think you're suggesting. Of course, it should be well developed, but it could be well developed, and with an eye to what is being collected and used, but still be open-source code. The mechanics, the underlying code, the architectures, how it works, there's no problem with that being open and also with it serving the purpose that it served.
4:20 p.m.
Liberal
Lisa Hepfner Liberal Hamilton Mountain, ON
Okay. You don't see any privacy concerns with that.
This study focuses specifically on the cost associated with ArriveCAN and the handling of personal information. You talked about how there should have been, from the beginning, redundancies so that people didn't have to use the app. But I'm wondering if you took into account how much it would have cost to have all those redundancies put in from the beginning.
4:20 p.m.
Partner, Digital Public
Yes, I definitely did. I don't think you can put a price on trust. I think with the damage that this app did to public trust you could have tripled what was spent on ArriveCAN to make sure that kiosks were updated or that they were staffed.
4:20 p.m.
Partner, Digital Public
No. But however much it would cost not to have lost this trust would have been a worthwhile investment.
4:20 p.m.
Liberal
Lisa Hepfner Liberal Hamilton Mountain, ON
Do you know of any breaches of personal data or privacy that came from using the app?
4:20 p.m.
Liberal
Lisa Hepfner Liberal Hamilton Mountain, ON
In your expertise, what challenges would exist to ensure the integrity and safety of the data that people provide to a company or in this case the government?
4:20 p.m.
Partner, Digital Public
The best principle is always minimization. This is why I repeatedly ask what the public health rationale was for ArriveCAN to be developed as an app. I don't understand what the public health rationale was for this act.
