Information & Ethics Committee on Nov. 20th, 2023

I think that ransomware, like so many problems we have online, is a reflection of society. It is the same type of crime that was committed before the Internet. The Internet is a tool that allows the perpetrators to commit these crimes in greater numbers, with greater efficiency and cost efficiency from their side, with greater returns. That's terrific, but it's no different. It's really no different.

The problem is education, again. You can have the best technology, the greatest security, but if somebody doesn't have the courage to question the boss or to call up the president and say, “Excuse me, ma'am, but did you actually send this?” or if they don't have the curiosity or the skepticism, especially nowadays, to question what is presented in their email—and I'm sure they act in good faith—and if they click the wrong thing, that opens the entire organization up to ransomware and to problems.

The organization can recover, but what about all the individuals whose personal information has now been compromised? In the case of Equifax, there were 146 million Americans, and the payout, the negotiated settlement, the fine.... I remember Kevin Mitnick, when he was still alive, on LinkedIn showing the cheque he got for $5.42. That was supposed to help him recover. In Canada, the Canadians who were affected got one or two years of credit monitoring that was administered through Equifax's American organization.

At this point, I would say it's the EU, because of the GDPR and because, at the very last minute, they put the brakes on a piece of legislation that would have required, basically, encryption to be broken to facilitate the ability of the police to find the predators. The police do that now without the encryption back doors.

I do.

Thank you.

I would say they are self-interested, because they are for-profit organizations. They do what they have to in order to improve their bottom line and to provide the greatest return possible to their investors and shareholders.

I think there are some that are better. They do take a greater interest in individuals' privacy. I could name the Tor Project, Signal, and Proton. These are the three that come to mind. They're not particularly social media platforms, but they are certainly communications tools that don't take any information, any metadata, anything. They don't keep it. That provides much greater security. As well, their encryption technology is much stronger.

That's a very difficult one, because each one of them has its own interests at heart. They collect the information and provide advertisers with the opportunity to reach our eyeballs. I don't know that any of them is really interested in our privacy.

“Surveillance capitalism”, the term that Shoshana Zuboff coined, is a wonderful term. We could also call it “surveillance economy”, because nowadays much of our economy is based on surveillance in one way or another, whether we realize it or not.

What can be done? Before a drug is allowed to be sold in Canada, before a vehicle is allowed to be sold and licensed in Canada, and a lot of other products, they have to be tested by an independent Canadian authority to make sure they are fit for purpose and safe. I think the same thing has to apply to the technology we all use every day, which is now being sold by self-interested corporations. That all fosters the surveillance economy.

The only way of pulling back from having our information used continuously as fodder for surveillance.... Spin doctors say, “Well, everybody is okay with it because they keep giving their information”, despite the fact that we have very little option or no way of opting out. It's up to our government to regulate it, despite the objections of big tech.

Well, I think it's a step backwards from what we now have in PIPEDA. First of all, the first word is “consumer”—the consumer privacy protection act—labelling us all as consumers. We are commodities, with our information to be commoditized.

It provides a private right of action once we complain to the commissioner, who is—like most of them—chronically underfunded. Once they finally get around to assigning the file, investigating, deciding and determining, it will go to a new tribunal, which I expect will have to at least review this, if not provide a fulsome re-investigation. If the tribunal agrees with the commissioner that a fine is in order, then the offending company has the right to take it to court.

How many years will that take? Once they have exhausted their legal recourse, you and I get to advance our private right of action. We then pay another lawyer and go through another 7-10 years.

Yes, this is a feature that.... I've found that in a lot of organizations, the people who create the websites don't talk to the people in the privacy office, shall we say. It's the old story that we'll put in all of these wonderful tools that can collect information, and it's really neat to say, “Hey, we can maybe do something with it in the future”, without knowing—because of lack of education—that they are overcollecting. The way it works is similar to a cookie. Before you even see the website you have called up, the fact that you are there has already been transmitted to Facebook and data brokers.

Absolutely. Our information is being sold, traded and bid on in real time. We don't know it and we can't say, no, don't do that, because we have no idea who is bidding on our information. We don't have a direct relationship with them. We have no recourse. Our information is gone.

I can give you a very quick example.

The way companies now are fined, but not the individuals, is meaningless. By contrast, after the Enron scandal, 20 to 25 years ago, the United States passed the SOX legislation. The complete name is the Sarbanes-Oxley Act of 2002. It said very simply that the person at the head of the organization is responsible for everything in the financial statement. If things go sideways, they personally face multi-million dollar fines and jail time. Companies around the world, including Canada, scrambled to make sure that they were SOX-compliant. We need the same thing.