Information & Ethics Committee on Nov. 20th, 2023

Thank you.

Good afternoon, Mr. Chair and members of the committee.

My name is Cherie Henderson, and I'm an assistant deputy minister and assistant director of requirements at CSIS.

It is an honour to join you today and to have the opportunity to contribute to your important discussion on social media and foreign entities. I am joined by my colleague Peter Madou, who is Director General, Strategic Bureau.

Today, we hope to provide insights to this committee on the national security concerns related to data sharing with foreign entities like the People's Republic of China and the role that CSIS plays in ensuring the protection of Canada's prosperity, national security interests and the safety of Canadians.

Foreign state actors leverage all viable means to carry out their foreign interference activities, and social media platforms are ideal tools.

Threat actors, including the Russian Federation and the PRC, exploit media to spread disinformation, leveraging suggestive algorithms to amplify echo chambers and manipulating content for unsuspecting viewers. This utility was indeed evident in the 2016 United States presidential election, and it continues to be of concern in Canada. These same characteristics of social media are also weaponized by extremist threat actors to radicalize and recruit users.

Social media platforms are of interest to threat actors because of the data they generate and collect. Social media platforms run surveys, collate datasets and request access to users' personal data through terms and conditions, enabling access to users' photo albums, messages and contact lists. Although some of this data is benign in isolation, when collected and collated on a massive scale, it can provide detailed patterns and insights into populations, public opinion and individual networks. Canadians should therefore be aware of the privacy considerations at play when choosing to share their personal information online, especially when it is with foreign-owned companies that are based outside of Canada or our allied countries.

Authoritarian states like the PRC leverage big data, including from the private sector, to carry out their foreign interference activities. While government use of data in Canada is strictly governed to respect ethical, legal and privacy considerations, authoritarian states are not similarly limited. The PRC uses this unfettered access to harvest data at a scale that outpaces all other countries in the world combined, while fiercely protecting its own information.

Emerging technologies, such as artificial intelligence, will only further enable its nefarious activities. Through its 2017 National Intelligence Law, the PRC compels individuals, organizations and institutions—including social media platforms operating in China—to provide mass information to the Government of China. This information is then used to assist the PRC security and intelligence services in carrying out a wide variety of intelligence work. PRC-based organizations and PRC citizens are also required to protect the secrecy of all state intelligence work. This policy supports and is reflective of the PRC's bold and sustained attempts to conduct foreign interference in Canada.

It is imperative that Canada builds resilience against foreign interference. This includes bolstering awareness of the PRC's ability to harvest and use Canadians' information obtained through social media to conduct foreign interference.

For example, CSIS' X account recently posted a thread on how PRC intelligence services used LinkedIn to target Canadians by deceptively posing as interested business contacts looking for consultants in Canada, so that they would unknowingly provide privileged information that is of interest to the PRC to trained intelligence officers.

Now more than ever, protecting Canada's national security requires a whole‑of‑society effort that begins with informed and trusted discussions among communities, academia and governments at all levels. Individual users of social media need to be aware of the risks when sharing personal data with platforms. CSIS remains a committed partner in this effort, and our team of dedicated and talented professionals are working hard to keep Canadians safe, secure and prosperous.

I will be pleased to answer any questions.

Thank you.

Good afternoon, Mr. Chair and members of Parliament.

I'm pleased to be joining today's meeting. I'd like to acknowledge that we're meeting on the traditional unceded territory of the Algonquin Anishinabe nation.

My name is Sami Khoury and I'm the head of the Canadian Centre for Cyber Security, also known as the cyber centre. The cyber centre is part of the Communications Security Establishment.

As Canada's technical authority on cyber security, we use our expertise to keep safe the information and systems that Canadians rely on every day.

We work to protect and defend the country's valuable cyber assets, lead Canada's federal response to cybersecurity events and raise Canada's cybersecurity bar so that Canadians can live and work online safely and with confidence.

At the cyber centre, we share advice and guidance with Canadians regarding online dangers. This includes informing them how they can protect themselves and their organization most effectively from the threat social media apps could potentially pose.

We also help inform Government of Canada policy decisions regarding cyber security, including the use of social media apps, which are an important online communications tool to reach Canadians.

In February of this year, the Treasury Board Secretariat issued a statement announcing the ban on the use of the TikTok application on government-issued mobile devices. As recently as last week, a similar announcement was made regarding the use of WeChat. Both decisions were made by the chief information officer of Canada, who assessed that the apps in question present an unacceptable level of risk. While these bans apply solely to government-issued devices, both TBS statements led Canadians to guidance published by the cyber centre.

In our unclassified national cyber-threat assessment 2023-24 report, we assessed that foreign states are using social media to target Canadian individuals. Public reporting by the University of Toronto’s Citizen Lab detailed how cyber-threat activity has targeted activists in Canada through disinformation or intimidation on social media, denial-of-service attacks against their organizations and compromise of their personal devices.

Beyond cyber-threat activity against individuals, states are very likely using foreign-based social media and messaging applications popular with the diaspora groups in Canada and around the world to monitor communications. States can take advantage of permissive terms of use and their own legislative powers to compel data sharing. This activity threatens the privacy of the communities using these applications.

Canadians with commercially sensitive information on their devices should be especially cautious when granting access to their devices.

Not all instant-messaging apps and social media platforms are created equal. Some platforms are more responsible, where you potentially don’t have to worry about the data falling into the hands of a nation-state, but other platforms are too close to that line.

The cyber centre strongly recommends that Canadians make well-informed decisions for themselves about what online services they are willing to use.

Conducting these assessments and making these decisions does not have to be difficult, and the Canadian Centre for Cyber Security has published online resources to make this process easier.

The cyber centre recommends researching the app or platform to determine whether it is trustworthy. This includes reading the terms of use and conditions. Find out what is being said about a particular app in the media and other trusted sources and, most importantly, know what you are consenting to. Ask yourself whether this app really needs access to your personal data, like your contacts list. While it may seem unimportant to review a platform’s security and privacy functions, doing so allows you to avoid using apps that lack strong authentication protections and is well worth the time invested.

Finally, always prioritize security over convenience, and consider where your data is being stored and how this may affect your privacy.

In conclusion, social media has changed the way Canadians communicate, stay in touch and build new relationships.

As the social media threat landscape continues to evolve, Canadians must make sure to make responsible and informed decisions about how best to protect themselves and their information online.

If you can inform yourself to adopt better privacy and security protection, you could also help to support your family members and loved ones.

Again, thank you for the invitation to appear today. I welcome any questions you may have.

I'm sorry. I had to go back a bit in my memory here.

First of all, I'm not sure that I would necessarily call them “police stations”. I think what we have seen over the past few months is individuals who have links back to the PRC or who are supporting some of the work of the PRC—often, individuals who have been perhaps co-opted. At one point, we were looking at three—and it was in the media—where the RCMP was fully engaged in regard to those stations.

I wouldn't want to comment any more in regard to the activities of the RCMP.

I wouldn't specifically focus on the so-called police stations. What I would say to you is this: There is absolutely foreign interference activity happening in our country, but it can come in all forms and varieties. By focusing on just the police stations, I worry that individuals will then miss what else is happening in the environment.

I think that's a very interesting question and one we need to discuss.

A lot of it comes down to how Canadians protect their own personal information—or any citizen of the world, let's say. If you are quite open and put a lot of your personal information out on social media, absolutely, hostile states will be able to scrape that data, regardless. It doesn't have to be China. It could be other hostile states we're dealing with. I think that's also very important. Don't lose sight of all the hostile activity directed against Canadians by focusing on just one actor. It's very important to totally protect all of your social media access and the data you put on there.

You're absolutely right in the comment you made. Hostile states will pull that information. They can collate it, crunch the big data and do very targeted attention, if they want to.

Sami, would you be able to answer that particular question?

No, I can't, unfortunately.

I'm not sure whether I could indicate that it went back to China. I'd have to go back and see what we know about it.

What I can say is that, again, you're very right. Individuals will pull all of that data and target whoever they feel is somebody they need to try to repress, want to get more information on, or want to try to influence in regard to the activities they may be engaging in.

Absolutely, social media can be used to collect the information to do that.

I would term that as a foreign interference activity, yes.

I couldn't give you a specific number.

Again, what I would say is that every single politician, every member of Parliament, should always protect their personal information, their privacy, and be aware if somebody or an entity is trying to approach them in order to engage in some sort of foreign interference activity. It can come in all forms and shapes.

No, that would be GAC. Foreign Affairs is the one that manages the rapid response mechanism.

Yes, absolutely.

Several months ago, the Minister of Public Safety issued a ministerial directive indicating that if we became aware, within the service, of negative activities directed against politicians by hostile foreign states, then we were to look at the information, determine the threat value of that information and then reach out and advise the various political actors.

Thank you for the question.

I think we need to distinguish a little bit between what is required to register for a TikTok account and what is being asked for to enhance user experience. There might be additional access, as I pointed out in my opening comments, to your contacts list, your calendar, or other sorts of privacy settings in your phone, in order to enhance the user experience. That's maybe the secondary offer of information that is being collected through TikTok.

The banning of TikTok on government devices was a decision made by the Treasury Board CIO of Canada, based on an aggregate risk level that was deemed too high. From a government perspective, the aggregation of all that information could potentially expose who our contacts are within government and our activities within government. I suspect that, from a privacy perspective, this is what led the CIO to promulgate the policy around banning the application from government systems.

Our concern at the cyber centre is one of raising awareness of the threats posed by social media and educating users about the privacy settings and best practices on how to use those applications—not to volunteer too much personal information and to ensure that the privacy settings on the apps are as attuned as possible to the particular user, recognizing that in some cases where the data is hosted and who has access to the data can pose an additional risk to the user. In that case, the data hosted in some countries might pose less of a risk than it would in a place like China or somewhere else.

Our role is really one of education and raising awareness about the threats posed by these applications.

Informing Canadians of what it is they are signing up for is absolutely important. We can describe it through our cybersecurity advice and guidance, but if it's also explained in individual apps in such a language that users understand exactly what they're consenting to sharing and with whom, that will definitely help everybody be aware of what is happening in the background.

I don't have any recommendations per se, but I would like to pick up on one thing that you noted, and that was the vulnerability of our youth. What I am very worried about is that some of the youth do get onto these social media platforms and then they can get into some extremist milieu and get very influenced in a negative way. That is something we need to be quite concerned with and aware of. They make connections and they get into almost an echo chamber. That's something we need to be aware of.

Thank you for the question. I will respond in English.

What I would like to explain a little bit more is the fact that a lot of individuals do go onto social media platforms and they do share a lot of information. As my colleague Sami noted, sometimes it's just what you like, and sometimes it's things that you follow. You have your camera on, or you have your pictures, and it's all up on social media. Foreign actors with a hostile intent can pull all of that information together and get a very good picture of who you are as an individual and how they might be able to influence you.

The other thing we find happening within social media is that it seems to be a very good place for trends to be noted and seen. If a foreign actor wants to determine what kind of trend might be happening in a certain area, they can keep an eye on what's happening on a social media platform: Where are people voting? What are people worried about? What are people concerned with? What misinformation or disinformation are they following? That is why I say that these are very strong tools that can actually be used to harm and to engage in foreign interference activity.

I don't think it's ever too late to step back, but what I would say is that in some cases the horse may already have left the barn. You do have to be a little bit worried about that, but people do change as they move forward. If you stop sharing that personal information or you are more attuned to what you're sharing, even from today moving forward, I think you will be starting to put in some protections around your social media presence.

I always hate to narrow things down, because then I worry that people will start to focus only on those threat actors.

I think everyone in this room is probably already aware that another actor we're concerned about is Russia. We are also concerned about Iran and North Korea. Those are at the top of our list at the moment, but I would say that you should think even more broadly than that and always protect whatever's on your social media account. You never know who's looking and who's trying to gather more information on you.

I, myself, am not fully aware of all the networks within those specific countries.

Again, as an innocent individual on a social media account, you need to try to find out where that social media account is being generating from. The more information Canadians take to get themselves informed, the more they will be protected. You may think it's not coming out of a state that we may be concerned about, but if you start to dig a little deeper, you might get there.

I would say, always double-check to make sure you know exactly what you're engaging in and whom you're engaging with, to the best of your abilities.

I think that's an extremely good question and it's an extremely difficult question to answer.

I think a lot of it goes back to what my colleague Mr. Khoury said, which is education—constant education. It's not only education for adults, but education at all levels. I'm not a policy person; I'm an operational person, but I think it would be very important to figure out ways to educate the youth and engage on that level. I think there are other government departments that can support that sort of work.

Thank you.

As my colleague just said, education is extremely important in keeping young people informed. In reality, it's clear that China raises somewhat more complex concerns.

Any information we put in the public domain could ultimately be a source of concern. It's important to keep both young people and not so young people informed of the risks that publishing such information could have in the future. It might not pose an immediate threat, but it can present a threat later, once a more complete portrait or profile of the individual has been compiled.

Yes.

I don't know.

We are not a regulator and we don't assess every app out there. Our advice is how to consider the risk, from a privacy perspective, of the permissive settings that the app is requesting.

Along with the ban of TikTok, we also put out some advice and guidance on social media applications for Canadians and for Canadian businesses in general.

On TikTok, just in case it didn't come out clearly, it presents an unacceptable level of risk. That's why the application was banned.

Many apps that we have on our government phones are apps for which the level of risk is acceptable. In our advice and guidance on what we put on our government phones, we look at a number of things, like security control and who is behind the app.

It's been 32 years.

I was at CSE. I wasn't in my current role, but I was at CSE.

I wasn't in a position where that was my task.

I'm not aware of that.

No, I'm not aware of that.

In our role at the cyber centre, we want to make sure that we expose the threats and that we educate Canadians and Canadian organizations about the threats. We invite them to ask themselves the questions of how to protect—

We definitely factor all of that into our threat assessment, but when we put out our advice and guidance, we pose a set of questions that we encourage Canadians and Canadian organizations, individually, to—

Mr. Chair, if you share information, that can potentially contribute to the data-mining exercise of whoever is at the other end of that data leak.

I will begin and then my colleague can respond.

The role of the Canadian Centre for Cyber Security is to collaborate with Elections Canada to ensure that elections infrastructure is properly protected. That's what we did during the 2021 election.

Our role is not to examine the content of messages exchanged. Our main role is to protect infrastructure.

I want to make a clarification. We don't view content because we don't have the mandate to do so. The role and mandate of the Canadian Centre for Cyber Security is to protect infrastructure and not to check content. Clearly, we're concerned with infrastructure security, but also with foreign interference. Our goal is to teach Canadians how to stay as informed as possible and where to get the most credible information. Generally speaking, that's our focus.

Unfortunately, I don't remember the date. I apologize.

Maybe I can answer this question. Thank you.

First of all, I'm going to start by saying that foreign interference does not occur only during an election. Foreign interference occurs all the time, every day, and I think we have to bear that in mind, because when you start to look at an election, which is a finite time frame, you're not going to always catch the foreign interference that's happening at that point. We start watching what's happening every day with regard to the buildup to an election, and we are constantly monitoring to see if there is any type of foreign interference coming from a hostile state actor.

When you're looking at a specific time frame and you're dealing with perhaps a social media attack, it takes a very long time to be able to figure out where that actually came from. You don't just flip a switch and already get it back to the country it came from or the threat actor it came from. It takes a long time for the intelligence services to put that work together and to follow that train back.

Also, when you're looking at social media, we do not monitor social media. You don't want your national intelligence service to monitor all social media. We have to make sure that we know there's a threat there, and then it comes under our mandate.

We also have to guard freedom of speech. We have to educate across the board to make sure that we are guarding freedom of speech but also educating, at the same time, in regard to foreign interference. It's an extremely complex situation. It's not just determining that, yes, this came from a foreign state; we also have to make sure that it's actually causing an impact to our sovereignty and our national security. Then we start to educate across the broader sphere on that perspective.

We don't necessarily monitor the development of social media platforms. It goes a little bit back to what I said earlier, that I would worry that we would focus on one specific platform or two specific platforms. I think it's really important to start to educate everybody on really good social media hygiene. I don't know if that's a phrase, but I'm going to call it that. I think it's fundamentally important that every individual takes responsibility for what they're actually sharing and is aware of the cost and the impact that could have on them.

Therefore, if people are being aware and careful, then even if there are other media platforms, they're already in a good state of mind. They're protecting themselves. It doesn't matter if there's another platform developed, because they already have, again, good social media hygiene practices.

In my role as the head of the cyber centre, I'm here to share with you the threat landscape as we see it. That threat landscape is informed from a number of sources. Some of them are public sources and some of them are classified sources. In a sense, whenever we find something, we will distill it down and we will put it out there, regardless of what the source is.

Unfortunately, I did not watch the testimony on the date you indicated.

The concerns we have are these: Who has access to the data? Where does the data reside? How easy is it for the host nation to get access to the data? That is what we are asking. Everybody who uses a social media app should ask themselves those questions in order to be a better-informed user of social media. In the case of TikTok, if the data is hosted in China, that would be a concern, considering some of China's permissive laws for getting access to user data.

We want Canadians to ask those tough questions about security settings in order to be better-informed consumers.

Thank you for this extremely important question.

I think education needs to happen at all levels.

Again, I'm not a policy person. I'm a mother, and I would like to make sure my kids get educated at schools, in community centres and across the board. We need to start to have that greater engagement, but that's me speaking as a mother, not as a security officer.

I think we need to have that education piece, absolutely. It's fundamentally important.

Foreign interference is something we have been looking at in the service. I've been in the service for 32 years. From the day I started, we've been investigating foreign interference. It's something that has been in our country for decades.

Canadians have become very complacent and comfortable in our environment. I think we need to become much more aware of what's going on around us. It's become much more prevalent with the advent of social media and the technology we're dealing with. We are at risk from the activities of hostile states. They are interested in undermining our sovereignty and our democratic institutions. It's fundamentally important to protect the national security and the future of our country. We must take the necessary precautions, with awareness and education, in order to protect ourselves and our systems moving forward.

In our role, we don't issue advisories on specific apps. We share advice and guidance about social media in general.

That is a decision of the CIO of Canada.

No.

Not to my knowledge, no.

We provide advice to government on foreign interference in the general sense. I'm not aware of us advising, specifically, on this social media platform.

We investigate threat actors; we don't investigate social media platforms. Depending on how threat actors are evolving, we may have insight into what goes on a platform, but otherwise we investigate actors.

Thank you.

Can you just repeat the question?

I think detecting counter-narratives on social media platforms may be a common occurrence, but to link them specifically to a hostile threat actor is a bit more complex. I'm not sure how often that happens. We do know that threat actors do that—such as the PRC, Russia, or other hostile state actors, as my colleague mentioned—but I don't have a specific number for you.

I'm not quite sure what you're asking me. I'm sorry.

How I would answer that would be to say that, in any situation, any foreign threat actor is always monitoring everything that's going on within a country of interest. They will pick up on any little piece of information, and they can magnify that into misinformation or disinformation in order to achieve their goal. They will continue to magnify that until they feel that the damage is done.

The way I'm going to answer that is to indicate that there is always going to be, as you noted, a grey area. There is the policy and what the social media is collecting and engaging intentionally, such as—as they indicated—email addresses. However, as Mr. Khoury indicated earlier, it's not only the email address that you signed up with; everything else you are doing as an individual on that site is also data that can be collected. That's what we call, in many cases, big data. They will scrape all that big data off, and then they can do their data crunching.

That is where some of the danger comes in. That's where they can start to find the trends in the ways they can do the interference and the influence.

I think it's a very serious problem.

These aren't going to be hostile states; these are hostile terrorist organizations. These individuals will be sitting in another country. They are out there monitoring social media, creating their own websites and looking for youth. They are looking for those individuals who perhaps are on their own, sitting in their room on their computer exploring and trying to answer questions. They are very vulnerable. Then those individuals pick up and they build a relationship.

Traditionally, in the espionage world, we used to call that creating a honey pot. You attract these individuals to come to you. That's what they do. Once they have these individuals, they continue to work on them. They continue to give them media pictures. They build that extremist ideology and they mould that young mind.

That's what I'm very worried about, because I think we have a lot of very vulnerable youth at this time and a lot of very hostile actors who are willing to take advantage of those children.

We're definitely concerned about misuse of artificial intelligence. Artificial intelligence comes with opportunities, but also with challenges. We know that artificial intelligence is often used to amplify misinformation. Part of the algorithmic nature of some of those tools is to amplify misinformation.

We're also concerned about information leakage through artificial intelligence when you interact online. We've put out some advice and guidance to Canadians on how to make use of some of the public tools that are out there in terms of artificial intelligence, on being aware of the threat that is inherent in the use of artificial intelligence and on how some countries or some states are trying to exploit AI algorithms for their benefit.

We're doing a number of things. One is our own internal research on what the state of the art is in terms of what AI is up to these days. From a government perspective, we're also working closely with Treasury Board to ensure that it provides some guidance to the rest of the government departments on how to use those tools with informed advice. Beyond government, we've put out some publications. We talk. We offer speaking opportunities to inform about the threat that comes with AI.

Absolutely, there are opportunities, but we also know that the flip side of that opportunity is potentially a challenge or a threat.

Thank you very much.

Thank you for inviting me to share some views about whether, and how, social media can undermine privacy, safety, security and democracy.

I am Sharon Polsky, president of the Privacy and Access Council of Canada, which is an independent, non-profit, non-partisan organization that is not funded by government or industry. It has members in the public and private sector who routinely use social media in their personal and professional lives.

Many can recall when Google mail was introduced. It was a brilliant marketing manoeuvre that preyed on human nature. Only the chosen few who were selected to have an account could have one. The invitation accorded those few people special status among their peers. This tactic and the media attention created demand. There was no talk about downsides, risk or privacy. People just wanted to have that Google account. It was simple psychology that showed how easily people can be manipulated.

Since then, we have seen countless examples of big tech manipulating us to share the most intimate details of our existence online. Social media continues to leverage human nature, and the lucrative data broker industry is the biggest beneficiary, other than those who would manipulate us for their own benefit, whether they're companies, political parties or governments. With recent geopolitical events, it's easy to think that what people post to social media might be used to coerce, extort or manipulate, but crediting social media alone, or social media from one country or another, is short-sighted.

Online risks reflect society and come from many sources, including familiar communication and collaboration tools that many in this room probably use most days. Every one of them is a real and constant threat. Zoom, Teams, Slack, Facebook and the rest are all foreign.

It's no secret that many companies scrape data and justify their actions by saying they consider the information to be public because their AI systems were able to find it on the web. Maybe the secure location where you posted personal or confidential information, or the Ontario hospital you visited recently, has been breached and now your health condition or sensitive conversations are being sold on the dark web.

If the concern is that people who use social media might disclose information that could make them politically sensitive and at greater risk of being influenced, I look to the recording we hear every time we call our cellphone provider or most other companies that says, “This call will be recorded for training”, which typically means the training of artificial intelligence systems through machine learning. The human side of that training is done in countries around the world by individuals who have access to your sensitive information.

A Finnish tech firm recently started using prison labour to do data labelling. It goes on and on. We have no choice whether the labelling is done by someone in Alberta or in Albania. There is no control over it and there is nothing stopping a company or a government from purchasing information, because it is available largely through the data broker system. It is widely available internationally. I could go on and on.

Yes, certainly education is important. Computers have been on desktops for almost half a century. The education is not there yet, as we see big tech investing tens of billions of dollars a year in objecting to and undermining efforts to regulate the industry, with the claim that it will undermine innovation. It's a red herring that's been disproven many times throughout history.

We see dating sites that people use routinely, which are wonderful for a social life, but when things like the Canadian dating site Ashley Madison are breached, I dare say that many of their customers become politically sensitive.

If children or adults go on any website, usually, before they even see the results, the fact that they have been there—whether it's for mental health, addiction or medical counselling.... That website has already secretly been transmitted to the likes of Facebook and data brokers.

This isn't something Bill C-27 is going to fix, or any of the other legislation. In fact, most of the laws being introduced here and abroad will make the situation much worse for everybody, including children—especially children.

I am happy to take your questions. This is a massive endeavour, and I commend you all.

It's a terrific question, especially considering that previous witnesses in this committee, from CSE and CSIS, repeatedly said it is up to the consumer, including children, to read the privacy policy and understand what is going on. A lot of my colleagues and members of the Privacy and Access Council of Canada don't get it. They don't understand it. How can we reasonably expect children or anybody else to? I live this stuff. Most people don't.

How does it happen? Largely, it's foreign companies. Our laws are obsolete, ineffective and poorly enforced. They do it because they can.

I think it is pervasive.

Also, in the last half-hour, it took me a few minutes to find the birthdays of all but three members of this committee. I wish you an advance “happy birthday” for next week.

It's very easy. Our information is out there, even if we put out bogus information. You can imagine what my children go through. They have their online birthdays. On their real birthdays, their friends say, “happy birthday” and the algorithms pick up on that. The algorithms detect, by the volume of greetings on the real date, that it's the real birthday, along with the other information amassed through this hidden data broker system, where our information is traded, sold and bid on instantly.

The minutiae of our lives are available globally for sale.

I agree. It's not just a matter of one social media platform or another, one company, or one government or another. This is pervasive, and it's been growing for a generation.

What do we do about it? How do we stop it?

Yes, it's education starting at the very youngest ages. Is it too late to put the genie back in the bottle? No. There is so much information about each of us floating out there that we don't even realize that we individually are at a loss. Corporately, people who are procurement officers, who know as much or as little as most people, are at the mercy of the vendors. They're not interested in your privacy. They're interested in their commission, their bottom line and their shareholders benefiting.

I'd be happy to.

I read some of the written record, yes.

No. Was it a complete, thorough, fulsome answer? I don't know, but from my experience—keeping in mind that I'm the president of the Privacy and Access Council of Canada, that I've been a privacy adviser for about 30 years, and that I've been inside a lot of organizations and have seen a lot of things—very often, the language in testimony, in media reports and in so-called privacy policies doesn't give the full story. We'll collect your information and share it with our partners and affiliates, but with whom, when, where in the world and for what purpose?

As lawmakers, one thing you could do is not enact Bill C-27, because that's not going to make it better; it's going to make it worse.

What can we do? Is PIPEDA a comfort? No, it is not, because it's not sufficient, as Jennifer Stoddart said when she was in the final days of her role as commissioner. It could use some more teeth. How many years ago was that? It still needs some more teeth. Sure, Canadian organizations are responsible for the proper collection, use, disclosure and all the rest of it under PIPEDA, but when the information goes offshore, they lose control of it. We as Canadians have no recourse when our information is in a foreign nation and goes into the wind, or when we see things that breach our privacy, whether from Equifax, Meta, Google or any other organization.

One commission or another somewhere in the world hammers them with a multi-million dollar fine or hundreds of millions of dollars as a fine. They put it in their financial report as a line item, and it reduces their tax liability—that's sweet, on to the next. That's all. It's lunch money to them. It's to the company, not an individual.

I think that ransomware, like so many problems we have online, is a reflection of society. It is the same type of crime that was committed before the Internet. The Internet is a tool that allows the perpetrators to commit these crimes in greater numbers, with greater efficiency and cost efficiency from their side, with greater returns. That's terrific, but it's no different. It's really no different.

The problem is education, again. You can have the best technology, the greatest security, but if somebody doesn't have the courage to question the boss or to call up the president and say, “Excuse me, ma'am, but did you actually send this?” or if they don't have the curiosity or the skepticism, especially nowadays, to question what is presented in their email—and I'm sure they act in good faith—and if they click the wrong thing, that opens the entire organization up to ransomware and to problems.

The organization can recover, but what about all the individuals whose personal information has now been compromised? In the case of Equifax, there were 146 million Americans, and the payout, the negotiated settlement, the fine.... I remember Kevin Mitnick, when he was still alive, on LinkedIn showing the cheque he got for $5.42. That was supposed to help him recover. In Canada, the Canadians who were affected got one or two years of credit monitoring that was administered through Equifax's American organization.

At this point, I would say it's the EU, because of the GDPR and because, at the very last minute, they put the brakes on a piece of legislation that would have required, basically, encryption to be broken to facilitate the ability of the police to find the predators. The police do that now without the encryption back doors.

I do.

Thank you.

I would say they are self-interested, because they are for-profit organizations. They do what they have to in order to improve their bottom line and to provide the greatest return possible to their investors and shareholders.

I think there are some that are better. They do take a greater interest in individuals' privacy. I could name the Tor Project, Signal, and Proton. These are the three that come to mind. They're not particularly social media platforms, but they are certainly communications tools that don't take any information, any metadata, anything. They don't keep it. That provides much greater security. As well, their encryption technology is much stronger.

That's a very difficult one, because each one of them has its own interests at heart. They collect the information and provide advertisers with the opportunity to reach our eyeballs. I don't know that any of them is really interested in our privacy.

“Surveillance capitalism”, the term that Shoshana Zuboff coined, is a wonderful term. We could also call it “surveillance economy”, because nowadays much of our economy is based on surveillance in one way or another, whether we realize it or not.

What can be done? Before a drug is allowed to be sold in Canada, before a vehicle is allowed to be sold and licensed in Canada, and a lot of other products, they have to be tested by an independent Canadian authority to make sure they are fit for purpose and safe. I think the same thing has to apply to the technology we all use every day, which is now being sold by self-interested corporations. That all fosters the surveillance economy.

The only way of pulling back from having our information used continuously as fodder for surveillance.... Spin doctors say, “Well, everybody is okay with it because they keep giving their information”, despite the fact that we have very little option or no way of opting out. It's up to our government to regulate it, despite the objections of big tech.

Well, I think it's a step backwards from what we now have in PIPEDA. First of all, the first word is “consumer”—the consumer privacy protection act—labelling us all as consumers. We are commodities, with our information to be commoditized.

It provides a private right of action once we complain to the commissioner, who is—like most of them—chronically underfunded. Once they finally get around to assigning the file, investigating, deciding and determining, it will go to a new tribunal, which I expect will have to at least review this, if not provide a fulsome re-investigation. If the tribunal agrees with the commissioner that a fine is in order, then the offending company has the right to take it to court.

How many years will that take? Once they have exhausted their legal recourse, you and I get to advance our private right of action. We then pay another lawyer and go through another 7-10 years.

Yes, this is a feature that.... I've found that in a lot of organizations, the people who create the websites don't talk to the people in the privacy office, shall we say. It's the old story that we'll put in all of these wonderful tools that can collect information, and it's really neat to say, “Hey, we can maybe do something with it in the future”, without knowing—because of lack of education—that they are overcollecting. The way it works is similar to a cookie. Before you even see the website you have called up, the fact that you are there has already been transmitted to Facebook and data brokers.

Absolutely. Our information is being sold, traded and bid on in real time. We don't know it and we can't say, no, don't do that, because we have no idea who is bidding on our information. We don't have a direct relationship with them. We have no recourse. Our information is gone.

I can give you a very quick example.

The way companies now are fined, but not the individuals, is meaningless. By contrast, after the Enron scandal, 20 to 25 years ago, the United States passed the SOX legislation. The complete name is the Sarbanes-Oxley Act of 2002. It said very simply that the person at the head of the organization is responsible for everything in the financial statement. If things go sideways, they personally face multi-million dollar fines and jail time. Companies around the world, including Canada, scrambled to make sure that they were SOX-compliant. We need the same thing.

I wouldn't go so far as saying it's fraudulent, but it's perhaps misleading. It's permitted under the current legislation and under Bill C-27, which is going to maintain the status quo of the same vague consent. That's not going to improve the privacy.

Okay. There are two things you're talking about here, I think.

One is that the companies or organizations that are supposed to obtain our informed consent at the time of or prior to collecting our personal information acknowledge—as did Mark Zuckerberg before Congress—that few people read these privacy policies. This, to me, says they are collecting our personal information knowing that nobody reads the privacy policy. Therefore, it is not informed consent. They are in violation of our privacy legislation, the GDPR and others.

What to do about it? Turn it around. Stop allowing the organizations to be in control. Turn it around so that we each have the ability to—

No, it's more than just opting in or opting out. Interrogate the company. Make it so that there is an index of companies where consumers can go and see how a company complies with the legislation. If one company does it in a way that is better than another, the consumer can make a choice. I allow my information to be used by your company for a certain purpose. I get a receipt. There is a record of it that I am in control of and not the company.

Spyware.

Absolutely.

I have a challenge with that sometimes. There's a lot, as I said, to discuss.

It's the granularity of the information they collect about us—usually without our knowing about it—such as the ride-sharing app we use that records the precise geolocation and the time of day. They can use it for their own purposes. Whom is that given to, and what assumptions can be drawn from that or any other information?

It is effectively spying on us. I agree.

We're protecting the next generation, absolutely, but we're all fighting against well-funded big tech that insists everybody wants this. Nobody understands it. Well, a few people understand it well enough to object to what it is doing to us.

Things have changed very quickly. I think it was in 2004 when a minister of the Canadian government was in the hot seat because it had been discovered by the media that the government was collecting 2,000 bits of information about each of the 33.7 million Canadians when there were some 31 million Canadians. People reacted quickly and vocally. The minister said, “Never mind. We've given the information back”—how you do that with electronic data, I don't know—and they apparently disbanded it.

That very quickly changed. Instead of dealing with one government department or another, now we deal with government, and the government says it owns our information. The whole concept of public policy has shifted. I dare say that if there is a genuine interest in preserving and protecting children, privacy and future generations, there needs to be some serious thought given to actually doing that. Studies are wonderful, but action has to be taken very quickly.

Is it a threat to our liberty? Absolutely. It's too easy for any organization to use the information that has been amassed about us to sway our views, to sway views of public policy, government, legislators, teachers, institutions. It's absolutely a threat to democracy and civil liberties—human rights. Artificial intelligence is going to make it even worse, unless there is effective, strong regulation to protect individuals, not just to foster commerce.

I have not investigated either of those companies closely enough to know what they gather, but in more general terms, companies do gather that information.

Typically—and keep in mind that we're told to respect authority and to give a straight answer when asked a question—people give their real information. It doesn't occur to them to give a made-up name or a made-up birthday or to use an email address that is a throwaway or that hides their real email address. They use their email address, and that gets connected in the background by the data brokers. It's a huge concern.

As for how to identify whether somebody is providing their real age or not, there are a lot of companies that are selling this service. They will collect your government photo ID and they will verify it. They amass that information, and that is another threat. On legislation, I know that Canada is thinking about the same thing that the U.K. and the EU have been thinking about—or, in the U.K.'s case, it has been enacted—and that is requiring organizations to collect that information. That is a huge threat.

I think they're very much like the questions you get: What's your favourite dog, your favourite animal or your favourite colour, or if you were a car, what would you be? These are all subtle ways of gathering information about people and their psychological makeup and their preferences. You don't know who's collecting it and what they're going to use that information for. It's a huge concern, absolutely.

There are places, well-funded organizations, that promote education, but it's a drop in the bucket. I think it's a matter of public policy to require.... I realize this is not a federal jurisdiction thing, but I'm sure the federal government could have some influence, perhaps, with its provincial and territorial colleagues, to say, “Include this in the mandatory curriculum, from pre-kindergarten.”

Oh, oh!

I've lost the interpretation.

I'm on English, but it faded away. I couldn't hear the translation for the entire question.

One of the things we see in existing Canadian and foreign legislation is consent that has no granularity. You have to consent to the organization collecting information from you and about you. It'll be shared with its business partners and affiliates. You don't know who those are, where in the world they are or what they're going to do with it.

Bill C-27 maintains the status quo, except it's going to have to be in simple, non-legalese English. It doesn't change anything. It's not granular. We need granularity.

Actually, the Quebec government has a new piece of legislation that was enacted about a year ago. The consent portion of it came into effect in September this year. It is better. It's not what it needs to be. It still gives the organizations the reins.

We need to turn it around so that the organizations are compelled to comply with legislation and be rated on their compliance by an independent organization that creates a publicly available index, if you will. We can then all go to this index and determine whether or not we want to deal with an organization based on its compliance with the legislation. It is then up to us to give our consent.

I'd be happy to send more information. I'm working with colleagues who are developing an international standard and a facility to do just what I've been describing. It turns it around, puts us in the driver's seat and compels organizations to comply with legislation.

That's important, considering there are still a lot of them in Canada that have yet to comply fully or at all with PIPEDA, 20 years later.

Go at it with both prongs, so that the organizations have to comply. Think of it as what Ralph Nader did long ago with the auto industry. Some people called it public shaming.

If you don't know how an organization is complying, whether it's complying or to what extent it's complying, you're in the dark.

Make it so that it has to publicly fess up.

I think there are an awful lot of laws already on our books that address the societal problems and the human nature problems that we see online and in social media. I don't know that having more laws—certainly, not more bad laws—is going to improve anything, so the answer is no.

Look at what we already have and enforce that.

If the people in a position to enforce had the authority to enforce the laws, yes. Now we have people who have the responsibility, but not enough authority or funding.

Yes, but I would challenge you on your reference to “a reverse onus on the corporation”. No, it's an obligation they already face under legislation. Make them comply.

Yes, reverse it. Thank you.

That's right. They monetize our information. They should be the ones to prove that what they are foisting upon an unaware and unsuspecting public is safe and is not going to undermine privacy, security and national security.