Information & Ethics Committee on Dec. 6th, 2023

Thank you, Mr. Chair.

I'd like to table the following motion. It has been distributed to all committee members.

The motion reads as follows:

That, as of January 29, 2024, the committee undertake a study concerning the use of technological tools capable of extracting personal data from telephones and computers in investigative processes conducted by several federal government departments and agencies; that the committee focus in particular on the reasons justifying the use of this investigative equipment by the various government institutions and on the privacy risk assessment process; That the committee devote at least 6 meetings to this study; That the committee invite each of the following witnesses to testify for at least one hour: (a) The President of the Treasury Board; (b) Each of the senior officials of the following departments and agencies: (i) Fisheries and Oceans Canada; (ii) Environment and Climate Change Canada; (iii) Canadian Radio-television and Telecommunications Commission (CRTC); (iv) Canada Revenue Agency (CRA); (v) Shared Services Canada; (vi) Competition Bureau; (vii) Global Affairs Canada; (viii) Transportation Safety Board of Canada; (ix) Natural Resources Canada; (x) Correctional Service Canada; (xi) Canada Border Services Agency (CBSA); (xii) National Defence; (xiii) Royal Canadian Mounted Police (RCMP); (c) The Privacy Commissioner; (d) Any other expert witness the committee deems necessary, provided that the President of the Treasury Board be the first of all to testify; and that the committee report its observations and recommendations to the House.

Thank you.

Thank you, Mr. Villemure.

The motion is in order.

Before we begin the debate, I invite you to say a few words about it first.

I yield the floor to you.

Thank you, Mr. Chair.

Privacy is a fundamental right. All the work we've done on this committee has shown us just how important it is to take an interest in these subjects.

Citizens are concerned about what's happening with their data. When we learn that agencies or departments have allegedly used software to monitor data, we can ask them if they have carried out a prior privacy assessment, as required by the Privacy Commissioner of Canada. If they haven't, the committee certainly has a duty to go further, to investigate in order to understand what happened. That's the first objective.

The second objective is obviously to correct what needs to be corrected. Certainly, we need to inform people of the risks involved in using certain software. However, we also need to inform them of the risks associated with activities they may be unaware of, because it's been done without their knowledge.

I don't believe the Government of Canada should be monitoring anyone without their knowledge. The Privacy Commissioner of Canada says the same thing in his rulings and reports. It is for this reason that I thought it appropriate to request this emergency meeting, in order to review the points mentioned above.

Thank you.

Thank you, Mr. Villemure.

Several members would like to speak on this subject.

I'll start with Ms. Fortier. Then it will be Mr. Green and Ms. Kusie's turn.

Ms. Fortier, you have the floor.

Thank you, Mr. Chair.

I thank the member for alerting the committee to this issue.

Some parts of the report that was published raise concerns. There were probably some departments that didn't follow the guidelines put in place by Treasury Board. I would still like to say that the government is not there to spy on public servants or departments. There are guidelines in place to do surveillance, obviously while protecting privacy, and Treasury Board must ensure that the procedure followed is appropriate.

I've had the privilege of serving as President of the Treasury Board. So I know there are protocols in place. What really concerns me is that the departments probably haven't followed those protocols. I think it would be a good idea to ask them first if they have followed them. It's also a question of seeing the reasons why they wouldn't have followed, precisely, the protocols put in place by Treasury Board.

There may also be a case for asking the Privacy Commissioner of Canada to appear. We could see how this commissioner could review these departments' compliance with the guidelines, or take a closer look at the procedure. I think it might be a good idea to add the Privacy Commissioner to the witness list.

I'd like to raise one last point. I think it's too early to ask the President of the Treasury Board to come and testify first. Instead, we should ask the departments to appear. Then, among other things, we could ask the Privacy Commissioner to do so in turn.

I'll stop here, Mr. Chair, in terms of my comments on the motion. Later, after hearing from my colleagues, some amendments may follow.

I want to point out that the commissioner is already on the list, in point (c).

Thank you, Ms. Fortier.

Mr. Green, you have the floor. Please go ahead.

Thank you very much.

I'm grateful to my friend from the Bloc for ensuring that this is a priority. It's certainly something that we flagged as New Democrats. I will reference our November 30 notice of motion, putting this committee on notice of the same. I fully support why my friend Mr. Villemure would want to see this prioritized in this way.

You will recall that in my notice of motion, under (j), I suggested that Chris Aylward, president of the Public Service Alliance of Canada, and Jennifer Carr, president of the Professional Institute of the Public Service of Canada, be added to the list of witnesses.

I don't know if we could maybe find consensus, Mr. Chair, whether through unanimous consent or on division, to add those witnesses to the list. They represent the workers who are ultimately impacted by this.

Mr. Green, I appreciate your wanting to add to that list. I will have to accept that as an amendment, if that's what you want to propose. Then we can discuss the amendment, come back to the committee and see if we do indeed have consensus. If not, we'll need to have a vote on it.

Mr. Green, just to confirm, I'm going to take Mr. Aylward and Ms. Jennifer Carr as an amendment to the witness list proposed by Mr. Villemure.

Thank you.

Is there any discussion on the amendment to add those two witnesses?

Go ahead, Mr. Kurek, on the amendment.

Yes. It's two unions.

As Mr. Green said, he has those two names in the motion on notice that he's proposed. He's just looking to add them here.

Not seeing any further discussion, can I have consensus among the committee to add those two names to the list?

(Amendment agreed to)

Thank you for that.

Ms. Kusie, you have the floor.

Thank you very much, Mr. Chair.

Thank you very much to the committee for having me here today as part of this conversation.

Mr. Chair, as you can well imagine, we were very concerned when we found out late last week that 13 different federal departments and agencies have this spyware attached to them. They include, but are not limited to, Fisheries and Oceans Canada, Environment Canada, Canada Revenue Agency, Global Affairs Canada—and as a former employee of Global Affairs Canada, I'm especially troubled by this agency—Canada Border Services Agency, the Department of National Defence and the Royal Canadian Mounted Police. Several other institutions are using this spyware technology. As I said, we became aware of this late last week.

This is being used across government, Mr. Chair. This isn't limited to a single department or agency. What's even more concerning is what this spyware is capturing. It runs the gamut of all communications across government. It includes all the text messages employees have sent to their friends and family. Of course, we know we all use our phones on a daily basis. The sensitive information in these text messages includes information about where your children go to school and whether you have to pick them up, your place of work perhaps and any medical appointments you might have. The most sensitive information is communicated through these text messages.

Can you imagine your entire contact list being made public, being in the hands of government and being exposed to being released or shared with those you had not intended to share your contacts with?

It's photos. I enjoy taking photos, especially at this time of year, when there are so many beautiful decorations across the capital and elsewhere, but having your entire photo library shared across government is absolutely concerning.

It's travel history, as well. The government, through this spyware, has a history of your travel. That's very concerning as well.

This spyware can also be used to access cloud-based data. What isn't in the cloud in this day and age? This is what the government has exposed our public servants to—having their cloud-based information across the network.

I for one would certainly not like my Internet search history put out for the public to see, in terms of what movies I'm interested in, perhaps, or the items I am considering buying my family for the holidays. This is the most personal of information we're talking about here, which has been gathered through this spyware and is now in the hands of government.

We have content that we have deleted in an effort to dispose of it. Certainly, we've all heard the fact that, once it's on the Internet, it's out there forever. Who knew that, with this government, once it's on your phone, it's with the government forever? Apparently, according to the report here, this is the case.

Finally, it's social media activity—every single post you ever liked, everything you ever reposted and every comment you ever made. If you are with one of these federal agencies, this is now in the hands of government. It's very concerning.

Public servants are concerned as well. They are gravely concerned. They wonder “why any government office would need such access to people's private information”, yet this is where we are at this point, where the government has access to this private information.

I'll quote two witnesses who were, fortunately, added to the list.

Ms. Jennifer Carr, the president of the Professional Institute of the Public Service of Canada, said:

We need to make sure that if our personal information is gathered, that we know about what information is gathered, how it's being used and how it could be affected if there are others who were able to access that.

My goodness, if you have any breach of public information in this day and age, a responsible corporation immediately notifies you of it. In this situation, our public service wasn't even being notified of the collection of this information, never mind the potential breach of it.

Here's another quote:

In a statement...Public Service Alliance of Canada national president Chris Aylward—

That's another witness I see you have, fortunately, added.

—called the use of such technology without a privacy assessment “alarming” and “shows a deliberate lack of transparency and accountability by federal departments and agencies.”

Those words could not be closer to the truth, Mr. Chair.

To add insult to injury, yesterday, in my role as shadow minister to the President of the Treasury Board, in the effort to get a response from her—many media outlets were denied any communication from her, any statements—I sent a letter asking her, under section 3.2 of the directive on privacy impact assessment, to take responsibility for this, because I hear my Liberal colleagues saying, “Oh, you know, we have these measures in place. They should be enforced.”

The Treasury Board does have oversight of this under section 3.2, where it states:

The President of the Treasury Board...holds general responsibility for registering all [privacy impact assessments] and reviewing the manner in which they are maintained and managed in all government institutions....

We also see in the article that “those departments' use of the [spyware] did not undergo a privacy impact assessment as required” under 3.2 of the PIA, which is under the responsibility of the President of the Treasury Board. That adds insult to injury. This just gets worse.

In that letter, Mr. Chair, I hope you will be assured, my Conservative colleagues here will be assured, my Bloc and my NDP colleagues will be assured and the government will be assured that I have called upon her to immediately enforce compliance, and if those privacy impact assessments are still not initiated by year-end, then she must follow through on the obligations by enforcing the consequences of non-compliance. That is certainly the very least that can be done when we find out that this spyware is in place. After the lack of oversight by the Treasury Board and the lack of oversight by this government, this can at least begin to be made right.

In conclusion, I think what concerns us most, on this side, my Conservative colleagues and me, is what was referred to in an article that was just published yesterday. That is the idea of—and I want everyone to hear this phrase—the “normalization of surveillance”. It is terrifying.

I think all Canadians should be consumed with the normalization of surveillance—I'm not even going to get into the digital ID issue here—and they have good reason to be concerned, as we have found in this information that was uncovered last week.

I cannot state enough the urgency and the necessity of this study, as brought forward, and thank you very much to my colleague for doing so. This must be addressed, and it must be addressed immediately, to quell the concerns of the public service and to further provide Canadians with confidence that this government gives a darn about their privacy.

Mr. Chair, I, too, would like to move an amendment, at this moment, to build upon the motion that was put forward. If the moment is right, I will read it into the record.

Go ahead with the amendment, Mrs. Kusie.

Thank you very much, Mr. Chair. It reads:

That, between the dates of January 8 and January 29, 2024, the Committee undertake a study concerning the use of technological tools capable of extracting personal data from telephones and computers in investigative processes conducted by several federal government departments and agencies; that the Committee focus in particular on the reasons justifying the use of this investigative equipment by the various government institutions and on the privacy risk assessment process;

That the Committee devote four meetings to this study;

I'm sorry, Mrs. Kusie. How many meetings did you say the committee devote?

I believe it's four in the subamendment.

On the subamendment...? It's an amendment to the motion that you're making.

That's correct. It's an amendment to the motion.

Okay. I'm going to get you to read the amendment into the record. The last part that you finished at was that the Committee devote at least four meetings to the study. Do you want to keep it at six, or do you want to move it to four?

According to this, I would like four, please.

You want fewer meetings. Is that correct?

My understanding is that it's four on the content of the amendment.