Procedure and House Affairs Committee on April 29th, 2020

I would say that Parliament needs to prepare for whether this is a blizzard or whether we are facing a snowstorm. If we're in a prolonged snowstorm, it will require a very active engagement from Parliament with the political executive.

We also need to become much better at anticipating low-probability, high-impact events. Part of the reason we haven't been able to do that is that we haven't had an adequate strategic assessment capability within the Government of Canada for almost 30 years. These types of what you might call “black swans”, even though this is not one of them, necessitate us to have a much more robust foresight capacity of anticipating the challenges that we face and what the best arrangements are in a democracy—for instance, what should a state handle or what should the private sector handle—because I think we can't go through this again in terms of the amounts of money we are currently paying out.

If I may, I would like to answer this question by reframing it. I think it's very important that you frame the challenge properly. It is not a privacy challenge; it is a cybersecurity challenge. It is why, for example, earlier on I heard Monsieur Turcotte refer you to the Communications Security Establishment.

You hardly ever share personal information. Privacy applies only to personal information. The broad challenge you have is one of cybersecurity, and therefore, like Monsieur Turcotte earlier on, I encourage you to seek the advice of Communications Security Establishment officials.

First of all, you may have noticed I did not use “100%”. I said “guarantee”, but you said “100%”.

As a lawyer, I would never say “100%”.

That being said, my point is that to frame the challenge properly, meaning to frame it as a cybersecurity challenge, you will bring to the debate or to the discussion the information that is truly relevant and that is truly for your security experts in government.

Good evening, Madam Chair and committee members.

I had intended to speak a bit in French, but given the time and the technical issues, I think I will just continue in English for the translators' ease.

Thank you for your invitation. I understand that in this panel session the committee is focusing on possible video conferencing platforms and their feasibility as it relates to establishing a virtual Parliament.

In terms of the feasibility of the technology, I expect others on this panel will discuss virtual and interactive teleconferencing in light of the capacities of different mediated platforms, albeit with some inherent limitations, security considerations and the risk of malfunction.

In terms of the feasibility of the House's capacity to amend its internal rules to facilitate members' virtual presence in lieu of their physical presence, it is clear that this can be achieved constitutionally. From J.G. Bourinot, writing in 1901, to David E. Smith, writing in 2017, in our system “legislative bodies alone are masters of their proceedings”.

As someone who studies government in Canada, my interpretation of feasibility today revolves around what sort of costs and benefits the adoption of virtual legislative meetings implies for democracy within Canada and beyond the walls of the House of Commons, so I engage this question: Is virtual assembly democratically feasible? Below are five points that may be helpful to you in your deliberations.

First, technology is intrinsically disruptive. The first taxi drivers to use cellphones to plot their courses could not imagine how this technology would alter their industry within a very short time. Plus, the law of unintended consequences warns us that intervention in complex systems tends to produce unanticipated consequences. Taken together, technology plus systemic intervention equals deep change marked by unpredictable outcomes. We cannot know the consequences of such change, but they will not all be positive for our democracy.

Second, the Canadian Parliament is unique. It is sui generis. We have a complex, diverse, finely balanced political system. In the rush to address the pandemic, it is tempting to examine how other parliamentary systems are moving towards virtual sessions, but it is a profound mistake to simply assume that what works in other systems necessarily will work the same way here. Because technology is disruptive, we need to carefully study technological adoptions and adaptations before asserting that we can estimate the effects of such change. In the history of legislatures to this point, no advanced democratic legislature deliberates and votes virtually as a method of normal business. Especially because of our complexity, Canada should not be among the first to do so.

Third, the state of democracy in Canada is not static. It has changed and evolved and continues to do so. It is dynamic and responsive to the factors and pressures that bear upon it. This is to say that the change can diminish it, as well as enhance it. Indeed, the quality of democracy can be easily damaged and insulted, as we have seen recently in some of the world's leading democracies. Any diminution in the legislature's task of holding the executive to account, or the media's key role, lessens democracy.

Fourth, considering a move to virtual House of Commons sessions and committee meetings uncovers many complex issues. Of these, one of the more perturbing concerns the deliberative function. As Valere Gaspard and I have written elsewhere, “The opportunities for formal and informal exchanges during debate, in committee work, and at work-related social activities provide crucial interactions among the members. These interactions allow MPs to be exposed to different ideas and perspectives. Such encounters are a key part of our democratic politics.... By reducing parliamentary debate, interaction and exchange to the click of a button, we risk losing what makes our democracy work.” Smith observes, “deliberation is more than an aggregation of individual constituency demands”. One of the challenges in the move to virtual assembly is to ensure that e-deliberation is more than just an episodic, half-hearted online opinion poll.

Fifth, other witnesses have commented on the importance of member privilege, so I will not repeat that information here. I find it difficult to accept, at this point, that virtual sittings and sessions can fully facilitate all the aspects of privilege that members enjoy when meeting in normal conditions. In particular, I expect that the privileges around political speech will be difficult to ensure and safeguard in a virtual context. The capacity of members of the House of Commons to express dissent—such as by voting against their party leadership, absenting themselves from controversial debates, challenging a ruling of the Speaker or even being removed from the House—to have that dissent understood, and to be sanctioned in known ways in accordance with the legislature's rules and the rule of law is fundamental to democracy. All manifestations of dissent demonstrate that democracy is present. It's not at all clear to me how one dissents effectively in a virtual session when those who are not speaking are literally muted. If dissent is not present and not demonstrated, then is their legislature really free?

These five points illustrate some of the costs to consider in moving to some form of a virtual assembly. Against these costs is stacked a weighty benefit: minimizing the risk of infection for MPs, staff, security, administrators, technicians and all their families. The benefit of good health is inarguable.

Therefore, the committee may well decide that meeting virtually is the best among few viable options. In this case, my view is that virtual meetings should be held very sparingly and with the understanding that these are short-term measures taken during an extraordinary period. Certainly going forward there's merit to ensuring that the House can meet virtually as a default or a backup option for future crises, and much more careful research should be undertaken as to how best to effect this. Creating this sort of institutional e-infrastructure will require a large, careful effort to fully understand the implications of such change. This period of crisis, in other words, should not serve as an accidental gateway to bringing in a permanent method of virtual assembly that is not well understood and that carries large democratic implications for Canada.

Is virtual assembly democratically feasible? Perhaps it is, but in small doses and with the intention to return to normalcy as quickly as possible.

Thank you.

Thank you, Madam Chair and committee members. I'm glad to be here.

As was mentioned, I'm director of the Citizen Lab. The Citizen Lab does research on digital security issues that arise out of human rights concerns.

As much of the world moves into work-from-home rules of self-isolation, technology has become an essential lifeline; however, this sudden dependence on remote networking has opened up a whole new assortment of security and privacy risks. In light of these sudden shifts in practices, it's essential that the tools relied on for especially sensitive and high-risk communications be subjected to careful scrutiny.

In my comments, I'm going to first quickly summarize Citizen Lab's recent investigation into the security of Zoom's video conferencing application—the application we're using right now—and the company's responses to our published reports. Then I'll discuss a broader range of digital security risks that are relevant to the work-from-home routines that MPs and their staff are following. I will conclude with six recommendations.

First, with respect to our published report on Zoom, we published it on April 3 and did a follow-up on April 8. In essence, at the core of that report was that we found that Zoom did not seem to have been well designed or effectively implemented in terms of its encryption. Its public documentation made several misleading claims about its encryption protocols that did not match what we observed in our analysis. I invite committee members to take a look at that report.

We also found potential security issues with how Zoom generates and stores cryptographic information. While based in Silicon Valley, Zoom owns three companies in China, where its engineers developed the Zoom software. In some of our tests, our researchers observed encryption keys being distributed through Zoom servers in China, even when all meeting participants were outside of China. A company catering primarily to North American clients that distributes encryption keys in this way is obviously very concerning, because Zoom may be legally obligated to disclose those keys to authorities in China.

In our report published on April 3, we also discovered that there were issues with Zoom's “waiting room” feature. We didn't disclose those at the time, because we consider them very serious. We did a responsible disclosure to the company.

Now, in response to both of these reports, Zoom has taken a number of actions regarding security. It has committed to a 90-day process to identify and fix security issues, including a third party security review, enhancing their bug bounty program and preparing a transparency report. They've also committed to improving their encryption, including working towards the implementation of end-to-end encryption. They acknowledged that some Zoom users based out of China would have connected to data centres within China and indicated that they had immediately put in place measures to prevent that from happening.

They've released new versions of their platform. You can see that there are some new features, like we experienced today with waiting rooms and passwords and so forth, and they've done a very good job in terms of hiring people with credible expertise in the cybersecurity area.

While it's encouraging that Zoom has made these improvements, the sudden reliance by a very large number of people on a platform that was never designed for highly sensitive communications is symptomatic of a much larger set of problems related to work-from-home routines. It's imperative that we evaluate all the risks associated with this sudden change in routines, and not just those associated with one particular application.

Legislators working from home are connecting using devices, accounts and applications through widely differing home network set-ups, as are their staff. These networks may be shared with roommates and family members whose own digital security practices may vary widely. Whereas in pre-COVID times these devices were routinely brought back into the government security perimeter where sensors might detect problematic network behaviour, this is obviously no longer the case.

Generally speaking, the communications systems we rely on have rarely been designed with security in mind. Security is either routinely regarded as slowing the speed of innovation or impossible to patch backwards. The consequence is that there is a vast array of unpatched systems that leave persistent vulnerabilities for malicious actors to exploit.

Meanwhile, governments and criminal enterprises have dramatically increased their capabilities to exploit this ecosystem for a variety of purposes. Almost all nation states now have at least some cyber espionage capabilities. There is also a poorly regulated private market for cybersecurity that includes numerous companies that provide off-the-shelf targeted espionage and mass surveillance services. Our own research at Citizen Lab has shown that the market for commercial spyware in particular is prone to abuse and has been linked to targeted killings and the targeting of a Canadian permanent resident. These relationships may well open the door to the same tools being deployed against legislators and their staff in jurisdictions like Canada.

At the best of times, these problems present extraordinary challenges for network defenders, but now parliamentarians and their staff are at even greater risk, and threat actors are capitalizing on this new environment.

In terms of recommendations, I make six, and I'll go through these very quickly.

First, where possible, extend the digital security resources developed for the House of Commons to all Canadians. I think the IT team at the House of Commons will be severely taxed dealing with all the problems I'm describing here. Some measures have been taken already, with CSE helping out. There are ways in which the measures that CSE is undertaking to push threat indicators out to some organizations outside of the government perimeter could be done more widely, but I would urge that they be done in a transparent and accountable way.

The second recommendation is that the Government of Canada should evaluate and issue guidance on work-from-home best practices, including those for video conferencing applications. This should include recommendations for scenarios on the use of some applications for specific purposes but not others, and I assume that we'll get into that in the question and answer session. Some of that has been done already by the cyber centre, but these are dated and largely insufficient for the task at hand.

The third recommendation is to support independent research on digital security and the promotion of secure communication tools. At a time when we're depending on technological systems, there should be more high-quality, independent research that scrutinizes these systems for privacy and security risks. To assure Canadians that the networks they depend upon are secure, researchers must have the ability to dig beneath the surface of those systems, including into proprietary algorithms, without fear of reprisal. Presently, researchers can come under legal threat when they conduct this research, to the detriment of everyone's security, so we recommend that the Government of Canada pass legislation that explicitly recognizes a public interest right to engage in security research of this sort.

The fourth recommendation is to implement a vulnerability disclosure process for government agencies, including the House of Commons. These processes establish terms by which researchers can communicate the presence of vulnerabilities in organizations' systems or networks without fearing legal repercussions. I believe Canada should do this as well to mitigate vulnerabilities and make it comfortable for researchers to engage in this type of adversarial research.

The fifth recommendation is to establish a transparent and accountable vulnerabilities equities process. The Communications Security Establishment currently has a process by which it evaluates whether to conceal the presence of computer software vulnerabilities for use in its own intelligence operations or to disclose them to ensure that all devices are made secure. However, CSE is formally alone in making decisions over whether to retain or disclose a vulnerability. We therefore recommend that the Government of Canada broaden the stakeholder institutions that adjudicate whether vulnerabilities are retained or disclosed, especially in light of the enhanced risk that all government workers face when working from home. We also recommend that the Government of Canada follow international best practice and release a full vulnerabilities equities process policy, so that residents of Canada can rest assured that CSE and their government will not retain vulnerabilities that could seriously compromise the security of all Canadians.

My last recommendation is to support strong encryption. Given the potential for adversaries to take advantage of poorly secured devices and systems, we recommend that the Government of Canada support the availability of strong encryption so that MPs, their staff and residents of Canada can be assured that the government is not secretly weakening this life-saving and commerce-enabling technology to the detriment of all Canadians and our allies.

Thank you very much.

Yes. I will do it, Madam Chair.

Madam Chair, members of the committee, good evening.

My name is Nathalie Laliberté, and I am vice-president of service to Parliament and interpretation at the Translation Bureau, within Public Services and Procurement Canada. With me today is my colleague, Matthew Ball, director of interpretation and chief interpreter.

I would like to thank you for this invitation to participate in your work concerning virtual sittings of Parliament.

The Translation Bureau is mandated to provide linguistic services for these sittings, and we are happy to share our views with the committee. I would like to specify, however, that our services do not cover technical support during the sittings.

As you know, under the Translation Bureau Act, we are responsible for providing services to both houses of Parliament and to federal departments and agencies in all matters related to the making and revising of translations from one language into another of documents, and to terminology and interpretation. We provide high-quality linguistic services in the two official languages, indigenous and foreign languages, and sign languages.

The Translation Bureau plays a vital role in implementing the Official Languages Act. This role makes the bureau a key player in communications with the public, the language of work in the public service, and the advancement of English and French in Canadian society.

Since 2017, we have followed a clear vision to guide our future as a centre of excellence in linguistic services for the Government of Canada. Under that vision, we launched major initiatives to increase quality control, modernize our business model and provide the most advanced language tools.

We expanded our capacity to provide services in indigenous languages, and we increased co-operation with the language industry in Canada. We introduced ways to better support our employees, deliver the training they need and take care of their mental health.

We revamped our recruitment processes and created partnerships to support the next generation of language professionals. For instance, we participate in the master of conference interpretation program at the University of Ottawa. We loan equipment and instructors to the university and, in return, we benefit from a pool of highly skilled new interpreters.

We are applying the same forward-looking approach as we adapt to the COVID-19 pandemic. Since mid-March, as you've seen, we've continued to focus on carrying out our mandate in helping Parliament meet its responsibility concerning the interpretation of proceedings and the translation of documents. That being said, we have the same issue with reduced capacity as the rest of government.

Luckily for us, translation lends itself particularly well to telework, and we've been able to maintain our services while having our translators work from home. As for interpretation, which is the focus of our discussions today, the bureau has been providing this service since 1959. Through the years, we have been successfully maintaining our services through the dedication of our outstanding employees and freelancers.

In this period of pandemic, given the technical requirements of interpretation, interpreters must continue to work on site in Parliament. However, I can assure you that their health is a top priority, and we have carefully applied expert advice to protect them.

We have added portable interpretation booths and installed partitions in existing booths so that there is some separation between interpreters who share the same booth. Interpretation booths are disinfected twice a day. We've provided interpreters with disinfectant wipes so that they can disinfect equipment before and after each assignment. We have loaned tablets to interpreters so that they can consult background information in the booth, without having to handle printed documents. We have reduced the size of teams and applied physical distancing rules to prevent contact between interpreters. We've made parking spaces available to interpreters so that they do not have to use public transit. We're taking into account the circumstances of interpreters who have young children or who must stay at home for other reasons, and we're keeping the lines of communication open with the unions.

You will ask, can an interpreter work from home? We've started to explore this possibility, but remote interpretation poses major challenges.

We use the term “remote interpretation” when one or more participants are not in the same location as the interpreters. In recent years, the increased popularity and accessibility of video conferencing has led to an ever-growing demand for remote interpretation. In response to this demand, the Translation Bureau began conducting its own tests and studying international best practices. However, the sudden onset of the pandemic forced us to step up our efforts, and for the last few weeks we've been actively working on this matter in collaboration with the House administration.

We have determined that certain criteria must be met in order for remote interpretation to work. These include the following: All participants must wear a headset with a microphone to ensure clear sound quality; participants must appear via video conference so that the interpreter can see their facial expressions and clearly communicate the tone of their message; participants must strictly adhere to the rules for speaking and must wait their turn to speak; a technician must be in the room with the interpreters at all times to address any technical issues; the audio feed of the interpretation consoles must have limiters or compressors to prevent acoustic shock; interpreters must be able to do sound checks with the technician and participants before each meeting begins; and, as always, participants who plan to read written statements must provide them in advance to our interpreters.

These criteria are needed to establish the optimal conditions so that interpreters can provide high-quality services in a safe environment. Abiding by these criteria will not completely eliminate the risk of interpretation service interruptions due to the technology used by remote participants, but it will greatly reduce this risk and help ensure the best possible interpretation.

The criteria on sound quality are particularly important, since sound is the cornerstone of interpretation. For example, if the sound quality is poor, an interpreter may mix up the words “symptomatic” and “asymptomatic”, which completely changes the message. Furthermore, poor sound quality puts the interpreter at risk. In the last two years, several health and safety incidents have been reported involving sound issues during teleconferences and video conferences.

Regarding the human resources required to provide interpretation at virtual sittings, the Translation Bureau will augment its team of interpreters. Variation in sound quality means that interpreters have to concentrate harder, which means they have to work shorter shifts. This means that we need to assign more interpreters per sitting. However, we will make every effort to meet this need.

Madam Chair, members of the committee, our mission is clear: we are here to serve Parliament, and we are doing our best to respond to the call. We are committed to pursuing our collaboration with the House administration and all our partners to help ensure that a virtual Parliament runs smoothly.

The Translation Bureau is proud to be able to help Parliament continue its essential work during this crisis, and we are proud to help the Government of Canada share the information Canadians need to stay healthy and up to date on what is happening in English, French, American Sign Language and Quebec Sign Language.

I would like to specifically commend our official language and sign language interpreters for the incredible work they are doing every day at the various press conferences. This crisis has shone a spotlight on their excellent work, and we are grateful for their dedication.

To close, I would like to thank the interpreters at this meeting. In addition, thank you to all the employees who work behind the scenes to make important meetings like this one possible, despite the difficult circumstances we find ourselves in. I would like to extend a special thank you to our invaluable partners at the House multimedia service and the committees directorate. I am sure you appreciate their efforts and expertise as much as I do.

Lastly, thank you, Madam Chair and members of the committee, for your attention and your interest in our services. Mr. Ball and I would be happy to answer your questions.

Thank you, Madam Chair.

I am pleased to be here today.

My name is John Weigelt. I'm the national technology officer for Microsoft in Canada.

I've had the privilege of working with the federal government for my over 30-year career in trustworthy computing, starting in uniform in the Royal Canadian Air Force, in the Treasury Board Secretariat as a public servant, and now as CTO at Microsoft Canada.

I'm grateful for the opportunity to appear before this esteemed committee and its members today as you discuss how technology can support the continuation of the Parliament of Canada during this unprecedented time. My remarks will focus on a thoughtful and deliberate approach to using technology to support virtual parliamentary activities, with privacy and security as the foundation.

You may ask yourself why we're focusing on security, as parliamentary proceedings are public and do not contain sensitive information. Microsoft believes that security must be the foundation of everything you do with technology, regardless of whether it's publicly available or involves sensitive material. Security protects against unwanted intrusions causing disruptions or introducing cyber-threats.

First, I'll give you some background.

Microsoft has a long history here in Canada. Since the establishment of Microsoft Canada in 1985, Microsoft's presence has grown to include 10 regional offices around the country, which employ more than 2,300 people. At our Microsoft Vancouver development centre, over 700 employees are developing products that are used around the world. Cutting-edge research on artificial intelligence is also being conducted by Ph.D.s and engineers at Microsoft Research Montreal.

These unprecedented times have forced every person in the world to adapt and dramatically change all aspects of their lives: how they work, how they learn and how they interact. We are proud to have enabled remote learning for students and educators. Virtual health visits are allowing for the delivery of health care while protecting patients and health care workers, and Microsoft technologies are empowering millions of Canadian workers in all sectors of the economy to work remotely during this COVID crisis. In fact, today over 100,000 federal public servants are now working remotely using Microsoft Teams, and this number is growing every day.

Today's technology and video conferencing capabilities are built on what we call cloud services. A cloud is information technology infrastructure upon which these virtual activities rely, and the safety and reliability of this cloud are key. Microsoft has been a long-standing partner of the Government of Canada, supporting the development of a thoughtful and deliberate approach through policy, guidance and standards for the government's adoption of cloud services. This strong partnership has enabled the rapid deployment of technology tools in response to the COVID crisis.

Our Canadian data centres in Toronto and Quebec City were the first to undergo independent audits and reviews against the government's security standard. As a result, the government certified Microsoft's services to safeguard the Government of Canada's information at the Protected B level. This is the government security classification for sensitive and personal information.

In addition, Microsoft has also worked with leading Canadian privacy experts to conduct a review of these services. We've published and shared this analysis in what is called foundational privacy impact assessments, setting a precedent across the industry. These assessments help public sector organizations of all types across the country understand how Microsoft cloud services, including video conferencing, address their privacy obligations. In addition, we're the only cloud provider that publishes all of our compliance and audit information, as well as the results of our security tests, publicly on our website.

I'm here to tell you that technology exists today to support virtual parliaments in a secure manner. Using our Microsoft Teams platform, we've been supporting parliaments in various jurisdictions. For example, the U.K. House of Lords is currently sitting remotely via Microsoft Teams, as are committees of the Quebec National Assembly. Virtual activities in these jurisdictions have been the result of close collaboration between the various Microsoft teams and the procedural and technical teams of these legislatures. This is new for everybody, and putting in place virtual parliamentary activity has required flexibility and adaptation on everyone's part. It's a mix of technology, process and people.

With over 75 million daily users worldwide, and now having exceeded 2.7 billion meeting minutes in a day, Microsoft Teams provides a robust environment for people to do their best collaborative work. It includes video conferencing and has many of the same features you've come to know with Skype and Skype for Business.

But video conferencing is only the beginning of what Microsoft Teams can do.

While the emphasis in this conversation has been on video conferencing capabilities, this flexible platform offers a broad set of collaboration services that we believe are useful in digitally transforming government and committee meetings. For example, it could facilitate the transfer of meeting minutes, pre-readings and written submissions. While we recognize that this is not a priority in the short term, this should be something that Parliament looks at in the future term. Microsoft Teams has the ability to support this activity in a secure way.

Further embedded in Microsoft Teams are a variety of assistive technologies to support individuals with unique accessibility requirements due to mobility, seeing or hearing challenges. We are pleased that Microsoft Teams is currently in the process of being deployed to each member of Parliament and employees of the House of Commons.

To be clear, security is at the heart of everything we do at Microsoft. We employ over 3,500 security engineers and run the Microsoft security response centre, which operates 24 hours per day, seven days per week, every day of the year. We analyze trillions of events encountered from our global footprint to keep ahead of threats. Since security is a shared responsibility that no single organization can address on its own, we have exceptionally strong connections to the government's cybersecurity team, and we work together to protect both the federal government's cyberspace and Canada's cyberspace.

While the technology does exist to support virtual Parliament, there are still privacy and security considerations despite the public nature of these meetings. For example, in the virtual space, how would you prevent unwanted disruptions by unauthorized individuals? Just imagine for a moment, if you will, that the public galleries are filled with hundreds of unruly spectators. In the physical space, the Sergeant-at-Arms and the Parliamentary Protective Service would ensure that they don't cause unwanted disruptions. How would you put in place similar safeguards in a virtual space to protect the integrity of proceedings? Solving for these security and privacy issues is a matter of correctly configuring privacy and security controls, and also making sure that you have the right security development cycle.

Similarly, individuals should have confidence that the software they deploy on devices, whether it's Windows, their Mac, their iPhone or Android, only does what they expect it to do. Recognizing this as a top priority for customers almost 20 years ago, Microsoft implemented the trustworthy computing initiative. This means that privacy and security are part of every step of the development of our products and services, and follow the privacy-by-design principles, which were invented here in Canada. This is a fundamental commitment that Microsoft makes to its customers.

Microsoft's privacy commitments, which exceed those found in Canada's privacy legislation, provide the confidence that Microsoft will never use customer data for any other purpose than providing the service.

In closing, I fully recognize the complexity of the procedural and technical work associated with examining remote options, and I applaud this committee's very important work and the work of the House of Commons. I have deep respect for the institutions of Parliament, and I am confident that the possibilities technology can offer to support your work in a virtual fashion can enable parliamentary activities to take place in a new and different way, all while maintaining the integrity of the democratic system.

It will be my pleasure to receive your questions. Thank you.