Evidence of meeting #16 for Industry, Science and Technology in the 43rd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was fraud.
A recording is available from Parliament.
3:45 p.m.
Liberal
Majid Jowhari Liberal Richmond Hill, ON
Once you identify that, what is the next step? How do you inform the registrant that they're not allowed to operate? Also, how is an individual who is now trying to access the .ca domain informed that it is a fraudulent domain?
3:45 p.m.
Corporate Counsel, Canadian Internet Registration Authority
That's a great question.
We have an audit process, the registrant information validation process, or RIV for short. What we do in those instances is send an email to the domain name holder asking them to confirm that they meet CIRA's Canadian presence requirements and that they confirm their identity. In circumstances where they don't respond or they can't show they meet CIRA's Canadian presence requirements, we suspend the domain name, which means that the website will be taken down. Ultimately, we delete the domain name.
3:45 p.m.
Liberal
Majid Jowhari Liberal Richmond Hill, ON
That's the proactive part that CSE also mentioned, but before it even gets into the Canadian domain is it already stopped, so it's not going to impact?
3:45 p.m.
Corporate Counsel, Canadian Internet Registration Authority
That's correct. I would also note that to date we have not received any complaints at all with respect to any COVID-19-related websites on a .ca domain name.
3:50 p.m.
Liberal
Majid Jowhari Liberal Richmond Hill, ON
Do you work with CSE to inform them that such an organization was attempting to create a domain? How often do you have that communication with CSE?
3:50 p.m.
Corporate Counsel, Canadian Internet Registration Authority
We collaborate regularly with CCCS, but in terms of instances of one-offs, I don't believe we communicate each domain name to them individually.
3:50 p.m.
Corporate Counsel, Canadian Internet Registration Authority
In terms of the domain names that are not—
3:50 p.m.
Corporate Counsel, Canadian Internet Registration Authority
Those are not made public.
3:50 p.m.
Liberal
Majid Jowhari Liberal Richmond Hill, ON
Okay. Let me move to CSE.
Mr. Jones, I was reviewing the Library of Parliament notes, which indicate that the “effectiveness of CIRA's technology relies on intelligence provided by the Communications Security Establishment's CCCS”. Can you shed some light on the technology you're referring to?
3:50 p.m.
Head, Canadian Centre for Cyber Security, Communications Security Establishment
From our perspective, we're one intelligence thread that is fed into CIRA. I'll let our colleagues at CIRA talk about the broader approaches, but our feed comes from our defence of the Government of Canada. As we see attacks or compromises happening, such as, for example, spam emails being sent to us or attempts to defraud the government, etc., we share those indicators regularly with our partners, including CIRA.
In CIRA's case, then, with Canadian Shield, they're able to take those and put those to block, so that even if a Canadian were to click on the link they wouldn't be able to get to the bad or malicious site. That's an advantage. We do that same level of defence on the Government of Canada as well, but that's where we get the information from. It's really from our defence of a coast to coast to coast and global network. We try to feed that into our partners at CIRA to make sure Canadians are protected.
3:50 p.m.
Liberal
3:50 p.m.
Liberal
The Chair Liberal Sherry Romanado
Thank you very much.
Our next round of questions goes to MP Lemire.
Mr. Lemire, you may go ahead for six minutes.
May 20th, 2020 / 3:50 p.m.
Bloc
Sébastien Lemire Bloc Abitibi—Témiscamingue, QC
Thank you, Madam Chair.
I'd like to start by recognizing Mr. Masse's contribution; he's been making us more aware of the issue for quite some time. Thanks to him, it's on our radar and we are learning more about it. As a member of Parliament, I think it's incumbent upon us to act to better protect our constituents.
I'd like to follow up on Mr. Marchand's comments. One thing he mentioned was that, as people's socio-economic conditions worsen, external attacks become much more frequent. He referred to a 600% increase. What's more, he said information that's stolen isn't used immediately; that tends to happen down the road, within approximately 18 months.
Mr. Marchand, you said there was an accountability gap because the current state of affairs makes it easier to open fraudulent accounts and carry on criminal activity. Can you tell us, in concrete terms, how that's problematic and how companies could be held accountable?
3:50 p.m.
Certified Fraud Examiner and Certified Administrator, Biometrics and Security, Nuance Communications
Thank you, Mr. Lemire.
To start, I'll provide some clarity around the 600%. It refers to the increase in the number of attacks involving COVID-19 during this very specific period of time, not necessarily to the increase tied to economic factors. Naturally, during times of economic crisis, the number of scams goes up. The percentages vary.
That said, the lack of accountability in federally regulated companies is problematic in that all the current legislation—think of the Personal Information Protection and Electronic Documents Act, for example—forces companies to disclose that they were hacked and data was compromised. In Canada, however, we don't have an overall sense of how many people fall victim to identity theft once their information is stolen. Since banks and telecommunications carriers are federally regulated, they are making crimes involving one another easier to commit. In other words, much of the credibility for an identity is based on the fact that the individual has a cell phone account or bank account. These companies have tremendous amounts of sensitive information at their disposal, so once a hacker gets in, they can commit more and more fraud.
I have over a decade of experience in prevention, and I work with the fraud prevention teams in those companies. I can tell you that a bank's or telecommunications carrier's prevention team is under no obligation to disclose how many fraudulent accounts were opened daily or annually. They don't even have to contact or identify identity theft victims. That means you may have been the victim of identity theft, that your identity may have been used to open an account with a telecommunications carrier, for instance. The team in charge of fraud was able to detect the fraudulent use of a person's identity and reverse the transaction, but it doesn't have to notify the individual, in other words, the consumer. Consumers are completely clueless. No one has any idea when their identity has been used. The person can't take further steps to protect themselves in the future. That lack of accountability prevents the government from taking clear action to regulate the process of identifying or authenticating people who open bank or cell phone accounts.
3:55 p.m.
Bloc
Sébastien Lemire Bloc Abitibi—Témiscamingue, QC
Mr. Marchand, I gather that the Canadian Anti-Fraud Centre must be informed of this type of situation, for example.
For a company, what are the advantages and disadvantages of strong accountability when it comes to fraud? We know the advantages and disadvantages for individuals and for the public, but what about for companies?
3:55 p.m.
Certified Fraud Examiner and Certified Administrator, Biometrics and Security, Nuance Communications
The primary benefit of accountability is that it gives the government a clear picture of the situation. This makes it possible to determine the exact number of victims and to guide the steps needed to strengthen security measures in banks and telecommunications companies.
This certainly imposes a burden on the companies that must submit reports. However, I don't think that this burden is excessive, since the work has already been done. The data is already known. The data simply needs to be passed on to the legislator, to an organization overseen by the government. This organization could present the data on a broader and more anonymous basis so that the members of Parliament can access the information and know exactly what's happening in Canada.
3:55 p.m.
Bloc
Sébastien Lemire Bloc Abitibi—Témiscamingue, QC
I now have a question for Mr. Fortin from the Autorité des marchés financiers.
Mr. Fortin, what do you think of the potential requirement for companies to inform the anti-fraud centre of situations involving fraud?
3:55 p.m.
Executive Director, Enforcement, Autorité des marchés financiers
Thank you for your question, Mr. Lemire.
This issue doesn't necessarily fall within our jurisdiction. We're a law enforcement agency. I would still say that it's a good idea. I don't know what would be legally feasible. I was listening to you speak earlier and I was thinking that the methods used to prevent fraud obviously include education and transparency. This is a key component.
In this type of situation, the question that you asked Mr. Marchand about informing people who have been victims of identity theft or whose information may be used by third parties could be a good way to prevent fraud.
3:55 p.m.
Bloc
Sébastien Lemire Bloc Abitibi—Témiscamingue, QC
My last question is for the representative of the Royal Canadian Mounted Police.
Would the requirement for companies to provide much stronger accountability help you with your work, if the legislation were amended, for example?
3:55 p.m.
A/Commr Eric Slinn
It's a difficult question to answer. A lot of companies want to protect the integrity of their systems and all that kind of stuff, so they're apprehensive about coming forward sometimes.