Yes.
Evidence of meeting #17 for Industry, Science and Technology in the 43rd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was data.
A recording is available from Parliament.
Evidence of meeting #17 for Industry, Science and Technology in the 43rd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was data.
A recording is available from Parliament.
6:30 p.m.
Partner, British Columbia Public Sector, Global Business Services, IBM Canada
Yes.
6:30 p.m.
Liberal
Lloyd Longfield Liberal Guelph, ON
Building public trust in order to get people to return back to work is a real challenge, so that's one that fits into Google and what is going on with Google and Apple.
I'll go over to Mr. McKay maybe to comment on the Privacy Commissioner of Canada's saying that if this isn't effective, we will destroy the information that we've collected, and that there will be management.
Google gives us, again, worldwide opportunity that, if somebody is coming from another country, let's say the United States.... We have a lot of visitors from the States, not so much right now, but at some point we will have that again. How do we protect ourselves against Americans who are coming into our country and bringing COVID with them?
6:35 p.m.
Head, Government Affairs and Public Policy, Google Canada
I think you're talking about general public health protections and border restrictions.
From the point of view of the exposure notification API, you've noted an important element of how contact tracing must roll out and must be negotiated between public health authorities in different jurisdictions, which is how exactly they share information or they correlate information so that they can provide exposure notifications outside their own jurisdiction.
That is one of the more complicated elements of the conversation we're having around privacy because of the intersection between public sector data privacy rules and private sector data privacy rules that needs extreme focus and debate.
6:35 p.m.
Liberal
Lloyd Longfield Liberal Guelph, ON
That also brings into the discussion the World Health Organization and the need for an international body.
I'm out of time.
Thank you very much.
6:35 p.m.
Liberal
The Chair Liberal Sherry Romanado
Our next round of questions goes to MP Rempel Garner.
You have five minutes.
6:35 p.m.
Conservative
Michelle Rempel Conservative Calgary Nose Hill, AB
Thank you, Madam Chair.
I'm just going to build on some of the questions that my colleague MP Patzer was asking.
I will go back to the sharing of information with an app or the utilization of the API.
I'll go to Google. You talked about how there would be a binary between the app and, let's say, a public health authority. What about in a situation where the public health authority is part of what Western democracies would consider to be a malicious state actor with human rights violations? Is your company concerned about potentially aiding and abetting potential human rights violations in that situation?
6:35 p.m.
Head, Government Affairs and Public Policy, Google Canada
In the context of the exposure notification API, we've explicitly engineered it so that there is only the exchange of information about Bluetooth localization, and it isn't identifiable information for the public health authority. We would be communicating information about mobile phones that had been near each other within the constraints identified by the public health authority. They would have—
6:35 p.m.
Conservative
Michelle Rempel Conservative Calgary Nose Hill, AB
Okay.
So then, going on to that, I know that Bluetooth technology in and of itself is certainly not impervious to security issues. I know that there are two common vulnerabilities. There's “Bluesnarfing”, which is unauthorized access from a Bluetooth connection, or “Bluejacking”, which is sending unsolicited messages to a nearby Bluetooth device.
What work has your organization done to prevent a situation where, for instance, a hacker falsifies the spread of COVID? Let's say a malicious actor does that and then that information is spread. Let's say I had my phone on and I'm all well and good, or my family is all well and good, but somebody wants me to be in quarantine for two weeks. I have no idea who would want me to do that, but let's say somebody hacks my phone and sends a false positive on that. What liability would your company have, or how would you be preventing that from happening?
6:35 p.m.
Head, Government Affairs and Public Policy, Google Canada
It sounds like you're describing two separate things.
In terms of Bluetooth security, I can certainly follow up with what we've been doing to create a secure environment on Android phones.
In the other context, particularly the one you have identified around false positives, that's actually a system that would be controlled at the public health authority. They would be taking the results of COVID-19 testing and then using the API to notify people who had been in close proximity to the person identified as being diagnosed positive. So you—
6:35 p.m.
Conservative
Michelle Rempel Conservative Calgary Nose Hill, AB
Sorry, but just to clarify, I was asking this: What if I were falsely identified as being near that person?
6:35 p.m.
Head, Government Affairs and Public Policy, Google Canada
Well, that verification would be up to the public health authority who's using that information to then request proximity data from the API in order to notify people that they've been close by. The next step from that is then to move to testing. The way the API would work is that you would be notified that you had been in close proximity to someone who had been identified as infected. Then you would move to testing to verify whether or not you, in fact, had been infected by the virus.
6:35 p.m.
Conservative
Michelle Rempel Conservative Calgary Nose Hill, AB
Right. I mean, we're sort of having this conversation in the context of a western democracy, but what about...?
Things have changed here even, to a certain extent, one could argue, but again, I just don't understand that security aspect. What if I were falsely identified through hacking or misinformation or something using this Bluetooth API? I would be subject to a whole range of measures that I or somebody else wouldn't need to be. Has this been identified as an issue? How would you address this?
I guess what I'm saying is that contact tracing through API could be spoofed, right? How would we address that as legislators?
6:40 p.m.
Head, Government Affairs and Public Policy, Google Canada
I mean, we're speaking about a hypothetical. The data that we're talking—
6:40 p.m.
Conservative
6:40 p.m.
Head, Government Affairs and Public Policy, Google Canada
Yes, but the data that is on an Android or iOS device is simply a list of exposures that you've had to other nearby devices over a defined period of time.
If someone was going to spoof your test results or was going to try to trigger—
6:40 p.m.
Conservative
Michelle Rempel Conservative Calgary Nose Hill, AB
I'm not saying spoof my test results; I'm saying spoof me being near somebody who had a positive.
6:40 p.m.
Head, Government Affairs and Public Policy, Google Canada
I'm just processing this.... In the context of the data that's available on the phones, that would be extraordinarily difficult, because the Bluetooth records themselves are randomized and anonymized.
6:40 p.m.
Liberal
The Chair Liberal Sherry Romanado
Our next round of questions goes to MP Jowhari.
You have five minutes.
6:40 p.m.
Liberal
Majid Jowhari Liberal Richmond Hill, ON
Thank you, Madam Chair.
Welcome to all the witnesses. This is quite informative.
We're going into a lot of depth in the technology and also in privacy. One of the areas that I continue to struggle with still is one of the elements that was highlighted as part of the Triple A rating of Madam Arjomandi, specifically the adoption.
Let me tell you what I'm struggling with and put it into perspective. Canada has around roughly 35 million people. If we try to adopt even the lower end of the scale, which is about 60%, we would need about 21.5 million people participating in this. Assuming that we look at anyone above 15, this is probably about 100% of our adult population. In Ontario, we have about 14.5 million people, which puts it at about nine million people who should participate. Bringing it even one level lower, in York region, we have 1.2 million people, which means that about three-quarters of a million people should be participating. In Richmond Hill, we have about 200,000 plus, which means that 120,000 people should be participating.
Now, almost 20% of our population lives in the rural and remote areas. That's roughly eight million. Therefore, using that 60%, 4.5 million people should participate in that. Forget about the digital divide and the challenges that we have on being able to actually get the platform going.
I know that most of you opted out of answering this question, but I want to go back to where MP Erskine-Smith left off. Why should we not consider, in circumstances such as a pandemic, an opt-out model? Make it mandatory by the government and health organizations to adopt and use the application.
We could start with Ms. Arjomandi.
6:40 p.m.
Founder, President and Chief Executive Officer, Mimik
An opt-in or opt-out model won't work, because I can turn off my phone and not use it, or I can use a different phone. Why do that when there's a solution? Again, the solution is that you create a trust between end-users and government that here is a solution that you have, it's in your control and it is available. There is no digital divide in the solution that we're proposing. It's available on both Android and iOS. On the data, again, the data remains on your own device.
Let me give you a very different analogy here. Imagine that all your digital assets are kept in your home. Nobody has the right to come into your home unless it's with a warrant because you're accused of an illegal breach, right? If that's the way I think about my data, then that's the way I would try to utilize the app. I would use the application, because it benefits me as well—
6:45 p.m.
Liberal
Majid Jowhari Liberal Richmond Hill, ON
Yes. I anticipated that probably you'd answer. I did a quick check. In 2019, when we had the federal election, out of 33.5 million people, 25 million were eligible to vote, and 66% participated knowing that their votes and their participation would stay confidential. That's about 17 million. That's still way short of the 21.5 million for us, based on the number being discussed. We can talk about the U.S., with 2% adoption, or Calgary, which is now into the 4% adoption rate.
If in our most sacred civil duty we get 66%, or 17 million, how are we going to ensure that we can get to 21.5 million?
6:45 p.m.
Founder, President and Chief Executive Officer, Mimik
Because it's my health and it's important for me. Also, it's about being suspicious about existing systems. We all know that on the Internet no data gets deleted. I buy something from Amazon shopping and I come to YouTube and see the video of what I was looking for, so we know that nothing is getting deleted. We know that every intimate moment of our lives is being captured and utilized for advertising.
This is about health. We are worried. We are scared for ourselves and for our loved ones. We would use a solution if we knew that our data was—
6:45 p.m.
Liberal
The Chair Liberal Sherry Romanado
Thank you very much.
Now we'll start the next round.
Mr. Savard-Tremblay, you may go ahead. You have two and a half minutes.
6:45 p.m.
Bloc
Simon-Pierre Savard-Tremblay Bloc Saint-Hyacinthe—Bagot, QC
Thank you, Madam Chair.
I have a question for Mr. McKay from Google Canada. In recent years, Google has entered the health domain, partnering with hospitals and health groups. There were two stories in the news where it was revealed that patients didn't know their information had been collected.
From what I understand, that's not at all how this works. It's something the person agrees to voluntarily, so there's no risk of someone's information being collected without their consent. Is that true, yes or no?
Please keep your answer brief because I have another question for you.