Evidence of meeting #36 for Industry, Science and Technology in the 44th Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was information.
A video is available from Parliament.
12:50 p.m.
Conservative
Michael Kram Conservative Regina—Wascana, SK
Okay.
I will turn things over to my colleague Ms. Gray.
October 3rd, 2022 / 12:50 p.m.
Conservative
Tracy Gray Conservative Kelowna—Lake Country, BC
Great. Thank you very much.
My questions are also for Mr. Baran-Chong.
During your testimony, you referenced your experience with Rogers. Of course, we had Rogers here for an emergency committee meeting this summer, and the CRTC really seemed to be defending the telecoms instead of being a regulator. Your comment actually was very similar when you said it seemed like they were standing up for the telecoms.
I'm wondering if you can go into that in a little more detail. Really, the CRTC should be holding the telecoms to account and standing up for Canadians. It seems like it's the other way around. Could you explain what your comments were in a little bit more detail?
12:50 p.m.
Co-Founder, Canadian SIM-swap Victims United, As an Individual
Absolutely. You kind of wonder whose corner they're in.
We've been consulting with PIAC quite a bit. We've been trying to get this data, for example. You'd think macro-level data is not too big of an ask or too much of a threat to security. We weren't even asking at the telco level what the data was in terms of the incidence of SIM swaps. The CRTC rejected that. The CRTC said that the hearing does not need to occur because the public has no real contribution to helping solve this problem.
Therefore, the question is this: Is the regulator trying to defend the telcos from being embarrassed or from further legal action? I know that a lot of the times in the early days, when people were trying to do lawsuits around this, they thought they were one-off incidences. When we heard it was 25,000 cases within that 10-month period, we were shocked. We thought it was in the few thousands or so. If you think about it, the prevalence and magnitude of this crime is massive. We think they're protecting them because this could be a big, big fraud and completely embarrassing.
12:50 p.m.
Liberal
The Chair Liberal Joël Lightbound
Thank you very much, MP Gray and Mr. Baran-Chong.
We now have to turn it over to MP Fillmore for five minutes.
12:50 p.m.
Liberal
Andy Fillmore Liberal Halifax, NS
Thanks very much to the witnesses. Thank you, Chair.
I'd like to bring us back to the topic of data in the era of great interest in protecting public privacy.
I'll get us there in this way. About six months ago I visited the cyber centre of excellence in Vancouver. It's embedded in Mastercard. It's a centre that this government invested about $50 million in. They're devising techniques and algorithms that will help to identify fraud during transactions.
I learned things. For example, in cases of ported or cloned phones, Mastercard can tell, if I normally type holding my phone this way, that someone's pretending to be me because they're holding it another way. They know if I hold it this way, flat instead of up, and how hard I'm pushing on the keys, or whether I'm using two thumbs or one finger. Some of the techniques that are emerging to figure out if the right person is on the other end of that phone are incredible. That's the bank and credit card perspective.
Then there are the vendors. The vendors are also party to fraud. They're creating profiles on all of us—what time we shop, what we buy and all of those kinds of things.
There are really three parties. There are consumers, banks and vendors involved in many of these things, and everybody has data. There's all this data being generated.
Perhaps I'll begin with Mr. Mecher.
In your experience, are there adequate feedback mechanisms or data sharing between the RCMP, CRTC, banks and vendors? Are we doing a good job there? Is there required reporting? Is it required to have fraudulent transactions reported to the RCMP? Is it voluntary by the banks?
Can you say anything on the discussion of data sharing in the era of the protection of personal privacy?
12:55 p.m.
Retired RCMP Fraud Investigator, As an Individual
I really can't speak to privacy matters. That's really not my niche.
I can say that previously, banks in particular have been periodically fully engaged on the fraud-fighting front. At the same time, some banks have gone in the opposite direction and, through willful blindness or what have you, have actually assisted fraudsters. That usually catches up with them.
12:55 p.m.
Liberal
Andy Fillmore Liberal Halifax, NS
Let's use the Mastercard example. When they detect a fraudulent transaction, is there a requirement that they inform the RCMP, or is that really a matter between their customer and them?
12:55 p.m.
Retired RCMP Fraud Investigator, As an Individual
Honestly, I don't know. I might give you a guess, but I don't want to hedge an answer on a guess.
12:55 p.m.
Liberal
Andy Fillmore Liberal Halifax, NS
Would Mr. Cosgrove or Mr. Baran-Chong have anything to add on that point?
12:55 p.m.
Co-Founder, Canadian SIM-swap Victims United, As an Individual
I would add that there's a company called EnStream, which is a joint venture of the major telcos. One of the services they offer is identity verification to prevent things like SIM swap fraud. This is a product that they sell to the banks.
I've spoken to some folks on the cybersecurity teams in the banks, and they know SIM swap fraud well, because banks are the ones who ultimately pay for it. They're the ones who are compensating for the credit card losses, other thefts and things like that. Banks are being sold a product by the telcos whereby the telcos can help identify frauds. There's this kind of perverse organization that exists.
Some other countries have done some of the stuff that you're alluding to. For example, they will block bank transactions after a port. There will be a bit of a freezing window. They know that there's a high risk of things like that.
There are connections between bank, telcos, privacy and security in the enabling of these frauds.
12:55 p.m.
Liberal
The Chair Liberal Joël Lightbound
Thank you very much, Mr. Fillmore.
I have to cut you off because we're almost out of time. We still have two questioners.
I'll turn to Mr. Lemire for a short two minutes and 30 seconds.
12:55 p.m.
Bloc
Sébastien Lemire Bloc Abitibi—Témiscamingue, QC
Thank you, Mr. Chair.
I have listened to the witnesses and I see the importance of legislating for victims of fraud. The government has introduced Bill C‑27, An Act to enact the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act and to make consequential and related amendments to other Acts.
What is your opinion of this bill? Does it go far enough?
Do you have any recommendations for us in this regard?
12:55 p.m.
Co-Founder, Canadian SIM-swap Victims United, As an Individual
I'm admittedly not familiar with Bill C-27.
12:55 p.m.
Bloc
12:55 p.m.
Retired RCMP Fraud Investigator, As an Individual
I'm sorry. I didn't hear your question.
12:55 p.m.
Bloc
Sébastien Lemire Bloc Abitibi—Témiscamingue, QC
Have you heard about the new Bill C‑27?
Does it go far enough in protecting victims?
1 p.m.
Liberal
The Chair Liberal Joël Lightbound
Thank you very much, Mr. Lemire.
I yield the floor to Mr. Masse for two and a half minutes.
1 p.m.
NDP
Brian Masse NDP Windsor West, ON
Really quickly, Mr. Mecher, do you feel that a civilian-led attempt to bring the different jurisdictions together would be appropriate at this time, whether it be to help coordinate...? It doesn't have to be aggressive to the RCMP, the CRTC and the others, but I'm wondering whether a third party is required to help coordinate the sharing of resources and the sharing of information.
Mr. Mecher, did you hear that?
1 p.m.
Retired RCMP Fraud Investigator, As an Individual
I had a technical issue.
Anything is worth a try. I don't think that particular approach is entirely unique. It might be beneficial. The nice thing about having it beyond law enforcement, I suspect, is that it would be a whole lot easier to be transparent.
1 p.m.
NDP
Brian Masse NDP Windsor West, ON
Mr. Cosgrove, I'll go quickly to you on a civilian-led approach, and then I'm sure I'm out of time.
1 p.m.
Digital Safety Educator and Civilian Advisor, As an Individual
Yes, absolutely. There is a tendency from the stuff that I see myself, because I'm speaking from my own experience, to over-complicate things, overpresent them and overformalize some of this information. If we're looking at seniors as being a major target of just about any type of fraud, making big formal documents and online bills and everything doesn't make them aware of this stuff.
We need to get down into the trenches and resolve this stuff more in person or with easier information.