Evidence of meeting #155 for Public Safety and National Security in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.)

A video is available from Parliament.

Also speaking

Gregory Smolynec  Deputy Commissioner, Policy and Promotion Sector, Office of the Privacy Commissioner of Canada
Leslie Fournier-Dupelle  Strategic Policy and Research Analyst, Office of the Privacy Commissioner of Canada
Glenn Foster  Chief Information Security Officer, Toronto Dominion Bank

4:40 p.m.

Liberal

Julie Dabrusin Liberal Toronto—Danforth, ON

We talked a little while back with HackerOne, who suggested that maybe we would want to consider legislation that would allow what they termed “white hat hackers”—I wish I could think of a better term for it and say “good person hackers”—who would help to poke at systems and find out where the problems might be.

From a privacy perspective, what would your thoughts be? If we were going to create that kind of legislation, what kind of protections would we need to be thinking about to enable people out there who are not part of, say, the public sector to start hacking into our systems?

4:40 p.m.

Deputy Commissioner, Policy and Promotion Sector, Office of the Privacy Commissioner of Canada

Dr. Gregory Smolynec

In part of my statement, I referred to cybersecurity reinforcing privacy and that they could be mutually reinforcing, but you also have occasions where perhaps excessive or inappropriate cybersecurity could have implications for privacy.

How good is the white hat hacker at protecting someone's privacy? They should not have access to some individual's personal information, if they are doing this hacking in the interest of cybersecurity. It would still not be good from a privacy perspective if individuals who are doing something for the benefit of enhancing cybersecurity are violating privacy.

4:40 p.m.

Liberal

Julie Dabrusin Liberal Toronto—Danforth, ON

I see that. I'm just trying to see what kind of protections we might be able to build in to enable that kind of a system, if we were going to do what had been asked of us by the HackerOne people. I can't remember what they suggested, but money would be offered to white hat hackers if they could find weaknesses in a system, as a way of getting people who are creatively hacking in.

The problem, I guess, is that once they do that, they do have access to private information, potentially. Is there anything you can think of that we should think about as far as building in protections is concerned?

4:45 p.m.

Deputy Commissioner, Policy and Promotion Sector, Office of the Privacy Commissioner of Canada

Dr. Gregory Smolynec

There might be some ways of doing things in an experimental environment that do not put real people's private information at risk. In the military and other organizations, as well as in some cases...in the privacy world too you can war-game cyber operations in a protected space. That might be an area to explore. In the privacy world there's even some war gaming of privacy protection as well.

4:45 p.m.

Liberal

Julie Dabrusin Liberal Toronto—Danforth, ON

I see that I have half a minute. I'm going to give that....

4:45 p.m.

Liberal

The Chair Liberal John McKay

You're going to give it to Mr. Motz. Mr. Motz loves this.

4:45 p.m.

Liberal

Julie Dabrusin Liberal Toronto—Danforth, ON

I was giving it to the collective pool of extra time. I could just talk it out for the next 20 seconds.

4:45 p.m.

Liberal

The Chair Liberal John McKay

There's a plus and a minus here, Mr. Motz.

You have four minutes, please.

4:45 p.m.

Conservative

Glen Motz Conservative Medicine Hat—Cardston—Warner, AB

Thank you, Mr. Chair.

Thank you, witnesses.

I just want to continue the line of questioning by Ms. Dabrusin.

Would Canada be better off having a vulnerability disclosure agreement with what I'll call “ethical actors”, so they are protected when they find faults in a company's system, so that it can be fixed before it is exploited? I think what you're trying to get at is that it would be beneficial to all Canadians.

4:45 p.m.

Deputy Commissioner, Policy and Promotion Sector, Office of the Privacy Commissioner of Canada

Dr. Gregory Smolynec

I haven't considered, nor has our office considered, the implications of ethical or white hat hacking for us to be able to give a detailed response. We could undertake to consider this space and come back to the committee with a more considered answer.

4:45 p.m.

Conservative

Glen Motz Conservative Medicine Hat—Cardston—Warner, AB

At my age, I know that sometimes I forget some of the witnesses' testimony, but we did have specific individuals here—and HackerOne was one of them—who do great work ethically to protect the consumer.

If this or the next government is looking at protecting against an adverse economic impact on Canadians by improving our cybersecurity, I would think we should have some understanding around some protections for those individuals. What are your thoughts on that?

4:45 p.m.

Deputy Commissioner, Policy and Promotion Sector, Office of the Privacy Commissioner of Canada

Dr. Gregory Smolynec

Our interest would be ensuring that people's privacy is protected, regardless of what the.... There may be a balance of interests here to consider, but in this context, I would say that citizens' privacy needs to be protected in their own right.

4:45 p.m.

Conservative

Glen Motz Conservative Medicine Hat—Cardston—Warner, AB

Yes, I agree with that. I suppose it's like national security to some degree. There's a balance between privacy and the need to protect national security. I think in the same way, if we have an ethical hacker who is able to protect the.... If there's some structure around how they operate, some protections for them as well as protecting the data of consumers, it's something that I would think that we should maybe consider pursuing.

I'll move on to a different line of questions.

You made a number of recommendations when you were at the Senate banking committee. One of them was that your office be granted enforcement authorities, including the right to independently verify compliance without grounds to ensure that an organization is in fact accountable for protecting personal information. Have you had any push-back from the private sector since you made that recommendation at the Senate?

4:45 p.m.

Deputy Commissioner, Policy and Promotion Sector, Office of the Privacy Commissioner of Canada

4:45 p.m.

Conservative

Glen Motz Conservative Medicine Hat—Cardston—Warner, AB

How do you envision those enforcement authorities working for the Privacy Commissioner's office?

4:45 p.m.

Deputy Commissioner, Policy and Promotion Sector, Office of the Privacy Commissioner of Canada

4:45 p.m.

Conservative

Glen Motz Conservative Medicine Hat—Cardston—Warner, AB

How would you see those authorities working for the Privacy Commissioner's office?

4:45 p.m.

Deputy Commissioner, Policy and Promotion Sector, Office of the Privacy Commissioner of Canada

Dr. Gregory Smolynec

This is something that exists in the United Kingdom, and we're actively looking at the United Kingdom in this particular area of enforcement activity to understand what the British experience has been on inspection without grounds.

4:45 p.m.

Conservative

Glen Motz Conservative Medicine Hat—Cardston—Warner, AB

I have one last question.

We had a witness, I believe it was on Monday, who called Canadians innocent when it comes to our own cybersecurity. What needs to change in Canada, from your perspective, sir, so that citizens are more vigilant about cybersecurity, and thus, their own privacy? You mentioned something to Mr. Dubé about that, but is there something more specific from your side that we can do from a legislative perspective or whatever?

4:50 p.m.

Deputy Commissioner, Policy and Promotion Sector, Office of the Privacy Commissioner of Canada

Dr. Gregory Smolynec

I'd say the number one objective, the number one priority, would be privacy law reform, rights-based privacy law reform.

4:50 p.m.

Liberal

The Chair Liberal John McKay

Explain that very briefly.

4:50 p.m.

Deputy Commissioner, Policy and Promotion Sector, Office of the Privacy Commissioner of Canada

Dr. Gregory Smolynec

Currently, I would say that our private sector law is principles based and, in a sense, very broad. In passing, it refers to the privacy rights of Canadians, but a rights basis would recognize, as Canada does, that privacy is an internationally recognized human right and, in the context of a human right, that there are also procedural rights associated with it. It would also recognize that this would be applied broadly across both public and private sectors. Canadians should be informed of their rights and how to exercise those rights. It's both a legislative challenge and an associated public education challenge.

4:50 p.m.

Conservative

Glen Motz Conservative Medicine Hat—Cardston—Warner, AB

With rights and responsibility?

4:50 p.m.

Liberal

The Chair Liberal John McKay

Thank you, Mr. Motz.

I think you've used up Mr. Paul-Hus' extra time and Ms. Dabrusin's extra time.

4:50 p.m.

Conservative

Glen Motz Conservative Medicine Hat—Cardston—Warner, AB

Thank you, I appreciate your indulgence.