Evidence of meeting #165 for Public Safety and National Security in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.)

Also speaking

Brian Johnson  Senior Director, Information Security, PayPal, Inc.

4:30 p.m.

Liberal

Ruby Sahota Liberal Brampton North, ON

I have seen articles also just recently this month of actual accounts of people being defrauded, with up to $9,000 or so being taken out of their bank account, and it has been done because the app can be hacked. As a result, the vulnerability of the app is allowing access into people's bank accounts directly.

We heard from credit card companies that the information is never shared directly. People's bank information does not directly go to the credit card company, but it seems in this case, the bank information is being directly shared with PayPal and then if there's a vulnerability there, the hacker can access all the information.

How are you protecting against that?

4:30 p.m.

Senior Director, Information Security, PayPal, Inc.

Brian Johnson

Media reports are not always accurate. To be technically accurate, the access of information within the PayPal account would only be through an authorized account holder or through their loss of credentials and device. If there's a loss of credentials by a consumer—let's say they have malware on their computer and their log-in credentials are stolen or lost through that—the access of their account through a malicious attempt would be caught by our fraud platform or risk systems to detect that. If it's not caught by some vulnerability, the only access into the PayPal account would be to PayPal balance, but not directly into the consumer's bank information. The bank information is stored in our system and not made visible, even after entered into the system by the consumer.

The only method they would have is of trying to extract data by using the PayPal system to process transactions. They might try to attempt fraud, but they wouldn't be able to get their bank account information through the platform.

4:30 p.m.

Liberal

Ruby Sahota Liberal Brampton North, ON

That's interesting. The article warns people to check their bank accounts regularly and look for PayPal transactions that may not have been authorized.

When this occurs, how does the person recover? Do they recover from their bank? Are they able to recover from PayPal?

4:30 p.m.

Senior Director, Information Security, PayPal, Inc.

Brian Johnson

We have buyer protection so if there are malicious or unintended transactions on a consumer account, we provide buyer liability and buyer protection for those fraudulent transactions and protect the consumer in that case.

I want to reiterate though that a malicious account access into a PayPal account is unlike a malicious access into any account. If online fraud occurs, we cover liability for the buyer, for the consumer, in that case. Our seller protection has other coverages to sell our merchants. The access to the PayPal account does not mean that the malicious actor necessarily has access to the bank account directly. They don't have access to credentials, nor to the bank account information, but only the linkage that we provide for the bank account as a funding instrument into the PayPal account.

4:30 p.m.

Liberal

Ruby Sahota Liberal Brampton North, ON

Okay.

I used PayPal many years ago, but I stopped using it after a while when I continued to get fraudulent emails telling me about certain transactions that were made. I have a final comment; it can lead to being very confusing for the user and, therefore, I steered away from it because I found I was receiving too many fake emails from PayPal.

4:30 p.m.

NDP

The Vice-Chair NDP Matthew Dubé

Unfortunately, we're going to have to leave it there.

I now give the floor to Mr. Paul-Hus for seven minutes.

4:30 p.m.

Conservative

Pierre Paul-Hus Conservative Charlesbourg—Haute-Saint-Charles, QC

Thank you, Mr. Chair.

Here is my first question.

Mr. Johnson, you mentioned that PayPal has existed since 1998. You have therefore been in existence since the beginnings of the Internet.

We know that cybersecurity issues have evolved in parallel with the Internet. Is PayPal able to follow that evolution and counter those threats?

4:30 p.m.

Senior Director, Information Security, PayPal, Inc.

Brian Johnson

Many of our staff in our information security organization are members of industry alliances that are helping to make the Internet more secure. We are absolutely in the research and development stages of many investments. Email phishing and anti-phishing working groups are other areas as well, as Ms. Sahota mentioned. The investments we make in email security, Internet security and browser security are at the forefront of our investments.

4:35 p.m.

Conservative

Pierre Paul-Hus Conservative Charlesbourg—Haute-Saint-Charles, QC

You also mentioned that people trust PayPal.

What measures have you undertaken to ensure that those who do business with PayPal do so with complete trust?

4:35 p.m.

Senior Director, Information Security, PayPal, Inc.

Brian Johnson

As I mentioned, our buyer protection programs provide liability coverage for any fraudulent activities that might happen on a consumer account. We also invest heavily into cybersecurity initiatives and our fraud-risk platforms. We have industry-leading metrics on how low our fraud numbers are in the sense that we protect and prevent a significant amount of fraud, and protect merchants and consumers on our platform at an excellent rate that we're very proud of.

4:35 p.m.

Conservative

Pierre Paul-Hus Conservative Charlesbourg—Haute-Saint-Charles, QC

Excellent.

Among the witnesses who have appeared before our committee for this study, we have had representatives from a number of banks, including the Toronto-Dominion Bank. One of its representatives informed us that cyber attacks against the bank come from a number of different countries.

Can you name the countries attacking PayPal's system?

4:35 p.m.

Senior Director, Information Security, PayPal, Inc.

Brian Johnson

Interestingly, foreign countries—you mention nation-state, and it's not information I'm at liberty to share, but related to private attackers or individuals who are online fraudsters who would attempt to attack websites happens on a regular basis. They're not centralized to any particular geographic region. There is, of course, a high distribution of cyber-attacks where their origin or their attribution to the country of origin is often difficult to trace, because a lot of countries participating in their infrastructure are allowing it to be hacked. As an example, attackers may originate from one country and use Internet services from another country to direct their attacks. Criminals use a multi-layered economy, and multiple parties are usually involved from different regions of each attack.

4:35 p.m.

Conservative

Pierre Paul-Hus Conservative Charlesbourg—Haute-Saint-Charles, QC

I understand the difference between an individual's country of origin and the country from which an attack comes, but my question was more about the countries than the individuals. Has PayPal been subject to attacks from states?

4:35 p.m.

Senior Director, Information Security, PayPal, Inc.

Brian Johnson

Not in particular. We have no singular concentration of countries that attack us as a company uniquely.

4:35 p.m.

Conservative

Pierre Paul-Hus Conservative Charlesbourg—Haute-Saint-Charles, QC

Okay, perfect.

Your company is based in the United States and deals with many different countries, all of which have different regulations. Given that we are studying this from a Canadian perspective, do Canadian laws and regulations have an effect on PayPal's activities? For example, are our privacy laws too restrictive or not restrictive enough?

4:35 p.m.

Senior Director, Information Security, PayPal, Inc.

Brian Johnson

It's an excellent question. The data protection and data privacy implications that Canada is proposing and has outlined as a framework are an excellent support for industry and businesses globally.

To answer the first part of your question about operating globally, we do have staff in many of our regions that have increased regulations. We have a local presence in many countries, including Europe, with support for GDPR, and in regions in Singapore where we have support for our business in the APAC region. We do have localized staff and support for each of those regions, as well as in other areas in the world that support local regulations. We have a global workforce that encourages participation with local legislators and regulators. We work closely with examiners and regulators when there are data protection and data privacy laws to ensure that we not only support and accommodate those, but help to align with regulations that are evolving and help inform practical applications to those in a context that's suitable for a global economy.

4:35 p.m.

Conservative

Pierre Paul-Hus Conservative Charlesbourg—Haute-Saint-Charles, QC

In your opinion, are there aspects that Canada should improve? You have said that our country has strong laws, but do you still have recommendations for us on the legislative level?

4:40 p.m.

Senior Director, Information Security, PayPal, Inc.

Brian Johnson

By the way, on the announcement of the new digital charter, PayPal applauds Minister Bains and the Government of Canada for taking leadership on that important topic of data protection. We believe that this responsibility does help us to protect users against harm and support privacy laws. It's a great first step. It derives some principles. I believe the 10th principle, or the last one on that was to provide accountability and enforcement. More detail around that would be helpful.

Certainly, as Canada has not been the first mover of data privacy law, I think that's actually worked to your advantage because you've been able to learn from other regions and regulators about the right balance of privacy law. But in being specific with companies with respect to the digital privacy and regulations that you're encouraging, there will be a tough balance between the framework that you've provided and those guiding principles that help direct good behaviour and strong accountability. As well, the work with industry and private partnerships will help to build strong legislation that you can support in years to come.

4:40 p.m.

NDP

The Vice-Chair NDP Matthew Dubé

Thank you very much.

We will now give the floor to Mr. Picard for seven minutes.

4:40 p.m.

Liberal

Michel Picard Liberal Montarville, QC

Mr. Chair, usually, you would also have the right to speak for seven minutes.

Under the circumstances, I propose allowing the Chair seven minutes so that he can ask questions on behalf of his party.

4:40 p.m.

NDP

The Vice-Chair NDP Matthew Dubé

You are very generous, thank you.

4:40 p.m.

Liberal

Michel Picard Liberal Montarville, QC

I won't do that again.

Sir, I would like to look at your operation from a money-laundering standpoint. When I buy credit or I put money in my account, my first naive question is where does my money go?

4:40 p.m.

Senior Director, Information Security, PayPal, Inc.

Brian Johnson

Where does your money go in a PayPal balance stream?

4:40 p.m.

Liberal

Michel Picard Liberal Montarville, QC

Yes.

4:40 p.m.

Senior Director, Information Security, PayPal, Inc.

Brian Johnson

PayPal balances are backed by a number of U.S. banks, so we support depositing and safe investment and deposit of the account money. The first item was if you use credit. Was that a supporting comment, or what was the line there, before I answer?