Good afternoon. I now call this meeting to order.
Welcome to meeting number 17 of the House of Commons Standing Committee on Industry, Science and Technology. Pursuant to the order of reference of Saturday, April 11, the committee is meeting for the purpose of receiving evidence concerning matters related to the government's response to the COVID-19 pandemic.
Today's meeting is taking place by video conference. The proceedings are being made available via the House of Commons website.
I would like to remind the members and the witnesses to please wait before speaking until I recognize them by name. When you are ready to speak, please unmute your microphone and then return to mute when you are finished speaking. When speaking, please speak clearly and slowly so that the translators can do their work.
As is my normal practice, I will hold up a yellow card when you have 30 seconds left in your intervention, and I will hold up a red card when your time for questions has expired.
I'd now like to welcome our witnesses.
We're joined by François Perron, director of CyberQuébec.
From Google Canada, we have Colin McKay, head of government affairs and public policy. From IBM Canada, we have Eric Johnson, partner, British Columbia public sector, global business services. From Mimik, we have Fay Arjomandi, founder, president and chief executive officer; and Michel Burger, chief technology officer.
Each witness will present for seven minutes, followed by a round of questions.
With that, I will start with CyberQuébec, Monsieur Perron.
Mr. Perron, you have seven minutes.
Good afternoon, everyone. Thank you for inviting me to this meeting.
My name is François Perron, and I'm the director of CyberQuébec. I run the college centre for technology transfer at the Cégep de l'Outaouais. This CCTT consists of a team of cybersecurity researchers. It's one of 59 other centres in a network that currently involves over 1,400 researchers. I'm also a technology entrepreneur, a teacher and a researcher. I've worked on telecommunications, transportation and renewable energy projects.
My remarks will be divided into three main parts. First, I'll provide some context. I'll then give three impressions. Lastly, I'll give a short introduction to the principles that I believe are important for discussing geolocation solutions.
First, regarding the context, the needs are currently exacerbated. We're all going through a much-needed lockdown in response to a pandemic that's pushing all Canadians online. Our needs are universal. We know that the Internet must be accessible to everyone. Right now, I'm thinking a great deal about the most vulnerable people. It's not necessarily a matter of age. Isolation can also be a factor, along with, perhaps, the ability to use technology. Clearly, because of the current physical distancing and voluntary isolation, we have greater needs. All areas of our lives are affected. Basically, we're in an acceleration phase, where the expected transition to digital services has been catapulted at high speed.
In my view, for all this to work, the concept of online trust is very important. The quality and security of the digital services that we use revolve around a few key principles, including the ability to create trust during a transaction. The foundations of online trust depend on our ability to confirm the identity of those whom we're speaking to during a transaction and to leave non-refutable traces that can't be erased or falsified for the purpose of entering into contracts. That's the current context.
Three impressions emerge when we start talking about geolocation, particularly with regard to recent identity theft. I don't think that we need to go over what has happened in the industry in recent months. Clearly, the government's use of a unique identifier—I'm talking about the social insurance number—is completely outdated. Once this secret source that identifies us is revealed, there's no way to replace it.
I believe that, to interact properly on the Internet, we now need a digital identity system. I think that this system should be outsourced, in multiple parts, perhaps even in open source software, to ensure that it includes three key components.
First, if a government chooses to provide verifiable information, it must be able to do so. However, other verifiable sources must also be available online.
Second, I'd like the individual to be responsible for collecting this verified information and for choosing whether to submit it. I'll address this concept of choice a little later in my presentation.
Third, we need an identifiable and fully functional system that will make it possible to confirm ownership or a claim that someone could make, so that, ultimately, a minimal response can be provided to formal questions. The word “minimal” is very useful—
I had reached the third part. I was saying that it could be very useful to have the ability to provide responses with a minimal amount of information and that the individual would be responsible for choosing which information to submit during a transaction. This would be a paradigm shift towards a new system. Instead of having a single secret, such as the social insurance number or a fixed digital identity, we could enter into several contracts with several people. This would make it possible to share information.
This would also enable us to share information by choosing what we want to disclose. Perhaps we could also avoid making our identity known in this context by providing an authentication token that would make it possible to remain completely anonymous.
If we consider this type of system—and this is my second strong impression—we'll also need to look at biometrics. We'll need to have sources of biometrics that we won't be required to fully disclose and to maintain the ability to regenerate other biometric information about ourselves. We'll need to have a biometric data reserve so that we can create new secrets of our own to prevent a complete theft of our biometric identity.
My third strong impression is that personal information and the protection of that information is a matter of sovereignty, citizenship and autonomy. Individuals must understand the significance and value of their own data and their privacy. We likely have some work to do in this area.
Businesses must follow suit. As we find the right rules to regulate the sharing of information, we can improve the situation. Some countries have started to do this. For example, in Europe, the general data protection regulation, or GDPR, sets out stiff penalties. If we don't deal with this, people will move here hoping to take advantage of laws that may be less stringent. We have some work to do to make the rink good for everyone.
In conclusion, I just want to tell you what role I think that the government should play. It must manage its own rink. People will play hockey if they want to play hockey. However, on the privacy rink, we must have the right to be forgotten. Businesses must be required to disclose incidents in which information has been compromised. We must work together to create an ecosystem where our digital identity can be monitored by the individual.
Thank you, Madam Chair.
It's a pleasure to be with you in such unusual circumstances. It looks like you've started to adjust, but this is my first experience like this, so please forgive any interruptions.
I want to thank you for the time to speak about Google's efforts to help our users and communities during this time of crisis. Since the first appearance of COVID-19, we've been through an exceptional transition at Google. Teams across the company have launched 200 new products, features and initiatives in response to the crisis and needs of our users and our communities. We have made $1 billion in grants and additional resources available to users, communities and countries to help them through this crisis, through the transition.
Our major efforts are focused around keeping people informed with trusted information, supporting them as they adapt to a changing world, and making our contribution to recovery efforts across the globe. Early on, we took steps to make sure that, when users searched for information related to COVID-19, they would immediately see guidance from the authoritative sources, such as the Public Health Agency of Canada, and information about symptoms, prevention and treatments.
On YouTube, we began showing users information panels about COVID-19 when they search for information about the outbreak. This is on desktop, on mobile and on the YouTube home page under any video related to COVID-19. Basically, you get bombarded by these information panels when you're using the YouTube service. We've delivered more than 20 billion impressions of these panels to date.
In a short time, we've all had to change how we live our lives. Google quickly recognized that we can provide resources to help small businesses, parents and teachers adapt. We've collected these at google.ca/covid19. I think every one of us here today is trying to adapt in some way, so that's a useful resource.
Educators and parents face the challenge of teaching remotely at an unprecedented scale. Over 90% of the world's student population has faced some sort of school closure. To help teachers, we created Teach from Home, a central hub of information, tips, training and tools. One hundred million students and educators are now using our Google Classroom product. This is double the number from the beginning of March. For parents, we launched Learn at Home, an enhanced YouTube learning hub to complement family learning with additional content and activities.
For employers and employees, we've consolidated tools and resources under our Grow with Google banner, trying to help them stay connected and productive, including smoothing the transition to remote work.
As the world tries to maintain relationships in a period of isolation, we've made Meet, our video conferencing product, free for everyone. We are seeing roughly three million new Meet users a day, with employees now working from home, students in virtual classrooms, and people looking to connect with friends and family.
We know that people everywhere are looking for a sense of culture and community. On YouTube, we launched the Stay Home #WithMe campaign, working with over 700 creators around the world to urge their combined two billion subscribers to stay home and connect virtually with videos like Bake with Me, Work Out with Me, and Jam with Me.
We're also supporting cultural moments here in Canada such as National Canadian Film Day, featuring Canadian films on YouTube; our Pray With Me initiative, enabling religious organizations like the Archdiocese of Toronto to livestream their services; and a virtual exhibit in partnership with the McMichael gallery to celebrate the 100th anniversary of the formation of the Group of Seven.
In this committee's previous meetings, you've commented on our launch of a new product, community mobility reports. We developed this report to provide insights into population movements that are relevant to public health needs, similar to the way we show popular restaurant times and traffic patterns in Google Maps. These help authorities see in aggregate how social distancing requirements are working in regions across Canada. They adhere to stringent privacy protections; the data does not reveal individual movement or visits to specific establishments. It's based on aggregated, anonymized, opt-in location history data. While the information in this report is not meant to provide a complete picture of the spread of COVID-19, it does provide information that can help public health officials respond to the crisis.
I also note that this committee has discussed contact tracing. Since COVID-19 can be transmitted through close proximity to affected individuals, public health organizations have identified contact tracing as a valuable tool to help contain its spread. To help in this effort, Apple and Google are in the process of launching an exposure notification solution that includes application programming interfaces and operating system-level technology to help public health authorities in enabling a contact tracing program.
This joint effort will enable the use of low-power Bluetooth technology on mobile devices, both Android and iOS, to help the authorities reduce the spread. Just yesterday, we announced the release of this exposure notification API. We're providing a tool that enables public health authorities to build their own apps in a way that is both privacy-preserving and working reliably across both operating systems.
Here in Canada, all of us are only just beginning to explore how we are going to reopen our communities and re-establish ways of working and living within those communities. At Google, we know that small businesses are the backbone of our economy. We've committed funds and resources to helping these businesses, which are our customers, our partners and our users, to weather the storm created by COVID-19.
As we are all isolated and have fundamentally changed our buying habits, businesses were forced to react and adapt. At Google, we made changes to our Google Maps and Google My Business products to help them communicate more clearly to their customers and their neighbours. We are collaborating with small business networks to work together to create and provide tools to speed this transition for SMBs. We've partnered with Digital Main Street and the City of Toronto's ShopHERE program so that independent businesses can build a free digital presence, enabling them to overcome challenges as they try to react to the ever-evolving marketplace.
We at Google feel that our greatest contribution to this crisis can be through empowering others, whether they are the teachers and the small businesses keeping the wheels of society turning, researchers and public health experts, or creators who are keeping people connected and entertained. We know that this work is far from over, and we're committed to continuing to provide helpful products and useful support as we navigate this crisis together.
I have to underline that since the beginning of this outbreak we've turned our attention and our teams to creating tools and services, and revising our existing tools and services, to support the breadth of our community.
Thank you very much, Madam Chair.
Thank you, Madam Chair and members of the committee.
Hello, and thank you for the opportunity to speak about IBM and the Canadian response to the COVID-19 pandemic.
My name is Eric Johnson, and I am speaking to you today from Vancouver, British Columbia. I am a partner with IBM Canada, supporting public sector clients for over 30 years. For the last 10 of those years, I have focused primarily on public health and disease surveillance. I am also part of the IBM global COVID-19 task force.
IBM is a global leader in business transformation, serving clients in more than 170 countries around the world. Here in Canada, we are headquartered in Markham, Ontario. Our history of a hundred-plus years in Canada and our unique approach to collaboration provide small and large businesses, start-ups and developers with the business strategies and computing tools they need to innovate and keep the Canadian economy competitive. We are guided by principles of trust and transparency in technology to create a more inclusive society.
During the pandemic, our priority has been, and will continue to be, protecting the health and safety of IBM employees and our clients. At present, we have about 90% of our global workforce working from home, without any interruption in our ability to support clients worldwide. Now we are thinking and planning carefully for a phased return to the workplace, taking into account local health and government directives and conditions, employee roles, the availability of testing and tracing, employee sentiment and more. We have developed a data-driven, evidence-based global return-to-workplace guidance, which lays out a set of principles being used to serve IBM and our clients.
Since the start of the pandemic, we've been working closely with governments around the world to find all available options to put our technology and expertise to work to help organizations be resilient and adapt to the consequences of the pandemic, and to accelerate the process of discovery and enable the scientific and medical community to develop treatments and ultimately a cure.
In addition to the many efforts that IBM and IBMers are leading across the country to support our communities, today I want to stress three key areas in which we're exploring the use of our technology and our expertise to drive meaningful progress in this global fight.
The first is putting technology in the hands of first responders. Annually, IBM puts out a call to developers around the world to build solutions that address some of the most pressing issues of our time. This year, we encouraged developers around the world to put forth solutions that would fight against COVID-19 and climate change. This is perhaps the largest software developer effort in history, and we have dozens of IBM technical experts donating open source code and access to Watson on the IBM cloud.
The second is solutions focused on business resiliency and trusted data. Our cloud-based resiliency and business continuity solutions have supported businesses to implement digital capabilities by providing mobility tools and infrastructure that resulted in seamless transitions of our clients' workforce towards working from home.
IBM and the Weather Company created a new and precise incident map, driving unprecedented hyperlocal understanding of the outbreak with health data from trusted sources, and it's updated every 15 minutes on the IBM cloud.
IBM Watson Assistant for citizens was created for local and regional governments and health agencies, and it brings together years of investments in AI and speech recognition to create chatbots that can help guide citizens in a dynamic situation and free up important resources. This tool is currently being used by a number of organizations around the world, including the City of Markham in Ontario.
The IBM solution for disease surveillance is implemented in seven Canadian provinces and one territory. It provides a unified data model managing immunization data, vaccine inventory data and, for some provinces, outbreak management. We're currently focused on the provincial health requirements, with the goal to help integrate the multiple data sources coming from contact tracing and lab results into the existing provincial public health databases so that the data may be used by our clients as a single source of truth for analysis, reporting and predictive modelling. In addition, we are already helping provinces prepare for the upcoming mass immunization events that will need to take place once a vaccine is developed.
Finally, we're leading the way to a cure with supercomputers. In collaboration with the White House Office of Science and Technology Policy and the U.S. Department of Energy, IBM helped launch the COVID-19 high-performance computing consortium. These high-performance computing systems allow researchers to run very large numbers of calculations in epidemiology, bioinformatics and molecular modelling. These experiments would take years to complete if worked by traditional computing platforms. Since the consortium was announced, on March 22, we have received 55 research proposals from the U.S., Germany, India, South Africa, Saudi Arabia, the United Kingdom, Spain and Croatia.
Those are just a few of the initiatives we have launched. IBM is also supporting Canada’s faculty, students and families across academia by offering tools and resources to meet this new reality in real time. IBM has extended its online education resources to all for free, including IBM Skills, Open P-TECH, and the IBM AI Education series for teachers.
Now the focus is towards rebuilding and relaunching. There is emphasis on cybersecurity, expanded emergency operations management, social programs and technology that will support the focus on the mental well-being of Canadians.
There is no question that this pandemic is a powerful force of disruption and an unprecedented tragedy, but it is also a critical turning point. It’s an opportunity to see what we’re all capable of and how we emerge stronger.
Thank you, Madam Chair and esteemed members of the committee.
My name is Fay Arjomandi, and I also have Michel Burger, our CTO, on the call. I’m the co-founder, president and CEO of Mimik, a software company based in Vancouver, British Columbia. For the past 10 years, Mimik has been pioneering the development of hybrid edge cloud computing, a technology that adds cloud capability to devices and apps to increase data privacy, reduce infrastructure costs and radically improve real-time interactions. It's eco-friendly and provides access to rural communities. Mimik’s technology is already empowering some innovative companies in health tech, fintech, AI, smart cars and smart cities.
I’m grateful for the opportunity to speak to you as a fellow citizen, entrepreneur and technologist. Our platform is already being evaluated by large enterprises as part of a “going back to the workplace” solution and gaining traction from some of the indigenous communities, but we believe that with your support it can be used across Canada and globally for contact tracing.
COVID-19 has caused the loss of many Canadian lives and is impacting our economy and the livelihood of our citizens. It has attacked our way of life. Contact tracing is essential to implementing intelligent social distancing to send our citizens back to work safely and revive our economy. However, it evokes fears of surveillance, privacy abuse and stigmatization, and rightfully so, because solutions implemented by other countries are exactly that. One could say that such solutions will be another attack on our way of life.
Mimik’s platform can be used to implement effective contact tracing without compromising citizens’ privacy or patients’ anonymity, and at the same time avoid many pitfalls along the way.
There are three important aspects to an effective contact tracing implementation.
The first is about ensuring adoption. Adoption is poor if citizens have concerns that their personal data, however limited, is being held centrally by any external entity or that third parties can track their location and access their contact history. Countries such as South Korea and Singapore have resorted to force to ensure compliance. This is unthinkable in Canada.
With our platform, each edge or client device, such as a smart phone, acts as its own server system capable of receiving, storing and sending information. The system detects exposure by combining several technologies, including network address and Bluetooth proximity. This exposure log is recorded, calculated and processed locally on each device, eliminating the need to send this information to a central system. All devices remain anonymous and the only source of data, putting citizens in complete control of their data.
The second is about anonymity in action. Some of the better attempts with contact-tracing apps preserve anonymity until a positive case is identified. However, as soon as a user tests positive, the entire contact log from the user can be accessed by a central authority. The core issue here is not about the data of the user who tested positive, but rather the violation of the privacy of everyone else who was in contact with the user. By contrast, our platform can verify a valid positive test ID and then use a token to send out alerts to the exposure log anonymously, directly from a user's device.
The third and perhaps most critical aspect is that any contact-tracing solution needs to be adaptable. This means avoiding points of failure. We see several major issues with current attempts at contact tracing. I'll list a few.
One, many apps require users to register with a central health authority to get started. This not only creates privacy issues but also complexity, as users in proximity might not be registered with the same health authority.
Two, some approaches require adding COVID-19-specific features into device operating systems. This is unnecessary, plus it adds the additional pain of dismantling. Citizens may be concerned that once a function gets implanted in my phone and theirs, it will not go away, which may inhibit adoption.
Three, apps that save tracing logs on a central system need to connect with that system frequently to poll information. This creates a heavy load on the network, causing all sorts of issues.
I'll conclude by saying that hybrid edge cloud computing was developed for data exchange and transactions in a private manner with the ability for central oversight to curtail any abuse of our communications systems by bad actors. This solution can work seamlessly across health authorities, technologies and networks. Most importantly, by eliminating the need for sending or saving contact-tracing history on central systems, we can protect citizens' privacy, avoid network loads and implement a truly scalable solution across Canada in the health sector and others.
As I have mentioned today, adoption, anonymity and adaptability are the three important As of contact tracing. Every citizen deserves a solution with this triple A rating.
Thank you. I will be happy to answer any questions.
Thank you very much, Madam Chair.
In Canada, we're facing a major dilemma. We have advocated for putting our frailest seniors in solitary confinement, with inadequate care and no visitors. Truly it's a mixed-up society.
We have blindly followed new, disproved advice from our health ministry, and we're ready to convince ourselves that the government's knowing our daily whereabouts is a good thing. My niece had to hear about her husband's death through a long-term care centre's window. This is in a community where you'd be hard-pressed to find a single COVID case. Whatever we've done so far is cruel and unusual punishment.
When I look at the many concerns, I think one of them has to do with jurisdiction. The last thing Canadians want is a one-size-fits-all approach imposed on them by some Big Brother central government.
I know that health care is a provincial responsibility. The approach to treating high-density urban populations is completely different from the approach to treating rural populations. If provinces have something that works for them, should we not be letting them proceed with that, rather than relying on some faceless national entity telling them what to do? That is my concern. Provinces should do what they want to do. However, the biggest fear is that the federal government might want to take this over.
Google, you have had opportunities to deal with major players throughout the world. What would your comments be in this regard?
Like many Canadians, I think the use of contact-tracing technology could well lead us down a slippery slope. I think that is what the folks from Mimik were talking about. In several places where these applications have been developed, there's nothing to indicate how long the applications will be around for, how long any information collected from them will be used or who around the world will be able to use it.
Mimik, I understand you've developed an application that's supposed to address the privacy issue. You've spoken of that. Canada's Privacy Commissioner recently issued a joint statement with regard to contact-tracing applications, and I'll highlight the points it made. It said, “Government should be clear about the basis and the terms applicable to exceptional measures. Canadians should be fully informed about the information to be collected, how it will be used, who will have access to it, where it will be stored, how it will be securely retained and when it will be destroyed.”
Are you aware of any government anywhere in the world that has embraced the principles that Canada's Privacy Commissioner has mentioned? Also, I'm concerned about what happens if there's a breach of one of these applications. Who would be responsible?
Mimik, go ahead.
Thank you, Madam Chair.
I'll have a question for every witness. There will be a part (a) and a part (b). I'll set it up and then go through the list so that they can answer appropriately.
Back in March 2018, I tabled Canada's first digital bill of rights. It was an attempt to start the process and a discussion on a more formalized updating of our regulations, laws and agencies, with an overall feeling, I guess, that Canadians would be confident that their digital rights would be respected, similar to their physical rights. It was about empowerment and, as well, controls and issues such as net neutrality. There was a series of different things, but the most important is to have a predictable pattern, I guess, so that businesses, not-for-profits, governments and also other institutions from around the world will understand that Canadians are protected in a very specific and very tangible way, empowered by law.
We've seen a number of different issues come up with this COVID response, with everything being discussed, and now, even tracing. Last night, we had interesting testimony with regard to fraud, which was very important. This is part of the question.
I look at some of the issues and at the Competition Bureau, for example, when we talk about online information. They just fined Facebook for $9 million—it's $5 billion in the United States—for misleading Canadians in using third party applicants and allowing private information to be dispersed. The Competition Bureau here is only at a $9-million fine versus $5 billion.
The Privacy Commissioner has already said specifically that they need more resources and money with regard to doing their job in terms of the challenges they face. Look at the CRTC. Even before now, it has taken ages to get an answer or a decision and, also, enforcement on public policy issues related to Internet use, service rates and expansion.
My questions for the guests are: (a) Do you accept, support or reject a digital bill of rights that could be brought forth in some capacity, with everybody involved, to finalize a position and to have at least an understandable sound grounding of what that means for each person and also for the responsibilities of companies? (b) Do government agencies and does the respective legislation need modernization or updating? You don't have to get into the specifics of that, but I'd like to hear about those things.
I'll start with the order of presentation, so perhaps we can start first with CyberQuébec. First, do you accept, reject or support a digital bill of rights? Second, what is your position on whether government agencies need modernization, or are they capable right now?
Thank you for the question.
Yes, I think I remember your bill and when you tabled it. There are many elements that are complementary to the conversation we've been having, up until this crisis, around reforming Canada's data protection laws.
I want to underline that there's certainly a conversation that we had around PIPEDA, but also around the Privacy Act, especially in the context of the conversation we're having today in regard to modernizing and recognizing, as many of witnesses have reinforced, the need for explicit consent from users, and then, in defined circumstances, for the use and then withdrawal of data that has been shared. So I think my answer to you is yes, and I think we've seen some of those paths begin.
On my answer to your second question, as we can see from the Competition Bureau's decision, there are specific roles, responsibilities and penalties that already exist within our system. You hinted in your question they may not work at the speed and the breadth that some of us may want. Google certainly is working globally around levelling the playing field on data protection, as well as consumer protection, and we're a participant in those conversations. There's certainly space to grow in Canada.
Thank you, Madam Chair.
Welcome to all the witnesses. This is quite informative.
We're going into a lot of depth in the technology and also in privacy. One of the areas that I continue to struggle with still is one of the elements that was highlighted as part of the Triple A rating of Madam Arjomandi, specifically the adoption.
Let me tell you what I'm struggling with and put it into perspective. Canada has around roughly 35 million people. If we try to adopt even the lower end of the scale, which is about 60%, we would need about 21.5 million people participating in this. Assuming that we look at anyone above 15, this is probably about 100% of our adult population. In Ontario, we have about 14.5 million people, which puts it at about nine million people who should participate. Bringing it even one level lower, in York region, we have 1.2 million people, which means that about three-quarters of a million people should be participating. In Richmond Hill, we have about 200,000 plus, which means that 120,000 people should be participating.
Now, almost 20% of our population lives in the rural and remote areas. That's roughly eight million. Therefore, using that 60%, 4.5 million people should participate in that. Forget about the digital divide and the challenges that we have on being able to actually get the platform going.
I know that most of you opted out of answering this question, but I want to go back to where MP Erskine-Smith left off. Why should we not consider, in circumstances such as a pandemic, an opt-out model? Make it mandatory by the government and health organizations to adopt and use the application.
We could start with Ms. Arjomandi.