Skip to main content
;

OGGO Committee Meeting

Notices of Meeting include information about the subject matter to be examined by the committee and date, time and place of the meeting, as well as a list of any witnesses scheduled to appear. The Evidence is the edited and revised transcript of what is said before a committee. The Minutes of Proceedings are the official record of the business conducted by the committee at a sitting.

For an advanced search, use Publication Search tool.

If you have any questions or comments regarding the accessibility of this publication, please contact us at accessible@parl.gc.ca.

Previous day publication Next day publication
Skip to Document Navigation Skip to Document Content






House of Commons Emblem

Standing Committee on Government Operations and Estimates


NUMBER 045 
l
1st SESSION 
l
44th PARLIAMENT 

EVIDENCE

Thursday, December 8, 2022

[Recorded by Electronic Apparatus]

(1600)

[English]

     I call the meeting to order.
    Welcome, everyone. We're going to get going.
    This is meeting number 45 of House of Commons Standing Committee on Government Operations and Estimates, also known as the mighty OGGO.
    We have a shortened meeting today. We are going to do two 45-minute sessions. The first is with our witnesses, Mr. Ossowski and Mr. Manji, and Mr. Manji is appearing virtually.
    Mr. Clerk, can I just confirm that Mr. Manji and everyone appearing virtually have passed the sound test?
    Yes, they have, Mr. Chair.
    Wonderful.
    We'll start with two five-minute opening rounds.
    Mr. Ossowski, could you start us off for five minutes, please? We are short on time, so I'll keep you right at five minutes.
    Good afternoon. I'm John Ossowski. Up until June 24 of this year, I was the president of the Canada Border Services Agency.
    As I'm appearing before you today—

[Translation]

    Excuse me, Mr. Chair, but there's no interpretation.

[English]

    I'm sorry, Mr. Ossowski. Could you try again?
     I am John Ossowski. Up until June 24 of this year, I was the president of the Canada Border Services Agency.
    As I am appearing before you today as a private citizen, I will remind members of the committee that I no longer have access to any departmental documents on contracts or financials for the ArriveCAN application. I note that you have already met with departmental officials, who have provided this information.
    I think it's important for the committee to recall the operating environment of April 2020, when we received a call from colleagues at the Public Health Agency to develop an application for them that collected traveller and health information. By the end of April 2020, 100,000 people around the world had already died of COVID-19, and infections in Canada were at around 30,000 cases. This was a time of great uncertainty, and the need was urgent.
    Despite restrictions on entry at that time, in April 2020 the number of travellers who were exempt and arriving by air was around 70,000, compared to the close to 3.2 million who arrived in April the year before. Up until this point in time, travellers had to provide verbal responses to the CBSA officers making sure they were compliant with the myriad rules being established through various orders in council. The result, when combined with the need for social distancing, made airports chaotic scenes. Paper was being distributed to travellers to capture contact tracing and quarantine plan information. These were critical data points for health officials, both federally and provincially, who were desperate to know who was coming in and where they were going.
    In the early days, the CBSA collected huge volumes of paper, and the government was challenged to convert this information into usable, shareable electronic data—a process that took well over seven days. It was critical for federal and provincial health officials to have timely access to this data in order to slow the spread of the virus. In addition, I recall the average passage time per traveller was up to seven minutes long. You might also recall that in those first few months of the pandemic, there were concerns the virus could live on paper for extended periods of time.
    Needless to say, it was clear to everyone that we urgently needed a scalable digital solution that would help the travelling public as well as health care authorities.
    Fortunately, the CBSA had some initial IT experience with mobile apps in the border context, as we had been looking for some time, along with our Border Five colleagues, at similar approaches to help speed up the border processing of travellers. However, the agency needed outside support for the app's quick evolution. As health measures continually adjusted, so did the application, with over 70 iterations being developed and released for Apple, Android and web-based platforms. Many of these were fundamental changes that required significant recoding.
    As the Public Health Agency was the business owner of ArriveCAN, we took direction from them for requirements. The CBSA passed along all data collected for them to share with the provinces, which were desperate for this information. Over time, the CBSA built in new aspects that helped validate the proof of vaccine certificates of foreign nationals using AI tools, as well as the ability to validate, in real time, critical provincial QR codes to make it easier for Canadian citizens. We had a high degree of confidence in their certificates.
    Because the app was linked with passports, provincial vaccination credentials and CBSA systems in real time, many travellers were never asked any questions about ArriveCAN or their health care status. Instead, for the roughly 30 million submissions for, I'm told, 60 million travellers, the border service officer simply saw a green check mark on the screen advising them that all border health requirements had been met, because the app provided and validated the information in advance. This allowed the officer to focus on the over 100 pieces of legislation and regulations they administer on behalf of other departments.
    Eventually, the same approach was applied on the commercial side. We built in a feature for frequent crossers that saved their profiles so that they didn't have to refill the entire set of questions for each passage. Each iteration of the app required careful consideration of hundreds of scenarios, regression testing, accessibility, security, approvals by the app stores and linkages with many departmental systems.
     As I mentioned earlier, along with our Border Five colleagues, we were looking at technologies like ArriveCAN to better manage risk and improve throughput at airports, something the air industry had been requesting for quite some time. Indeed, even though the app is voluntary, it is still being used every day to complete advance declarations to further speed up passenger processing times at the airport.
    Budget 2021 provided the CBSA funding for traveller modernization. I would encourage members of the committee to look at a short video about it on the CBSA website. I have given the clerk of the committee the link to this video.
    In closing, I would like to say that I am incredibly proud of how the agency responded to the call for help from our Public Health Agency colleagues, provinces and territories, as well as the air industry. I am excited that technologies like this will be used to continue to improve the traveller experience while keeping our borders safe and secure.
    Mr. Chair, I am happy to answer any questions from the committee.
    Thank you.
    Mr. Manji, we have you for five minutes for an opening statement.
(1605)
     Good afternoon, and thank you for having me here today.
    My name is Zain Manji. I'm one of the co-founders of Lazer Technologies.
    Lazer is an engineering and design studio that helps fast-growing start-ups as well as large and established organizations to build and ship amazing digital products and experiences. Some of the companies we have helped include Shopify, RBC, The Weather Network, Canadian Tire, LoyaltyOne and many more. The projects we have worked on span a number of industries including health care, e-commerce, finance, crypto, media, gaming and more.
    When we work with companies, we focus primarily on the design and engineering execution of their products. This includes items such as product discovery; UI/UX discovery, or user interface/user experience discovery; wireframing; high-fidelity designs; architecture designs; product road map planning; engineering execution, such as back-end infrastructure; front-end engineering; DevOps and more. We also do go-to-market strategies.
    In addition to helping these great companies, we also build our own products in-house. One of the products we built was a COVID-19 vaccine-finder chatbot, which someone could use to text a phone number with a postal code and that phone number would text them back with the closest three to five vaccine locations for that postal code. Through this product, we helped over 150,000 Canadians find vaccine locations across Canada.
    Personally, I have been in technology for over 10 years as a software engineer and a product manager. Prior to Lazer, I worked at Google, Yelp and Instagram. I completed my Bachelor of Arts and Science degree at the University of Toronto in computer science and economics.
    I believe I was invited here today because after reading about the dollar figure associated with the ArriveCAN app development through a Globe and Mail report, we made a cloned version of the ArriveCAN app's front end in two days. We did this because we wanted to shed light on how quickly the front end of an app like this could be made and how capital-efficient it could be if the right parties were engaged in the process.
    We believed that by building the front-end experience of the app, we could open up the discussion as to how to improve the way Canada produces new technology. Personally, being deeply embedded in Canada's tech community, we also wanted to show that Canada has exceptional talent that is eager and excited to help out our country if need be.
    We have already seen examples of this two years ago, first when Shopify engineers created a COVID-tracing app for free, and then a year ago when we created a COVID vaccine-finder app for free.
    Personally, I love that the government is placing more of a focus on becoming digital-first. I hope we can continue to improve the transparency and efficiency around the development of Canadian digital projects. I also hope that we can work together towards creating the better structures, teams, resources, tools and frameworks that are needed to build the best technology for Canadians.
    At the end of the day, we would love for Canada to become the most proficient when it comes to new technology and be a prime example of a country that develops impactful technology well.
    Thank you.
    Thank you very much for being rather concise.
    Mr. Barrett, we'll start with you for six minutes, please.
    Thanks, Chair, and thanks to the witnesses for being here today.
    Mr. Ossowski, I'm going to move through a couple of questions as quickly as we can. I'm going to be referring primarily to your role when you worked for CBSA.
    Did you have contact with Kristian Firth of GC Strategies in that role?
    No.
    Do you know who in your reporting structure would have dealt with Mr. Firth, if there were interactions?
    I wouldn't know that.
    Okay.
    Do you or did you have a working relationship with Marc Brouillard?
    Is he from the Treasury Board Secretariat?
    I believe he's the chief information officer.
    I've known Marc for years, yes.
    Did you have any contact with respect to this ArriveCAN project specifically?
    No.
    Did you have any conversations with respect to GC Strategies?
    No.
    To the best of your recollection, when did you first brief the minister on ArriveCAN?
    I'd have to go back. I'm sure the department has records on this, but it would have been in early April, after we got the call from the Public Health Agency and asked for the development of the app. That call came fairly quickly, given the volumes of paper.
    We would have provided some advice. We had an idea that we could do what I'll call a “quick and dirty app” to start capturing this basic kind of information. We would have advised them to have this approach.
     I would reiterate that all of these business requirements would have come from the Public Health Agency. We were essentially the general contractor for this project.
(1610)
     Did you discuss contracts with the minister during those briefings?
    No, never.
    To the best of your knowledge, how often would you have briefed the minister on ArriveCAN?
    I think it was really quite perfunctory, in terms of, “We have a solution to this problem”, and we launched it. If memory serves, we did a soft launch about a week before it was launched nationally.
    It would have been very iterative. In those early days, we were meeting regularly and discussing many other issues around the border.
    Would there have been a higher degree of information sharing between you or any of your direct reports and staff who worked for the minister, specifically with respect to ArriveCAN?
    If the answer is yes, my next question will be whether any of those discussions would have involved contracts.
    I wouldn't be aware of that.
    Certainly, my IT folks and the staff in the travellers branch would have been working with our Public Health Agency colleagues on what the art of the possible was in putting something together.
    Okay.
    Do you have any familiarity with GC Strategies?
    I have none.
    You're saying none. You don't have any in your role with CBSA or in your post-government employment.
    I have none.
    Did CBSA work with PSPC to develop the contract for ArriveCAN?
    I understand—and I think you've heard this testimony, because I've listened to it myself—that there were some contracts already in place, through which they did some initial task authorizations, and then they went through a more formal RFP process, or a selection process, later on.
    I don't know the details of how that played itself out because, quite frankly, I didn't need to concern myself with that.
    When you talked about delivering something quickly for the minister—that “quick and dirty app”—was that developed in-house, or was that developed using external contractors?
    I think we probably had some external contractors with us at the time, but I think those would be better questions to pose to the department.
    They'd be better questions that would.... I'm sorry.
    They'd be better posed to the department.
    Okay.
    With what frequency were you communicating with PSPC on ArriveCAN?
    I never communicated with PSPC on ArriveCAN.
    Who at CBSA would have been responsible for managing that project?
    Again, the business requirements were established by the Public Health Agency, and any sort of contracting work that was done—because initially, we had....
    I'll play it through a bit, if I may.
    You may.
    In the initial phases, the Public Health Agency, as the business owner, was going to pay for it. They didn't have the resources available, so we made some in-kind contribution to the early development of it, and then they sought resources through the regular parliamentary process.
     They paid for it, and then we were basically, as I mentioned, the general contractor for the app.
    So that I'm clear on it, in providing that support, it was in-house capacity at the Canada Border Services Agency that did that work for PHAC, which didn't have the capability. Is that correct?
    They're a public health agency.
    I'm sorry...?
    They're a public health agency.
    Yes, but my question is, did CBSA...? You said that CBSA—
    Yes. We developed the first version, and I think you've heard testimony that it cost roughly $80,000. I can't speak to whether or not that was all in-house or whether there were some contractors who helped with that.
    Okay. That was my question.
    I think I have about 10 seconds left.
    You have 18 seconds.
    Okay. We'll see if we have another chance for a couple more questions.
    Thanks very much for your brief answers.
    Okay.
    Thank you, Mr. Barrett.
    Mr. Housefather, I believe you're up for six minutes.
    Thank you so much, Mr. Chair.
    Thank you, Mr. Ossowski and Mr. Manji, for being here with us today.
    Mr. Manji, I'm going to start with you.
     I think the hackathon, or the work that you did—I also come from a tech background—has very much been misinterpreted and misused.
    Let me start by asking you this: Did you ever claim that all of the costs for ArriveCAN—not just the development costs, but all of the costs—could have been $250,000?
     Did you ever say that?
    No. That wasn't me, or us.
    You've heard members of Parliament and members of this committee get up in the House and make that claim. I'm glad you clarified that.
    Of course, you also understand that development costs are not the same as all of the different costs that are associated with an app. We're not talking—
(1615)
    Yes. There are development costs, and then there's customer service and a bunch of other costs associated with it.
    On the question of the app itself, we've talked about this app, and we've heard a lot about it at this committee. There was an original version, and then it went through about 70 different updates.
    When you did the front-end hackathon of the app, did you ever go through 70 different iterations and go from one update to the other update, or did you just take the 71st version—assuming that there were 71—and then replicate the front end?
     Yes, we took the latest version and we replicated the front end completely.
    That's not the same at all as going through an original and then doing 70 different updates. Is that correct?
    That's correct.
    You also didn't do regression testing with each of the 71 different versions. Is that correct?
    No, because we did only one iteration.
    And you didn't also, as I understand it, replicate the back office. Is that correct?
    We didn't do any back-end infrastructure.
    That's probably the most complicated part of this type of app. Is that correct?
    It's hard to say, but yes. It depends.
    In this case, each of the different iterations had to work with different systems—whether iOS or Android—and had to link to all of these different vaccination systems of provincial governments and foreign states. You didn't do any of that. Is that right? You didn't do security stuff or any of that.
    We didn't do any iterations, but I also don't know what the definition of those 70-plus iterations is.
    That's correct, but you never claimed to know, and you never claimed to have done it.
    Yes, exactly. We just made the one app—the front end of the app—over two days by mimicking the latest version of the app.
    As well, you didn't do any research into privacy law or any of the other legal security stuff or privacy stuff that needed to be done, correct?
    We did not do—
    That's in terms of an app like this, to comply with Canadian legislation.
    Yes, we did not do research.
    You didn't translate everything, or did you?
    No, we didn't do internationalization.
    Okay. I appreciate that.
    And you didn't do user testing to see if what you did was usable.
    No.
    So I think we can both agree that what you did was valuable. It shows that Canadian developers are out there to assist the government. Maybe things could always be done more cheaply and better, but your goal was never to show that this was a terrible thing that could have been done for a tiny amount of money versus the millions of dollars that got spent.
    No, that was never our goal. Our main goal was to show that there's talent inside Canada that can build apps like this, but that the way the app could be built in the future could be done in a more cost-efficient or timely manner.
    Thank you.
    Can I also ask you if any member of Parliament or their staff reached out to your company before you did the hackathon?
    No.
    Okay. You did it based on your own inclination to try to show something.
    Yes.
    That's perfect. Thank you so much.
    Mr. Chair, do I have any time left?
    You have a full two minutes, approximately.
    Okay. That's great.
    Thank you very much, Mr. Manji.
    Mr. Ossowski, can I turn to you, please?
    Thank you so much for coming. You know, you're not in the public service anymore, and it's very nice of you to come to committee without the resources you would have had if you were still there to go through documents to assist you.
    Can you just make something very clear? I think you answered Mr. Barrett on this. No politician ever directed you to contract with any particular company on ArriveCAN. Is that correct?
    Absolutely not.
    And you are not aware—and you would be—of monies having gone to any companies that did no work on ArriveCAN. Is that correct? That's not how the system works.
    No, absolutely not.
    You would agree that the people who were working on the app from your department, PHAC and PSPC and everyone else are all professional public servants who always do their best to deliver the best products for Canadians, even if sometimes we make mistakes. Is that correct?
    Absolutely.
    The CIO of Public Safety came to this committee and said that the app, she felt, was developed in a relatively cost-effective way and that it was very complex and in the end delivered most of what was needed. Would you essentially agree with her?
    Well, I'd go a little further and say that if you divide the amount of money it took for the development of the 70 different versions we did across three different platforms, that's about $125,000 per version, which to my mind was very inexpensive.
    We learned a lot as we went along. This was a new thing for us, to be fair. We started off with something quick and dirty, and then it got very sophisticated in terms of its ability to validate PCR testing pre-arrival—
(1620)
    I'm afraid that's our time.
    Thank you.
    Ms. Vignola, it's over to you for six minutes. Go ahead, please.

[Translation]

    Thank you very much, Mr. Chair.
    My first questions will be for you, Mr. Ossowski. Thank you for appearing as an individual before the committee today.
    Last November, federal officials told the committee that a contract for the accessibility of the ArriveCAN app was awarded under a national security exception.
    Why would a department use a national security exception to award an accessibility contract?

[English]

     I think officials from the department, as I see on your website, have provided an answer to that.
    Quite simply, during COVID what Public Services and Procurement Canada did was say that during the RFP stage, you could be exempt from the national security requirements but that before you could begin any work or get any task authorizations, the clearances had to be satisfied.

[Translation]

    Is it customary to request a national security exception for accessibility, whether in a pandemic or not?

[English]

    It isn't for accessibility reasons. I think it was really because of COVID and the staff's availability to actually do the clearance part of the process.

[Translation]

    Thank you.
    To your knowledge, how does the department determine the security clearance of a subcontractor? Does a subcontractor automatically have to have security clearance? If so, how is it determined?

[English]

    I think you are better placed to ask that question of Public Services and Procurement Canada. It's in charge of the security clearance program for contractors.

[Translation]

    Okay.
    There was $4 million for hosting the app for about 18 months.
    In your experience, is that cost normal, low or high?

[English]

    I have no reference point for what's reasonable. I think we had incredible value for money, given the context we were operating in and the need that it satisfied. For me, I think it was exceptional value for money, but I have no reference point because we've never done anything like this before.

[Translation]

    Are you able to compare pre-pandemic and pandemic application development costs?

[English]

    Before the pandemic—and I mentioned this in my opening remarks with respect to the Border Five colleagues of Canada, the United States, Australia, New Zealand and the United Kingdom—we were all looking at how we could better deal with managing risk, given the environment in which volumes of travellers and goods were increasing and the velocity was increasing. We were all looking at—and it's a very fundamental concept—pushing the border out, getting as much data as we could in advance so that we could reduce the interaction time of officers with travellers. Ultimately, it would help officers make better decisions about who should be coming into the country or what should be coming into the country. We were looking at it from that lens.
    When the pandemic hit, I had a very capable IT team, and it saw this need from the call from the Public Health Agency. We put this together, as I said, in a very quick and dirty way at first, but eventually it became a very sophisticated program that reduced the traveller interaction time with officers and provided incredibly timely and real-time information to officers to help them make better decisions and provide data to the provincial health care authorities. These authorities wanted to know where these people were coming from, whether they had a quarantine program and whether they were going to be managed appropriately.
(1625)

[Translation]

    We have received documents related to ArriveCAN, but they date back to 2017, which is three years before the pandemic.
    How is it that three years before the pandemic, contracts were awarded in connection with what would eventually become ArriveCAN?

[English]

    Mr. Chair, I think that's a question for the department.

[Translation]

    Thank you.
    Mr. Manji, I'm also going to ask you about the cost of hosting the app.
    In your own experience, does $4 million represent a low, normal or high cost for hosting data for an application like ArriveCAN over 18 months?

[English]

    That is on the medium-to-high end of the spectrum.

[Translation]

    Thank you very much.

[English]

     Thank you, Ms. Vignola.
    Now we have Mr. Johns for six minutes, please.
    Thank you, Chair.
    There was some unfinished business at the last meeting that I want to get out of the way, if I could, Mr. Chair.
    I apologize to our witnesses. I need to move forward with a motion that I brought forward, and I want to explain to the committee why I am moving it.
     You know that the government continues to procure supplies for the health care system, and I believe it's prudent that we ask how we can support a resilient domestic industry to provide essential supplies like personal protective equipment. We've just just passed supplementary estimates (B) that included about $136 million in proposed spending for supplies for the health care system—
    I'm sorry, but when you're done with that, could you read your motion into the record, please?
    I will, absolutely.
    At the beginning of the pandemic, our country didn't have enough supply of personal protective equipment, and we struggled to procure supplies during a time of high global demand. The government encouraged Canadian industries to help meet the need for these products, and many small and medium-sized enterprises began producing PPE.
    These businesses invested in setting up shop, creating innovative products like more breathable and sustainable masks and respirators, and employing Canadians. Sadly, many of these businesses have since shut down or are at risk of closing because the government awarded contracts to multinationals instead of supporting this emerging domestic industry.
    I'll give you an example. Dave Brimacombe, who owns Wayward Distillery in Courtenay in my riding, is a retired veteran who works very hard. He donated $75,000 of PPE hand sanitizer to local health workers and to first responders. He donated that. Later a subcontractor through Loblaws contracted him to provide it. Then Canada started bringing in a foreign supply of hand sanitizer, and it flooded the market and drove the cost down. Then the Loblaws supplier suddenly cancelled the contract after they had asked him to scale up. He ended up eating the $400,000 on his own after he came to the rescue of Canadians.
    I think it's in our national interest to ensure that we have a resilient PPE industry here. We know that new variants of COVID-19 still remain a threat and we must be prepared for future pandemics. If Canada does not prepare its own PPE industry, there's a risk that it will disappear. We need to ensure that we're prepared for national security.
    I believe it would be a good use of this committee's time to hear from domestic PPE manufacturers about the state of the industry and the barriers they faced in the federal procurement process. I believe this committee could do some valuable and timely work making recommendations on how procurement practices can better support this important domestic industry.
    I'm going to read the motion. The motion is:
That pursuant to Standing Order 108(2), the committee undertake a study on the role of federal procurement in fostering a resilient domestic personal protective equipment industry; that the committee have no less than three meetings to hear from witnesses; that the committee request testimony from the Minister of Public Services and Procurement, any relevant government officials, and industry representatives; that the committee report its recommendations to the House and that, pursuant to Standing Order 109, it request that the government table a detailed response to the report.
    Thank you.
    This is debatable. Does anyone wish comment on it, or is there general support for this motion?
(1630)
    It's consensus or call the question, Chair.
    If we have consensus, we will consider it passed.
    (Motion agreed to)
    The Chair: Mr. Johns, you have a minute and 20 seconds.
    Thanks so much, committee. I really appreciate it, colleagues.
    Mr. Ossowski, first I want to thank you for your service to Canada. I don't think public servants got enough credit, especially through COVID and the number of hours that you put in to protect Canadians.
    You've heard about GC Strategies and the commission and that these folks were making $1.3 to $2.7 million. You as a public servant didn't earn anything near that. These are contractors who don't even specialize in tech.
    Can you share your feelings of how you see, sense and understand the outrage of Canadians when they learn of subcontractors who are doing this kind of volume of business with these grotesque margins?
    I really have no comment on the margins. I can simply say that it's really important for us to have these relationships with industry because they have unique capacity to come in very quickly and help us solve problems in an agile manner. Because of that, you pay a premium for it, but I really have no assessment of what's an appropriate amount or not.
     We heard from the national president of the Customs and Immigration Union, and they said the frontline workers weren't even consulted about the app. They're dealing with the app day in and day out.
    Can you speak about...? Their frustration is valid.
    I would simply say for sure, at the very beginning....
    I'll remind you once again that it was the Public Health Agency's app. They were the business owner. The union doesn't work for them; it works for us.
    In a normal circumstance, the union would be consulted. I had regular meetings with Mr. Weber throughout my tenure, and with his predecessor, Monsieur Fortin. We talked about the app all the time. We got feedback from officers and we did make improvements as time went along, but these weren't normal times.
    Okay.
    That's basically your time, Mr. Johns.
    We'll now have Mr. Barrett for five minutes, please.
    Could the app have been made for less?
    Than what? The first version of the app, or...?
    Could the version that we have today have been made for less money?
    I think when you look at the complexity of the back-end systems, the regression testing, the work that was put into it, the call centres, the costs that have all been conveyed to you by the department and produced as evidence, you might be able to squeeze out a little bit more, for sure, and I think there are lessons learned. If we were to look back at it, I'm sure there might be some stuff that the department would be willing to hear about as we go forward, but these technologies, as I said, are critical for the future for us.
    If there are lessons learned from your study, they would be more than happy to receive them. I think President O'Gorman said the same.
    Is there anything you would have done differently?
    It's hard to say, because I was there at the time. I would say—
    You have the benefit of hindsight now.
    With the benefit of hindsight, I would say that we were moving very quickly. With the orders in council, as those requirements were being established, almost in real time we were having to reimagine the application and how we were going to recode it. I really feel for my team, which had to put in incredibly long hours to put this together. I know even in Mr. Manji's blog he talked about this and how it would take weeks to get approved by the app store. It took us days, maybe a week at most, for the app store to approve our version of the app. We were very good at this, but it was incredibly stressful for the team.
    Are you aware of any Treasury Board policies having been contravened during this—
    Absolutely not.
    —program?
    Thank you.
    What was the role of your minister in the contract management?
    Zero.
    With respect to due diligence, did you ever ask if the requirements from the other agencies—for instance, the Public Health Agency of Canada—were necessary?
    We met with them regularly to talk about the requirements and what was actually doable at the border. As I mentioned, we administer 100 other pieces of legislation and regulation at the border, and we have an on-the-ground understanding of how the throughput at airports and ports of entry works and how to do things like mandatory random testing and/or PCR testing or whatever it is. The synergy that we had in discussing these things was a daily conversation with the Public Health Agency.
(1635)
    Are you able to tell us what funding envelope was used to pay the GC Strategies contractor?
    I would refer you to the department for that information.
    Did you have delegated authority to approve any of the contracts on this project from the minister?
    I wasn't required to sign off anything on these contracts.
    Okay. Who would have signed off on them?
    Normally, the procurements are delegated down to at least the vice-president or the director general level, but the CFO and his team would be involved in procurements.
    Okay. It would be the VP or DG at CBSA.
    Yes.
    Did you consult Treasury Board with respect to this program at any point?
    Treasury Board was involved in these calls all the time, intermittently. They were aware that we were taking this approach to replace the paper in the early days, and they were aware as well in terms of the timing of the orders in council, because those would have been approved with Treasury Board ministers, and they were aware of the timing issues around the application.
    Were you involved in the consultations on the contracts themselves?
    I wasn't involved in those.
    Okay.
    PSPC would have signed off on the contracts.
     Yes, normally. Yes.
    Okay. At what level would that...?
    I have no idea.
    Did you ever meet any resistance from anyone in the public service when you were implementing ArriveCAN?
    Did I hear it from public servants? No.
    Did you hear it from members of the CBSA?
    I think Mr. Johns referred to the union's wanting to have more consultation, but as I mentioned, that was simply not possible in the early days.
    With my last 15 seconds, Mr. Manji, could this app have been made for less money, and could it have been made faster?
    I believe so, yes.
     That's our time.
    We have Mr. Jowhari for five minutes.
    Mr. Johns, unfortunately, I misinformed you. After Mr. Jowhari, we're done with this round of witnesses.
    Thank you, Mr. Chair.
    Thank you, Mr. Ossowski, for your work and your team's work.
    I'm going to ask a bunch of rapid questions. I'm trying to get to a couple of points.
    I understand that the development cost of the application was roughly around $8.8 million. The first version was within a couple of months, and it came to about $80,000. There were 80 orders in council, or OICs, and 70 rounds of updates to that application within 18 months. Are those numbers facts, sir?
    I'm sorry...?
    Are those numbers correct?
    Yes, generally speaking. Yes.
    Let's talk about the speed with which this application was developed. We'll get to the complexities in a minute.
    If I take 18 months, and I either use 21 working days or 30 working days divided by the 70 versions that were developed, if I'm using 30 days, it will end up about seven days per version that was developed, and if I use 21 days, it will be five and a half business days to develop.
    In your testimony, in your response to one of my colleagues, you talked about each version, with the complexity and with the complete testing, taking about a week. Am I right to say that, sir?
    It went in fits and starts, but on average, you could say that, yes.
    We developed 70 very complex, totally integrated versions and we made sure that they met the requirements that the Government of Canada or Health Canada put out to ensure the safety of people. Each version took seven days. Do you think we could have done that application under any circumstances faster than seven days or faster than 5.5 days?
    I've been in the industry for 21 years, and I'd like to challenge the comment that this application could have been developed much faster than five business days or seven full days, sir.
    I completely agree with you, and I think you have to build in the cyber-vulnerability testing we did, the regression testing we did, the back end, the call centres and getting briefings to the frontline officers so they knew what changes were happening with various orders in council. This was literally a 24-7 operation, and is still a 24-7 operation.
(1640)
    You just mentioned five or six different activities that happened during 24 hours for seven days for each one of those iterations. The development must have been only about a day or day and a half. The rest of it was all the testing, all the verification and all that. I want to make sure that's on the record.
    How many people—how many Canadians and how many travellers—did we get through that application?
    I understand that upwards of 60 million travellers went through with the ArriveCAN app.
    Thank you for that.
    On $8.8 million and over 60 million Canadians or 60 million uses of the application, what is the dollar per transaction?
    I'd have to do the math. I did the math earlier of 60 million into the total cost built so far of $41 million, and I think it's about 68 cents per traveller.
    Thank you.
    If you take the total cost of $41 million—which is to date, which is not $54 million—and you look only at the development costs of roughly about $10 million, that's going to be less than 60 cents a day.
    Let's say, for 20 cents per transaction, we ensured, during the pandemic as changes were coming in, that we saved so many lives. Without these measures and vaccines and the others, we could have put more Canadians at risk.
    Thank you for that.
    Now I want to go into the evolution of the sophistication of the application during those 18 months. Can you give us some idea of where we started to where we ended up, based on those 70 requirements? What level of sophistication did you see?
     I think that's an excellent question.
    As I mentioned, at the beginning it was simply contact tracing and the ability to get basic traveller information to the provinces. Eventually we added the capture of pre-arrival testing—PCR, rapid testing or whatever it was at the time. We put that in, and eventually the vaccine certificates.
    Every country did it completely differently. For some countries, it was very basic optical character recognition. It would be uploaded, and we would capture that it was, for example, a Moderna vaccine. There was some basic information there for us. Others were much more sophisticated.
    As I said earlier, because of the QR code that we had with provincial health care authorities in Canada, we had a very high degree of confidence in that information, and many Canadians came across the border and were never asked for—
    I'm afraid I have to cut you off again, Mr. Ossowski. We are out of time.
    We are going to suspend very briefly as we switch our witnesses.
    Mr. Ossowski and Mr. Manji, thanks for joining us today.
(1640)

(1640)
    We are back for our second hour.
    We will start with opening statements. Again, we are short on time, so I'll ask you to stick to five minutes.
    We'll start with you, Mr. Croll.
    I'd like to begin by thanking the committee for inviting me to discuss the ArriveCAN application.
    ArriveCAN cost too much to build. Canadians should be angry, not because of the cost, but because of what our inability to deliver good technology quickly means for the future of our society.
    This Thanksgiving, a couple of tech firms cloned the ArriveCAN app’s front end to show that its development was too expensive. As it has been pointed out, this PR stunt doesn't prove much about the cost of the program, because it takes more than copying a few screens to run a border.
    ArriveCAN had to be invented in the first place, and deployed, hosted and backed up. As we have heard, just the hosting fees for running it for a year and a half cost $4 million. It had to be updated constantly during that time. It needed to connect to passport, medical and travel databases. Thousands of people from coast to coast to coast had to be trained in the middle of a global public health crisis.
    ArriveCAN teams faced so many bureaucratic hurdles, outdated rules and legacy systems—en deux langues—that it’s amazing the app was built at all, let alone in a month. Few people are comparing the cost to the alternatives—face-to-face manual processes during a pandemic, or shutting down the border entirely—but it was still much too expensive.
    ArriveCAN cost so much because we do not have a digital government. While some of the ArriveCAN criticism may be a thinly veiled protest about vaccine mandates or public health measures, most of it is warranted, because our public sector is falling behind in its ability to deliver reliable and accessible technology on time and on budget.
    Each year, the UN publishes an assessment of digital government across its 193 member nations. In 2010, Canada ranked third in the world. This year, we’re 32nd. We should be angry because our government is unable to deliver superb information technology quickly and affordably.
    Canadians already spend nearly eight hours a day online. We are fluent in apps, living on the web and connected in our classrooms and our cars. We sleep by our phones. They’re the first thing we check every morning. We are always connected, with a screen in every pocket, just 15 years after the iPhone was introduced. We are quickly becoming, at least partly, a digital species. In the next century, we will fundamentally rethink everything about government, from how residents interact with public services to how we choose our leaders. A hundred years from now, our government will be as unrecognizable to us as modern democracy is to the monarchy. We are changing, and the government is not adapting alongside us.
    While on the outside, the government looks like the thing that builds roads, tests cars, checks crops, staffs service desks, protects coastlines and, yes, chairs committees, at its core the government deals in information. The government ushered in the mainframe, the Internet and satellites. The government is information technology.
    As chair of the world’s leading conference on digital government and public sector modernization, I have had the chance to speak with the national CIOs from dozens of countries, including many that now outrank us on the UN’s digital government assessment. In those countries, people brag about the amazing apps they’re building for their fellow citizens. Innovation and experimentation are celebrated. New graduates want to work in government technology. However, here in Canada, we are stumbling into the digital age.
    The answer is not more outsourcing. There’s plenty of room for public-private sector collaboration on the utility parts of computing and technology, such as cloud computing, broadband or off-the-shelf software. I don’t want a government to be a hollowed-out shell of policy-makers and bureaucrats, completely dependent on the private sector for its operation. We cannot abdicate the reinvention of our society to others. The government must code.
    Fixing this problem will take real, meaningful changes in compensation, culture, training and, yes, the replacement of those who can’t or won’t adapt. Many of these changes are politically unappealing, but they are also necessary.
    The hard truth is that we live in a digital society and we deserve a digital government. ArriveCAN is a canary in the digital coal mine, warning us that we are unprepared, unwilling or unable to adapt to that new reality.
    Mr. Chair, my objective with these remarks is to not to give you an exhaustive explanation of why ArriveCAN cost so much, but to frame this conversation in a broader context.
(1645)
     I was invited here because of my background in technology start-ups and my role as the founder of a digital government conference.
    I will be pleased to answer any questions from the committee members.

[Translation]

    Thank you.

[English]

    Thank you, Mr. Croll.
    Mr. Hutton, welcome back. We'll give you five minutes.
    Before we do, I just want to point out for those who have not been with us before that Mr. Hutton is a great friend of OGGO and a big part of what I think was a groundbreaking report on whistle-blower protection.
     It's great to have you back with us, Mr. Hutton.
    My name's David Hutton and I'm a senior fellow with the Centre for Free Expression at Toronto Metropolitan University. I offered myself as a witness because I felt that my particular experience might enable me to offer a useful perspective.
    As a young engineer, I led the quality assurance of large, complex computer systems by monitoring the development process, conducting independent testing and approving a final release. Later, as a management consultant, I led my own consulting practice for 20 years, conducting in-depth audits of the management systems of over 100 organizations around the world. For the past 17 years, I've been assisting public interest whistle-blowers and advocating better protection for them. Typically, these are honest employees who speak up about wrongdoing and are punished for doing so.
    These three apparently quite different careers have something in common: a quest for truth and integrity so that organizations can deal with facts and reality, making them more successful and also serving the public interest.
    I think one of the central questions facing this committee is what happened with respect to ArriveCAN, on a spectrum ranging from a reasonable outcome and value for money, given a fast-changing emergency situation, through contractors taking advantage of a difficult situation opportunistically but perhaps entirely legally, to, at the far end, corruption or collusion through which laws or codes of conduct were violated.
    This is difficult to find out, especially if there are wrongdoers who will do their utmost to hide their misdeeds. Based on my experience and research, if we had even half-decent whistle-blower protection in this country, this committee would very likely soon have the answers.
    Let me explain.
    Given the cost of this project, hundreds of people must have been involved as public servants and contractors. If there was any wrongdoing, then some of them would certainly know. However, they have no safe way to provide this information to the committee or to the public, as there's no protection from career-ending reprisals for speaking up.
    That's because Canada has literally the worst protection law in the world. It is supposed to protect about 400,000 public servants, but in 15 years of operation at a cost of more than $100 million, not a single whistle-blower has ever been protected.
    This system also completely failed to detect the impending Phoenix pay disaster, even though hundreds of people knew about the problems. Let me share some relevant information about Phoenix as an instructive example.
    With my background, you can understand that I was absolutely rivetted by that project. How was it possible that such bad software could be written and released, untested and without any fallback, into a mission-critical role where it would dispense billions of dollars and directly impact the lives of hundreds of thousands of employees?
    I read the detailed reports that were available from many sources, but ended up with more questions than answers. I decided to conduct my own investigation, assisted by the Centre for Free Expression.
    We set up secure channels of communication and called for insiders to share their experiences confidentially. A few responded, and now I have my answers, which I hope to publish in due course, though I need more sources to corroborate what I learned. This is difficult, because people are terrified to say anything, even those who are retired, years after the event.
    My story illustrates two things. Number one, whistle-blowers are by far the best source of information to uncover any wrongdoing that may exist in an organization. Decades of research confirm this. Number two, without protection, very few people will dare to come forward with vital information. That's the situation that the committee finds itself in today.
    This is a long-standing problem that affects the work of this committee and all oversight bodies. One obvious solution is to implement proper federal whistle-blower protection, as this committee unanimously recommended in 2017.
    Because of its track record and mandate, this committee is uniquely placed to help solve this problem. If you succeed, this will help clarify the true status of many projects, from Phoenix to ArriveCAN.
    Thank you.
(1650)
     Thank you, Mr. Hutton.
    We have Ms. Kusie for six minutes, please.
    Thank you to both of our witnesses for being here today.
    Mr. Hutton, as you're well aware, in 2017 OGGO published a report with recommendations on whistle-blower protections. Do you support these recommendations?
(1655)
    Absolutely.
    I hope so. Excellent.
    Do you think if these recommendations in the report were implemented, public servants would have been more comfortable coming forward in cases of wrongdoing?
    That's undoubtedly the case.
    Excellent.
    Do you believe that if the recommendations in the 2017 OGGO report were put in place prior to the pandemic, public servants would have been more likely to come forward with concerns around the ArriveCAN app?
    If there was wrongdoing, of course they would, yes.
    Excellent.
    Why do you think the current government has ignored the recommendations in the 2017 report for the last five years?
    Well, that's a good question. I don't actually see this as a partisan issue. I think successive governments have behaved in this very similar fashion. What I take from this is that governments in power find it very convenient to not have this avenue of disclosure, while people in opposition would like to have it. Of course, the public would like to have it.
    Certainly. I guess, coming from the Conservative side, we did introduce accountability 1.0, and the 2017 report did come out under the Trudeau government. I struggle with your point, but I understand.
    Do you think the Liberal government will continue delaying reforms for whistle-blower protections?
    I hope not, but I can't speak to the future.
    I'm sure you're well aware that a Bloc Québécois member put forward the private member's bill, Bill C-290, to implement more whistle-blower protections, and I can only assume the absence of Liberal action, since this report had been available for five years.
    Do you think the government should be supporting this bill?
    I think they should bring it to committee and debate it and make sure it's up to par. I think it's a very good start.
    It should be with the least delay possible.
    Absolutely, yes.
    Excellent.
    Do you think if this bill were implemented, it would make public servants more likely to come forward about cases of wrongdoing for big projects such as the ArriveCAN app?
    Yes, I do.
    Excellent.
    I'm sure you're aware as well that the government recently decided to put together a task force to look at reforming whistle-blower protections. Do you think this task force is necessary, or do you think that the framework is already available, given the 2017 report that was released?
    I could answer that by saying there is an article I wrote in The Hill Times today that gives a long answer to that, and people should perhaps read it.
    However, no, I don't think it was necessary. I think the priority is to put in place the recommendations that are already made, and then there is going to be lots more room for improvement after that.
    Certainly.
    Do you think 12 to 18 months is the right time frame for this task force to make its assessment, especially given that now we've had not only the 2017 OGGO report—the mighty OGGO report—but as well this recent private member's bill?
    I don't see any purpose in the task force until these other steps have been taken. Once you have a baseline in place of what's already been recommended, then I think there will be plenty of room for further discussion, because we still will be far from internationally respected best practices.
    Is it safe to say, then, that the current Liberal government could implement something at this time, that perhaps this task force isn't necessary, and perhaps is even a delay in implementing information in a framework that already exists?
    I think it doesn't really matter what this task force does as long as this doesn't impede the urgent implementation of what's already been recommended.
    Well, 18 months is quite an imposition. I think it's already being impeded.
    Do you think that some of the work of the Public Servants Disclosure Protection Act review task force would overlap with the parliamentary process involved in Bill C-290?
    I'm sorry. Could you say that again, please?
    Do you think that when the task force begins its work, it will come to lots of conclusions that are already not only in the 2017 report but also in Bill C-290 as presented by the member for Mirabel?
    I don't know what the task force will come up to, because it's starting from a fairly low base in terms of knowledge and experience, I think. There's an awful lot of work to catch up on, the work that this committee did. It would take them months to complete the work that's already been done.
    What role do you think the Treasury Board should be taking to ensure that public servants who witness mass wrongdoing, such as with the ArriveCAN app, will come forward and be willing to report it?
    The law needs to be reformed. The Treasury Board must start conducting proper oversight of the departmental processes, which is its responsibility. Yes, those are the main things.
     Do you think that not having—
    I'm afraid that's our time, Ms. Kusie.
    Thank you very much.
(1700)
    Oh, I apologize. I stopped a minute early.
    That's okay. Thank you so much. That's very kind.
    Mr. Hutton, do you think not having adequate whistle-blower protection for public servants undermines the ability of parliamentarians to get answers about mismanagement of government projects such as the ArriveCAN app?
    Yes, it certainly does.
    Without adequate whistle-blower protections, do you think parliamentarians and Canadians will get the full answer about what happened with the ArriveCAN app?
    As I just said in my remarks, I think that's the central problem here—that without that safe disclosure channel, you're not going to hear from people who may have information that's unwanted.
    Do you believe there are more wrongdoings occurring because of a lack of whistle-blower protections?
    Certainly. If you look at the other channels people can use.... I ran a small charity for some time. We offered a free helpline service. I was getting inquiries at the rate of more than 100 a year. That's more than the official agency that's supposed to be protecting people.
    Thank you.
    Thanks, Mr. Hutton.
    I apologize again, Ms. Kusie. My brain was stuck on five-minute times.
    Mr. Kusmierczyk, go ahead for six minutes.
    Thank you, Mr. Chair.
    Thank you, Mr. Hutton and Mr. Croll, for your time with us here this afternoon.
    Mr. Croll, I really welcome your suggestion about how to bring our government even further into the digital age and be a leader in terms of digital government.
    Before we talk about that, I really appreciated the article that you published a couple of weeks ago, entitled “ArriveCAN hot takes miss the point”. I thought it was really illuminating. There was a part in the article under the heading “What it takes to build an app in government”. I think a lot of folks at home may not understand the differences between an app built by a private sector company for the private sector and what a government is responsible for when it's building an app. There are obligations and things a government app needs to make sure are working and cross-referenced. The apps aren't the same. There's a private sector app and then there's a government app.
    Can you talk about the differences in terms of some of the obligations and responsibilities that a government-built app has to tick off?
     Absolutely.
    The first thing you have to do with any application is design it.
    In 2020, there was no COVID border app to copy, so ArriveCAN had to be invented. The design process itself is difficult because you have many stakeholders. You have to understand how they are going to use the application and make sure that you've met their needs.
    There's governance. You have to respect users' rights. Ironically, many of the most vocal critics of ArriveCAN are also vocal critics of government overreach and invasions of privacy. They should be happy that we are spending so much time protecting their rights, particularly with medical data, passport data and travel data—some of the most precious data there is.
    We have to train people on how to use software. It's not magic. Everybody here had to learn how to use Teams in six weeks. Learning ArriveCAN had to happen across thousands of employees in real time, during a global pandemic. They had to be trained with each new version of that software.
    Private companies don't necessarily have to do that. They're also not trying to use those applications in degraded conditions. By definition, every user of ArriveCAN was going to use the app and then turn on airplane mode. It's call “airplane mode” for a reason, so your app is naturally going to disconnect. The testing and the edge cases are very difficult, and so far, that's true for public and for private companies, but hen you get into government, you get into much more governance, in part because of accessibility requirements. If you call up TribalScale or Lazer and say that you want an app and, by the way, you would like it to be accessible, they are going to add a line item. Do you want it to work with screen readers? That's going to cost you more. Do you want it to work with other phones and all these different platforms for accessibility?
    Government doesn't have the luxury of targeting the lucrative middle. Government applications are for everyone. That's a much wider range of development, testing and coverage.
    There are also issues of interoperability in working across jurisdictions. There's even language. I'm not just talking about translation; if one misplaced pronoun gets somebody upset, then a member of Parliament is going to get yelled at and a public servant is going to get thrown under the bus. Every word has to be scrutinized, when in fact it should just be a matter of fixing it in the next release.
    Government is under this sort of scrutiny. Perfect may be the enemy of good enough, but government doesn't have the option of good enough.
    Obviously we talked a lot about procurement, meaning the outsourcing and the markups and so on. Those are legitimate issues. The lesson here should not be that government should outsource more efficiently; it should be that governments should know how to build apps. We should be in charge of our own future. If you just look at the markups that we're paying by not having a robust public sector that's technology-smart, that explains a significant portion of these costs.
    Finally, I think there are deployments and backups. When you're building a software application, you have to build a sandbox to build the next version. You have to build a system that can be replicated. You need a backup plan. If this stops working, there are literally thousands of people in transit who can't arrive in the country. A private company that delivers an app doesn't have to deal with 10,000 people lined up at the Dorval airport who are wondering how to get into the country.
    I think it's disingenuous to try to compare the two.
(1705)
    I very much appreciate that. It's a much more complicated task.
    If we were to compare, let's say, what you just said about building a government app like ArriveCAN to a decathlon in the Olympics, where you have to be good at multiple sports, what would you compare a weekend hackathon to—like the one our Conservative colleagues would actually prefer us to build?
    I noticed one of the members of the committee mentioned mass wrongdoings, such as the ArriveCAN app.
    As a citizen who has been studying this carefully, I don't think we've arrived at the point that there are mass wrongdoings of any measure. I think that in fact the leaders of both Lazer and TribalScale agreed with my assessment in no uncertain terms very publicly when I published it. I think it is fair to say that you can copy the plans and clone an app, but that doesn't mean you can run a border.
    I'm going to ask you one last question.
    You described the complexity of building a government app. There's the fact that the government was able to do that in a month with 98% effectiveness. There were only 2% glitches.
    How would you describe that accomplishment?
    I can't speak to—
    You are going to have to describe it in the next round, perhaps, or in writing to us. We are at our six minutes. Thanks, though.
    We'll go to Ms. Vignola for six minutes, please.

[Translation]

    Thank you very much.
    I'd like to thank both of you for being here.
    Mr. Hutton, in your opening remarks, you indicated that the consulting firm you headed had done extensive audits—

[English]

     I'm sorry. I'm only hearing French.
    Try again. I'm sorry.

[Translation]

    In your opening remarks, you said that the consulting firm you headed had conducted extensive audits of the management systems of more than 100 organizations around the world.
    To your knowledge, does Canada have an extensive independent audit process for management systems similar to the audits you were doing?

[English]

    You're asking about my experience in auditing these companies or auditing these organizations.

[Translation]

    I'm asking if Canada has a similar process.

[English]

    Yes.

[Translation]

    Okay. What are the benefits of these audits?

[English]

    We may be a bit off topic here, but it was basically to look at how organizations' management systems function in a system fashion, as an engineer would do—

[Translation]

    Can my colleagues turn their microphones off? I'll do the same, because we can't hear each other because of our microphones. I'm sorry.

[English]

    I was looking at how an organization is managed in a very systematic fashion, looking at leadership, how it interrelates with customers and so on. That would give the organization a very detailed understanding of exactly where they were going wrong from a management system point of view. That provides them with golden nuggets of areas that they can improve on. That's the type of work that I used to do.
     Does that answer your question?

[Translation]

    Yes, thank you.
    In my humble opinion, this type of audit should be done more often in Canada and the recommendations of the committees should be implemented, but hey.
    In your opening remarks, you talked about ArriveCAN and the fear that contractors and public servants have of disclosing information.
    Is there any evidence that public servants or contractors currently have information, but are unwilling or unable to provide it for fear of losing jobs or potential contracts?
(1710)

[English]

    No. I don't have any information like that. I don't have any inside information. The only way I would know is if someone had decided to come to us and try to disclose something.
     There are other avenues. If they were public servants, they'd need to go to the Public Sector Integrity Commissioner. They probably won't do that if they study the track record of this law.

[Translation]

    In the case of the Phoenix system, you have established secure communication channels to get information.
    Does the Public Servants Disclosure Protection Act provide for such secure channels? If not, should it?

[English]

    The safe channel that we provided was for people to get in touch with us and share information. That's just the first step. People had to trust us and trust that we would not do anything with it that would be damaging.
     The problem with the Public Sector Integrity Commissioner is not getting information to them safely; it's what they do with it. Basically, the pattern is that if allegations are mostly ignored and not even investigated, and when you go to the office, they become secret forever—beyond access to information not just for 10, 15 or 25 years, but forever—the whistle-blower really has no chance of any remedy for reprisals.
     As I said, in 17 years with about 500 whistle-blowers having complained of reprisals, not a single one has been compensated.

[Translation]

    Let's say that a public servant or a contractor has complied with the Public Servants Disclosure Protection Act and has followed each of the steps set out in that act regarding information about ArriveCAN. Neither you, nor I, nor any member of the public would know that unless the discloser spoke out in the media.
    Is that right?

[English]

    The typical process would be that they go to the integrity commissioner with a disclosure. There's then a lengthy process that could take over a year before it's even assessed to decide whether they're going to investigate. Investigations often take more than a year. At the end of the investigation, there's often a conclusion that there's no wrongdoing. At that stage, there would be a report to Parliament.
     That's a process that takes years. It very rarely works. We've had only 18 cases of founded wrongdoings in 17 years, out of 1,500 disclosures of wrongdoing.
    It's a very slow process that rarely ever works, and the wrongdoing that has been reported is mostly really minor compared with other stuff that we've seen going on in the public service.

[Translation]

    To your knowledge, how many of those 1,500 complaints were about information technology?

[English]

     I couldn't give you that information. I'm sorry.

[Translation]

    Thank you.

[English]

    Thanks.
    Mr. Johns, we'll go over to you.
     Before you start, though, I've just got a notice that bells will be at 5:27. We'll be able to get through most of the rounds, but when the bells go off, I'll ask for everyone's consent to finish off what will appear to be the final two and half minutes for the Bloc and the NDP.
    Can we just give that consent now, Chair?
    Yes.
    That's perfect. Thanks.
    Go ahead, Mr. Johns.
    Mr. Hutton, if a public servant had blown the whistle on the procurement or development of the ArriveCAN app, how likely is it that the public or parliamentarians would be aware?
    There's no obligation to tell the public or parliamentarians. The only person who gets to know immediately is the leader of the department. The individual isn't identified, but they are the person who is told.
    If the Integrity Commissioner decides to conduct an investigation, which they usually don't, they must inform the head of the department. Everything is secret until the whole process has concluded, at which point there's a report to Parliament. As I said, this could take years.
(1715)
     I'm going to read a quick quote.
    You wrote an opinion piece in the Ottawa Citizen back on October 19, entitled “Canada's whistleblowing system protects wrongdoers, not whistleblowers”, and you were writing about the Public Servants Disclosure Protection Act. I'm going to read a quote. It says:
    
When then-minister Pierre Poilievre introduced the legislation in 2006, he claimed repeatedly that it would offer “ironclad” protection and indeed it does—but for wrongdoers, not for the whistleblowers or the public.
    
It's time for our leaders to do what they have promised and what Canadians expect, by putting in place a system that will truly protect the public....
    Can you talk about the costs on taxpayers, on workers, by the failure to address this serious issue?
    Gosh, that's almost incalculable.
     I would call to mind Phoenix and the $2.4 billion and counting—and it still doesn't work, by the way. That was a situation that was well known to hundreds of people, almost everyone who was directly involved in the project. There was a catchphrase, “Everything going well with Phoenix”, which was ironic and was in common use, yet I believe and have evidence that the Integrity Commissioner was given credible warnings about the management of that project, and there was no investigation.
    There's $2.4 billion right there.
    Now, the public service spends about a billion dollars every working day. I don't know how much of that is wasted or stolen, but it's probably significant. Anyone who's a professional fraud examiner will tell you that there's corruption everywhere. All organizations experience it, and it's just simply a matter of how quickly you can find it and detect it. We have no system for detecting that.
    You wouldn't expect that in a government in a country like Canada. Certainly everyday people wouldn't expect that kind of corruption or failure.
    Can you speak about ArriveCAN, Phoenix and how preventable these runaway costs could have been if we had a good whistle-blower system?
    As I said, I've no inside information on ArriveCAN. I'm not making any judgments on what this committee may conclude about the project. What I am saying is that if there has been wrongdoing within it, this committee is not going to find out through the current mechanisms.
     I'm not trying to compare Phoenix and ArriveCAN directly. There are simply some lessons to be learned about all IT work and all government work from looking at Phoenix.
    In the 2022 budget, the government committed $2.4 million over five years to the Treasury Board Secretariat to launch a review of the Public Servants Disclosure Protection Act. Do you think this new review should preclude the House of Commons from moving forward with amendments to the act in the interim to better protect whistle-blowers and the Canadian public?
    No, absolutely not. I think the process of implementing this committee's recommendations and perhaps examining this new member's bill should go forward as urgently as possible.
    That committee, if they want to, can look at further improvements that would take our whistle-blowing laws to the level of the European countries, for example, which we're far from. The recommendations the committee has provided are excellent, but there will still be significant room for improvement after that.
     Bill C-290 came up for debate on November 2. Do you think it's any coincidence that on October 30—three days before—the government announced that they'd be moving forward with a review of the act and gave three full business days to have representatives apply for two positions on the advisory committee it is striking as part of the review? This is after five years, and they had to do it. Do you believe this is proper engagement with the public sector unions and the Canadian public?
    It does look odd, especially when you look at the pattern of very long delays when things are important, and then sudden action on something that I have said to me looks like a delaying tactic.
    You talked about the track record of the government in terms of enforcing the—I'm going back again to that article—“18 cases of wrongdoing in its 15 years of operation”. This is the PSIC. This was after receiving more than 1,500 disclosures of allegations of wrongdoing, and not one had been protected by the tribunal that was set up for this purpose. Can you speak a little bit more in detail about that?
(1720)
    The law is set up—
    In about 10 seconds, Mr. Hutton.
    The law is set up to prevent whistle-blowers from ever getting a remedy because of.... It's a technical term. There are lots of problems, but there's no reverse onus at the tribunal. The employee has to prove that a reprisal was taken against them, and that's impossible. The burden of proof has to shift to the employer to show that the actions were not a reprisal.
    Thank you, Mr. Hutton.
    Thank you, Mr. Johns.
    We will go to Mrs. Block for five minutes, please.
    Thank you very much, Mr. Chair.
    I want to thank you both for being here today and for your testimony and just the wealth of knowledge and experience that you're bringing to this conversation.
    I want to circle back to some comments that my colleague Mrs. Kusie made and that were followed up on by Mr. Croll. If forcing 10,000 Canadians into two weeks of quarantine under the threat of fines or jail is not mass wrongdoing, what would you define as mass wrongdoing?
    First of all, I'm not a public health official and I'm not an ethicist. I believe the quote was about witnessing mass wrongdoings, such as the ArriveCAN app. I cannot speak to whether or not the ArriveCAN app was tied to any kind of quarantine or other public health practice, but I think that saying that we have mismanagement of government such as the ArriveCAN app seems prejudicial and I'm not speaking to the effects on citizens as part of travel.
    I would say that very few people seem to be comparing the costs that we're talking about today to the costs of shutting down a border entirely, the costs of letting a virus burn through our population, or the costs of face-to-face interactions at a time when we had very little science on what was happening, but I can't speak to the matter of your question itself.
    You are aware of the reports on about 10,000 Canadians being forced into quarantine wrongly. You didn't hear those news reports?
    Yes, I've been following the news. I think it is not my place to decide what is an acceptable cost to the public in a matter of public health. I think that's better placed for ethicists and philosophers.
    I think you called into question what was considered a mass wrongdoing, so my question to you is this: Would you consider that a mass wrongdoing as the result of an app that failed?
    I don't think that I can speak to anything other than the cost of software development and the efficacy of that. I don't have any insight into the operation of the application that was delivered by the people using it or the technology used to scan and verify any documentation that may have happened.
    Okay.
    I'm speaking strictly to the software development side of things.
     Well, I will move on with another question for you.
    In your opening statement, you said that in 12 years we've fallen from third to 32nd in the UN's assessment of digital government. We're obviously going in the wrong direction in regard to what you would say needs to happen with government becoming a digital government.
     I agree with you, especially when I think about what we heard in earlier testimony in regard to the procurement of the ArriveCAN app, knowing that there were three companies identified as the companies that could potentially do this. Then I was surprised to hear that a company like GC Strategies, which subcontracts all the work for an application, took a cut of somewhere between 15% to 30%, and we cannot get any information on the subcontracting. That is deeply concerning to me, because governments need to be transparent and accountable when it comes to the expenditures of Canadians' money.
     I guess I would also say that this undoubtedly increases the price of the contracts to government. Not only do we not have access to who these contractors are, but now we also know it's costing more.
     I'm wondering if you believe the government can create an effective in-house capability or, at the very least, if they should be contracting with IT firms that can do the work themselves in order to save the taxpayers' money.
(1725)
    I couldn't agree with you more.
    It will have to be a brief answer, as well.
    Yes, we are paying a markup, because it's in a public health crisis at a time when tech developers are in high demand. The private sector is compensated ridiculously more than the public sector for technological developers.
     I would refer you to what Amanda Clarke, Sean Boots and Catherine Luelo said on the subject. Canada's paying a premium, and we are mortgaging our ability to define our own future by relying on outsourced contracting marked up by third party procurers.
    Great.
    Mr. Bains, you have five minutes, please.
    Thank you, Mr. Chair, and thank you to our witnesses for joining us today. I'm going to start with Mr. Croll.
    My colleague earlier referenced an article you published. You commented that these development shops are building an app in idealized conditions. Can you expand on that, please?
    It was Thanksgiving weekend. They all decided to stick around for the weekend and do it. I don't think people were in a similar situation in March or April 2020.
     This shop already has access in both cases to version control software, existing cloud-hosting accounts, tools for integrated development environments, tools like Slack, or whatever else. They're already set up to do this stuff. They probably have Figma for user interface design.
    Once you have a pipeline like that, you don't have to recreate it from scratch for a new project. When you're cobbling together dozens of subcontractors across firms, often through third party intermediaries, the overhead of managing and maintaining that process versus what we have within Canada in the Canadian Digital Service and other places, you're already paying a markup just to get the system to work.
    You just referenced the Canadian Digital Service. In that same article, you mentioned that the government should have an app development shop. Now you're referencing the Canadian Digital Service. How would your proposed app development shop differ from the Canadian Digital Service?
     The CDS is our best attempt to do that at the moment.
     The way I would explain it is like Lego. If you're trying to build something out of Lego, you have component pieces that you can put together to build a house fairly quickly. Our government already has applications like GC Notify, which is a tool that will send out notifications very simply. In fact, at FWD50 this year, they built a notification system in an hour.
    We have another one for forms. If you have a form you want to fill out, you use the form tool that we've built. It's automatically accessible, translated and easy to use. It complies with all laws. We have another one for sending out, for example, translation and so on. You build these building blocks, and once you have that foundation, you can very quickly create new pieces of technology on top of it.
     For example, we had a speaker from Ukraine. She's the Ukrainian liaison to the European Union for their digital government. Ukraine has leapt forward in the digital government rankings, despite the fact that they're at war. They have a technology that allows every citizen to be identified by looking at their phone. We don't have a unified digital identity. As you can imagine, being able to log into a system is the first requirement for being able to use it properly. However, in Ukraine, that same tool was quickly repurposed to report war crimes or to report attacks.
    Once you have these building blocks, you can build new things on top of them, but we are not investing in consistent, reusable building blocks. The Westminster model encourages each department to build its own things in its little fiefdom, rather than defining what is a common feature, like a notification or a form, and saying, “This is what we're going to use, and everyone is going to use it”, making it awesome and then letting people quickly build things on top of it as experiments, and when those experiments don't work, taking them back, rather than facing criticism.
    Taiwan has a parallel digital government portal. On every page that you go to on Taiwan's website, you can replace “GOV” with “G0V” and see their beta of the current website. You can go and try it, and if it works, they'll make it mainstream. That's a very big difference from our approach.
    I may have time for one more here.
     We heard from the gentleman who was involved in the hackathon. In the future, do you believe that the hackathons can add value—as opposed to being an opportunity to advertise and market software developers—in helping the government develop apps and have these folks and these hackathons help improve whatever we're working on?
(1730)
    Rapid prototyping in the form of hackathons is great, but it's not a substitute for a finished product. It can often mislead you. Just because you can do something in a week doesn't mean that this thing is going to be the final product.
     I would love to see groups within government doing hackathons on projects when it isn't a crisis. Let's decide what we need to build, as a country, and let's build it without it being a time of crisis. Let's set aside money for that kind of investment so that the product is there when we need it.
     I think in the private sector, hackathons do a very good job of showing that small, nimble shops can often outpace large, well-heeled organizations that are great at filling RFPs. We need to diversify the suppliers of government technology, ideally not to involve third parties—
    I have to cut you off there, Mr. Bains.
    Ms. Vignola, you have two and a half minutes.

[Translation]

    Thank you.
    Mr. Croll, what you're saying is very interesting.
    I think my question is simple. In recent years, the Canadian government has invested hundreds of millions of dollars in technological and other upgrades. Despite this, the country now ranks 32nd out of 193, down from third.
    What accounts for such a decline, despite the investments? How could that have affected the cost and deployment of ArriveCAN, if at all?
    I'll do my best to answer in French.
    First of all, I would say that it's because of the advancement of other countries in relation to Canada. Many other countries have made progress, such as England and Ukraine, for example. The notes I provided contain a lot of information on the subject. There are also some rather surprising research results.
    There are also problems in Canada related to provincial jurisdictions. Since most identification is done through the health insurance plan or driver's licences, it's difficult to have a single federal identification system. It's incredible.
    We trust Google, Twitter, Facebook or LinkedIn to log in, but that's not possible with our country. In fact, the government is the only one that owes us something and that has a legal process. I can't talk to Mark Zuckerberg and tell him that he gave me login information and that he shouldn't have done that.
    We really need to come to the conclusion that the world is in the digital age and our country is in the digital age. Our services have to be digital first. That doesn't mean we're going to leave behind people who don't embrace the digital environment, but digital systems are more efficient. More research can be done on a digital platform. The login information is there, and it's easier to go and see what happened in a session than in a conversation between two humans.
    I think there are a lot of reasons to invest in this, but some government employees don't want their department to be forced to keep up with the technology and expense associated with a common application.
    It's time for Canada to speed up the process and resume its place.

[English]

     I'm afraid I have to cut you off there, Mr. Croll.
    We'll go to Mr. Johns for two and a half minutes and then we'll finish up.
    Thank you.
    My mom was a public servant, and I saw first-hand the sacrifice and how much she cared about her fellow countrymen. It was just amazing.
    The Prime Minister made a statement on June 12, 2022, during National Public Service Week. He said, “the government is taking steps to foster a more inclusive public service”. Thinking and hearing about all this, I would feel it's not a safe or inclusive workplace when you're in fear and when there's nowhere to turn.
    Mr. Hutton, perhaps you can speak about what kind of workplace this is, given these results, when there's nowhere to go. Over 50% of the public service workers who are off work are there because of mental health issues. Do you believe that this is contributing to it?
    I think there are a lot of factors here.
    We know from research that whistle-blowing doesn't take place in some organizations because there's such an open environment and competent management. When wrongdoing is reported to your boss, it just gets dealt with and there are no repercussions. It's not even called whistle-blowing.
    In an environment that's very hierarchical, where there's a fear to report any bad news upwards and there's a significant amount of harassment existing as a problem, then whistle-blowing mechanisms are required. They are not going to fix this, but they will help to avoid some of the harm because whistle-blowing can act as an early warning and prevent major problems from spiralling out of control.
    There's no reason in the world that Phoenix should have lasted beyond the first year of its operation, yet it went on for years and was ultimately released. It's mind-boggling.
    On the larger picture of the atmosphere in the public service, I have opinions, but I don't have direct experience, so I'll pass—
(1735)
    I just want to add that there's the human cost and there's the cost of the economic leakage of the disasters. There are also the mental health claims that the government is incurring. This is significant. When you work in an unsafe workplace and you end up off work with mental health issues, you need help. The government is also failing there.
    I want to thank you so much for your very important contributions.
    I'd also like to mention that many whistle-blowers suffer from PTSD because of what they've gone through in terms of reprisals and so on. It's a big mental health issue.
     Thanks, Mr. Johns.
    Mr. Croll and Mr. Hutton, thanks for joining us today. I appreciate it, as always.
    Unless anyone has anything else, we can run to vote.
    The meeting is adjourned.
Publication Explorer
Publication Explorer
ParlVU