:
I'm going to call the meeting to order.
[Translation]
Welcome to meeting number 145 of the House of Commons Standing Committee on Access to Information, Privacy and Ethics.
Pursuant to Standing Order 108(3)(h) and the motion adopted by the committee on Tuesday, October 29, 2024, the committee is resuming its study of privacy breaches at the Canada Revenue Agency.
I would like to welcome our witnesses for the first hour of this meeting.
[English]
From H&R Block, I want to welcome Mr. Peter Davis, who is the associate vice-president of government and stakeholder relations.
Mr. Davis, welcome to committee. You have up to five minutes to address the committee, and then we'll be following that with questions.
Go ahead, sir.
:
Thank you very much, Mr. Chair.
Thank you, committee members, for the opportunity to appear on behalf of H&R Block Canada today. I appreciate the committee's patience and flexibility in accommodating my schedule.
This year, we at H&R Block Canada are proud to be celebrating our 60th anniversary of helping Canadians with their taxes and with receiving their benefits. Back in 1964, H&R Block Canada's first tax office was established in Toronto, and our national headquarters are proudly located in Calgary today. Throughout our 60 years in Canada, our company has grown to nearly 1,000 locations and 10,000 H&R Block Canada associates, serving Canadians in every corner of the country during tax season.
I'd like to reiterate some key points from our earlier November 15 statement and our December 6 submission to the committee.
Throughout our more than six decades of operation, H&R Block Canada has placed the utmost priority on ensuring the protection and privacy of our clients' tax information. H&R Block Canada is proud of our retail offices' privacy framework, which is among the best in Canada. We understand the important responsibilities and obligations that come with safeguarding Canadians' personal information, and we have robust security systems and processes in place to protect it.
Given H&R Block Canada's commitment to data privacy and security, when we became aware of the incident involving our e-file credentials, we immediately conducted a comprehensive internal investigation and concluded that H&R Block Canada's data, systems and software had not been compromised. We are also not aware of any impact to our clients.
I would also like to assure this committee that H&R Block Canada has never sent any Canadians' personal data, including pixels, to companies such as Google and Meta. While we are aware of past media reports in the U.S. regarding this issue, we can confirm that the pixel usage described in those reports does not apply to H&R Block Canada clients.
Allow me to take a moment to speak on behalf of our broader industry.
As co-chair of Tax-Filer Empowerment Canada, the national trade association for Canada's tax preparation and software industry, I believe it is important to articulate the critical role of industry tax software in helping to safeguard the personal information of Canadians. Tax software developed by industry for use by taxpayers directly or by tax professionals on behalf of their clients must undergo intense certification by the CRA each year in order to be approved for use by the public and to be authorized for the electronic filing of tax returns to the CRA. Tax software providers must also ensure that their products and services are compliant with Canadian privacy and data security legislation. These factors, along with industry innovation and ongoing investment to continuously enhance and evolve data security, afford Canadians many diverse industry options to choose from so that they can feel safe providing their personal information.
Diversification mitigates cybersecurity risks, as threat actors have to attempt to infiltrate several different secure IT systems, as opposed to just one system administered by the CRA. With this in mind, along with the fact that the CRA is a high-value target to threat actors and has experienced previous security breaches, the notion that taxpayers' information will be safer if it is solely controlled and managed by the CRA through automatic filing or any type of government tax filing does not have a credible basis.
Before we move to questions that committee members may have, I would like to raise this point. These proceedings are very likely being monitored by threat actors seeking opportunities to identify and exploit potential data security intelligence for criminal gain. As the largest assisted tax preparation company in Canada, H&R Block Canada closely monitors and defends against attempted cyber-threats on a regular basis. Accordingly, any statements we provide as an organization regarding cybersecurity must be careful not to reveal sensitive information that could give threat actors any intelligence to assist with their criminal activities. Further, we are bound by Canadian privacy legislation and H&R Block Canada’s client privacy and data security policies to ensure that no personal information of Canadian taxpayers is disclosed.
Thank you again, Mr. Chair and committee members, for inviting me to appear today on behalf of H&R Block Canada. I am pleased to answer any questions that you may have, to the best of my ability.
:
Thank you for the question.
As I mentioned in my statement and in earlier submissions to the committee, when H&R Block Canada was notified by CRA that there was a compromise of our e-file credentials, we immediately launched a comprehensive investigation. We left no stone unturned. Throughout the course of that investigation and upon its conclusion, there was no evidence to suggest that H&R Block Canada's systems, software or security apparatuses had been compromised in any way.
As to where this compromise may have taken place, H&R Block Canada can't say for sure, but we know that it was not within our organization.
:
Thank you very much, Mr. Chair.
Peter, it's nice to meet you today. Thanks for being here.
Some of the things that are asked might be things that were asked and phrased in different ways but are all going to be about the same topic.
In the letter you sent to our committee, H&R Block Canada said, “H&R Block Canada's data, systems, and software were not compromised”.
I'm interested in the codes that are assigned to your tax preparer offices. Tell the committee a little bit about your internal strategies and policies to ensure that there is security for those codes.
Each year, we have what's called H&R Block Canada's tax academy. Starting in late summer, we begin taking applications from interested Canadians who want to take our training and become tax associates with us. Through that process, we teach them all about the tax code and how to work with Canadians in preparing and filing their taxes. We also spend time talking about security measures and how to ensure that taxpayer data is being treated with the utmost confidentiality at all times. This also includes information that is required in order to electronically file returns to CRA. There is quite a bit of training on that end.
For those individuals whom we choose to hire from our tax academy, we also provide additional training before they start with us preparing and filing taxes in our offices.
There is quite a bit of security and privacy training. That's held annually for all our staff every year.
:
Thank you for that, Mr. Green.
Mr. Davis, I understand the sensitive nature of the security system and the mechanisms that are in place within H&R Block. You made that very clear in your opening statement.
I would ask that you do answer the questions to the best of your ability. We are covered by parliamentary privilege, but we certainly don't want to put at risk—and I would agree with you on this—any proprietary issues within H&R Block that could cause problems. I'm going to direct you in that way.
Mr. Green, I hope you understand that when the request was made to have H&R Block come before the committee, there wasn't a specific individual who was asked to come. H&R Block has sent Mr. Davis as a representative, and I am satisfied that he's answering the questions to the best of his ability given the nature of what we're dealing with.
I stopped your time, Mr. Fisher, when the point of order was issued, so you have a minute left.
Mr. Davis, you referenced in your opening remarks that H&R Block has never sent any client's personal data, including pixels, to companies such as Google and Meta. You referenced, of course, that this is H&R Block Canada.
Can you describe, for the purpose of this committee, who actually owns the proprietary data H&R Block has—the Canadian subsidiary or the American parent company?
You're aware that the lawsuit comes under their RICO laws, or the Racketeer Influenced and Corrupt Organizations Act, against the tax preparation company—your parent company—and Meta. This is a practice that was established by your parent corporation. Yet, it's your testimony here, with assurance, that H&R Block Canada has never sent them any client's personal information.
Can you make that assurance on the record here today, in this committee, that the same can be said for your parent company in the States?
:
I won't ask you to answer this, because it would potentially be unfair, but I'll say this. It is your business to keep people's information private and secure. There have been a number of other examples of outright fraud perpetrated on CRA, with a number of examples of fraud happening on the taxpayer, fraudulent schemes, and things that are not audited correctly at CRA. The absence of your reporting anything to the Privacy Commissioner tells me that this issue is likely not one that is emanating from within H&R Block, but it could be an outside source, whether that's a third party or maybe even within CRA. I'm not sure.
I won't ask you to comment, because I think that might put you in a difficult position, but when you have CRA saying “It's not us” and you have a list of examples in the past where they've had some challenges with fraud and protecting private information, that makes sense to me. I think your testimony is genuine, and I hope that, to the extent that you find any information, you will bring it forward.
Can you follow up? You mentioned the CRA not collaborating as much with industry, but that does happen in the U.S. Is that correct?
I want to touch on a few things. I want to make the distinction between why we're here now, which has to do with The Fifth Estate report that it was through fraudulent use of H&R Block's special credentials for accessing the CRA website, something that's been built up with private companies and the CRA over the last couple of decades for the use of online filing.... Somehow, somebody got those credentials and used them to change information and pose as imposters to access the CRA website. The other bucket has to do with the sharing of clients' private information.
On the first thing, I find curious your lack of curiosity about how that came to be, your lack of co-operation and your company's lack of co-operation. Historically, I think there has been tremendous co-operation between private tax preparation companies and the CRA to make sure that this wouldn't happen.
:
We'll put that aside, but I really do think it's important that there be co-operation among all parties in this regard, now and in the future.
Around the disclosure of personal information, you do say the following on your website:
We do not disclose your personal information to third parties except as described in this Privacy Policy, with your consent, or as permitted or required by law. Your personal information may be disclosed....
I take Mr. Villemure's point that people do not always know what they are consenting to, but here's what they're consenting to:
To outside suppliers employed or retained by us or by H&R Block US to perform certain services or functions...including...processing of...transactions, marketing, Instant Refund® processing....
That's there for others who want to read it. I have a second copy if people want to read it.
Also, the website states that this information would be “used or stored in the United States and will, in addition to Canadian laws, also be subject to the laws of the United States.”
I think that's something many Canadians would not know, that their information is being stored in the United States, which can be an issue for some people.
:
Just let me deal with this, Mr. Davis.
Mr. Green, I fully agree with your assessment that these answers can be provided in writing to the committee, if it is the desire of the committee to do so. If that's what you want to do, Mr. Green, if we want information to be provided to the committee, we can certainly do that.
I believe that Mr. Davis is sincere in his attempts to answer the committee's questions. Again, as I said earlier, I understand that there's also some sensitive nature here. If the nature of any questions is sensitive enough, then we can request a written response from Mr. Davis on these issues, for the sake and benefit of the committee.
Mr. Barrett, on that point of order, go ahead, sir.
[Translation]
Mr. Villemure, I stopped the clock.
:
It has happened a couple of times. I fully agree with Mr. Green's intervention. Obviously, the witness is required to provide a fulsome answer, to the best of their ability, to any of the questions that are put forward by members of the committee.
As you said, Chair, it's up to the committee if we're willing to accept an answer in writing. That's the proposal from Mr. Green. I don't have any objection to that. It should be noted, though, that it remains the committee's prerogative whether that information is held in confidence, or whether we publish that information—if it's perhaps, simply put, in the public interest—but certainly there is no discretion on the part of the witness to answer or not to answer the question.
While we don't have an objection to the response to this question from Mr. Villemure being provided in writing, an answer must be provided.
:
Based on the two points of order, I think it's pretty clear where the committee stands on this, Mr. Davis.
I don't want to speak for other members of the committee, but if it's your contention that this information can be provided to the committee, then I would recommend that you do that, and the committee will dispose of it in whatever fashion it determines, based on how it affects this study for us as well, because this is a very serious issue for Canadians. I hope you understand that.
There is another option for the committee, too. That is to go in camera and deal with this, but I don't really want to entertain that unless it's the will of the committee to do that.
Mr. Green, are you okay with that?
:
Is it working now? Maybe it's the headphones that are faulty.
[English]
Is it not working at all?
I'm sorry, Mr. Davis. We're going to make sure that Mr. Villemure hears your point.
It's not really on the point of order. I've given you a little latitude on this one, Mr. Davis, just because we have less time than normal.
[Translation]
It's working now, Mr. Villemure.
[English]
Mr. Davis, perhaps you can quickly state the point you want to make.
I would like to go back to the opening statements on the idea of private sector breaches in security.
During his appearance on December 5, 2024, the Privacy Commission of Canada stated, “Data breaches represent one of the most significant threats to personal information globally. In the 2023-2024 fiscal year ending on March 31, 2024, my Office received over 350 reports of cyber incidents, the vast majority, or over 90%, from private-sector organizations.”
Mr. Davis, in your opinion, do these statistics show that cyber-incidents are more frequent and more likely to occur in private sector organizations than in federal government institutions?
Mr. Davis, I am going to ask you to leave, if you want. I would expect that, with the transition to the next panel and some discussion on this, this will conclude your testimony before the committee.
As I said earlier, the clerk has made note of the request of the committee. She'll share that with you, and the expectation of the committee is that you'll send that back to us in a reasonable time frame. The clerk will provide a date by which to provide that information, and it won't be Christmas Day. I guarantee that.
Thank you, Mr. Davis, for your testimony.
I'm going to go to Mr. Barrett now.
:
Mr. Chair, on December 2, the Auditor General issued a report, which is the basis for this motion. This was “Report 8: Canada Emergency Business Account” with respect to the COVID-19 pandemic. It's an independent auditor's report. On December 2, there was widespread media coverage on this very issue. Then, a notice of motion was given and distributed in both official languages to all members of the committee on December 6, so they've had ample time to become well apprised of both the motion and the situation in the official language of their choice. The Auditor General's reports, of course, are available in both English and French in their complete form online and were available in printed format, in advance of being tabled in the House, in an embargoed form, for all members.
To the issue, Canada's Auditor General found that Export Development Canada gave $314 million in sole-source contracts to administer loans. The government selected EDC to administer this emergency loan program. Then EDC turned around and said, “We don't have the capacity to do that, so we're going to outsource it.” They outsourced hundreds of millions of taxpayer dollars in contracts.
Some of the details of these contracts are incredibly concerning. They were paying 14 hours per day to Accenture for their call centre work, but the call centre is open for only nine hours a day. The hourly per-person rate ranged between $60 and $750. Equally concerning is that Accenture outsourced some of the work to a Brazilian subsidiary. Therefore, these folks were receiving rates of $750 per person per hour to administer a program EDC was supposed to be delivering. “Generous” is an understatement. I'm quite certain there are no members of the public service who, in their capacity as public servants, are being paid $750 per hour. We have a massive conflict of interest here.
In concluding my brief remarks, I'll offer a quote from Karen Hogan, who is the Auditor General. She said, “not managing that conflict of interest, in my mind, was unacceptable”. I couldn't agree more with the Auditor General. Of course, we're dealing with Canadians' personal information, Government of Canada programs and the type of conflict of interest that gives rise to a great concern. That conflict of interest was deemed “unacceptable” by the Auditor General.
Of course, that fits within the mandate of this committee. It's important. I don't think the study would take many meetings. The mandate of this committee is dealing with those conflicts of interest. While other committees can do what other committees do, this committee should do what only it can do. That's why I have put this motion forward today.
:
I commend the efforts of my dear colleague Mr. Barrett. At the Standing Committee on Public Accounts, we're conducting a study on the issue of the Canada emergency business account. He knows that because he appeared before this committee. In fact, we're trying to do a study on the public accounts. For a few days now, we've been trying to schedule it, but the Conservatives are filibustering to not even hear from the witnesses. We had the Auditor General before us yesterday, and we had other witnesses as well, but the Conservatives filibustered.
Before voting on this motion, I would invite Mr. Barrett to speak with Mr. Perkins and Mr. Genuis, as well as Mr. Cooper, who also sometimes sits on the Standing Committee on Public Accounts. I therefore invite Mr. Barrett to speak with his colleagues. I'm all for effective parliamentary committees. If the Standing Committee on Access to Information, Privacy and Ethics decides to conduct this study on the Canada emergency business account program, you can rest assured that I will not be in favour of wasting taxpayers' money by conducting the same study at the Standing Committee on Public Accounts.
I know it's Christmas and we're all in a hurry to pass motions and go home and say that we've accomplished things, but I invite my colleagues to have a discussion with their other parliamentary colleagues.
[English]
In that spirit, Mr. Chair, I want to make sure we're not doubling services or parliamentary accountability. I truly believe in it, but we had many reports tabled in the House by the Auditor General on December 2. We had one on seniors. We had one on Canada summer jobs. Let's make sure our parliamentary committees function in a way that is efficient and that gets to the bottom of the issues. Let's not get stuck like we did with SDTC, where the industry committee was doing the same study at the same time, with the same members asking the same questions at both committees, and with the same witnesses.
I enjoy this idea, and I'm not a regular member of the ethics committee, but we're getting into a doubling of services. I'm sure the Conservatives would agree that this is not an efficient use of taxpayers' dollars when the public accounts committee...unless they can convince their folks at public accounts to let ethics do this particular study and let public accounts focus on other reports of the Auditor General. That way, I will be satisfied in terms of the way it's functioning.
I'm sure the honourable members, as they want to form government, would already have had these conversations with their colleagues to ensure greater efficiency of taxpayer dollars and how they are spent. We, too, spend dollars, and it's important that we show taxpayers respect.
We're obligated to deal with the motion that's in front of us. The motion is in order. It deals with data privacy and the potential of.... Well, we don't know; we'll certainly find out, if the motion is adopted, by having these witnesses in.
I see it as separate and distinct from what other committees are dealing with right now. This is a data privacy motion. It's well within the mandate of this committee.
Go ahead, please, Mrs. Shanahan.
I'm sorry that I didn't have the motion handy. I have a folder here, as you can see, with all the motions that have been presented in this committee. I do try to keep track. It is not easy to do so. I suppose we can dispense with those ones for now or keep them for a later date. Maybe they'll be revived. I don't know if anyone has any way...because it's just getting heavier and heavier. That's not good for my back, I can tell you that.
I'm sorry. I am old school. I do like paper. It allows me to read, analyze, take notes and so on.
I listened with great interest to my colleague from the public accounts committee. I think there is something to be said here. This is a topic that has come up on many an occasion, even in this committee: that we shouldn't be duplicating work.
You know, by all accounts, there's only a limited time left on our mandate here to the 44th Parliament. We should make the best use of it. There are many issues that we need to be discussing. I'd like to have an update on reports, perhaps, that have been left unfinished and work that needs to be continued from other motions that apparently other members are interested in pursuing.
I appreciate the offer of limiting this study to two meetings, but how about zero meetings? Let's let the public accounts committee do its work.
Indeed, while talking about letting somebody do their work, it has often been my observation that this committee attempts to do the work of our independent commissioners of Parliament, namely the Conflict of Interest and Ethics Commissioner, not to mention other commissioners from time to time. However, it's chiefly the Conflict of Interest and Ethics Commissioner. We try to get ahead of where he is if there is an issue. I'm sure that members are very capable of alerting the commissioner if they feel there's a conflict of interest issue, as are any members of the public. Anyone who is concerned about this situation could make that known to the commissioner.
We have seen him, in some cases repeatedly on the same complaint—one, two, three, four times—come back with the same conclusion. It apparently was not sufficient for members at that time, but it is still consistent with the role of an independent agent, an officer of Parliament. They do their work, their investigation, and make a report. That is something I certainly would suggest.
As it stands, I cannot support this motion.
Thank you.
Out of respect to the witnesses who are here, I'll be quick.
This is being studied in another committee. I agree that it could be the purview of this committee. Two meetings already have happened at the public accounts committee. I've heard members of this committee state fairly emphatically that they don't support duplication, studying the same thing at two different committees. We'll see how they vote on this.
I'm not going to support this at the moment. That doesn't mean that I wouldn't support it down the road, maybe after the public accounts committee's study. At this point, I'd say that I'd vote against this today. Then we would get our witnesses in.
I will also be brief.
First of all, I have to say that I disagree with my dear colleague, Mrs. Shanahan, a little bit. I do believe very strongly in the oversight by committees of the work of the Auditor General and everybody else. I believe that is the role of parliamentarians. I have no issue with that.
My issue is that I've looked at this report and at the summary of the report, and there's not one thing about privacy that's even included in the summary of the report. This is a report about financial controls and contracts, which is not the purview of the ethics committee. It is the purview of the public accounts committee or OGGO. I don't understand why this is being brought to the ethics committee. I've looked through the summary. Privacy is not even mentioned as one topic in the entire summary of the report. For me, that really is the issue.
It's already being looked at by the public accounts committee. If the focus is not privacy, then I really don't think it's the purview of the committee. Although I think it would be fascinating to look at the contracting policies employed by EDC, which are part of this motion, I just don't think it's the role of the ethics committee.
Thank you, Mr. Chair.
:
Welcome back, everyone.
Pursuant to Standing Order 108(3)(h) and the motion adopted by the committee on Thursday, November 21, 2024, the committee is resuming its study of the wind-up of TikTok Technology Canada, Inc.
I'd like to welcome our witnesses for the second hour today.
From the Canadian Security Intelligence Service, Daniel Rogers is here as director, with Paul Lynd, assistant deputy minister of intelligence collection.
I'm going to go to you, Mr. Rogers. You have up to five minutes to address the committee. Go ahead, sir.
[Translation]
Good afternoon, Mr. Chair and members of the committee.
I have a couple of points, and I'll try to make them fairly quickly.
My name is Daniel Rogers, and I am the director of the Canadian Security Intelligence Service, or CSIS. I am joined by my colleague Paul Lynd, the assistant deputy minister responsible for intelligence collection.
It is an honour to join you today and to have the opportunity to contribute to your important discussion on the winding up of TikTok Canada. Today, I hope to provide insights on CSIS's role plays in ensuring the protection of Canada's national security interests, the safety of Canadians and Canada's prosperity.
The Investment Canada Act, or ICA, which is administered by Innovation, Science and Economic Development Canada, ensures that significant investments in Canada made by non-Canadians benefit Canada's economy. To this end, the act allows the government to review foreign investments to ensure they are not harmful to Canada's national security.
The act aims to strike a balance promoting economic prosperity and safeguarding Canada from foreign actors seeking to gain ownership or control of sensitive Canadian goods, technology, infrastructure or personal data for purposes that could be injurious to Canada's national security.
[English]
In accordance with its mandate, CSIS regularly screens ICA notifications for security concerns, and we work with ISED, Public Safety Canada and federal granting councils to inform the GC’s decisions. This work is essential, as Canada is the target of a number of adversarial state actors looking to advance their own national interests at our expense through their investment activities.
Social media platforms in particular are of interest to threat actors because of the data they generate and collect. They run surveys, collate datasets and request access to users’ personal data through terms and conditions, enabling access to photo albums, messages and contact lists, among other sensitive details. Although some of this data is benign in isolation, when collected and collated on scale, it can provide detailed patterns and insights on populations, public opinion, communities and individual social and professional networks.
Authoritarian states like the PRC use big data, including from the private sector, to carry out foreign interference activities. While government use of data in Canada is subject to ethical, legal and privacy considerations, authoritarian states are not subject to these limitations. Through its 2017 National Intelligence Law, the PRC compels PRC citizens and entities to co-operate with PRC intelligence agencies upon request, which includes providing all information to the state and its intelligence apparatus. This policy supports, and is reflective of, the PRC’s attempts to interfere in Canada and like-minded democracies. Canada and its allies must therefore exercise heightened caution when agreeing to share their data with platforms linked to the PRC.
The ICA review process, which includes CSIS input, determined that allowing TikTok Canada to continue operating would cause injury to Canada’s national security. Although the provisions of the ICA limit what I am able to disclose about specific cases, I would note that the CSIS and Government of Canada assessment was consistent with the March 2024 policy statement on foreign investment review in the interactive digital media sector. Specifically, assessments consider factors such as reach and audience, the nature and extent of an investor's ties to a foreign government, and whether a Canadian business is likely to be used as a vehicle by a foreign state to propagate disinformation or censor information in a manner inconsistent with Canadian rights and values.
[Translation]
Use of social media platforms also raises national security concerns when they act as a breeding ground for extremist ideologies and radicalize users. The increasing volume of violent rhetoric online raises our concern that consumers of this content are more likely to mobilize to violence. Youth in particular can be especially vulnerable to becoming radicalized online due to their more frequent use of social media.
CSIS continues to actively investigate, advise on, and disrupt national security threats. CSIS is also committed to building resilience through our modernized authorities under Bill .
This new authority recognizes that protecting Canada's national security is a shared endeavour that includes partnering with all levels of government, Canadian communities, academia, the private sector, and others. We are committed to co‑operating with these groups in the national interest, including through increased sharing of detailed threat information.
I will conclude by noting that while CSIS cannot publicly comment on our specific operational activities or investigations, I welcome this opportunity to answer your questions.
Thank you.
Thank you, Mr. Rogers.
With respect to personal data being shared with the Beijing-based regime, you cited the 2017 National Intelligence Law. Theoretically, it would seem to be true that there is a risk that the data of Canadian users of TikTok will be shared with the PRC. However, the evidence we heard from TikTok, when they came before this committee a few weeks ago, was that data had not been shared and that, indeed, a firewall had been set up to prevent the sharing of such data.
Can you speak about that?
I will say that it is troubling to see the total lack of transparency on the part of this government with respect to this decision. The government, on one hand, is shutting down TikTok's subsidiary. At the same time, Canadians are free to use the app. I don't necessarily see why not, but there doesn't seem to be consistency. If the objective is concern, for example, about the use of personal information or about personal data being shared with the Chinese communist regime, the solution that the government has come up with doesn't seem to achieve that at all.
I would just try to at least understand, from the theoretical standpoint of personal data being shared with the PRC, that TikTok did set up Project Texas, which ensures that U.S. data stays in the United States.
I'm trying to understand. When you say that there is a risk and that some of that data could be shared and would not be housed entirely in Canada or would not remain in Canada, what do you mean by that? Could it be stored in the U.S., or what?
In terms of risk, at least from a theoretical standpoint, it would certainly be an issue to the degree that the algorithm is operated by the Chinese company ByteDance. In order for the algorithm to work, data necessarily would have to be shared with ByteDance. To the degree that the algorithm is being handled by ByteDance in that regard, then yes, pursuant to the 2017 National Intelligence Law, they could be compelled to share data with the Beijing-based regime.
The problem is that I don't see any evidence that this, in fact, has actually happened. It seems to be entirely theoretical.
For the benefit of the committee, I did ask the clerk to reach out to TikTok to see if they would be available, because I thought they would be material to this discussion. As you may or may not know, they did file a legal challenge against the federal government shutdown order, so, not surprisingly, they weren't available to appear today.
Mr. Housefather, you have six minutes. Go ahead.
Director Rogers, welcome to the committee.
It's nice to see you, Mr. Lynd.
Mr. Cooper's questions were very good, but I don't think they related to the ICA decision. The ICA decision had nothing to do with Canadian users' privacy; it had to do with national security issues other than that. Otherwise, we would have banned the app completely, if we were dealing with the privacy issues.
Is that correct?
I'm sorry. You're still stuck with me.
I'll go back to the algorithm you mentioned. To my understanding, TikTok Canada's algorithm would be no different from the algorithm being used by TikTok in the United States and in other countries, at least according to what I've heard from TikTok. One of the issues related to what I understand has happened in TikTok is that considerable misinformation has been floated for the U.S. elections in 2016, 2020 and possibly 2024 through the TikTok platform.
Has CSIS looked at what we would need to do to protect ourselves in the Canadian election that we expect to have next year, in 2025?
:
I think there's a very big distinction between an individual's choice to use something and the aggregate effect on Canadian national security.
I can give you a personal example. When I was young, I did not expect to be the director of CSIS. At the time, I may have looked at the information available to me and made a decision to continue to use TikTok because I wouldn't have thought I'd care, even if China had my information. I now care because I'm the director of CSIS.
My perspective is that individuals need to consider their own risks. That is an important factor in making a determination. At this stage, I can't speak for government, but I can say there are risks that I hope Canadians consider when they personally decide to use TikTok.
:
That was a good discussion, Mr. Rogers.
Just to let everybody know, I'm going to Mr. Bains for five minutes.
[Translation]
Mr. Villemure and Mr. Green will have two and a half minutes each.
That will conclude our meeting.
[English]
I see a thumbs-up from Mr. Green.
Mr. Bains, you have five minutes. Go ahead.
Thank you to our security intelligence representatives for joining us today.
I'd like to take a moment to thank you for your work, your proactive efforts in community engagement and your work with respect to Bill , specifically on strengthening the Foreign Interference and Security of Information Act, something that hadn't been done in over 20 years. I want to thank you and the department for your efforts there.
I want to start by stating that prolonged operations by TikTok could allow foreign actors to exploit Canadian user data or spread disinformation. Is this an accurate statement in your mind, Director Rogers?
I would say the concern with TikTok is specific to its association with the PRC. As mentioned here, TikTok collects a lot of personal data and has access to a lot of personal data on your device. CSIS has been very publicly warning about the risks of using TikTok. It's very clear that there's a strategy on the part of the PRC to collect big data and personal data from all around the world.
The PRC is also the primary threat actor in Canada connected to foreign interference. When you have a vast amount of collected personal data and on top of that have AI and machine learning that you can use to sort through that data and use it against people, you can use it for foreign interference, to target individuals, for cyber-attacks, to intimidate, to influence and to compromise in the future.
Really, the concern is the vast access that TikTok allows to personal data and the fact that the PRC's national security laws would compel it to share that data.
:
That's an excellent question.
The risks I mentioned earlier in one of my responses apply especially to members of Parliament, who may find themselves of interest to the Chinese government as a target of their influence. If your data is on TikTok and China avails itself of that data, it may seek to understand more about you, more about your personal networks and more about the ecosystem that you work in to be able to target foreign interference, espionage, cyber-attacks or other things toward you.
Obviously, as members of Parliament, you have a particular access to and influence with the government that most people don't enjoy, and I can imagine why you would be a particularly interesting target for the Government of China.
On that point, I would leave to your discretion and that of other committee members how you want to handle this. The motion passed by the committee was to deal with this in the manner in which we are. Specific requests for witnesses were placed before us, and we're doing everything we can through the clerk to make sure we have those witnesses in front of us. I'll leave to your discretion which way you want to go with this.
We're still trying to get a hold of Mr. Vigneault, the former director of CSIS. Also, as I mentioned, I did invite TikTok. They weren't part of the motion, but I thought they were germane to the study. They respectfully declined given, I assume, the circumstances they're now facing with the civil case.
I'm reminded that there's the minister as well, who has indicated to us that he will be available at the end of January. I think that will be an interesting meeting. We'll see what we can do to get everyone here.
I don't have any other business, so Mrs. Shanahan, go ahead.