
ETHI Committee Meeting


Standing Committee on Access to Information, Privacy and Ethics


NUMBER 053 | 1st SESSION | 44th PARLIAMENT

EVIDENCE

Wednesday, December 14, 2022

[Recorded by Electronic Apparatus]

  (1630)  

[English]

     Good afternoon, everyone.

[Translation]

    I call the meeting to order.
    Welcome to meeting number 53 of the House of Commons Standing Committee on Access to Information, Privacy and Ethics.

[English]

    Today's meeting is taking place in a hybrid format, pursuant to the House order of June 23, 2022. Therefore, members can attend in person in the room and remotely using the Zoom application. Should any technical challenges arise, please advise me. Please note we may need to suspend for a few minutes, in order to ensure all members can fully participate.
    Pursuant to Standing Order 108(3)(h) and the motion adopted by this committee on Monday, November 14, 2022, we are resuming our study of privacy concerns in relation to the ArriveCAN application.
    I would now like to welcome our witness for today. From Amazon Web Services, Inc., we have Nicole Foster, director of global artificial intelligence and machine learning, and Canada public policy.
    Ms. Foster, I want to welcome you to the committee today.

[Translation]

    We have just one witness, Mr. Villemure, so a sound check wasn't done.

[English]

    Ms. Foster has asked the committee for seven minutes to address us at the start, and I have granted this.
    Ms. Foster, the floor is yours. Please go ahead.
    I'm delighted to be here with you to speak about data privacy and security today, and how these apply to applications that run on Amazon Web Services, or AWS.

[Translation]

    My name is Nicole Foster, and I am the director of public policy at AWS.

[English]

    I'm responsible for our global AI and ML policy strategy, and our Canada public policy strategy.
    As you may know, AWS is a subsidiary of Amazon that provides on-demand cloud computing services for individuals, companies and governments on a metered, pay-as-you-go basis. The “cloud” refers to the on-demand delivery of IT resources over the Internet, such as servers, and the software applications and databases that run on them. Despite their name, cloud services are physically located on the ground in data centres all over the world, including here in Canada. Organizations that use them do not need to own, run or maintain their own physical servers or software applications. Instead, they can use the cloud to run applications on demand, paying only for what they need.
    AWS is the world's most comprehensive and broadly adopted cloud service provider. Millions of customers, including the fastest-growing start-ups, the largest enterprises and leading government agencies, are using AWS to lower costs, become more agile and innovate faster. This is all done with state-of-the-art security controls.
    AWS is architected to offer the most secure cloud-computing services available today. We support more security standards and compliance certifications than any other cloud provider, thereby helping satisfy security and compliance requirements for virtually every regulatory agency around the globe. We are proud of our record in maintaining the privacy and security of Canadians. Our cybersecurity assessment reports are available to any customer. They include our detailed assessment from the Canadian Centre for Cyber Security.
    As you know, in early 2020, AWS was contracted by the Government of Canada, through established Shared Services Canada procurement channels, to work with the Canada Border Services Agency and the Public Health Agency of Canada. The objective was to help launch aspects of the pandemic response program.
    In the case of ArriveCAN, specifically, AWS's role was to securely host the application on the AWS cloud. In addition to that, we worked with CBSA and PHAC, providing expert advisory services related to ArriveCAN security and infrastructure architecture. This included implementing the Government of Canada's standards on cybersecurity; integrating ArriveCAN with the rest of the CBSA and PHAC ecosystems; enabling architectures and security that have supported major new functionality throughout the two and a half years since it was launched; providing tools to enable CBSA to monitor the integrity of the data and support its operations; and ensuring that AWS services were configured to minimize the overall cost of AWS to Canada, while supporting the ability to ensure high availability of the program to Canadians and international travellers.
    Mr. Chair, I'd like to further elaborate on the security and privacy measures we have in place at AWS. Security and protecting Canadian citizens' data are at the top of our priorities.

  (1635)  

     Our customers benefit from data centre and network architecture that is built to meet the requirements of the most security-sensitive organizations. AWS customers in Canada can place workloads, applications and their data in an AWS infrastructure region located here, in-country.
    Specifically, our Montreal region—we refer to a collection of data centres as a region—enables customers to address data compliance and residency requirements. Our extensive security technologies, 24-7 monitoring and alerting, and rigorous attention to all aspects of securing AWS infrastructure are designed to ensure that customers' data can be used by only them.
    The services we provided for ArriveCAN were architected in alignment with the security standards set by Shared Services Canada and the Centre for Cyber Security. Our physical data centres and on-site personnel have been inspected and assessed for compliance by Public Services and Procurement Canada's industrial security directorate. As well, AWS personnel who worked and/or continue to work on ArriveCAN are all Canadian citizens. All have their reliability status, which is governed by the Treasury Board standard on security screening.
    Mr. Chair, AWS is vigilant about its customers' privacy and sensitive information. To be clear with you and all members of this committee, AWS personnel did not at any point in time have access to any personal data from Canadians while working on ArriveCAN.
    In conclusion, AWS is proud to have supported our customers during the height of the COVID-19 pandemic, but we understand that when the public interest is at stake, additional questions may be asked. Within the confines of our agreements, I will endeavour to answer these questions to the best of my ability today. Our focus remains on providing scalable technology services, with security as our highest priority.

[Translation]

    Thank you for this opportunity.

[English]

    I would be pleased to take any questions.
    Thank you, Ms. Foster.
    For the sake of the committee, just as a reminder, I left a half-hour for committee business, for which we'll be moving in camera at approximately six o'clock.
    Ms. Foster, I don't know if you've been in front of committee before. We have four rounds of questions, and each party gets six minutes.
    We'll start with Mr. Barrett.
    Mr. Barrett, you have six minutes.
    Thanks, Mr. Chair, and thank you, ma'am, for joining us today.
    How much was AWS paid for work on ArriveCAN?
    I understand that this information was provided by CBSA to the House of Commons on September 20.
    There was information provided. Some of the questions I'm going to ask may be information that the government has provided. There's been a bit of a challenge, though, with the reliability of the information that the government has provided. I'm looking to get a confirmation with the data points that I'm seeking from you.
    If you don't have any of the information I'm asking for, perhaps you could provide it to the committee in writing following your appearance. Would that be okay?
    For any information related to a customer, we would need the consent of the customer to provide that information. If there's specific information that the committee needs, I'm happy to go back and work with CBSA in order to provide that to you.
    Okay.
    Are you able to tell us how much? Is the number that the government stated the correct number?

  (1640)  

    Yes. We noted from what was reported by journalists and by what was provided to Parliament that this was consistent with our understanding of what was billed.
    That's great. What was that number?
    I believe it was approximately $4.29 million.
    It was $4.29 million. Thank you.
    How do you determine who's working on what, which resources are being used on particular projects, and how much to bill the client? How do you track that?
    In the case of how we provide those services, the rates in terms of those services are prenegotiated with the Government of Canada through the cloud framework agreement. It's a standard base price.
    In terms of the skills we're looking for, all our solution architects—who were members of the team that provided those services—are experts at our cloud services, and particularly experts on security services. The team in this case was hand-picked based on the security requirements of the project.
    How do you quantify the billing units for cloud services? Would that be done by minute, by gigabyte...? How would you do that?
    It's complicated. The billing of the actual cloud compute is done based on services as well as units of compute. It's difficult to predict in terms of usage, but basically customers are charged only for what they actually use. It's a consumption-based billing service. The rates in this case are pre-arranged through the framework agreement, so again, it's a standard base price.
     In terms of the expert advisory services, those are a weekly unit.
    How much business do you do with the Government of Canada when it comes to cloud services?
    I don't actually have that figure. That would be a number we would have to work with the customer to provide to the committee.
    Would you be willing to commit to the committee to work with your customer to provide that number to us?
    It would be the broader Government of Canada, so it would be by line department, I guess. I'm not sure how we would do that, but I'm happy to work with others to figure that out.
    I appreciate that.
    You also offer professional services separate from your cloud services? Is that correct?
    The terminology in the cloud framework agreement is “advisory services”.
    Is that “proserve”? Is that what that is?
    That would be our internal marketing language, but that's—
    That's what would appear in a contract, for example. It would be described as such.
    I believe the framework agreement would describe it as advisory services.
    You offer advisory services. Can you give me a very brief, 15-second example of what one of those advisory services might be?
    I can try to give you a better characterization of how that work happens. Our proserve team, to use our internal language, never has hands on keyboards. We don't do the kind of IT management services that perhaps might be more common with other types of consultants. The advisory services are really around specific architecting of AWS services within the AWS cloud environment. Those are built in a development environment. Then the implementation or the operationalization of that is done directly by the customer.
    I have the same question about the number of advisory or proserve services AWS provides for the Government of Canada as a whole. You have given an indication of what that answer might look like.
    I have a few more questions. I'd like to circle back to them in my next round. I have about 55 seconds left.
    There's a figure—you said $4.29 million. Would cloud services, advisory services or proserve, contact centres and all the work done through those different lines of business equal a number equal to or greater than the $4.29 million?
    Do you mean on ArriveCAN?
    Yes, I mean on ArriveCAN.
    I don't know about the contact centre. I don't believe it would include any contact centre services related to.... I'm not even sure we did contact centre.
    I have 10 seconds left. It's possible that if there were contact centre services, those would not be included in the $4.29 million.

  (1645)  

    That's correct. Those may have been under a different statement of work. I'm not sure that we provided contact centre services for ArriveCAN.
    Thank you, Ms. Foster, and thank you, Mr. Barrett.
    I now have Ms. Khalid for six minutes.
    Go ahead, Ms. Khalid.
    Thank you very much, Chair, and thank you, Ms. Foster, for being here today.
    I'll start by asking something in perhaps a more contextual, broad-based sense. ArriveCAN is an app we brought in during a global pandemic when we were trying to mitigate health risks to Canadians. Can you walk us through the privacy implications for people who downloaded the app? Was any data hijacked or hacked into? What precautions were taken at AWS to mitigate against any of those privacy concerns?
    The role AWS played was less around the privacy implications in terms of the governance of data and really more around the security of the environment. The work we did revolved around ensuring that....
    We didn't actually build the app. The app is really the tip of the iceberg or the part that is really the user interface of ArriveCAN. There are a whole bunch of things that go on underneath the app that ensure not only that it operates securely but also that different systems are able to work together securely, so you have that simplicity of the user interface in the app.
    The role AWS plays is really in securing the environment of the cloud. Then we provided some guidance to the Government of Canada on how to secure itself within that environment.
    I have no knowledge of any breaches to our environment related to ArriveCAN.
     Do you know of any breaches that may have happened with this app, with respect to you or otherwise?
     As far as I know there were no breaches.
    Tell me—I understand this, but I'm asking just for the benefit of Canadians: What is Shared Services Canada, and what are protected B documents?
    Shared Services Canada is the central.... It's sort of a procurement agency, but not because it lives on its own within Public Services and Procurement Canada. However, it is the arm of government that is used to supply IT services to line departments, including cloud computing services.
    The second part of your question was about protected B documents. Protected B or medium-security data is a data classification system. Our services, for the purposes of the cloud framework agreement, were evaluated as to whether or not they provided sufficient security guardrails for that level of classified data.
    Thanks for that.
    We've heard a lot of rhetoric about hypothetical bad actors and potential risks to Canadians, their privacy and their reasonable expectations of privacy. What implications does that whole rhetoric have for the work you do?
    We're here to support customers, whether they're the Government of Canada or a bank or another organization. We're here to help them protect their environment and provide security.
    In terms of the governance of privacy, we help customers to make the right decisions on how they handle or control their own data. We're responsible for helping to provide the security and the environment in which to do that. We offer a number of tools and services that enable customers to do that.
    I'm sorry to put you on the spot, but given your role with AWS and understanding what the ArriveCAN app was, given the context of what it was brought in for, what are your views on how we could have done better with the ArriveCAN app? What were its shortcomings? What were the positive points of it, also?
    Although I'm not appearing as an individual, I did travel with the app quite a bit. I have colleagues who are based in different regions around the world. We were certainly comparing notes about all the hoops we all had to jump through in order to facilitate international travel. There was some envy about the practicality of our ArriveCAN app in Canada.
    As a user, I appreciated the practicality of it. I found it efficient. From that perspective, I think it was a good experience. From the perspective of what we were asked to deliver, I think the app was delivered securely and was reliable, in the sense that there was no inability for users to access it when they needed it.

  (1650)  

    Why do you think there's controversy around the use of this app?
    I'm not sure, but I could speculate. I understand that it can be a challenge for some people to adapt to new technology and accessing technology if they're not accustomed to it. I appreciate that. I have parents, too, so I appreciate the challenge for them.
    I also think it was a really stressful time to try to travel, in addition to navigating a new app, testing requirements and health concerns and anxieties. It was an anxious time.
    You have 18 seconds left.
    I just want to thank you, then, for being here today. If there are any recommendations you would like to provide to our committee, please do so now.
    I don't think I could be so presumptuous. Thank you.
    Thank you, Ms. Khalid.

[Translation]

    Go ahead, Mr. Villemure. You have six minutes.
    Thank you, Mr. Chair.
    Thank you for being here today, Ms. Foster.
    I use technology, but I'm not an expert like you.
    Who are AWS's competitors?

[English]

    Within the cloud framework agreement there are eight other companies that participate as organizations offering cloud services to the Government of Canada. I'm not sure if I can reel all of them off by heart, but they include Google, Microsoft, ThinkOn, ServiceNow, Oracle, IBM and companies like that.

[Translation]

    The heavy hitters of the industry, in other words.

[English]

     Yes.

[Translation]

    All right.
    You said you had a certain number of tools to secure data.
    I would like you to be more specific. Tell us about your security controls, your tools. What exactly do you do? It's a bit too general for me, right now.

[English]

    There are a couple of different ways of looking at or considering that. One is looking at the broader cloud environment, in which we secure the cloud itself. There's also the physical security of our data centres. We manage the physical security of those sites and ensure that they're not at risk of natural disasters, that they have access to reliable energy, that they are not on a flood plain, and things like that.
    There's the physical security of the data centre. There's the virtual security of the cloud. These are creating a more secure environment.
    In terms of security tools, there are quite a lot of different security tools. A couple of examples of those would be...for example, we have some artificial intelligence tools that are able to monitor for what might be unusual access to a customer's data or a customer's environment. We have systems that would alert us, and then we can alert a customer. Sometimes it turns out to be nothing and sometimes it turns out to be something, but we have the ability to use artificial intelligence to monitor and alert to those things.
    We also provide encryption tools. That's probably one of the most important security tools we offer. Customers always have the choice to encrypt their data. Once it's encrypted, they also hold the encryption keys to their data.

[Translation]

    When AWS worked on the ArriveCAN project—I'm not talking about the app—was it like any other project, or was it unique?

[English]

    That's a good question.
    There are so many unique use cases for cloud services, and none of them are quite the same. I would say that the uniqueness of this would include a couple of features. One was the high security bar that was required for this project. The other is the speed with which it needed to be executed, with that high bar of security. Being able to incorporate a number of different functionalities so quickly made it unique.
    The other thing that was going on at the time was...of course, we all remember that public health guidance and policies on what you needed in order to travel were changing pretty frequently. The ability to operationalize those changes into the technology, also at speed, also made this project somewhat unique.

  (1655)  

[Translation]

    Were there many people on the project team?

[English]

    No. It wasn't huge. There were a number of people who were brought in very quickly to support it, but it wasn't a huge team, no.

[Translation]

    An article online mentioned a partner by the name of Fortinet. Can you tell me about Fortinet?

[English]

    Do you mean in terms of involvement on ArriveCAN?

[Translation]

    What is Fortinet? What role did it play in the project?

[English]

    I don't have any knowledge of direct work with Fortinet. I'm sorry.

[Translation]

    It was mentioned in an article on Amazon's site.
    Fortinet wasn't a company you worked with regularly, then?

[English]

    I'm not sure about its being directly related to ArriveCAN, but we work with a number of different partners who help customers implement services or manage different aspects of projects they might have. It could include companies like that. It includes companies such as Accenture. Deloitte would be another example.
     We work with a number of different companies that help our customers adopt the technology.

[Translation]

    Do people have the same confidentiality or privacy requirements?

[English]

    I think it would vary, depending on the project and what the requirements of that specific project were.

[Translation]

    You said at the beginning of your opening remarks that the servers were located in Canada. Are they all in Canada, or just some of them?

[English]

    I'm sorry. Is what strictly in Canada?

[Translation]

    Were all the servers in Canada?

[English]

    We have data centre infrastructure all over the world. We enabled the customer—in this case, ArriveCAN—to do the whole project within Canada. In terms of what was ultimately decided, that would be up to the Government of Canada to determine where it put its data.
    The customer has full control over how they operationalize in the cloud.

[Translation]

    It is possible that the servers weren't in Canada, then.

[English]

     It wouldn't be a mystery as to what the Government of Canada chose. It would be up to the Government of Canada to give you that information, but it is enabled to exist completely in Canada.

[Translation]

    Thank you.
    Thank you, Mr. Villemure.

[English]

    Thank you, Ms. Foster.
    Next we'll go to Mr. Green for six minutes.
    Mr. Green is online, Nicole, just so you know.
    Go ahead, Mr. Green.
    Ms. Foster, you are the director of Canadian public policy. Is that correct?
    I am, for AWS, yes.
    What are the total contracts for AWS with the Government of Canada?
    That question was asked earlier. I don't know the total dollar value of Government of Canada contracts.
    You don't know, or you're unwilling to provide it to the committee.
    I don't know. I honestly don't know. I would be willing to work with our.... First of all, it would be something the customer would need to provide. It's not something we can provide—
    You are the director of Canadian public policy for the Canadian arm of the company.
    That's correct, but I'm not the director of sales.
    You don't know what your department's total contracts are with—
    That [Technical difficulty—Editor] my department within the organization.
    Okay. What are your department's total contracts with the Government of Canada?
    My department is public policy. We have zero dollars of contracts with the Government of Canada.
    How much does AWS contract with the Government of Canada?
    I don't know that number. We would defer to the customer to provide that information. We wouldn't disclose customer information—
    Ms. Foster, this is a government committee for the Parliament of Canada. We have the ability to send for documents and evidence. You have a duty of candour to this committee to answer questions truthfully. You're not here to do the government's work. You're here to answer questions.
    Within your $4.29-million contract for ArriveCAN, was it just for ArriveCAN, or was it for multiple projects?
    That specific amount is related specifically to ArriveCAN.
    I've heard you answer in very roundabout ways. I'm going to ask you for some more direct answers. You said “a number of people” were involved with the contract. How many, specifically, were involved with the contract?
    Our services are not contracted to a specific individual or specific—
    How many individuals were involved in the project?

  (1700)  

    I believe it was between 20 and 30. I don't have the exact number.
    How many partners were involved in the project?
    One partner was involved at the very initial discussion, but most of the work was done in direct contract with the Government of Canada. We did not work with partners on this project.
    Did you work on the development of the initial version of ArriveCAN?
    No. We did not develop the app in any way.
    When you were receiving the initial version of the app, when you were developing on the application, building it with the purpose of collecting COVID-19 data, what type of work would have gone into it to improve it from its initial stage?
    We didn't build the app. We were involved in helping architect the security infrastructure that supports the app. The app itself also ran on our cloud infrastructure.
    The specific type of work we did was really to help the Government of Canada implement its standards on cybersecurity and the integration of the ArriveCAN app with the rest of the CBSA and PHAC ecosystems. We enabled architectures in security that supported major new functionalities throughout the two and a half years since it was launched. That was related to—
    Okay. That will suffice. Thank you.
    If you were to quantify the amount of data that was stored, how much data would have been stored for $4.29 million?
    I don't have that information in terms of the quantity of data stored. I know there was public information around the number of users who downloaded the app, but I don't have it in terms of a quantifiable amount of data.
    Would that not have fallen to any reporting that would have happened internally with AWS?
    No—not reporting that I would normally see.
    Ms. Foster, are you the correct person to be in front of this committee and answering these questions at this moment?
    That's really up to you.
    Well, it's up to, I guess, the quality of the answers we get.
    What I'm looking for is this: You didn't do any types of updates at all; you were simply hosting; and 20 or 30 people were involved in the project at any given time. Is that correct?
    I'm really not sure what you're asking. Can you clarify your question for me?
     I'm asking you to confirm what you've just summarized.
    Were there 20 or 30 people involved in the project in terms of providing advisory services? That's correct, yes.
    Have you ever had any data breaches within AWS?
    Within this specific use case, there were no data breaches.
    No. Within any use case, have you ever had breaches within AWS?
    Related to the AWS environment, no, we haven't, not that I'm aware of.
    You've never had any personal data breaches at all.
    Related to the AWS cloud, no, we have not.
    Those are my questions.
    Thank you, Mr. Green.
    We're now going to start the second round, and I'm going to return to Mr. Barrett.
    You have five minutes, Mr. Barrett.
    Thanks, Mr. Chair.
    To pick up a little from where Mr. Green was, I would be interested in more precision. I appreciate that you've undertaken to work with your client to provide global numbers with respect to all the work or possible work that was done on ArriveCAN, including professional services, contact centres and cloud computing. We can leave that there for now, I suppose.
    What would the type of work be that would be completed at the contact centres that I've referenced on a project like this, if it were to have been used? You were unsure if it had been.
    Again, I'm not sure that we worked with this particular customer on a contact centre.
    We do provide contact centre solutions. We essentially provide the building blocks to stand up a virtual contact centre for customers. For example, we worked on other government projects that were related to contact centres, but I don't know specifically if we did one related to ArriveCAN.
    The type of information that would be available when you're billing your client would include all the details that would line up with the contract: your base costs, the time worked on the app. Would you include billable hours? Is that something that would be included?

  (1705)  

    I believe that the services are billed by week rather than by hour.
    The way our advisory services work is that they are outcomes-based as opposed to designing some specific coding for a specific thing. There would be broader parameters in terms of requirements the customer would have. Then we would work to design our architect based on an outcome that is required as opposed to a specific part of the project, if that makes sense.
    The benefit of that to the customer.... A lot of our customers may not have the full expertise and understanding of how to leverage those services effectively or efficiently. For example, security services may be of most value to them, in their context, to meet their governance standards. We would have a little more creative licence in driving that solution based on the experts we have within our company to produce those outcomes for the customer.
    We've discussed a suite of services that AWS is able to provide. In previous discussions or papers that have been released by the government, it's been noted that there were other options for the government to pursue—in terms of subcontractors or vendors—on this project. Is design something that's in the wheelhouse of Amazon? Does AWS have a design department? Is that a service you offer?
    What kind of design are you referring to?
    I'm referring to app design.
    No, we don't do that.
    The totality of the services that you were able to provide you did provide on this project.
    I'm not sure what you're asking. I'm sorry.
     Your company competed in a bidding process for the work that you received. Is that correct?
    We competed to be part of the framework agreement. As part of the framework agreement, line departments can procure up to a certain threshold in terms of service, but there's a ceiling to that threshold. Then, once you exceed or expect to exceed that threshold, there's a secondary phase of procurement that would become more competitive to ensure that the government was using the most transparent means to procure those services.
    Thank you.
    Thank you, Mr. Barrett.
    We're now going to go to Ms. Hepfner, who is online.
    I'm sorry. I'll take it.
    We're going to go to Ms. Khalid.
     Ms. Khalid, you have five minutes.
    Thanks, Chair.
    Just picking up on what Mr. Barrett was speaking about, Ms. Foster, can you outline for us—in very layman's terms, because a lot of people may not understand—what Amazon Web Services did, specifically, in the ArriveCAN app? Within that framework, what was your role?
    Again, it's really supporting the underlying infrastructure that supports the app.
    If we think about other apps that we may be more familiar with, like Uber, you put in your address, and like magic, a car appears at your door and takes you to your destination. You don't even have to speak to the driver. All of that simplicity is supported by a whole lot of other back-end technology that makes that happen, from GPS to fastest route, to how you're paying for the service. You can split your bill. All that underlying infrastructure that supports the simplicity of the user interface has to be built.
    In the case of ArriveCAN, it was using a lot of other aspects of infrastructure that are less obvious in terms of what you're seeing in the app. For example, if you upload your vaccination certificate, the app has to be able to read and verify that certificate. It has to be able to do it in multiple languages. You might remember that Ontario, for example, changed its vaccination documentation halfway through all of this. It has to be able to read the document and verify that it's a real document.
    Another piece of infrastructure that has to be supported by the app was some of the accessibility features, like the ability to go from text to talk. That is another machine learning application that was enabled in the app.
    It also had to be able to speak to other aspects of CBSA's infrastructure or PHAC's infrastructure in terms of data that it was verifying in real time once you uploaded your information in the app, as well as boarding information and your travel information. There were a number of pieces that needed to speak to each other in the simplicity of being able to interface with the app.

  (1710)  

    Thanks for that.
    Is it a government contract with respect to the ArriveCAN app? Is there public disclosure? Is it listed on your website? How do you let the public know how much the Government of Canada has paid you to do all this?
    In the case of all our customers, we protect customer confidentiality, so we would never proactively disclose that information without customer consent. It would really be up to our customers to choose to share that information.
    Is any of this information, to your knowledge, shared publicly on any website, whether it's a government website or your own?
    Do you mean in terms of the dollar amounts?
    Yes.
    My understanding, based on my preparations to be here today, is that I'm not sure if it's available online but I know there was documentation made available to this committee that we were able to view and verify.
    Are you satisfied with the privacy framework—the privacy policy AWS has in place—not just for the ArriveCAN app but for all of its programming, all of its apps in general?
    Really, the decisions around the governance of privacy and how data should be managed are really decisions that the customer has to make. Our role is to enable those decisions. Our job is to help our customers operationalize privacy and meet their own standards or the standards they have to operate within. Our job, really, is to provide the tools to enable the customer to govern data in the way they want to govern their data.
    We're very aware of our own security parameters in ensuring that we're able to protect customer privacy and data, and that they feel they are able to do so securely within the AWS cloud.
     Are you satisfied...or are you aware of what the Government of Canada's privacy framework was with respect to this specific procurement?
    We weren't involved in the privacy aspects of those decisions. We were involved in helping integrate the security concerns or the cybersecurity standards of that. We certainly can architect to what the government needs, but the government really would have been directing and making those decisions.
    Thank you, Ms. Foster. Thank you, Ms. Khalid.

[Translation]

    Go ahead, Mr. Villemure. You have two and a half minutes.
    Thank you, Mr. Chair.
    Ms. Foster, I brought up Fortinet earlier.
    On October 8, an article by Rejean Bourgault was posted on Amazon's site. According to the article, the app was built in a few weeks by AWS Professional Services, with the help of partner Fortinet.
    Did you have a lot of partners working on the app?

[English]

    I'm very sorry. I'm not aware of Fortinet's role in this particular piece of work.

[Translation]

    Did you have other partners working on the app?

[English]

    At the very initial stages of work, we were engaged with a partner. Then that partner was no longer involved in the work and we contracted directly with the Government of Canada.

[Translation]

    Who was that partner, and why did their involvement end?

[English]

    It was just in terms of the simplicity. Being able to contract directly and work directly with AWS was just what was needed for the project. The partner was a company called Dalian.

  (1715)  

[Translation]

    All right. Thank you.
    Are you still billing for the work on ArriveCAN, or is it finished?

[English]

    No, it's not finished.
    In a normal course of work, in terms of engaging the cloud, you'll often see a heavier amount of the need for those advisory services at the beginning of a mandate, just to get things up and running as you build.
    In terms of the cloud utility, the app is still functional today. It's still running on AWS infrastructure, and it continues to run on AWS infrastructure, but the billing for that is based on its actual usage. It's based on the volume of users using the app and the activity of those services.

[Translation]

    How long will the data be kept?

[English]

    I'm sorry. I missed something in the interpretation there.

[Translation]

    How long will ArriveCAN user data be kept, and how will it be kept?

[English]

    It's preserved until the Government of Canada does something else with it. It remains there until the Government of Canada either moves the data, deletes the data....

[Translation]

    The work you are currently billing for has to do with the use of the app, and that's on top of the $4.2 million or so. Is that correct?

[English]

    I apologize. I'm not quite sure I'm getting the gist of your question in interpretation.
    The majority of the billing at the front end of the contract, under the framework agreement, would be related to advisory services. The advantage of using cloud is that you can scale up or scale down, depending on the level of your use.
    In the case of anything that has peaks and valleys in demand, you're paying only for what you use. You're able to scale up to a level that's quite high without having to procure servers on your own.
    Before the cloud, basically what we had was, if you were the government—
    I'm sorry, but we're three and a half minutes in already now.
    I'm sorry.
    That's okay. I know once you get on a roll there.... I am going to go to Mr. Green for two and a half minutes.
    I apologize, Ms. Foster. The thing I hate most about being chair is having to cut people off.
    Maybe I'll get back to it.
    Yes.
    Mr. Green.
    Ms. Foster, when a contract like this is procured—I understand that $4.29 million had been utilized—what would be the top-end threshold before you would have to go back and renegotiate?
    All of that is really managed by the customer in terms of how they procure. We follow the Government of Canada's procurement process, or we work with the customer to follow their process.
    I didn't bring those figures with me. I would like to have the opportunity to correct this if I get it wrong, but I believe that for a utility compute the initial threshold is $4.5 million. Then, I believe, for statements of work, there are different streams for advisory services, but I believe it's $500,000 per service.
     The government, I think, assumed that this was going to be used perhaps more than it was in terms of downloads and actual usage, given the amount of money that has been invested into this product and its storage.
    Are you suggesting that you just reached the max threshold of your procurement and then stopped in coincidence with the amount of usage?
    There would be timelines associated with that number. I think it depends on when the project was initiated and concluded, or it's on a per annum basis. I can't speak to the government's procurement process—
    Earlier in my last round, you probably heard some frustration in terms of whether or not we selected the right representative from Amazon to answer these questions. We're here after the House has risen. Everybody's ostensibly done for the year. We're here trying to get to the heart of the matter, and yet you're unable to provide what I consider to be very basic information to this committee for the good and welfare of our report.
    Is there somebody else within the company who might be better suited to being invited back to this committee, who might have some of the answers to the questions we're asking?
    It depends on the question you're asking. Some of the disclosures you're asking for would really be up to a customer to provide you with. As a service provider, we wouldn't disclose customer information.

  (1720)  

    You would be directed to provide that through the House of Commons, through our parliamentary privileges.
    I understand that, but I would have to respect the confidentiality of the agreement that we have with the Government of Canada and wait for that disclosure to be requested through those channels.
    Thank you, Mr. Green, and thank you, Ms. Foster.
    For the benefit of Mr. Green, we did invite others. Ms. Foster is the one who was put in front of the committee. I just want to make that clear.
    I am going to now move to Mr. Kurek, I believe, for five minutes.
    Thank you very much, Chair, and thank you, Ms. Foster, for your testimony here today.
    Just as one quick, clarifying question to follow up on what Mr. Green suggested and some earlier answers, there's that secondary procurement trigger you talked about. I'm to understand from your testimony that it was not triggered in the case of the ArriveCAN services provided. Am I correct on that?
    That would be my understanding, yes.
     I think all members of this committee want to make sure we're getting answers about what took place around the $54 million that the government spent in large part on procuring services and different arrangements related to the ArriveCAN app. That's really, I think, the focus of why there are so many questions and, specifically related to this committee, some of the privacy concerns related to that.
    I have a few more questions that we might get to, but in order to get some clarity around some of the issues that are left outstanding after the first few rounds of questions, Mr. Chair, I would move the following motion. It was just sent in both official languages, Madam Clerk, for those around the table who speak both languages. I will read the motion into the record in English. I'll spare you all my French.
    The motion would be as follows:
That the committee order Amazon Web Services provide the committee a copy of all invoices, time sheets, reports, data usage, briefs and memoranda related to the development, implementation and maintenance of the ArriveCAN application; that this request include all cloud computing services, professional services, cybersecurity assessments and contact centres; that these documents be sent to the clerk within three weeks of the adoption of this motion; and that these documents be circulated to committee members and made available on the committee's website as soon as possible in both French and English.
    Thank you, Mr. Kurek.
    I'm just going to confirm with the clerk that the motion has been passed on to other members of the committee in both official languages.
    Mr. Kurek has moved this motion.
    Ms. Foster, I'm going to ask you to just hang still for a second here.
    Is there any discussion on the motion?
    Go ahead, Ms. Khalid.
    Thanks so much, Chair.
    I know I've said this so many times, and I just hate to be a broken record. It's kind of sucky to be taken by surprise in all of this.
    I would ask your indulgence, perhaps, for me to take a read and look into the motion. I will ask, Chair, for your indulgence in suspending for about five to 10 minutes for us to be able to look at, review and see what exactly the motion is asking for at this point.
    Again, Chair, it would not happen if we were not taken by surprise all the time in this committee.
     I'll go to Mr. Barrett before I decide.
    Maybe during Mr. Barrett's intervention you can find some time to look at the motion, so that we can deal with it.
    Mr. Barrett, go ahead, please.
     Chair, I was just going to say that the necessity for that information arose out of the testimony from the witness. There's ambiguity with respect to the information that different members have requested. That's why the motion was moved.
    If Ms. Khalid or others need a couple of minutes to look at it, I think that's fine.

  (1725)  

     Ms. Khalid, go ahead.
    Chair, it's just a point of clarification. I haven't looked at the text of the motion yet, so please excuse me if this sounds ignorant. I'm just wondering if all the documents being requested are in the control of AWS and whether there are any NDAs, etc.
    I'm asking, ultimately, whether we are able to receive them by requesting them from AWS, or whether we need to request whatever documents the Conservatives want from other agencies.
    That's a fair question. I don't have an answer for that. I don't know how practical that is. We can deal only with the motion that's in front of us and the request by Mr. Kurek of the committee to have these documents produced.
    If you need a little more time with this, let's look at two or three minutes, if we can. I want to continue. I don't want to hold Ms. Foster too long. I know more questions are likely going to come to her from the committee.
    I'm going to suspend for two minutes while we look over this motion, and then we'll come back.

  (1725)  


  (1725)  

    We're going to resume the meeting.
    We have a motion that was put on the floor by Mr. Kurek. Everyone has the motion. I'm looking at it. If this information, or some of it, cannot be provided to the committee, then I'm sure Amazon can provide some rationale or reason, if need be.
    Is there any discussion on this motion?
    Go ahead, Mr. Green. I see your hand.
    Yes, Mr. Chair.
     I move to adjourn the meeting.
     That is a non-debatable motion.
    Madam Clerk, do you want to take a vote on that? The motion is to adjourn the meeting.
    (Motion agreed to: yeas 7; nays 3)
    The Chair: Before we adjourn this meeting, I want to thank, on behalf of the committee, the clerk, analysts and technicians for the work they have done.
    Some hon. members: Hear, hear!
    The Chair: Ms. Foster, on behalf of the committee and Canadians, I want to thank you for making an appearance before the committee today.
    I wish everyone a very merry Christmas. Happy holidays and happy Hanukkah.
    The meeting is adjourned.