
INDY Committee Meeting


STANDING COMMITTEE ON INDUSTRY

COMITÉ PERMANENT DE L'INDUSTRIE

EVIDENCE

[Recorded by Electronic Apparatus]

Thursday, February 4, 1999

• 0905

[English]

The Chair (Ms. Susan Whelan (Essex, Lib.)): I'm going to call the meeting to order.

Pursuant to Standing Order 108(2), we are considering chapter 19, entitled “Electronic Commerce: Conducting Government Business Via the Internet”, of the December 1998 Report of the Auditor General of Canada.

We're very pleased to have with us today, from the Office of the Auditor General of Canada, Mr. Douglas Timmins, the assistant auditor general; and Ms. Nancy Cheng, the principal from audit operations branch. My understanding is that Mr. Timmins will begin with his opening statement, and we'll go from there.

Mr. Douglas Timmins (Assistant Auditor General, Office of the Auditor General of Canada): Madam Chair, thank you for this opportunity to present the results of our audit, “Electronic Commerce: Conducting Government Business Via the Internet”.

As reported in chapter 19 of our 1998 report, tabled on December 1, in 1995 the government committed itself to making electronic commerce the preferred way of doing government business by 1998. Budget constraints, the desire to provide Canadians with better service, and fast-growing access to the Internet for many Canadians have increased the importance of electronic commerce in government.

As defined by the government, electronic commerce involves all manner of commercial activities and transactions using computer-based information and communications technologies. It runs the gamut from electronic mail and faxes to payments, electronic funds transfers and income tax filings over dedicated communication lines and now over open systems such as the Internet.

Our audit objective was to assist the progress of this initiative and to highlight any important challenges and risks the government may be facing in advancing the use of the Internet in its operations, both internal and external.

We selected three key areas to audit: the development and implementation of a public key infrastructure for the federal government as a measure for secure electronic commerce; the review of and changes to the legal framework in support of transacting business electronically; and the implementation of common infrastructures to support government administration, operations and delivery of services via the Internet.

There are many other areas involved in electronic commerce that are developing quickly and that we did not examine. In particular, we did not examine privacy issues, on which your committee has recently been deliberating. While privacy deals primarily with the way information is used and shared once it has been received, we focused on the security means offered by the public key infrastructure being developed by the government, including protecting the confidentiality and integrity of the information as it is exchanged between parties to a transaction.

Overall, we concluded that the government is making progress in all three areas we examined and, by addressing barriers to electronic commerce, is moving forward in the area of conducting business via the Internet. For example, good progress has been achieved in two main elements of the public key infrastructure: a cryptography product and a management framework to support the use of public keys in government.

[Translation]

In July 1998, a temporary technological product had been developed for a secure management of public and private keys. Towards the end of 1998, the product was in the process of obtaining approval and certification by the Telecommunications and Security Centre. A final product providing support at all security levels for a number of organizations was to be delivered this summer. The government is expected to accept it definitely by the end of the year.

As for management of the public key infrastructure, the Policy Management Authority was established to formulate policies for the Canadian government public key infrastructure and to provide a management framework for departments and organizations taking part in the project. In early 1998, we also established the senior interdepartmental working group, made up of senior officials, to provide advice to the Policy Management Authority.

• 0910

[English]

The public key infrastructure still has to face two important challenges. First, in order to take advantage of the technology, departmental applications have yet to be developed. The other challenge is determining how the public will obtain certificates to deal with the government and who will bear the cost. The risk is that the public key infrastructure may be undermined for some time.

With respect to legal issues, we noted during our audit that the government has identified the need to update the legislation to make statutes media-neutral, ensure the recognition of electronic signatures, and revise the rules of evidence for electronic records. Parts 2 and 3 of Bill C-54 address these very issues. Nevertheless, the government needs to ensure that the issues of potential liability are identified and addressed as new electronic initiatives are introduced.

For the government to meet its stated goal of making electronic commerce its preferred way of doing business, departments and agencies need to be able to communicate easily across various technology platforms and citizens need to have seamless access to service. In our audit we noted that two and a half years after a policy statement on electronic commerce, there is no senior sponsor to set future direction and many issues remain to be addressed in order to achieve the common infrastructure needed.

Our report recommended the appointment of a senior sponsor with sufficient authority to set direction, develop strategies, and oversee the progress of electronic commerce in government. We also recommended accelerated action in setting the technology standards necessary to support the interoperability of systems across government, including the new public key infrastructure that will soon be ready to be deployed.

As we looked at various electronic commerce initiatives in government, it came to our attention that a wealth of experience exists in government that could be analysed and shared across government for good practices and lessons learned. The Treasury Board Secretariat's Pathfinder project is a commendable step in that direction.

As a last comment, I want to say that the government is making progress in the areas we examined, but it needs to take further action on its commitment to make electronic commerce its preferred way of doing business and becoming a model user of information technology by the year 2000.

Madam Chair, that concludes my opening statement. We would be pleased to answer any questions.

The Chair: Thank you very much, Mr. Timmins.

I'm now going to turn to questions. Mr. Jaffer, did you have any questions?

Mr. Rahim Jaffer (Edmonton—Strathcona, Ref.): I have just one question here.

I was noticing that under the legal issues on this report you don't really mention Bill C-54 directly. I guess my concern was whether in your opinion Bill C-54, from what you've seen of the bill, addresses the legal concerns you may have. If not, what would you be concerned with in Bill C-54 as it applies to electronic commerce?

Mr. Douglas Timmins: Madam Chair, I think the legal issue as we identify it in our chapter is slightly different. It is focusing primarily on the exposure you incur as you create a new service or provide a service electronically. So it's really the legal liability or exposure that might be inherent in a particular initiative, the way you're doing it and what takes place in that transaction.

Oftentimes you can cover it off if there are contractual arrangements that would limit liability or make a contract between the end user and the service provider. But we must remember that in electronic commerce via the Internet, some of this may well involve transactions with many of the public where there will not be a contract. Therefore you may be creating expectation and there may be legal exposure that could be arrived at.

I'm not sure that we're necessarily thinking of something that would be encompassed within a bill such as Bill C-54, but more looking at the implications on each initiative and whether there's a way to limit the liability of government as we move forward.

Mr. Rahim Jaffer: Okay.

The other question I had was on the Y2K problem that we're dealing with quite significantly right now and looking at the way governments are preparing in different departments. I notice in one of the sections here it's mentioned that the year 2000 code problem takes priority and that action is needed to encourage government program managers and business planners to consider using the Internet as an alternative means of delivering services. In your opinion, wouldn't it be important for the government to make the Y2K a single priority right now, given the timing of how close we are to the actual date change and the fact that many departments still are not quite ready? In fact if we look at preparing, I think it says here that we have about 300 staff of various departments and agencies taking part in this GOC PKI project.

• 0915

Wouldn't it be more efficient to look at and address the concerns of the Y2K problem right now, given the timing?

Mr. Douglas Timmins: Absolutely. We certainly support the fact that top priority and the number one priority and all the resources appropriated are being dedicated to Y2K. We have a chapter that was tabled in the same report at the same time talking about Y2K. We certainly would not want to see any removal of that as a top priority.

I think this is viewed in many ways as a second priority. I'm not sure it's fair to assume that the resources that are being talked about here are sort of taken off or away from other projects they could be doing.

Remember that the commercial development of the technology project is being done by a private sector company. Therefore it really isn't taking away those resources in terms of developing that product that is going to be able to provide cryptology and so on.

I'm not sure if I've helped to answer the question. I don't think the resources we're talking about here are really being taken away from any efforts on Y2K. I think Y2K is the priority.

Many other things are continuing to go on in government as well as addressing the Y2K issue. I'm quite sure that if the government felt that any of these resources would help in the Y2K effort they would take them away from that effort and devote them to Y2K. I still believe Y2K is their first priority, and we support that.

The Chair: Thank you.

Mr. Lastewka.

Mr. Walt Lastewka (St. Catharines, Lib.): Thank you, Madam Chair.

I noticed in the document I have, in item 11, you stated that the government could be “undermined”. I wasn't sure what you were getting at there. It was in the area where you said there were other challenges, with the public obtaining certificates to deal with the government and who will bear the costs.

Mr. Douglas Timmins: I think the word I used was “underutilized”.

Mr. Walt Lastewka: No, you used “undermined”.

Mr. Douglas Timmins: Oh, I'm sorry. I apologize. I should have said that the risk for the public key infrastructure may be underutilized for some time.

What we're talking about is a concern that the applications that have been undertaken in electronic commerce to date have been mostly focused on such areas as the exchange of secure messages, as opposed to the business applications. What we're advocating in this chapter is that there is a need to get the business side of the organizations on side to develop what is the need and where are we going to sell this service and use this service, the technical product that's being developed, in a way that is going to further it from a point of view of encompassing the public in a service, as opposed to international applications and operations of the government.

Mr. Walt Lastewka: So in a situation where the government is trying to put all their systems in place to be able to accept, at the same time there has to be work done with businesses and the users to prepare them to use the systems. Is that what your message is?

Mr. Douglas Timmins: Well, it's to identify the actual applications where this would be useful and appropriate, and let's develop them with the idea that the technology product will assist in that.

Mr. Walt Lastewka: Okay. And then under item 13 you talked about a senior sponsor. Could you explain some of the things you were trying to overcome by making that remark? What are the advantages? What do you see could happen there? Or what is not happening that could happen by having what you have suggested?

• 0920

Mr. Douglas Timmins: I believe one of the issues is that there's no sense of a plan or a strategy in terms of addressing the infrastructure, the technology to make it common, to ensure that it's common. There is a technology product, but one of the objectives of the government would be to have a seamless interface with the public.

A positive initiative that we point out is the development of the Canada site as an example. There is a concern as to whether the Canada site is user friendly, whether it's easy, and whether you don't need to still know, for example, what department provides which service, so that you can drill down and find what you want. That is as opposed to the public wanting to come in and say “I'm interested in this particular government service. I don't really know who delivers it or whatever, so help me through this system.” In terms of providing the direction and providing a plan of attack to make it interoperable among the various departments—are they each doing their own thing—that's the kind of thing we were getting at.

I believe that paragraph 19.88 of our chapter explains the role fairly well. We talk about providing a definition. We talk about developing a strategy and giving direction and identifying the deliverables. The discussion earlier about the applications—that I think they could take a lead in making sure there are applications—that's the sort of thing, as well as providing some oversight and monitoring of what's happening across Canada.

The Chair: Does that answer your question?

Mr. Walt Lastewka: I'm sure that during your travels and the previous time the Auditor General's department was here we talked about other countries and comparing with other countries. Could you give us an indication from your findings from other countries, whether it be the OECD or whatever, how Canada compares with other countries? I'm sure you're trying to find out what's best in the world and so forth and try to relay that to Canadians. Could you...?

Mr. Douglas Timmins: Madam Chair, I'm going to ask Ms. Cheng to answer that, please.

The Chair: Ms. Cheng.

Ms. Nancy Cheng (Principal, Audit Operations Branch, Office of the Auditor General of Canada): Thank you, Madam Chair.

In the audit we actually did not do benchmarking against other countries. However, I can clearly indicate that the development of the public key infrastructure project in the federal government is one of the leading initiatives around the world. No other country has been able to come forward with a uniform public key infrastructure to help with secure electronic exchange for its entire government. The United Kingdom and the United States are both trying to establish what standard or what product they would use. So Canada is at the forefront of this initiative, and I think our federal government is quite proud of it too.

Mr. Walt Lastewka: Are you going to be monitoring other countries to be able to help us to pull advantages from other countries? Are you going to be monitoring other countries? Do you monitor other countries and their progress?

Mr. Douglas Timmins: Perhaps I can answer that, Madam Chair.

We wouldn't monitor other countries on a general nature. We would certainly be aware of what's happening, but not necessarily at a technical level or a practical level, unless we're focusing on a particular audit. We then might choose to be aware of what's happening in other countries.

Mr. Walt Lastewka: Okay.

The Chair: Do you wish to add to that?

Ms. Nancy Cheng: There's just one small point I'd like to add. As part of the public key infrastructure initiative, Canada is also trying to establish cross-certification with the Government of Singapore. So there are other parts of the world that are very interested in being able to do business electronically at a government-to-government level. There's some piloting going on, and there is dialogue with the Singapore government at this point.

Mr. Walt Lastewka: Thank you.

[Translation]

The Chair: Ms. Lalonde, please.

Ms. Francine Lalonde (Mercier, BQ): Here is my first question. Why did you not examine the issue of privacy? You stated you did not do so, but you did not explain why. We might have expected you to.

• 0925

[English]

Mr. Douglas Timmins: Madam Chair, I think we chose a scope that was to focus primarily on the technology and the development of applications that we felt were using the Internet. I think we are quite aware of the fact that the privacy issue is clearly there, as is the issue of trust and security, and that's what we focused on.

I think it's fair to say that we are also aware that something such as the privacy issue is a very sensitive policy decision. On that basis, we normally do not audit in the area and make recommendations on policy.

[Translation]

Ms. Francine Lalonde: Let me put the question differently. The question of protecting privacy in the public sector does arise. The Privacy Commissioner criticized the Department of Human Resources Development for using information collected by Customs Canada. Have you examined the issue of information transfer and confidentiality among departments?

[English]

Mr. Douglas Timmins: No, Madam Chair, we didn't, but as—

[Translation]

Ms. Francine Lalonde: Not at all. You did not focus on this issue. Will you be taking a look at it further down the line?

[English]

Mr. Douglas Timmins: No, we don't have a plan to look at it. But I would point out, as I tried to explain in the opening statement, that there is a connection. If you provide confidentiality and integrity of the data, then the decision as to where you share that data.... You have some trust that the sharing is being limited.

We looked at something that I believe is connected to that decision. Once you make the decision whether information is shared or not, there is at least some view with the technology that there would be a way to actually protect that and provide security to the people who are providing the information. But the decision whether you share or not is another matter.

[Translation]

Ms. Francine Lalonde: In paragraph 19.71, you state:

    ...the members of the government's legal community have suggested that every application using the public key infrastructure be preceded with a threat and risk assessment from a legal perspective.

Could you please explain what that means?

[English]

Mr. Douglas Timmins: Yes. I think this is similar to a point I was making in response to an earlier question on the general legal liability issue. The question is that when an application provides a level of service to the general public and it is not on a contractual basis covered between each of the two parties, it creates a potential expectation on the part of that user. Therefore, any of these initiatives may have implications that could create the impression of a legal liability or the potential of a legal liability, just in the way the services are provided or the expectation that's there.

All we are suggesting is that particularly where the initiative does not deal with it through a particular contract, a signed piece of paper such as an actual transaction, this will be addressed partly through Bill C-54, eliminating what we call the paper bias for electronic signatures and so on. You have the first steps, but in each initiative there is a need to determine if there is an increased liability as a result and if there is a way to mediate that before the application goes forward.

The Chair: Last question.

[Translation]

Ms. Francine Lalonde: I have several. Here is a question by one of our researchers:

    I note that Statistics Canada uses the services of the financial institutions to handle all credit card transactions (19.95) because no GOC PKI has yet been implemented. Are we to conclude that the private sector is ahead of the federal government...

• 0930

I would also like to know which financial institution is doing this work for the government.

[English]

Mr. Douglas Timmins: The company that is working for the government on developing PKI is called Entrust Technologies, Inc., but they are developing it as a commercial product, and it will be saleable elsewhere.

Many private companies are developing technology security-type services and products. I don't think it's fair to say many of them are developing comparable products in terms of scope and coverage and trying to do what the federal government's project is doing.

Perhaps I could ask Ms. Cheng to add to this particular point.

[Translation]

Ms. Francine Lalonde: That's convenient, isn't it?

[English]

Voices: Oh, oh!

Ms. Nancy Cheng: I'll say a couple of things.

First of all, when you look at the private sector, they're not into large-scale cross-certification, which is where all the complexity comes in. The whole idea of cross-certification is that you have a regime that administers your secured administration and I have one, but can we talk to one another?

When you talk about the private sector, like the banks, it's no different from your signing up with a bank account so that they know who you are and they're comfortable doing business with you over the Internet. But the banks are not trying to exchange information necessarily with another bank, for example. So it's much more complex than what the government is trying to do.

If one government department only.... For example, National Defence has a lot of need for secure messaging. The general might need to talk to the colonel and so on and so forth, on a very secure basis. They can do that readily internally, but if National Defence wants to talk to Revenue Canada, then it's complicated, because Revenue Canada has its own security administration and National Defence has its own, and they have to be able to talk to one another.

If I'm at a level of authority that is highly secured, I have top secret clearance, and you only have the regular clearance, then some of the things I do or say you can't see and you have to be able to link all of those. So what we're dealing with is a lot more complicated. That's number one.

Number two, you were asking about Statistics Canada. The arrangement they have is with the TD Bank, so that's just to answer another portion of the question.

If I may take the liberty, I just want to add one comment on the whole issue of privacy. It's much bigger than just electronic commerce. Privacy issues exist right now. It's on paper and everything else. If you file information with the government, do we have the right mechanisms to make sure that is protected and is only used for the purposes intended?

When you go into the electronic domain, what you're looking for is whether the technology will allow you to fulfil whatever privacy policy you may come down on. That's why in the chapter, when we talk about certifying the public, we bring up the point about who's going to certify and whether you are going to require the public to sign up with just one department or with many departments.

If we truly want to get down to the privacy of individuals and cross-link information, we can do that right now. It may not be very elegant and we may have to go through some hoops, but it's doable. With the electronic commerce situation and having a single sign-up, it may give the perception to the public that their privacy may be more so invaded. That's why it's a high-level policy issue and that's why we didn't get into looking at that.

The Chair: Thank you, Madame Lalonde.

Mr. Keyes.

Mr. Stan Keyes (Hamilton West, Lib.): Thank you, Madam Chairman.

Thank you very much, Mr. Timmins and Ms. Cheng, for your presentation.

Ms. Cheng mentioned that, unlike the banks, for us to go from government agency to government agency would be more complicated. With banks or even insurance companies, I don't know how it is that I can go from one insurance company to the next and they both know exactly what my rates are. I'm pretty sure there might be some dialogue going on there anyway.

I have some questions, Mr. Timmins and Ms. Cheng, that you might be able to provide me quick answers for. They're not very heavy questions. For example, how many Canadians, including business people, contact the federal government every year? Do you have an idea of what that number is?

Mr. Douglas Timmins: Not in terms of connection.

Mr. Stan Keyes: No, not connection. I'm just talking about everyday business—

• 0935

Mr. Douglas Timmins: Contact? No. We could perhaps provide some information about how many people have Internet access, but....

Mr. Stan Keyes: I'm talking about without a computer.

Mr. Douglas Timmins: No, we don't have that statistic.

Mr. Stan Keyes: So you can't give me a percentage of how many of those transactions could be handled electronically rather than by picking up the phone or writing a letter or any of that kind of thing.

Mr. Douglas Timmins: In fact there is some information in our chapter. Ms. Cheng perhaps could find the specific reference. A survey was done of how the use of these government applications might expand, and the focus of the government applications seemed to be still primarily on internal operations. This is the point we were responding to earlier.

It's paragraph 19.39.

Mr. Stan Keyes: That's all very well and good, Mr. Timmins, but maybe you or Ms. Cheng can provide this committee, through the clerk, with information telling us just how many business people or ordinary Canadians do contact the federal government each year, no matter in what fashion, and then, as a percentage, how many of those transactions could be handled electronically by e-mail or computer at the present time.

Mr. Douglas Timmins: I don't want to be uncooperative, but I don't think we have that information. I don't know where we would get that information. I don't think it's accumulated anywhere.

The Chair: Ms. Cheng, would you like to answer that?

Ms. Nancy Cheng: Yes. The point I want to make is that's the job we want the government to do. Remember we were saying they are well on their way in developing this technical product, but the problem is the business side of things hasn't quite picked up. There aren't ready statistics, for example, within government for us to know how many different transactions they do on what basis. You have to go department by department, application by application, or program by program to find out the level of transactions. It's not accumulated centrally and you can't readily say what percentage of them will be electronic.

There is—

Mr. Stan Keyes: Well, I guess we can safely say then that there would be a whole whack of people contacting the federal government from ministry to ministry in one form or another.

Ms. Nancy Cheng: Correct.

Mr. Stan Keyes: There's probably no disputing that. What has to be learned is what percentage of them could access the federal government by way of computer or e-com or certain things like that.

Just to continue, how much has this GOC PKI cost the federal government so far?

Mr. Douglas Timmins: The estimate, as best we could provide it, is in paragraph 19.58 of our report. The cost for the 16 departments is approximately $35 million in the five years ending 1999, with ongoing operating costs of $4 million a year. It doesn't provide for the costs of technology upgrades, maintenance, and support, which may be extensive given the fact that technology will be changing, and therefore it will need to be upgraded as it goes along.

Mr. Stan Keyes: Thank you. Just as a point of clarification, what's the mix of private sector involvement in this whole process versus being government-led and done by government employees and that kind of thing?

Mr. Douglas Timmins: I'll let Ms. Cheng answer.

Ms. Nancy Cheng: It's primarily a Government of Canada effort. In the early days of the development of PKI there was some dialogue with some private sector companies. In more recent years, now that we're talking about certifying with the public, there is a need to consult with the private sector, and there's more contact with some of the private sector firms now.

Mr. Stan Keyes: Given the move toward the private sector, Ms. Cheng, in the same manner as, say, Transport Canada divested air navigation services to a non-profit organization called NAV CAN, has the Auditor General ever taken a look at the numbers or examined the idea of suggesting that the government not take the lead in appointing, say, a sponsor for e-commerce and going through the whole business of developing the program and the upgrades and everything else, but in fact farm it out, as it were, to the private sector in a tender format to inevitably get the government out of the business of running business, which is what exactly this e-commerce would be all about, and probably do it at considerable cost savings?

The Chair: Ms. Cheng.

Ms. Nancy Cheng: Thank you, Madam Chair. I really like the question, because it will allow us to get into a bit of discussion at a slightly higher level.

• 0940

It's important to remember that much of the driver behind the whole idea of outsourcing—allowing the private sector to do it for you—is cost saving. But we often forget that it's still the managers who are responsible for the programs and services they have to deliver. With very many outsourcing initiatives, you see managers start to pull back. They delegate it. They're still responsible, but they no longer necessarily have the information to run it the way it's supposed to be run.

The whole notion of a senior sponsor is extremely important and is one of the key recommendations in the report. We say in government that we're going to use electronics as the preferred means of doing business. We say we're going to be the model user of the information highway. All of those link into the larger agenda of connecting Canadians. If we farm that out, we no longer really have the leadership to lead the government and say this is how we're going to make use of the Internet, for example, to help the government do business. It's the business managers who have to do the thinking.

Mr. Stan Keyes: Well, that was a fear of course that we heard with air navigation services: that we can't possibly let the safety of Canadians fall into the hands of a private sector company. But that's what the government is there for: to regulate and schedule in order to ensure that safety, for example, is still priority one and that the company hired in the private sector to do that job understands that as their primary mandate.

In the case of doing this kind of work, their primary mandate of course would be to take us into the new age of e-commerce, etc., with the guidelines that would be laid down by the federal government through regulation.

Ms. Nancy Cheng: You may be quite right that ultimately that might be one of the avenues, but that cannot happen before the upfront thinking has taken place. Where we're coming at it from is that the upfront thinking has not taken place.

I'm quite certain Transport Canada didn't just say, “Well, perhaps this is an opportunity to privatize air navigation, and we'll just keep the regulatory role.” It's not just regulatory we're talking about. We're talking about all types of government services that can be delivered electronically. The central thinking has to take place first and then you can look at different options. So certainly it comes back to the point that there needs to be this leadership at the federal government level to think it through.

Mr. Stan Keyes: I guess I would just conclude by saying this upfront thinking is costing the government a whack of money, and we're waiting. We may be waiting just a little too long to involve the private sector.

The Chair: Thank you, Mr. Keyes.

Mr. Timmins had a response.

Mr. Douglas Timmins: I just wanted to clarify that the private sector is involved and does have lots of other opportunities to be involved. They are developing the technology product that is there. We talk about the potential for the private sector to have a role as the government decides how they handle the cross-certification and the registration of all the users. They can be involved and will be, obviously, if the technology product is used as the infrastructure is built.

The question I think Ms. Cheng was trying to address is the issue of having some central focus. Right now it's very horizontal and it's very individual department by department. Even if you want to develop that and hand it over and direct the private sector to do it, it won't happen unless there is a common direction and strategy. It's going to continue to be piecemeal hits, depending on what each individual department sees as being appropriate. They may develop a partnership with the private sector or hand it over to the private sector, but it will be, again, a bit disjointed.

We're saying the seamless use and interoperability of it is key, and somebody has to at least oversee that and watch over the private sector or whoever's doing it to make sure they deliver on that end.

Mr. Stan Keyes: Thank you very much.

[Translation]

The Chair: Ms. Lalonde, do you have any other questions?

Ms. Francine Lalonde: Yes, I do. In paragraph 19.53, you state:

    The issue of certifying public users is complex and has major implications. If the government does not address it in a timely manner, other options may emerge and later complicate the task of coordinating a common approach. This could significantly compromise the potential return on the government's investment in its GOC PKI project and curtail the scope of secure government business conducted by the Internet.

This paragraph seems to be saying a great deal. Could you please explain it?

[English]

Ms. Nancy Cheng: It's important to deal with the issue of cross-certification head-on. We wrote that paragraph because there seems to be a general approach by the government to try to use phase implementation.

• 0945

Phase implementation usually is a good thing. That means you do things chunk by chunk and you don't try to tackle everything all at once. But the Internet phenomenon is growing at such a rapid pace that it really doesn't allow us to first of all try to do it internally within one department, then experiment with a few departments but still working only on internal administrative processes, and then deal with the public outside.

We pretty well have to start considering these things on a parallel and concurrent basis. Otherwise the danger is that new products develop, new standards come forward, and they may supersede what the government is trying to do in developing this government-wide public key infrastructure. That's why we needed to deal with it on a timely basis, and that's what that paragraph is getting at.

[Translation]

Ms. Francine Lalonde: I am trying to understand, Ms. Cheng. You stated that Canada was ahead, but is apparently threatened by other technologies. So if we do not keep going and develop further, what we have done so far might be for naught. I am a bit lost here.

[English]

Mr. Douglas Timmins: We have to recognize that this technology is moving very fast in all of these areas. You can be ahead at a particular point in time, but you can fall behind very quickly.

The other thing we're worried about is a bit connected to the issue of getting the application while the technology is current so that it can actually be applied sufficiently that it become the base, as opposed to something better coming along and our saying, “Well, that's really not good enough any more. Let's go with what's better.” There's always that risk in the technology field. Every day, when you buy a computer, it's basically obsolete when you take it home.

We have that kind of concern. There has to be some momentum; they have to get some applications quickly to take advantage of it, because of the level of investment to this point.

I'm not sure it's really related to our status relative to progress elsewhere. It's basically a question of taking advantage of the investment in the development to date and getting applications there. That's the basic point we're trying to make.

[Translation]

Ms. Francine Lalonde: Do you mean the government would itself sell...? Several times, you have said there will be products. Are you talking about a variety of small products that will have to be sold before customers can be certified using fingerprinting or some other means? No? So certification could be ensured differently.

[English]

Mr. Douglas Timmins: Perhaps Ms. Cheng can talk more about the actual development of the product, but the product has been developed to register users and match a public key and a private key to allow the secure exchange of the information. That product is a commercial product that is being developed and will be sold. We will buy, in effect. The government will buy, the same as the private sector would buy, from this private sector company.

The issue of buying or selling those devices is not what we're talking about. We're talking about then actually having—

[Translation]

Ms. Francine Lalonde: That is the choice of technology. You have selected a technology.

[English]

Mr. Douglas Timmins: The government has selected a technology. We're suggesting that as that technology is being developed, the business applications need to be used in more than just secure exchange of e-mail messages within the government. We're talking about making sure there are applications that will make that product deal with the user, the public, and make it seamless to them.

We raise many issues in the chapter, such as dealing with registration and cross-certification. Those keys that are going to be there—the public and the private keys—who's going to manage that? It gets very technical. That can still be a private sector role, but the government needs to identify the applications to make it—

• 0950

[Translation]

Ms. Francine Lalonde: What is preventing the government from moving quickly? That is one thing that clearly emerges from all your statements.

[English]

Mr. Douglas Timmins: I don't know. Ms. Cheng may have a comment on that, but I think it's primarily the fact that it is viewed as a technology product, and not that there hasn't been an involvement of the business side of the organization to say, “Yes, we want to do this in this way, and we think this provides the solution.”

Maybe it's connected to the comment we had earlier about the sponsor. Nobody is pushing it from the centre and saying they want to make sure people are putting it on their agenda in terms of identifying those applications to make it work.

The Chair: Ms. Cheng, do you have a comment to add to that?

Ms. Nancy Cheng: Maybe just a very short one.

As far as the product is concerned, the government is trying to move ahead as fast as they can, but in the chapter we also talk about the need for developing this management framework. That's not a trivial exercise at all. In order for department A to be able to talk to department B and say, “Here are my users; they're good, and you can do the same thing”, there is a very big exercise in developing the tools, which are policy. These are almost like bibles that people have to stay with, because if we don't all do things the same way, then later on we can't exchange information. Those things take a long time to develop.

With some of these instruments, such as the certificate policies, there is a draft, and it's currently being sent out for consultation. It won't be finalized until March. Until you have some of these tools in place, you can't take the next step.

What we're trying to say is that the thought about certifying the public and the cross-certification has to move very fast, because as Mr. Timmins has pointed out, technology moves so fast that the fear is that maybe, out in the private sector, some other standards will emerge and some other form of certificate policy will come through, and they may not be consistent with that of the government. Then it will cause a lot more coordination later on to be able to link up with everybody else.

Right now the government is hoping that its certificate policies, the CPs, can become world standards. In fact Entrust is getting into the Ontario provincial government market as well, and hopefully they would look to the Government of Canada's CPs so that we'd all be using the same set of rules and protocols so that we can communicate later on.

[Translation]

Ms. Francine Lalonde: I didn't talk about that.

The Chair: Thank you, Ms. Lalonde.

[English]

Mr. Shepherd.

Mr. Alex Shepherd (Durham, Lib.): What I've learned in the last half-hour is this. What you're trying to tell us is that the natural culture of the bureaucracy is such that it resists change, and that technology is changing so fast and the natural antithesis to change is delaying the implementation of electronic commerce in the government. Is that a fair statement?

Mr. Stan Keyes: Hear, hear! Very eloquent.

Mr. Alex Shepherd: Isn't that what you're trying to say?

Mr. Stan Keyes: That summarizes it nicely.

Mr. Douglas Timmins: That's fairly close. However, there is one side of the government organization that is accepting the technology change, and the problem is it's the technology people. It's the other side that has to recognize the advantages of the technology. In that sense—

Mr. Alex Shepherd: Okay, so nobody will take responsibility for this.

The area that fascinates me is Revenue Canada, because that's where the tire hits the pavement with a lot of people's lives. As you know, we can pay our water bills and just about anything else over the Internet, but we can't pay Revenue Canada.

Is this PKI project going to be gradually implemented? Are some departments going to come onstream first? And where is Revenue Canada in all of this? It seems a natural thing that people could pay their taxes. Twenty-five per cent of the people in my riding can't use electronic commerce; they have to go down to the bank and get this thing stamped by the bank and go through this hassle, which they don't want to go through. When is a logical implementation date, and who's responsible in Revenue Canada for implementing that?

Ms. Nancy Cheng: Revenue Canada actually is one of the larger information technology shops in government, and in fact it has given a lot of thought to doing business electronically. They are certainly at the forefront in electronic filing, in terms of being able to try to file tax returns electronically, and they are going to be experimenting with filing returns over the Internet. So that's moving towards the use of the Internet front.

• 0955

Who's responsible there? The way the government is set up, it's ministerial accountability. The deputy minister would be responsible and accountable to the minister, who would in turn be accountable to Parliament on that. But each department is not waiting necessarily for PKI to finish before they can do that, because if Revenue Canada only needs to deal with its own program...I can't use the word “beneficiaries”, but people they deal with, the taxpayers—

Voices: Oh, oh!

Ms. Marlene Jennings (Notre-Dame-de-Grâce—Lachine, Lib.): Revenue Canada is the beneficiary.

Ms. Nancy Cheng: If they need to deal with their own set of clients, if you will, then they can register them in some fashion. What we're talking about is the difficulty to do cross-certification, and they don't necessarily have to go that step. So Revenue Canada certainly is not held back by the initiative of the PKI, and with PKI moving forward, it actually would provide a tool, a government-run tool, for different departments to do their programs and services. But it's the departments themselves that are accountable for the programs.

Mr. Alex Shepherd: But you have no knowledge of when they would be able to provide that service to the public.

Ms. Nancy Cheng: We didn't look specifically at Revenue Canada in this audit, but from general dialogue with them, we know they're acting on it right now and that piloting is going on in terms of filing tax returns electronically.

Mr. Alex Shepherd: Yes, I know. The flip side of that is some of the other power that Revenue Canada has, such as third-party claims, being able to make claims against people's bank accounts. From what you've seen in the evolution of their use of technology....

This has a great possibility for abuse, if you know somebody's bank account number by the fact that they sent you some money and in fact you think they owe you more. There's a normal process where you have to give them notice, give the bank notice, and so forth. Is Revenue Canada's audit trail, if you will, still going to be very much in place when they implement electronic commerce?

Ms. Nancy Cheng: It goes back to the point about the legal framework we're talking about. You will recall that earlier on in our discussion there was a reference to a paragraph that talks about the threat and risk assessment. That's where it comes in.

A lot of these security issues also have legal implications, and while we're moving forward in some of these applications, it's important that we look at new ways of being exposed to abuse. It's not any different from what we're doing on a paper basis, but it just gives another instrument or another way for things to go wrong. We have to think about how things can go wrong and therefore take the right steps to mitigate those risks.

The Chair: Thanks, Mr. Shepherd.

Mr. Murray.

Mr. Ian Murray (Lanark—Carleton, Lib.): Thanks, Madam Chairman.

I'd like to look at this problem of encryption from a couple of angles. We're going to have the paper world with us for quite some time yet, and when people deal with the government, they don't encrypt their letters or whatever correspondence or information. The information is as secure as the filing cabinets within the government that these pages are kept in. So I would assume first of all that most of the dealings people have with government would not require encryption, because a lot of it's fairly mundane and wouldn't require that technology.

I have a couple of questions. One, looking at the future, this may not be something you'd ever look at in your job as auditors, but when we get to the point where almost everything is done electronically within government and in talking to the outside world, are we going to be having problems with access to information because there are no longer pages sitting in filing cabinets that can be easily referred to, when people have codes and everything is kept securely in computer databases? Is that going to change that aspect of dealing with government?

Mr. Douglas Timmins: That's a very good question. It wasn't really within the scope of this audit for us to focus on. The issue to a certain degree exists already today, because we have a lot of information that, even if it's within government, is stored electronically, and not necessarily is there an assurance of the paper copy, or if so, where is it?

• 1000

I believe it is the responsibility of our public archivists to deal with that issue of providing the ability to read technology and to maintain a technology base or capability, or at least a document. It's a little bit beyond the scope of what we have covered here, so I'm not absolutely sure of the extent of that. But I think that's where it would be covered.

With regard to your earlier issue of dealing with it as it evolves into a much more paperless kind of interaction with the government, I think it's important to recognize that we're not advocating—and I don't think the government would intend or that this product they're developing would intend—that everything be encrypted. There are options that do not involve encryption that are compatible with this.

Certainly the issue we would focus on is the ability to provide an audit trail for those documents. The issue of short term is one thing. The issue of long term as technology evolves and some technology can no longer be readily accessible is the one I was raising with the public archives and their responsibility.

Mr. Ian Murray: But say someone has their personal key to deal with the government. How restricted is that to the person or the department with which they are dealing? For example, who else could access that within government?

Mr. Douglas Timmins: That's the issue about privacy, which was raised earlier, Madam Chair. Whether as a member of the public you would have one key or multiple keys, one to deal with every department, is a policy question that needs to be addressed. Who maintains that key? Who is the manager of the key, whether it's the private sector or the government? It is almost akin to the discussion around whether or not you use the SIN as a single identifier. It's similar. Do you want to restrict it so that every member of the public has only one key, and that key gets them anywhere? Then you have to deal with the issue of sharing that information. Do you build it in a way that says each individual interaction with a government department has its own key and therefore I deal with them, and it's protected?

Those are to a degree policy questions. The technology can deal with it. It's a matter of making some decisions and then moving in that direction.

Mr. Ian Murray: I think Ms. Cheng wanted to say something.

Ms. Nancy Cheng: If I may just add a small point from the technical perspective, the whole public key infrastructure for cryptography technology rests on having two keys, actually. You have a public key and you have a private key. The public key is the one you put on a directory, and the one who registers you, who has certification authority, would put it on. So you don't need to keep that secret.

The private key is what you would need. It's like a password you can use to open your account, so it's a little bit like your PIN for your bank card. That is absolutely yours to keep. It's much like how you would protect a password or your personal identification number for your bank card. You don't share it with anybody. So with regard to that aspect of privacy, the technology protects you as long as you can protect your own PIN.

But the public key that sits in the electronic directories is what everybody has to have so that when they use that key, they know they are sending it to you and not to me, for example. So that's how the technology could help protect you.

That's just to add to the point.

The Chair: You have time for one last question.

Mr. Ian Murray: You mentioned that the government is working with Entrust to develop some encryption software. I'm still not clear on how the government can have an open approach to cryptography. In other words, there's no restriction on what service somebody might use or what software they might use. This again is a very technical question. I just don't understand how you can have several different types of encryption software interfacing with the government. Say the government standardizes on Entrust technology. Would it not then be logical that everybody dealing with the government would have to use that as well, or am I missing something? I just don't understand how it works.

Mr. Douglas Timmins: Madam Chair, I think that's one option, but it's not the only option. Of course, in developing its product, which is a commercial product, Entrust would recognize that there is a broader market they have to deal with, which would be people who are using other products. So they are going to be very conscious of developing their product so that it interfaces and deals with other technologies.

• 1005

Now, there are always risks and limitations to how well that's done and how it operates and what you need to do to make it work, but to a certain degree within government.... If they are dealing with it so that it's comparable to the government product, then it may give them a leg up in the sense that, if you're there, then you don't have to worry about making it interconnected. But I think certainly in the development of the commercial product they're very aware of the need to make it interoperable, and that is the direction they're going in.

Mr. Ian Murray: Thanks very much.

The Chair: Madame Lalonde, do you have a question?

[Translation]

Ms. Francine Lalonde: My question will be short, though I do not know whether the answer will be. If there is a cumbersome process here, could it not be because we are taking part in a revolution? Ever since writing was invented, there has been a paper base. Now, it's going to change. Of course, the issue of privacy arises. There is also a democratic issue here: access to information. We can ask ourselves the question, and in fact should ask ourselves the question as parliamentarians defending democracy. Will we have access to the information? I know that technology moves quickly, but principles should not be influenced by technology. That is my question.

[English]

Mr. Douglas Timmins: Yes, Madam Chair, I certainly agree that this is the aspect of the question that is out there, in addition to the technology. The technology is there, the technology can do many things, but there is the policy question of deciding how it's going to operate and what is going to be the control over privacy. We certainly don't want to undermine the fact that this is a difficult question to deal with and needs to be dealt with.

It is partly, at least, being done with the discussion of Bill C-54. We certainly encourage the progress on Bill C-54 for that reason, but also because it addresses, as we've discussed in certain aspects that we've raised in this chapter, the security and the paper bias, which we think needs to be dealt with as well.

The Chair: Thank you.

[Translation]

Ms. Francine Lalonde: Well, we differ on that.

[English]

The Chair: Thank you, Madame Lalonde.

Madame Jennings, please.

Ms. Marlene Jennings: Thank you.

Coming back to the issue of a senior sponsor, I take it from your response to the questions that were asked of you previously concerning this that you're not at all satisfied with the government response to the recommendation made by the Auditor General that a senior sponsor should in fact be appointed or created.

Mr. Douglas Timmins: Madam Chair, I'm not sure we're entirely disappointed or in disagreement with the totality of the response. But certainly regarding the aspect they emphasize—they view it as a horizontal issue and that all departments have a responsibility—we don't disagree with that point.

But we don't think that's sufficient. We don't believe the senior sponsor would overtake things and become a director of all operations all across government. That's not what we're advocating either. We think it's more a matter of pulling together a strategy and a plan and making sure everybody is pulling in the same direction, and that I think is different. But perhaps it's also difficult in some cases for the government to deal with that, because it's a matter of what level that individual is at and what priority they have within government.

As was discussed earlier, we certainly wouldn't want this to be taken as a priority above Y2K at this point in time. Maybe that's part of the reason for their response, that they want to keep the focus on Y2K, and that's fine. But I also think there is potentially an opportunity here that will be missed if they don't have somebody providing that strategic direction and plan, and maybe pulling those horizontal efforts together. I think that's really what we're talking about.

• 1010

Ms. Marlene Jennings: But isn't it a fact that generally speaking the federal government and most governments operate horizontally? Therefore I think the idea of having one body that would coordinate and in fact direct policies and strategies across the board is almost against the nature of the type of government infrastructure we have in place, and that may be where the resistance is coming from.

Mr. Douglas Timmins: Yes, Madam Chair, I would agree there's certainly a tendency and a push to devolve that responsibility to all of the various departments. You're absolutely right, that's very consistent with that trend. But we've identified other areas and other issues in other audit work that we feel similarly require some central direction to ensure success, and so on. That's not to undermine or to counter, in effect, that effort to make departments individually responsible for their own initiatives, but there are some other large projects under way that have had some central direction. We've commented on them and the degree to which they are.

Ms. Marlene Jennings: Like Y2K.

Mr. Douglas Timmins: And this is really one more. If you have a sponsor, the sponsor will take some ownership; if you don't have a sponsor, there isn't ownership. I think we're really trying to get some ownership, to make sure it moves forward.

Ms. Marlene Jennings: The second question concerns the legal issues. You point out in paragraph 12 that:

    the government had identified the need to update the legislation to make statutes media-neutral, ensure the recognition of electronic signatures and revise the rules of evidence for electronic records. Parts two and three of Bill C-54 address these very issues.

But you say there are other issues that, I'm assuming, are not being addressed by Bill C-54. Is it because they cannot be addressed within the context of that legislation and there's a better forum, or is it that in your view they can be addressed but haven't been, for whatever reason? If there are other issues, identify them, please.

Mr. Douglas Timmins: Yes, Madam Chair. The specific detail of that reference is from paragraph 19.69 to paragraph 19.72.

I think the short answer is that basically we're not expecting that Bill C-54 would be able to address these issues on its own. I think it's similar to a response I made earlier that would indicate we're talking about individual initiatives. As those individual initiatives and applications come forward they need to be reviewed, and their legal implications need to be considered. It's not something that I think can be dealt with within a legislative framework.

Ms. Marlene Jennings: Okay. Thank you.

The Chair: Thank you very much, Madame Jennings.

Mr. Bellemare, you said you had one question.

Mr. Eugène Bellemare (Carleton—Gloucester, Lib.): Yes, it's on security.

Without a Government of Canada public key infrastructure, how have the existing electronic transactions, such as e-mail and direct deposit, been kept secure to date?

Mr. Douglas Timmins: Perhaps I'd ask Ms. Cheng to answer that.

Ms. Nancy Cheng: Thank you, Madam Chair.

With respect to e-mail, that's one of the driving forces for PKI. Until you have the cryptography services in place, e-mails are not secure, so it can be readily accessed by unintended parties. That's why there is the move for security.

With respect to bank transfers, they don't use services over the Internet. Most of the bank transfers are done through what we call EFT, electronic fund transfers. They're dedicated lines; it's one party to another, and you know who you're talking to. It's not wide-open in the arena of open networks. So the technology set-up is different.

Mr. Eugène Bellemare: This would lead me to a follow-up question.

In the absence of a Government of Canada public key infrastructure, have there been any known breaches of security or privacy in the existing electronic delivery methods for the federal government programs?

The Chair: Ms. Cheng.

Ms. Nancy Cheng: Madam Chair, I have to concede that we haven't looked at that. I think that's the subject of an entire audit on its own. So this particular initiative did not cover that.

Mr. Eugène Bellemare: Thank you.

The Chair: I want to thank you both, Mr. Timmins and Ms. Cheng, for being with us today. It's been a very interesting discussion, and we appreciate your time.

We're going to recess for five minutes.

[Proceedings continue in camera]