:
Good afternoon, everyone. I now call this meeting to order.
Welcome to meeting number 16 of the House of Commons Standing Committee on Industry, Science and Technology. Pursuant to the order of reference of Saturday, April 11, the committee is meeting for the purpose of receiving evidence concerning matters related to the government's response to the COVID-19 pandemic.
Today's meeting is taking place by video conference, and the proceedings will be made available via the House of Commons website.
As a reminder to the members and the witnesses, before speaking, please wait until I recognize you by name. When you are ready to speak, please unmute your microphone, and then return it to mute when you are finished. Please speak slowly and clearly so that the translators can do their work, and please make sure your questions and comments are through the chair.
As is my normal practice, I will hold up the yellow card when you have 30 seconds left in your intervention, and the red card when your time for questions has expired.
I will now welcome our witnesses.
[Translation]
From the Autorité des marchés financiers, we have Jean-François Fortin, executive director of enforcement, as well as Christian Desjardins, director of assessment and inquiry.
[English]
From the Canadian Internet Registration Authority, we have Mr. Byron Holland, president and chief executive officer; Mr. Dave Chiswell, vice-president of product development; and Mr. Albert Chang, corporate counsel.
From the Communications Security Establishment, we have Mr. Scott Jones, head of the Canadian Centre for Cyber Security.
From Nuance Communications, we have Mr. Simon Marchand, certified fraud examiner and certified administrator, biometrics and security.
As well, from the Royal Canadian Mounted Police, we have Mr. Eric Slinn, assistant commissioner, federal policing criminal operations; and
[Translation]
Guy Paul Larocque, acting officer in charge of the Canadian Anti-Fraud Centre.
[English]
Each witness will present for five minutes, followed by our rounds of questions.
We will start today with the Autorité des marchés financiers. You have five minutes.
:
Thank you, Madam Chair.
As you mentioned, I am the executive director responsible for enforcement, and with me is my colleague Christian Desjardins, director of assessment and inquiry.
The Autorité des marchés financiers, or AMF for short, is the regulating body for financial markets in Quebec, and its mission is to regulate the financial sector.
The AMF proactively monitors issues and challenges related to financial fraud at all times. That monitoring takes many forms and is carried out by a number of teams within the AMF. Those efforts are complemented by the AMF's active involvement in Quebec, Canadian and international committees.
We have multi-sector teams working together to ensure market oversight, cybersurveillance and vigilant monitoring. We also invest heavily in major awareness campaigns and strategic partnerships.
Since March 16, the AMF has been in telework mode. We were able to quickly set up the teams needed to keep enforcement and awareness work going remotely. With a few exceptions, all employees are fully operational from home. We've had to ease up on activities such as in-person interviews and testimony, but it hasn't affected operations. Information-gathering and analysis work, as well as video-conference interviews are carrying on.
During the COVID-19 pandemic, the AMF has stepped up its web surveillance. It also sits on an investment fraud task force that brings together all of Canada's securities regulators to share information on illegal activities identified in connection with COVID-19.
In addition, the AMF is on a task force established by the North American Securities Administrators Association, which represents securities regulators in Canada and the United States. The purpose of the task force is to coordinate the communication of potential investment fraud stemming from COVID-19, coordinate related investigations and make the public aware of potential risks.
Another step we have taken is establishing a market monitoring strategy to better target potential market manipulation and insider trading. Accordingly, we've been keeping a closer eye on pharmaceutical companies that falsely advertise vaccines or quick fixes, for instance.
We've also made a dedicated effort and tailored monitoring activities to detect potential insider trading in connection with the extended deadline for financial reporting granted by regulators in response to the pandemic. The extension for filing market-related information heightens the risk of insider trading, with executives, professionals, advisers and others having access to non-public sensitive information for a longer period.
That's it for the market oversight and enforcement piece.
Now I'll turn to public outreach and education, an area where we've been extremely proactive. The AMF has sought to raise public awareness by posting COVID-19-related fraud prevention alerts on its website, and stepping up the number of fraud prevention posts on Facebook and other social media sites.
We've sent letters to Quebec's leading seniors associations and consumer groups to remind them that our support services are still available and to encourage them to report scams and other problems they encounter.
Lastly, we've issued multiple investor warnings, which are posted on social media sites and often passed on by our partners.
I'd also like to highlight an important initiative. Back in March, after noticing the number of COVID-19-related scams, we started investing in a large-scale awareness campaign that ran from April 6 to May 5 on television and online including on social media sites.
I want to underscore the number of education initiatives we undertook using TV, social media and other means to reach seniors and vulnerable populations.
The AMF is one of Canada's financial regulators, and we constantly work with all regulators in Canada, as well as international regulators.
Thank you.
:
Thank you very much, Madam Chair and honourable members of the committee.
Most people know the Canadian Internet Registration Authority, or CIRA, as the operator of the .ca registry. Our primary mission is the operation of a safe, stable and secure .ca domain space.
CIRA is recognized as a global leader in the domain name industry. In fact, many other countries leverage our infrastructure, services and knowledge for their own domain name registries. Our technology is considered best in class among our peers. In short, CIRA is fully equipped to navigate the COVID-19 crisis. We are confident in our ability to protect the integrity of .ca.
To date, we have tracked just over 2,000 .ca domain names with COVID-19-related keywords. For context, since January we have registered over 200,000 .ca domain names. This is aligned with what we are seeing from our peers in Europe and around the world, where COVID-19-related domains make up less than 1% of registrations so far this year. However, it’s also important to note that many of these domains are perfectly legitimate, and even positive, such as conquercovid19.ca, a campaign to support first responders.
We scrutinize all COVID-19-related domains carefully to ensure that they comply with our rules, particularly Canadian presence requirements, and to ensure that all domains stay Canadian. We are also working with our global domain name community, including organizations like the Council of European National Top-Level Domain Registries, to ensure that we are aligned with the best practices of our peers around the world.
However, it is not within CIRA's mandate to review or authenticate the content of .ca websites, nor would such authentication be effective, as the Internet, and related threats, is global. While .ca domain names are bound by Canadian law, thousands of other threats come from outside our borders. There are well-established existing tools and processes in place to deal with fraud online and cyber-attacks. If Canadians come across any domain they suspect of being used fraudulently or maliciously, they should contact the Canadian Anti-Fraud Centre or the Canadian Centre for Cyber Security. We work closely with both of those organizations.
When it comes to fraud on the Internet, it is important to remember that hackers love a crisis. While technical solutions form an important barrier to online fraud and cyber-threats, the biggest attack vector is human frailty. Cyber-thieves exploit anxiety, uncertainty and fear to prey on Canadians when they are at their most vulnerable. Unfortunately, the current COVID-19 pandemic provides fertile ground for these criminals.
In this environment, we launched CIRA Canadian Shield. This is a free security and privacy solution for individual Canadians and their families. Working with our partner, the Canadian Centre for Cyber Security, we are already protecting more than 50,000 Canadians with Canadian Shield as they work, learn, teach and socialize while at home during the pandemic. Canadian Shield reflects CIRA's commitment to build a trusted Internet for Canadians. We look forward to the opportunity to protect every Canadian with this free service.
CIRA is helping to protect Canadian hospitals, schools, universities and municipalities through our enterprise cybersecurity service DNS Firewall. It has an install base of more than 1.1 million users, which includes students, teachers, doctors, municipal workers and first responders across Canada.
:
Good afternoon, Madam Chair and committee members. Thank you for the invitation to appear today, from my dining room, to discuss pandemic-related cyber-fraud.
I am Scott Jones and I am the head of the Canadian Centre for Cyber Security at the Communications Security Establishment. CSE is one of Canada's key intelligence agencies and the country's lead technical authority for cybersecurity. Launched in October 2018, the cyber centre is a relatively new organization, but one with a rich history and over 70 years of cybersecurity experience, having previously functioned under CSE's long-standing IT security mandate. The cyber centre is a unified source of expert advice, guidance, services and support on cybersecurity operational matters, providing Canadian citizens and businesses with a clear and trusted place to turn to for cybersecurity advice.
Specifically, the cyber centre focuses on five main areas. We first inform Canada and Canadians about cybersecurity matters. Second, we protect Canadians' cybersecurity interests through targeted advice, guidance, hands-on assistance and strong collaborative partnerships. Third, we develop and share specialized cyber-defence technologies and tools, resulting in better cybersecurity for all Canadians. Fourth, we defend cyber systems, including government systems, by deploying sophisticated cyber-defence solutions. Fifth, we act as the operational leader and government spokesperson during cybersecurity events.
That point brings me to the specific topic of today's discussion, to speak to you about cybersecurity when it comes to COVID-19. As we noted in the national cyber-threat assessment in 2018, the biggest threat facing Canadians online is cybercrime. I would like to provide the committee with an update on the work that the cyber centre is doing to protect Canadians from cyber-fraud occurring before, during and after the pandemic.
During these uncertain times, cyber-threat actors are attempting to take advantage of Canadians' heightened levels of concern and fears around COVID-19. Many Canadians are naturally feeling fearful and stressed, and those emotional responses can be exploited online. We've seen an increase in reports of malicious actors using COVID-19 in phishing campaigns and malware scams.
COVID has presented cybercriminals and fraudsters with an effective lure to encourage victims to visit fake sites, open email attachments and click on text messaging links. These websites, emails and links frequently impersonate health organizations and can pretend to be from the Government of Canada, among others. They are trying to spread malware and scam Canadians out of their money or private data.
The cyber centre has assessed that the COVID-19 pandemic presents an elevated level of risk to the cybersecurity of Canadian health organizations involved in the national response to the pandemic. I want to reassure you that CSE and the cyber centre are working hard to mitigate these threats and protect Canadians.
I am pleased to share with you the steps we're taking to protect the Government of Canada, systems of importance, and all Canadians from cyber-fraud during these times. We continue to leverage all aspects of our mandate to ensure that Canada is protected against threats and that the Government of Canada has access to information that can help inform decisions on our approach to COVID-19. The cyber centre is working tirelessly to continuously raise public awareness of cyber-threats to Canadian health organizations by proactively issuing cyber-threat alerts and providing tailored advice and guidance to Canadian health organizations, government partners and industry stakeholders.
In addition to our advice and guidance for Canadian organizations, we continue to enhance the Get Cyber Safe campaign to help all Canadians take action to help themselves be safe online. In coordination with industry partners and the international network of cybersecurity organizations, the cyber centre is contributing to the removal of fraudulent sites and other materials used to lure Canadians, including sites impersonating the Government of Canada.
To support programs of importance to the government, we have also continued to monitor and protect important Government of Canada programs against cyber-threats, including the Canada emergency response benefit web application. [Technical difficulty—Editor]
:
Members of the committee, good afternoon and thank you for having me today.
My name is Simon Marchand, and I am the chief fraud prevention officer at Nuance Communications Canada. Nuance is an American company with a strong presence in Montreal. It develops technologies that rely on artificial intelligence and voice biometrics for use in fraud prevention, among other things. My specific role is to apply those voice biometric technologies to identity theft prevention. Nuance's products are widely deployed throughout Canada, with most of the big banks and telecommunications carriers using its biometric-based technologies. Nuance also has an extensive international clientele, including major U.S. banks and most of the world's big companies. We develop solutions for law enforcement agencies and government service providers, as well, to help them gather evidence and identify citizens.
I am here today to share with you some of our observations. In my capacity, I'm obviously abreast of all the major scams around the world. I'd like to tell you what we've seen in relation to the COVID-19 pandemic and flag some of the risks that need to be addressed, to help ensure Canada's legislation is equipped to deal with fraud-related issues that may be imminent.
I'll start with some of the internal risks. In response to the COVID-19 pandemic, companies quickly reorganized their operations to accommodate telework. I'm not here to praise or criticize telework, but I will say that it poses real risks, especially in connection with customer service. All customer service representatives who usually work in call centres are now working from home, in an unsupervised environment. Despite having few tools, they now have access to sensitive information about consumers, ranging from information about their assets to information that someone could use to impersonate someone else.
The current socio-economic reality will no doubt put pressure on many households. When it comes to internal fraud, we know that pressure and opportunity are the two basic factors that drive an employee to go against their employer's interests and commit fraud, including stealing information belonging to the organization. Let us not forget that some organizations collect highly sensitive information about Canadians.
These changes in how work is organized raise the possibility of information being stolen and eventually posted on the dark web. That will definitely serve identity thieves well.
Other witnesses have talked about phishing scams, a problem that's already well documented. Sophisticated criminals have adapted to the pandemic and are using COVID-19 as a cover to trick people into providing their information. Some areas have seen a 600% increase in the number of phishing scams involving COVID-19; attachments, links to websites and other methods are being used to lure victims.
Fraudsters will be able to get their hands on vast amounts of consumer information, which they won't use in the next few weeks. Rather, they'll wait six to 18 months before opening up accounts, taking out financial products and acquiring products from telecommunications carriers.
Since banks and telecommunications carriers are federally regulated, lawmakers need to be aware of these risks. Much of the focus is on the company's responsibility to protect the data entrusted to it. I think, though, the focus should be on accountability and the responsibility companies have in relation to the information they use to deliver services. When a bank's system is hacked and client information is stolen, it calls into question the bank's responsibility, which is protecting that information. No one asks about what will happen to the information once it's collected. There's a huge accountability gap.
I would be happy to answer any questions you have on the subject.
:
I've been alerted to where I was. Thank you. I'm sorry about that. Technology affects us all.
In coordination with our industry partners and the international work of cybersecurity organizations, we have contributed to removing of fraudulent sites, and I talked about the protection of the CERB, the Canadian emergency response benefit.
Cyber-attackers are now looking to exploit teleworking connections because so many people are now working outside of their organization's traditional IT security perimeters. In response, the cyber centre has partnered with the Canadian Internet Registration Authority, or CIRA as you've heard, to create and launch CIRA's Canadian Shield. This is a free DNS firewall service that will provide online privacy and security to Canadians. CIRA has shown tremendous leadership in giving Canadians an option to better protect themselves online, and I thank them for their partnership.
To further protect Canadians, the next important step we've taken is informing Canadians about cybersecurity matters. Through targeted advice and guidance, the cyber centre is helping to protect Canadians' cybersecurity interests. We shared cybersecurity tips on video teleconferencing tools and telework to help inform and educate Canadians about how to stay safe online, particularly while many of us are working from home.
The cyber centre has created a collection of advice and guidance products, many of which are now more relevant than ever. I encourage Canadians to visit our website to learn more about our specific guidelines and best practices that can be applied to protect yourself from cyber threats.
Finally, it is important to note that the Government of Canada has a strong and valuable relationship with our international cyber partners. We regularly share information, which has a significant impact on protecting our respective countries' safety and security. CSE and the cyber centre are working to address cyber threats facing Canadians during these times; however, cybersecurity is everyone's responsibility and will take all of our expertise to protect Canada and Canadians.
Thank you again for the opportunity to appear before you today, and thank you for your patience with technology. I am pleased to answer any questions you may have.
[Translation]
Thank you, Madam Chair.
It is a pleasure to appear before this committee as part of its study on the Canadian response to the COVID-19 pandemic.
Appearing with me today is Sergeant Guy Paul Larocque, who has a leading role in managing the Canadian Anti-Fraud Centre, or CAFC.
[English]
As part of our mandate to protect Canada’s economic integrity, financial crime, including fraud, has long been a federal policing priority for the RCMP. In the face of the COVID-19 pandemic, our work with public and private partners in Canada and around the world in combatting and preventing fraud have only become more important. This shared responsibility speaks to the trust Canadians place in the RCMP to keep them safe and provide an effective and timely response to the COVID-19 pandemic.
As the measures to contain the crisis continue, the strain on Canadians and the institutions that serve the country will only deepen. Criminals will seek to exploit vulnerabilities in the system, as well as in Canadians themselves, as we have unfortunately witnessed. We must be diligent in combatting attempts to victimize the most vulnerable by those who prey on Canadians' fears and uncertainty around the pandemic. To be clear, criminals are actively exploiting fear, uncertainty and doubt around the COVID-19 pandemic. We know this because the CAFC has seen a dramatic increase in reporting on fraud from January to April when compared with the same period last year.
Since March 2020, we have seen almost 1,000 complaints of fraud related to COVID-19. Most of these are phishing attempts, where criminals will seek to gain personal information through emails or text messages pretending to be linked to Canada emergency response benefit claims, or attempts to install malware on victims’ devices. However, the biggest monetary losses stem from the fraudulent sale of goods related to COVID-19, such as masks, testing equipment or miracle cures.
While we've seen a large number of COVID-19-related fraud reports, criminals continue to use traditional scams and frauds to exploit Canadians. These frauds take a terrible toll on Canadians. For example, estimates of fraud against seniors last year were over $700 million. These types of fraud have grown during the pandemic as these heartless criminal groups continue to target human and institutional vulnerabilities. Finally, organized crime groups are attempting to defraud the government and undermine efforts to get financial aid into the hands of those who are genuinely in need of aid. The escalation of fraud activity related to COVID-19, as well as traditional fraud, really shows the ability of criminal groups to adapt to and exploit these circumstances for personal gain.
In direct response to the frauds committed in relation to COVID-19, the RCMP have enhanced intelligence enforcement efforts toward this illegal activity as we recognize, more than ever, that at all levels of policing the RCMP have a significant role to play. To coordinate the RCMP response, in March we began running a program specific to COVID-19-related fraud. Coordination efforts are under way at national headquarters, while intelligence analysis and statistical gathering, as well as outreach, are done by the CAFC. Disruption and enforcement are conducted by members in the divisions, who also have the responsibility of liaising with the police of jurisdiction to further coordinate responses at the local level.
In recognition of the shared responsibility between public and private agencies to combat fraud, the RCMP are working collaboratively with key partners and stakeholders, domestically and internationally, to exchange intelligence and coordinate enforcement efforts as they relate to the pandemic. While the initial focus was on online frauds, this has quickly expanded to cover all fraud and criminality with a nexus to COVID-19 to better ensure public safety.
A crucial component in the fight against fraud is prevention, as these fraudsters and their operations are so pervasive, insidious and profitable that relying on enforcement alone is like pulling weeds. As my grandmother often relayed, an ounce of prevention is worth a pound of cure. Continually enhancing public awareness is a vital tool in the prevention strategy that must continue. As you may recall from our last appearance before the committee, the RCMP have operated the CAFC in partnership with the Competition Bureau of Canada and the Ontario Provincial Police since 2005. This centre has been a leader in prevention initiatives, including being extremely active on a variety of media platforms to communicate with Canadians.
As well as operating the CAFC, the RCMP maintain a federal policing prevention and engagement unit. This unit plays a key role in coordinating meetings with multiple police agencies, Government of Canada agencies, private sector vendors and financial institutions from across Canada.
With that, I will cease. I could probably go on, but there are other people who want to talk.
I look forward to your questions.
[Translation]
Thank you very much.
:
I have changed my mike and headset. Hopefully, that will be better.
Madam Chair, thank you for the opportunity to present yet again. I will start at the beginning, as you've asked, to make sure that the folks who were not able to hear can.
My name is Byron Holland. I'm the president and CEO of the Canadian Internet Registration Authority. Our primary mission is the operation of a safe, stable and secure .ca domain name registry.
We are recognized as a global leader in our space. In fact, many other countries leverage our infrastructure, services and knowledge for their own domain name registries. Our technology is considered best in class among our peers. In short, CIRA is fully equipped to navigate the COVID-19 crisis. We are confident in our ability to protect the integrity of .ca.
To date, we have tracked just over 2,000 .ca domain names with COVID-19-related keywords. For context, we've added more than 200,000 .ca domain names since the beginning of the year. This is aligned with what we are seeing from our peers around the world where COVID-19-related domains make up less than 1% of total registrations. However, it is also important to note that many of these domains are perfectly legitimate, and even positive, such as conquercovid.ca, a campaign to support first responders.
We scrutinize all COVID-19-related domain names carefully to make sure that they comply with our rules, particularly our Canadian presence requirements. We are also working with our global domain name community, including organizations such as the Council of European National Top-Level Domain Registries, to ensure that we are aligned with best global practices.
However, it's important to note that it is not within CIRA's mandate to review or authenticate the content of .ca websites, nor would such authentication be effective, as the Internet and related threats are truly global. While .ca domains are bound by Canadian law, there are thousands of other threats that come in from outside our borders. There are well-established existing tools and processes in place to deal with online fraud and cyber-attacks. If Canadians come across any domain names that they suspect are being used fraudulently or maliciously, they can contact the Canadian Anti-Fraud Centre or as we've heard, the Canadian Centre for Cyber Security. We work closely with both organizations.
When it comes to fraud on the Internet, it's important to remember that hackers love a good crisis. While technical solutions form an important barrier to online fraud, the biggest attack vector is human frailty, which cyber-thieves exploit. Unfortunately, the current pandemic has provided these criminals with an atmosphere of heightened anxiety in which to operate and has simultaneously forced most Canadians to work, learn, teach and socialize from their home networks and personal devices, most of which are not equipped with enterprise-grade security.
It is in this environment that we've launched CIRA Canadian Shield, a free security and privacy solution for all Canadians and their families. We've done this, as you heard, in partnership with the Canadian Centre for Cyber Security. We currently protect more than 50,000 Canadians, with a growing user base. Canadian Shield reflects CIRA's commitment to build a trusted Internet for Canadians, and we look forward to providing the opportunity to protect every Canadian with this free service.
We also help protect Canada's hospitals, schools, universities and municipalities through our enterprise cybersecurity service, CIRA's DNS Firewall. We have more than 1.1 million users, who include students, teachers, doctors, municipal workers and first responders across Canada. We are providing this service free of charge to all Canadian health care facilities and small businesses until September, hopefully when this crisis will be starting to recede.
Finally, the most important factor in protecting Canadians from fraud on the Internet is knowledge. Much like how your parents taught you to look both ways when crossing the street, Canadians need street smarts on the Internet to be able to identify fraud, fake news, misinformation and scams. The best way to do that is through awareness and education.
At CIRA, we have partnered with Beauceron Security, a great New Brunswick success story, to launch CIRA cybersecurity awareness training, a platform that provides education, benchmarking and ongoing testing to ensure employees have the most up-to-date cybersecurity street smarts. We have also launched a free cybersecurity course, Cybersecurity for Remote Workers, to help the thousands of Canadians now working from home to keep themselves and their organizations safe from cyber threats.
Everything I've mentioned so far represents elements of Canada's leadership, innovation and expertise in the area of cybersecurity. However, as Canada and the world enter an era when the Internet is proving to be the lifeboat for the global economy, we believe Canada must do more to be a global leader in cybersecurity. We would encourage the Government of Canada to dedicate more funding to cybersecurity research, solutions and platforms to protect Canadians and ensure the security of our digital economy. Only through investment can we ensure Canadians have the education, tools and platforms to protect themselves and their businesses from online fraud and malware.
There is no silver bullet. The threat landscape is constantly evolving, and our cybersecurity awareness and technology must keep pace. At CIRA, we're eager to help any way we can.
Thank you for your time.
:
Thank you, Madam Chair.
Thank you to all of our witnesses for coming in and providing a lot of helpful information.
I'm going to start with CIRA.
Mr. Holland, you've indicated that roughly 2,000 .ca domains have been registered since the start of COVID-19. Can you share some statistics around the following: How many of them have been registered within Canada? Is it possible to register a domain from outside of Canada, and if so, how many have been registered? Also, with regard to these 2,000, you mentioned that most of them are legit. How many of them have you found to be not legit?
:
Thank you, Madam Chair.
I'd like to start by recognizing Mr. Masse's contribution; he's been making us more aware of the issue for quite some time. Thanks to him, it's on our radar and we are learning more about it. As a member of Parliament, I think it's incumbent upon us to act to better protect our constituents.
I'd like to follow up on Mr. Marchand's comments. One thing he mentioned was that, as people's socio-economic conditions worsen, external attacks become much more frequent. He referred to a 600% increase. What's more, he said information that's stolen isn't used immediately; that tends to happen down the road, within approximately 18 months.
Mr. Marchand, you said there was an accountability gap because the current state of affairs makes it easier to open fraudulent accounts and carry on criminal activity. Can you tell us, in concrete terms, how that's problematic and how companies could be held accountable?
To start, I'll provide some clarity around the 600%. It refers to the increase in the number of attacks involving COVID-19 during this very specific period of time, not necessarily to the increase tied to economic factors. Naturally, during times of economic crisis, the number of scams goes up. The percentages vary.
That said, the lack of accountability in federally regulated companies is problematic in that all the current legislation—think of the Personal Information Protection and Electronic Documents Act, for example—forces companies to disclose that they were hacked and data was compromised. In Canada, however, we don't have an overall sense of how many people fall victim to identity theft once their information is stolen. Since banks and telecommunications carriers are federally regulated, they are making crimes involving one another easier to commit. In other words, much of the credibility for an identity is based on the fact that the individual has a cell phone account or bank account. These companies have tremendous amounts of sensitive information at their disposal, so once a hacker gets in, they can commit more and more fraud.
I have over a decade of experience in prevention, and I work with the fraud prevention teams in those companies. I can tell you that a bank's or telecommunications carrier's prevention team is under no obligation to disclose how many fraudulent accounts were opened daily or annually. They don't even have to contact or identify identity theft victims. That means you may have been the victim of identity theft, that your identity may have been used to open an account with a telecommunications carrier, for instance. The team in charge of fraud was able to detect the fraudulent use of a person's identity and reverse the transaction, but it doesn't have to notify the individual, in other words, the consumer. Consumers are completely clueless. No one has any idea when their identity has been used. The person can't take further steps to protect themselves in the future. That lack of accountability prevents the government from taking clear action to regulate the process of identifying or authenticating people who open bank or cell phone accounts.
:
Thank you, Madam Chair.
I want to thank the witnesses, and you, Madam Chair, and the other committee members, for continuing this work. I appreciate it very much.
One of the things that struck me in the testimony we had, which was excellent, is that we rely on social media, including Facebook, to investigate and promote how to protect ourselves against fraud. However, recently Facebook was found guilty and paid a $9-million fine for misleading Canadians. In fact, it was said that it made “false or misleading claims about the privacy of Canadians' personal information.” Yet, we are spending tens of millions of dollars of government money to advertise on its platform.
I'll start with Mr. Marchand, because he may have a bit of perspective on the United States.
With regard to fraud from companies, Volkswagen had a U.S. settlement of $14.7 billion. In Canada, the Competition Bureau fined it $2.5 million. Equifax had a settlement of $600 million in the United States; Canada had a Competition Bureau fine of zero dollars. Most recently, Facebook had a $5-million fine in the United States, and in Canada, a $9.5-million fine.
I view the Competition Bureau, the Privacy Commissioner and the CRTC as important instruments in protecting Canadians from fraud. It seems that they might be a bit outdated with regard to their powers.
Can you comment as to whether there is a misalignment between our penalties in Canada and those in the United States that perhaps can create a problem for bringing accountability even with fraud by so-called corporate entities?
:
Thank you, Madam Chair.
I'd like to thank all the witnesses for being here today.
With regard to COVID-19, people are obviously taking advantage of the fear and the vulnerability of Canadians at the moment. They're doing whatever they can to take advantage of the situation, as they would under normal circumstances, but this is obviously a new angle that they can use.
Given the fact that we're going to be in this situation for at least several months to a year or a couple of years, what are some of the strategies that you think we can use moving forward in order to prevent such crimes from continuing to happen in the future?
That's a general question for whoever would like to answer it.
:
Thank you for the question.
Perhaps we could look at two tools in the short term. The goal is to provide tools to companies that face these risks. Now that the fraudsters have access to the information, how can we equip banks and telecommunications companies with tools to prevent the fraudsters from successfully attacking them?
The STIR/SHAKEN standards are included in these tools. Of course, in my view, because the Americans will implement these standards quickly, we can expect fraudsters to come north of the border and to take advantage of a gap in Canada's legislation and regulations.
In my opinion, the STIR/SHAKEN standards are an essential tool because fraudsters use scooping to carry out certain types of identity fraud. This isn't just a matter of robocalls, but also a matter of identity theft.
As for the other tool, I think that the rules for identifying customers should be strengthened. Right now, a social insurance number, a driver's licence or a health insurance card is enough to open a bank account or a telephone account. These pieces of identification are outdated. We must start looking at the issue of digital identity and biometric identity.
Several countries have already transitioned to these higher levels of identification. To protect Canadians, we must consider whether some form of more advanced biometric identification should be required to open accounts.
:
Thank you for the question.
While I emphasized the health care sector, given the pandemic, we are actually working with and reaching out to every sector of critical infrastructure in the economy, including universities and the broader education sector as well. We rely on the reports of any sort of malicious cyber-activities. We try to proactively communicate anything that we're seeing from our defence of the government.
One of the things is that we don't watch Canadians. We don't watch what's happening on Canadian networks. We defend the government, and we rely on reporting.
We have certainly reached out to universities. We're providing proactive and tailored advice and guidance so they can take some measures to secure themselves, and we are also hoping to build a partnership where they will call us when they see an event or an incident so that we can work together.
:
Thank you for the question.
Ultimately, I think that education is a good thing. People need to learn about the risks that they face when they're online and when they answer calls. In my opinion, the legislation is inadequate. However, the legislation does partly touch on the protection of data entrusted to a company with which people do business. However, an entire segment of the legislation is completely missing. In this case, the segment concerns the verification of what happens to the identity of the individual once they've made the mistake of providing their personal information or once this information has been stolen from them without their knowledge.
When this identity is used to obtain a credit card, open a bank account, engage in money laundering or anything of that nature, we shouldn't only look at the crime. We should also look at the fact that the crime facilitates global criminal activity on a larger scale, including human trafficking, drug trafficking or terrorist activities. I think that companies must be held accountable for this other aspect. Much stronger legislation must be implemented to protect people once their identity has fallen into the wrong hands.
:
Thank you very much, Madam Chair.
Certainly it's interesting testimony that we've had here today.
Of course, on fraud being investigated, we have certain comments, even from the government, about whether or not they even want to investigate fraud at this particular point in time. I think that probably gives the criminal element an opportunity to jump in here as well, which is kind of frustrating.
I want to go back to something. At the end of March, the Communications Security Establishment noted that it had taken down a number of fraudulent websites that had spoofed the Public Health Agency of Canada, the Canada Revenue Agency and, most recently, the Canada Border Services Agency. We recently heard from General Vance, the country's chief of the defence staff, that he's seen indications that Canada's adversaries intend to exploit the mounting anxiety about the global pandemic.
To the RCMP, I'm wondering what form you believe these attacks will take. Which countries are we talking about, and are we taking steps now to deal with this?
This question is for CSE and the RCMP.
We hear from constituents all the time about scams. The RCMP has tallied up that it costs individuals about $100 million a year overall for these scams, at least those that are reported. I would say they are under-reported, because people are embarrassed when they are taken advantage of. We hear about this all the time, and it's not just from seniors, although I've heard predominantly from seniors.
We've made significant investments in cybersecurity over the last number of years. You are the experts. Are there measures that other countries take that we do not? Are there measures, in your experience and estimation, the government could take to better strengthen our society against such fraud?
MP Gray, you were heading down a path that I was thinking of heading down as well, so maybe I can build on some of your questioning.
To continue with the RCMP, we're fortunate in Guelph to have a former RCMP officer, Gord Cobey, as our chief of police. We work quite closely together. We also have the OPP around Guelph, so we have multijurisdictional police forces who are working together and keeping ties between each other.
My question is in terms of the previous meeting when you were with us, Mr. Slinn, and were mentioning public education and how important it is to exchange information quickly. If you're allowed to share that publicly, how does that actually happen between forces? Is there a way we can improve or help you to improve quick responses, as we've needed to do in other areas in COVID?
:
Thank you, Madam Chair.
One of the things that really got me irritated about the Facebook situation was that they used third party applicants too. In the United States, they settled for $5 billion, and over here, $9 million. That doesn't even cover the Government of Canada's advertising costs. We're actually going to try to do that by having advertisements on fraud, this by a party that really has misled Canadians. I think that's inappropriate messaging. I suppose we have very few tools for that.
I'm going to follow with Mr. Marchand. With regard to STIR/SHAKEN, I understand the testimony from the companies, but it wasn't very compelling that we shouldn't do it anyway because there will be some net benefits even if not everybody has STIR/SHAKEN right away. Also, you could screen your phone calls coming in that way. You could have choices as a consumer and be empowered. You could choose to not even take a call if it wasn't being screened through STIR/SHAKEN. You'd have more control.
Are there other things we can do? I don't mind if you shoot these ideas down. It won't hurt my feelings. Should we be doing something more robust with a Crime Stoppers approach? Should we be doing something with direct mail, because we can control the messaging directly to Canadians through the postal system? Should we be looking at a royal commission?
The more we spend on preventing fraud, the more money we also take away from other crime. We seem to be missing a link in this country to take it to the next level.
With that, we are at the end of the third round of questions.
I'd like to thank everyone for being here today. Thank you so much for your testimony.
[Translation]
Thank you for your patience with the technology.
[English]
Thank you to our IT team, translators, clerk and our analysts.
Our next meeting will be tomorrow. Stay tuned.
The meeting is adjourned.