Information & Ethics Committee on April 1st, 2014

Thank you very much.

Mr. Chair and committee members, thank you for the invitation to appear before you. We are pleased to contribute to your efforts to gain a better understanding of identity theft in Canada.

My name is Lu Fernandes. I am the director general of the passport program integrity branch at Citizenship and Immigration Canada. I'm accompanied today by Peter Bulatovic, director of the investigations division of the passport program integrity branch.

With more than 5 million applications a year and approximately 23 million valid Canadian travel documents in circulation, our passport is truly one of the most recognizable symbols of Canadian citizenship around the world. We share the concern that these documents should only be issued to Canadian citizens who are entitled to hold them.

By way of background, I should note that effective July 2, 2013, the Minister of Citizenship and Immigration Canada assumed overall accountability for the Passport Program. This includes issuing, refusing to issue, revoking, withholding, recovering, and providing instructions on the use of Canadian passports. The minister is also responsible for providing guidance to missions issuing passports abroad and supervising all matters relating to Canadian travel documents.

On that date, the delivery of the domestic services under the Passport Program came under the responsibility of the Minister of Employment and Social Development Canada, while the Department of Foreign Affairs, Trade and Development continues to provide passport services to Canadians abroad.

This move to CIC places the passport issuance at the end point in the continuum of services provided by a department that facilitates access to those who wish to visit, study, work, immigrate, and ultimately become Canadian citizens. It also places the domestic delivery of these services in the hands of the government's service delivery arm, Service Canada.

As we continue to modernize the Passport Program, these changes also provide opportunities to take advantage of existing technology investments, such as the CIC Global Case Management System, and leverage the extensive network of Service Canada offices across the country.

I would now like to spend few minutes speaking about the direct responsibilities of the Passport Program.

July 1, 2013, marked the launch of our electronic passport, or ePassport, as well as the inauguration of Canadians having the choice to apply for a five-year or ten-year validity passport. The new ePassport meets the latest international norms set out by the International Civil Aviation Organization, which represents the gold standard for travel documents.

The electronic chip embedded in the ePassport adds an additional layer of security to guard against identity theft. The chip stores the information found on page 2 of the passport, including the bearer's photo, providing border control personnel with an additional tool to validate the passport holder's identity. By accessing the information on the chip and comparing it with the information on page 2 of the book, a border agent can ensure that the information or photo has not been modified.

The design of the visa pages in the ePassport provides another layer of security, making the book more difficult to counterfeit. The pages are made up of unique pairs of vignettes that depict recognizable themes, places, and persons in Canada's history. The different images on each page, along with a variety of visible and invisible security features, make it very difficult and extremely expensive for counterfeiters to reproduce a book or substitute a page.

The Passport Program's commitments to protecting the security and integrity of Canadians travel documents is crucial to maintaining their international acceptance and facilitating extensive visa-free travel for Canadians worldwide.

Supporting the integrity of the documents themselves is the Passport Program's strict regime for determining identity, eligibility and entitlement to a passport. First-time passport applicants 16 years of age and over are required to submit an application form along with authenticated photos, proof of Canadian citizenship, supporting identity documents and a guarantor declaration.

Individuals who are already in possession of a Canadian passport can use the simplified renewal process. This involves a shorter application form and requires the applicant to submit their previous passport and new photos. Proof of citizenship, supporting identification, and guarantor support are not required as the passport program already has this information on file.

Before a passport is issued, various processes are applied to authenticate identity. The passport program uses a combination of trained officers and technology to verify applicant identity.

At the time of application, personal information, photos, and signatures are manually compared with information provided in previous passport applications, documentary evidence of citizenship, and supporting identity documents.

Facial recognition software is used to compare photos of every applicant against the database of all passport holders to counter attempts at identity fraud.

Other automated verifications include comparison of personal information with the program's central database and against the program's watch-list.

Where the applicant's identity is in question, additional verifications may be completed, such as guarantor, reference, and occupation verifications, validation of citizenship and identity documents, or Canadian Police Information Centre, CPIC, queries. In fact, there is a daily electronic exchange with Correctional Service Canada to obtain details about federal offenders.

The Passport Program works closely with other government departments, law enforcement and intelligence partners for the refusal and revocation of Canadian passports when necessary.

For example, travel documents are canceled for persons who are incarcerated or have other mobility restrictions. An individual who is charged or convicted of a serious offence, or who owes child support can have his or her passport revoked and can be refused passport services.

The passport program also has the capacity, within the passport program integrity branch, to conduct administrative investigations to determine ongoing entitlement to a passport or entitlement to future passport services.

Individuals who have been refused a passport or whose passport has been revoked may challenge the decision taken by this program through judicial review before the Federal Court.

The passport program continuously reviews its policies and procedures to ensure they meet evolving standards and program integrity requirements. We are committed to leveraging technology and working with other government departments, provincial vital statistics agencies, international partners, and law enforcement agencies to counter attacks against the passport program and limit any opportunities for identity theft and fraud.

Of course, Canadians must do their part in guarding against identity theft by keeping their travel and other important documents safe and by protecting against unnecessary disclosure of personal information.

I hope that these remarks have given you some insights into the Passport Program identity authentication and fraud prevention activities.

We would now be pleased to take your questions.

Thank you.

Thank you, Chair.

Thank you for the invitation to speak to you today regarding identity theft.

As you mentioned, I'm the director general of the office of consumer affairs, which is a part of the strategic policy sector at Industry Canada.

I would like to discuss a number of the activities and initiatives that the department is involved in with a view to protecting consumers in regard to identity theft.

I will begin my remarks by touching upon the Personal Information Protection and Electronic Documents Act, and describing how this law helps to protect Canadians from identity theft. Secondly, I'd like to briefly discuss certain elements of Canada's anti-spam legislation, a law for which a number of federal actors are responsible. Finally, I'll touch briefly on certain information initiatives with which my office has been involved, including initiatives to help with public awareness in connection with the implementation of the anti-spam legislation.

First, I'd like to turn to the Personal Information Protection and Electronic Documents Act, or PIPEDA, as we call it. This law sets rules for the collection, use, and disclosure of personal information by private sector organizations, such as banks or phone companies, in the course of commercial activity. While the Minister of Industry is responsible for the law, it's the Privacy Commissioner of Canada, operating at arm's-length, who is responsible for enforcing and administering the act. As such, I would defer to the Privacy Commissioner for any issues respecting application of the law. That said, I will take a few moments to provide a brief overview of the act and how its requirements help to address identity theft.

The rules are based on 10 international and recognized principles for how organizations should best manage the personal information of their clients and customers. Many of these rules help protect consumers against threats like identity theft.

For example, the act requires that organizations only collect the information they need and retain it only for as long as necessary, to make sure that they are not maintaining databases of personal information that are not necessary and that would be vulnerable to loss or theft.

The act also requires that organizations put in place appropriate security safeguards to protect the personal information they hold against unauthorized access, loss, or theft. Such security measures, including the use of passwords or encryption of consumer data, help prevent the loss of personal information that is being used in identity theft.

In response to the first parliamentary review of PIPEDA, the government has committed to amending the act to create a new requirement for organizations to notify individuals if their personal information has been involved in a potentially harmful data breach. These amendments would ensure that consumers are informed when their personal information has been lost or stolen and would give them the information they need to protect themselves against identity theft, fraud, financial loss, or other forms of harm. The government remains committed to making these amendments, along with other changes recommended by Parliament in the first review.

I will now turn briefly to Canada's anti-spam law.

The law prohibits sending commercial electronic messages without consent. It also prohibits the installation of software on an other person's computer without consent. Together, these new prohibitions address nuisance spam messages.

Major concerns that the new law is intended to address include phishing messages, which are designed to lure recipients to counterfeit websites and trick them into revealing personal information, such as usernames, passwords, and account information; malware, which involves the installation of software on a person's computer, smart phone, or other digital device without their knowledge or consent—these types of spyware and viruses can secretly collect personal information that is then used in identity theft activities—and finally traffic rerouting, which involves secretly redirecting a person's online searches to a malicious destination where attackers can collect personal information for the purposes of carrying out identity thefts.

Most of the act will come into force on July 1 this year. Once the law is in force, it will help to protect Canadians while ensuring that businesses can continue to compete in the global marketplace. On January 15 of next year, sections of Canada's anti-spam legislation related to the unsolicited installation of computer programs or software will come into force. And then, the act's private right of action provisions will come into force on July 1, 2017. CASL will be enforced by the Canadian Radio-television and Telecommunications Commission or CRTC, the Competition Bureau, and the Office of the Privacy Commissioner.

The CRTC will enforce the law in respect to violations related to sending commercial electronic messages, altering transmission data, and installing computer programs without consent.

The Competition Bureau will investigate and take action against false and misleading representations and deceptive marketing practices.

The OPC will investigate the collection of personal information through illegal access to computer systems and electronic address harvesting.

I should note that a key element of the government's approach is preventing problems from occurring in the first place, and a key way to do that is to ensure that Canadians understand how to protect themselves. With this in mind, the government has set up a website, called www.fightspam.gc.ca, or www.combattrelepourriel.gc.ca.

In English it is www.fightspam.gc.ca.

The website includes information about the law itself and provides a number of information resources to Canadians. The website will also serve as the online home for the spam reporting centre, through which Canadians will be able to report on commercial electronic messages that have been sent without consent and commercial electronic messages with false or misleading content.

I would note, in addition, that a web-based advertising campaign has begun that will inform Canadians about the July 1 coming into force, and invite them to visit www.fightspam.gc.ca. You will find the introduction page from that website in your folders, as well as an image of the “Mobile Protection Tool Box.”

My own branch, the office of consumer affairs, has been involved in preparing communications efforts in respect of CASL. You will note in your packages, in your information kits, a series of infographics. The first, Worried it's SPAM? 5 Things to Look for, is geared to consumers to provide them with the basic information they need to avoid being taken in by fraud artists. It does so by setting out a number of common techniques used by spammers to obtain consumers' personal information. The infographic was printed and has been distributed to a large number of stakeholders, including other federal departments, provincial governments, with which we work quite closely on the consumer side, and community organizations.

The next three infographics in the kit, Does Canada's New Anti-Spam Law Apply?, 4 Tips for Contacting Clients Electronically, and 3 Things to Think About When Sending Messages,were created to help small and medium-sized enterprises know the basic requirements of the legislation and avoid being mistaken for spammers. These infographics, along with Worried it's Spam?, the one I just referred to, have been posted on the fightspam.gc.ca website and shared via the Industry Canada Twitter account.

Finally, an additional item in your packages is called the I.D. theft checklist.

In English, it is Identity Theft: A Checklist.

The list was prepared in collaboration with provincial and territorial officials and was distributed widely in recent years.

In conclusion, as I have noted, the government has taken a number of legislative measures aimed at protecting Canadians from identity theft. At the same time, an important part of the puzzle is awareness and education to ensure that Canadians have the right information they need to protect themselves.

Thank you, Mr. Chair.

Thank you for the question.

As the person responsible for the passport program integrity branch, I am not able to answer the question you referred to. I am not certain if that's passport related or is with Citizenship and Immigration Canada.

With all due respect, I cannot answer any more questions that have to do directly with the loss of data.

I can speak specifically to the passport program and passport program integrity.

In terms of responding to losses of data, it would be the regular processes and policies that would be in place to inform the Privacy Commissioner's office and/or the individual, depending on the situation.

Again, I am responsible for the integrity of the passport program itself and the security of the document and the security of the issuance and entitlement process.

With respect, Parliament has already done a review of the act and has delivered its views, and the government will be responding to those shortly. I think we need to get that process of reform under our belts before we look at new threats or new problems or new issues with respect to identity theft.

It is a very fast-moving area, and it is difficult to keep up sometimes with a phenomenon that literally.... This is a problem one gets generally with fraud issues more broadly; that there is constant innovation going on to try to find new ways to compromise people's identity and to use it for ill gain.

Right now, I think what we would like to do is get this next phase of the work completed and then address what the future issues would be that both Parliament and the government think are important.

I could list off, and I'm sure you could as well, a number of potential problems that are emerging. One of the problems with this area is needing to allow a certain amount time whereby we can see how these things settle out and determine the longer-term structural problems we need to address when faced with a highly innovative and constantly changing environment like this.

So as I said, right now I think the key priority is to get on with the government's own intentions to reform the act and to provide Canadians with more opportunities in that context to protect themselves.

No, I simply meant to say that the government is on the record to say that it will be reviewing the act in due course, and that date is yet to be determined. But the government is on record to say that it is intending to amend it.

Thank you.

I'm very pleased to say that among our equivalent five nations or partners, as we call them—these would include the United States, the United Kingdom, New Zealand, Australia, and ourselves—we are in the range of where those organizations are with regard to the document itself. We have a very secure document, in the world rankings, and it's an excellent book as far as the security of the document itself goes. It allows Canadians access to approximately 140 countries visa-free.

That's because of the document, but also because of the entitlement process and how we ensure that there is security in the identification of the individual and in the entitlement decision that is made to give somebody a Canadian passport. The proof really speaks in the visa-free status to so many countries around the world that Canadians have access to.

Certainly, I'd be happy to.

The ePassport is an increased and enhanced level of security in the book itself, with the chip that is embedded in the back cover. The chip includes the information that is found on page 2 of the book, including the photograph.

So biographic information and the photograph are stored inside the chip. The additional security that this provides for border agents is that they can access the chip, take a look at the information, and ensure that it is in fact exactly what you would expect to see in the book on the second page. With the individual standing there in front of them, they have a third point of reference: the individual, the photo, and the photo on the chip. That would provide the additional levels of security. That's what the e-chip is about.

As to the book itself, if you don't have a new ePassport yet, your current book has on the visa pages a number of maple leaves in sequence through every single page. The new book has vignettes on every single double set of pages.

If I may have your indulgence for a second, you can see, where I am pointing, the ultraviolet features on the pages themselves. Every single page has embedded visible and invisible security features that provide additional layers of security that you won't find in the types of security features that are in the current book.

The lost—and/or stolen, in many situations—replacement process is quite different from the credit card process. We have about 66,000 lost and stolen passports reported to us annually. Canadians domestically and around the world report lost or stolen passports. Often, it's that individuals have forgotten where they put them, have just misplaced them, or in a move have no idea which box they might be in, and they report them as lost.

Once that information reaches us in the passport program integrity branch, we automatically and immediately cancel the book. We also then, within a 24-hour period, notify our partners that the book has been declared lost or stolen and has been cancelled in our system.

We advise the CBSA daily of that information. We also advise the Canadian Police Information Centre, CPIC, which is managed by the RCMP so that all police organizations have access to that information. On a daily basis it's updated. It's subsequently updated from CPIC to Interpol, and that's through the RCMP linkage with Interpol. So around the world that information is passed along into the Interpol database.

This all happens immediately, within a day. As a result, when an individual misplaces a book and says, “I can't find my book, I must have lost it” and then comes back to us and says, “Sorry, I found it”, we advise them very clearly that they cannot use the book, because while we might be able to change the status of the book as being in the hands of the holder, all of our partners have already been informed that the book has been cancelled.

So they cannot use that book, or they will risk, if they do use it, being stopped at a border. Then they have to come back in and do a whole application for a new book.

Thank you.