Information & Ethics Committee on May 8th, 2007

Yes, it's possible that it's much larger.

Could I ask the director general of investigations, who has worked in this area with the RCMP, to give you his opinion of what's really happening out there?

You're right; it is much larger, and the problem we're having in being able to get proper statistics is the fact, as Lisa said, that there's no law in Canada against identity theft. So it's very difficult, because identity theft being used for approximately 12 to 40 different offences renders it difficult to put together some statistics. If they're used for forgery, is it because of identity theft or not? That's why it's difficult.

However, going back to what you're saying about the United States, I think in February the data clearing house stated that there were 104 million records. The total number of records that were compromised in the U.S. between January 2005 and February 2007 was 104 million. So that will give you an idea. It was 586 publicized breaches, and we have had some breaches here in Canada. Obviously we've all heard it in the news. Our offices, I think, have been notified of close to 100 cases in the last four or five years, and every one has the potential for identity theft.

Can I ask Lisa Campbell to speak to that? Yes, there are issues of Criminal Code drafting and the issue of intent, particularly.

Thanks very much. You raise a good point.

There are two things we would point out with this bill and with any legislation that you put in the Criminal Code. First, you need to prove criminal mens rea with every criminal offence, which is to say criminal intent. That's an essential element of every offence.

Second, there is prosecutorial discretion. There are many offences in the Criminal Code—I think Mr. Martin mentioned one of them—in which crown prosecutors have discretion whether or not to lay a charge and they work with the police to do that. The issues you've raised are why we're recommending a range of measures: public education; some regulations, which our office is already involved in enforcing with PIPEDA and the Privacy Act, and higher standards for organizations; and then civil remedies, which are probably what you would use the most, reserving Criminal Code offences as a necessary but probably rarer last resort.

Does that respond to your question?

Yes, you're absolutely right. Mr. Watson can talk to us about some of his experiences in cross-border fraud. This is one of the reasons I'm active in the OECD on cross-border enforcement of personal information protection rules. I don't think we need to think of going to an international court yet, but if we have rules that are recognized in other jurisdictions that have similar legislation to ours and we can probably help each other through either foreign courts or our own, I think that would go a long way.

Can I ask Mr. Watson?

The problem is definitely international in scope. The problem we have right now is that I think we're the only G8 country that does not have a law against identity theft. If we're going to have any credibility in the world, if we are going to be a world leader to try to tackle this problem, we're going to have to have a law to start with.

I think a lot of ID theft is perpetrated by organized crime, and it goes around the planet in seconds sometimes. We need cooperation so law enforcement or any regulatory organization can tackle it. We need to have the necessary legislation to be able to work cross-border. Perhaps we could do the same thing as we have with money laundering. I think the way we're working at it is a success across the planet, and I think identity theft is another issue we should look at it in the same manner as money laundering.

Can I refer that to our technological specialist, Mr. Chairman?

Thank you.

The major problem that seems to crop up in any discussion of national identity cards is proving the identity initially. For example, when you go to get a passport you produce a birth certificate, a driver's licence, a health card, what we refer to as foundational documents. These can be forged, and unless you have some very high degree of confidence that the individual who is presenting these documents has proof of identity—

I'll get to that. Unless you have a very high degree of assurance that the individual presenting the credentials is entitled to do that, what you end up doing is issuing a very secure document obtained under false pretences.

In terms of RFID, there are efforts in several countries to embed these in various forms of identity documents—driver's licences, health cards, etc., the notion being that it will make the particular transaction that the card is designed for quicker, more efficient. For example, you don't need to swipe the passport. You just need to wave it by the reader. The problem with that is that until fairly recently that communication was not protected in any way. So anybody who had access to the radio frequency spectrum could read that information.

Is your question whether FINTRAC could coordinate with the Department of Justice?

First of all, I think it's up to the Government of Canada to decide how best it should deal with this. But I would say that it's a natural role for the Department of Justice. This is a law legitimacy issue. But there are many agencies, ranging from FINTRAC on one hand, to the RCMP, to the Competition Bureau, to Industry Canada, that doubtless have a wealth of knowledge about the different forms of circulation of information and information technology and so on.

I don't know if that answers your question.

Well, I think this should be considered carefully. I don't know if it is. I would think that in order to consider it, the Department of Justice should look at this and ask what the structure is. Is it a permanent or a temporary structure? How do we set it up? How do we set it up within the Government of Canada, and then how do we cooperate with the provinces? The municipalities may have a role. The private sector has a huge role if you think of the banking and financial interests, plus internationally. There is also Industry Canada, which originated PIPEDA, so Industry Canada is another possible leader in this field.

The U.S. has the Federal Trade Commission, which enforces consumer protection laws. They don't have a national privacy act, and one of the things that hamper their fight against ID theft is that there are no national standards for personal information protection. But they do have a very efficient agency, the Federal Trade Commission, that has set up a clearing house for ID theft. I think it has been quite successful in gathering statistics and, to some extent, in educating the public and prosecuting, but not completely, which is why the President called for a special report on it.