Thank you very much, Mr. Chairman. I will do that.
I have two staff members, Valerie Akujobi and Johanne Séguin, who have prepared the overview.
Lisa Campbell is the assistant general counsel. She has worked as a criminal defence lawyer and has quite a background in criminal law. We thought that would be useful for the members because of the implications of modifications and applications of the Criminal Code.
Carman Baggaley has an extensive background in communications policy throughout the government, from different points of view.
Wayne Watson joined our staff last year. We're very happy to have him. In his previous incarnation, as they say, he was assistant chief superintendent in charge of white collar crime at the RCMP. I think he could answer your questions in a depth that I wouldn't be able to.
Steve Johnston, our chief technology and security adviser, is an engineer and has an extensive background working for the Canadian government in communications and security. He can answer all your technical questions.
As an introduction to the session then, we're obviously talking about privacy and identity theft here.
I think it's appropriate to start by reminding ourselves that identity theft is one of the very serious privacy offences. These days, individuals must have control over their identity and over all the aspects that constitute it. That is central to their ability to participate in a democratic society and to enjoy government, financial and community services.
So as Privacy Commissioner, I consider identity theft one of the very serious invasions of privacy.
It has been said that identity theft is the ultimate privacy transgression. Unfortunately more and more Canadians and people worldwide are subjected to this privacy violation.
One of the things you'll see in our paper is that identity theft is hard to define. There's no one clear definition. I think that's one of the challenges we have when trying to come to grips with it. It certainly seems to cover the phenomenon of fraud. It covers the act of taking information from someone without their consent; but of course taking information from someone without their consent is not necessarily a criminal violation. It may be a violation of PIPEDA; however, as I understand it, until you do something with it, the law does not apply. So this is one of the challenges we have in trying to control it. The issue of intent and the issue of use are integral parts of identity theft.
With a definition that is flexible, there isn't a reliable series of statistics. We can give you various statistics. There are American, Canadian, and European statistics. We've given you here Canadian statistics for the year 2006. They're pretty impressive if you consider that $6 million of losses were reported to PhoneBusters, which is a police network run primarily by the Ontario police, the OPP.
ID thieves obtain information in many ways. I would refer you to the excellent paper that CPIC did. I think CPIC is appearing before you concerning all the ways ingenious wrongdoers can obtain your personal information. We've broken those down into three here: physical, technological, and what's called social engineering. These are the main ways in which information is obtained. Theft of your ID, theft of documents--this includes the usual phenomenon of stolen laptops, which happens throughout the public and private sector.
Unfortunately, in physical theft there is an increasingly recognized phenomenon of employee theft, insider theft, using people called moles. In French, they are called les taupes. These are people who, either for personal reasons or for financial reasons—because they're paid—pass inside information to outsiders. This is not a new phenomenon, but it seems to be accentuated, and both of the data spills that we're currently investigating—and Mr. Watson can talk to those—seem to have been precipitated by different kinds of insider wrongdoing.
In that group, too, I would put what's known as dumpster diving. This involves companies that don't shred or dispose of their personal information appropriately, and then people with a lot of initiative go through the dumpsters. I remember last year my fellow commissioner, Commissioner Frank Work of Alberta, was so exasperated by what reporters were finding in the dumpsters in Edmonton that he said the next person he was going to hire for his staff was a dumpster diver to police the dumpsters of the city, to make sure they got all the personal information before the ID thieves did.
With regard to technology, hacking into databases is increasing. Then there's the whole issue of spyware and malware—which Mr. Johnston can talk about—often carried by spam.
Finally, there is social engineering. That is something, unfortunately, with which I have some direct experience. This is passing oneself off as the real customer in order to get the customer's confidential information, for example, phone records kept with the telephone companies.
Bogus contests encourage people, and perhaps part of our population increasingly finds it difficult to distinguish the real contests from the bogus contests. I'm thinking about seniors. I'm thinking about people who perhaps are not following developments on the Internet for various reasons, and they can fall prey to this.
In our submission to you, Mr. Chairman, we are taking the position that this problem requires not only a global approach but also strong centralized, coordinated leadership to try to be effective in combating ID theft. We refer you to the American approach—and you have the conclusions of the presidential committee that was struck last year at the request of President Bush. It just brought down its report about two or three weeks ago. We have given you a copy of the conclusions of that report in your binder.
We'd also draw to your attention the Federal Trade Commission's identity theft data clearing house, which is a central place to report the phenomenon of identity theft, in order to understand its contours and its functioning a bit better.
What is the role of the Personal Information Protection and Electronic Documents Act, and is it adequate to counter identity theft?
PIPEDA is not a tool that, alone, enables us to combat this phenomenon. However, since it came into force six years ago, it has raised the standards of industry and commerce in Canada. In particular, it imposes restrictions on information gathering. The safeguard principle permits the secure and confidential holding of personal information. It also makes it possible to limit the time during which information may be kept, as well as the number of persons who have access to it.
In your recent report, you referred to notification of data breach. You also mentioned the extent to which such a standard was essential in the act. In cooperation with the industry, we are currently developing guidelines, pending amendments to the act.
Last fall, we established guidelines on what we call authentication. These are standards whose purpose is to enable us to allow a person to certify who he or she really is. For example, when we call the telephone company to obtain information on telephone calls, we have to prove to the company who we are. There are various types of authentication. Mr. Johnston can tell you about the standards suggested in the guidelines.
We also conducted an investigation into a number of complaints that were brought to our attention. Those investigations, I believe, have helped raise standards, particularly in the banking industry. Among other things, I'm talking about practices of sending unsolicited credit cards bearing the names of people. I believe that is a practice that disappeared a few years ago. We're also trying to investigate the practice of sending cheques accompanied by an offer of credit, if they are used, without people having requested them.
What are some of the legal sanctions that we could think of? Personally, I think we have to look at a range of measures. I don't think it's just an issue of the Criminal Code. As you know, our law administrators hesitate to use the Criminal Code: the standards of proof are higher, and the charter may apply, and so very often you have to have a fairly clear-cut case to use the Criminal Code.
That's why I think we should look at civil sanctions that are very easy to prove and easy for citizens, for example, to take to small claims courts, which may provide a more easily accessible deterrent to the growing industry of ID theft. This means, of course, that I think the federal government has to work closely with the provinces, because a lot of what happens in terms of ID theft falls within provincial jurisdiction. I think we've all heard about people in various provinces across Canada who have had their houses sold out from underneath them. This is something that basically falls within provincial jurisdiction—and I know you're going to hear from the provincial commissioners on this.
Pretexting is one of the most important ways that personal information is obtained, and it points to the fact that we need to know more about the ID theft industry: how does this work, who's making a profit from it, what is the network, who is helping it, and who is creating the demand for this illicitly obtained personal information?
My colleague the U.K. commissioner brought out a shocking report, quite frankly, on the personal information industry in the United Kingdom. We don't think those exact phenomena are in Canada, but I think the report is well worth reading. He has called for criminal sanctions and has, I think, successfully sued some of those who are in the industry of obtaining illegal personal information.
More recently here in Canada, there was a consumer report this winter on a Radio-Canada program called La Facture, documenting how in Canada's own financial industry there are moles working who are willing to sell information to a reporter posing as somebody in the personal information industry. We're following up on that, of course.
Not only is identity theft carried out in person, it's also increasingly carried out online. Some of the most common threats to your ID online include phishing. You have all received fake letters—and these are getting better and better—purporting to be from, or looking like they are from, your local bank and asking that you check your account numbers, and so on, because there has been a “problem”. These are getting more and more realistic, and again, I think there is a whole group of Canadians who are very vulnerable to them. And for all of us, it's getting harder and harder to distinguish the real from the false.
There is something called botnets. These are networks of computers that have been turned into robots at the service of a mastermind behind a criminal racket.
Trojans and worms are implanted in our computers to make them do things we can only guess at, and don't know, but which are in aid of more ID theft and fraud.
And then there is the phenomenon among young people of what one expert has called—and this is not my term—cyber exhibitionism, the latest form of socializing online at Facebook and MySpace, and so on. This means that increasing numbers of young people have all of their personal information spread over networks.
This has direct implications too for the Government of Canada, as we move to providing more and more services online through Service Canada, not just income tax but also our pensions, our queries, our veterans pensions, and so on. The threat of receiving false messages and having this network infected, I think, is rising.
You may have noticed in January, I think, there was a false message from the “Canada Revenue Agency”, or a false “Canada Revenue Agency” message, asking citizens to communicate with that agency. This was a fake message, but it looked remarkably like the real ones coming from Revenue Canada.
This could threaten online banking, and an increasing number of people do online banking.
So what can we do to prevent it? What is my office doing to prevent this?
Here we go not only to our investigation of complaints, but increasingly to public education. This committee has often stressed the importance of our role in public education. And you can see that we have a whole series of specialized brochures, fact sheets, and so on, that are reproduced for you in the binder. That's the information available to the public on our website.
We participated with the RCMP and the Competition Bureau in March—fraud prevention month—as well as with more than 20 other partners in a joint public education campaign. We stress the growing importance of encryption of personal information passing over the Internet. I was happy to see that you called for information destruction in your report on PIPEDA. That is implicitly part of the act, but I agree with you that we should make it more explicit, as too much information is just thrown away where enterprising people can find it.
To conclude, Mr. Chairman, I think we need clear leadership, the type of leadership that I'm sure this kind of committee could define. There's a federal-provincial task force on this to focus our ideas. They're setting up a clearing house with all jurisdictions. What is important is to get all the players together. It's not only the federal government; the provincial governments are extremely important. The police, federal and provincial, play a very important role. Those who prosecute—or can't prosecute, for lack of the tools—the people perpetrating ID theft have to be involved in this too.
I think we have to have the will to define and document this problem, and to find not just one magic bullet but the range of weapons, if I can use that terminology, in all the various areas—I've put some of them down there—including the international area. We are being preyed on by folks across the border. Canada, as I have already pointed out to you, is the home, for example, of malicious spam that attacks people worldwide. So we have to cooperate with our neighbours and our trading partners on that.
Those, Mr. Chairman and honourable members, are the highlights of our presentation. I've brought all of these experts along to help me answer the questions you may have.