Evidence of meeting #47 for Access to Information, Privacy and Ethics in the 39th Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.)

A recording is available from Parliament.

Also speaking

Philippa Lawson  Executive Director, Canadian Internet Policy and Public Interest Clinic
John Lawford  Counsel, Canadian Consumer Initiative

9:05 a.m.

Liberal

The Chair Liberal Tom Wappel

Good morning. I will call the 47th meeting of our committee to order, please.

Committee members, I just want to advise you that your steering committee met late yesterday afternoon to discuss the work plan with respect to the motion that was passed on Thursday and one other matter. I want to let you know that the steering committee report will come to you for discussion and approval or not on Thursday morning as the first item of business.

We are going to try to set up some witnesses, and hopefully they'll be available and ready to go should the steering committee report be accepted. If not, then I'll excuse them, of course. But I just don't want to lose a day if I can avoid it.

So that's how we're going to proceed.

Today we're continuing our study on identity theft, and we have people who we've seen before on other issues.

Welcome.

We have Mr. John Lawford, counsel to the Canadian Consumer Initiative. And we have the executive director of the Canadian Internet Policy and Public Interest Clinic, Philippa Lawson, and along with her is Mr. Mark Hecht.

I take it that there will be two opening statements, will there? Yes, okay.

We'll go with Ms. Lawson first and then Mr. Lawford, and then we'll go with the questioning.

9:05 a.m.

Philippa Lawson Executive Director, Canadian Internet Policy and Public Interest Clinic

Thank you, Mr. Chair.

Bonjour. Good morning, honourable members.

I will speak in English this morning.

Thank you very much for the opportunity to speak today about a very serious problem that is directly affecting an increasing number of Canadians and indirectly affecting all of us.

My name is Philippa Lawson. I'm director of CIPPIC, the Canadian Internet Policy and Public Interest Clinic at the University of Ottawa. It was my pleasure to testify before you back in December on PIPEDA, the Personal Information Protection and Electronic Documents Act.

With me today is Mark Hecht, who is a professor of law and CIPPIC's lead researcher on this identity theft project.

We've submitted a written brief to the clerk, which I understand will be translated and distributed to you.

CIPPIC is part of a multi-institution research project on identity theft that's funded by ORNEC, the Ontario Research Network for Electronic Commerce, a public-private partnership, including four major Canadian banks and four Ontario universities. A number of researchers at these universities have been looking into various issues involving the definition and measurement of ID theft, management approaches, and technical solutions to the problem.

We at CIPPIC and at the University of Ottawa are looking at legal and policy approaches to identity theft, and we've been engaged in a big comparative review of what other jurisdictions are doing in this area and where the Canadian law is at.

We've published a series of working papers on identity theft, on various aspects of the problem, most of which are posted on our website—www.cippic.ca—and a couple more will be published shortly.

As you know, we've published a white paper on security breach notification, and we were very gratified to see your recommendations on that in your recent report on PIPEDA.

We've also posted a web page on identity theft, with frequently asked questions and resources for the public.

Our intention, after further research and analysis this summer and fall, is to issue a white paper, with a broad set of recommendations for law and policy reform. And we intend to do that by the end of the year.

You've pre-empted us with these hearings, so we're making some recommendations now, but we will be making more detailed ones later, including in the criminal law area, which I understand you're not looking into in these hearings.

I understand I have about 10 minutes. Do I have less? Okay, great.

9:05 a.m.

Liberal

The Chair Liberal Tom Wappel

You now have less, of course.

9:05 a.m.

Executive Director, Canadian Internet Policy and Public Interest Clinic

Philippa Lawson

The term “identity theft” is somewhat misleading, insofar as the activity we're talking about covers not just the unauthorized collection or theft of information but the fraudulent use of it. You will find that many experts talk about identity fraud when they're talking about unauthorized use. It really is a two-stage crime. It involves both the unauthorized collection and the fraudulent use. We're using the term “identity theft” broadly as it is commonly used to refer to both stages here.

Identity thieves use a number of techniques to gather personal information. There are relatively unsophisticated methods such as dumpster diving, mail theft, bribing insiders of corporations, and pretexting, which is posing as someone who's authorized to obtain the information in order to get it. There are also much more sophisticated techniques such as skimming, “phishing”, “pharming”, keystroke logging, and hacking into large databases.

A single individual may be victimized many times before he or she knows it. Indeed, victims of identity theft are often unaware of it until they apply for credit from a lending institution and are refused or start getting calls from a debt collection agency. By that time their credit rating has been destroyed and they will likely experience great difficulty restoring it. The victims experience a myriad of difficulties restoring their reputations and recovering the losses suffered, often as a result of no negligence on their part.

I know you're interested in trends. One trend worth pointing out is the use by identity thieves of the Internet to gather and trade in stolen information. It's very easy to find websites right now offering credit card data for sale. Hard drives with personal information on them are being sold on eBay, for example. The Internet, as I'm sure you know, is also used to fool unsuspecting consumers into handing over their account information using techniques such as phishing and pharming. I can explain those later if you're interested.

Unfortunately there are few reliable statistics on identity theft in Canada. PhoneBusters publishes stats based on complaints it receives, but these represent only a fraction of the problem. There are some public opinion surveys that provide insight into the problem, but again it's not complete. We have little else to go on.

Our first recommendation is that we need a national strategy for gathering reliable, reasonably comprehensive data on the incidence, types, and costs of identity theft in Canada.

On identity theft prevention, our research suggests that identity thieves are benefiting as much if not more from unnecessary collection, storage, and trading of personal information by organizations as they are from deficiencies in criminal law enforcement or consumer credulity and carelessness. In many cases there's absolutely nothing the consumer could have done to protect themselves, short of not dealing with the organization that suffered the leak in the first place.

So if we're to attack this program successfully, efforts will be needed in four key areas: data protection law enforcement, prosecution of identity thieves, consumer rights and remedies, and public education.

We have a reasonably good data protection law here in the form of PIPEDA. The law prohibits organizations from collecting more information than they need, retaining it for longer than necessary, and using or disclosing it for purposes other than those for which the individual has consented. It also requires that organizations put in place reasonable security measures to protect against unauthorized access and identity theft.

The big problem with PIPEDA is not any particular substantive deficiency—many of which you have identified in your recent report on PIPEDA—but rather the fact that PIPEDA lacks an effective enforcement mechanism to encourage industry compliance. As a result, many organizations are collecting far more personal information than they need and holding onto it for longer than they should, thereby exposing individuals to a greater risk of identity theft. There are examples of this we can talk about.

Organizations are also failing to secure the personal information they hold through effective encryption, careful employee screening, and other measures. Our study last year of 64 online retailers, which we provided to you last December, confirms that there is widespread non-compliance with even the most basic requirements of the act.

A data breach notification requirement holds some promise for creating incentives for compliance, but only if such notification is made public and only if breaches are not so frequent and widespread as to diminish the reputational damage of publicity. But even so, breach notification rules need to be supplemented with an enforcement regime that creates a real risk of financial penalty for over-collection of personal data or other violations of PIPEDA that contribute to the ID theft problem.

In our submission last December to the committee we made a number of recommendations for strengthening PIPEDA's enforcement regime, including allowing for class actions against organizations that violate PIPEDA, removing financial disincentives for individuals to pursue lawsuits against organizations for breaches of PIPEDA, and punitive damages as a possible remedy for violation of PIPEDA.

We were disappointed that none of these recommendations was adopted or even mentioned by the committee in its report. Addressing this incentive problem, the most important deficiency of PIPEDA and a key factor in the growing problem of identity theft, in our view, is critical if we want to make headway on this problem.

Turning to the issue of public awareness, there are many excellent websites and brochures explaining ID theft schemes and offering tips to avoid identity theft, but there is still a problem. Individuals continue to fall prey to these social engineering schemes, such as phishing and pharming. Young people are posting detailed information about themselves on the Internet, without appreciating the risks.

We are recommending that the Financial Consumer Agency of Canada be mandated to undertake a national public education campaign on identity theft, in consultation with financial institutions, law enforcement agencies, and consumer organizations. The campaign should focus on the most common scams used by identity thieves to gather information directly from individuals and should use mass media, as well as inserts in government mailings, posters, and brochures in store-front offices.

On the issue of consumer protection, first, victims of identity theft usually have no way of knowing the theft occurred until the damage has been done. We think data breach notification will be very helpful in this regard.

Second, even the most educated and motivated victims encounter tremendously frustrating obstacles when they try to attempt to stop the damage and regain their reputations. If such obstacles were removed, victims would be able to mitigate the damage and take preventative action more quickly. In some cases, they could also assist the police in identifying and prosecuting criminals.

9:15 a.m.

Liberal

The Chair Liberal Tom Wappel

Excuse me, Ms. Lawson. Could I ask you to bring it to a conclusion? I'm sure anything you haven't covered will come up in questions.

9:15 a.m.

Executive Director, Canadian Internet Policy and Public Interest Clinic

Philippa Lawson

Sure. Okay.

The brief mentions a number of specific consumer protection measures that we think are needed to empower consumers.

Our final recommendations are that all of the players in Canada, from law enforcement agencies to consumer protection agencies to financial institutions to consumer groups, work together to address the problem. We need to develop a national strategy for combatting identity theft, and I have seven recommendations.

First, as I mentioned, amend PIPEDA so as to create meaningful incentives for compliance.

Second, appoint a lead agency at the federal level responsible for gathering and reporting ID theft statistics and for coordinating efforts to combat identity theft across Canada.

Third, as I mentioned already, mandate the Financial Consumer Agency of Canada to undertake a national education campaign.

Fourth, establish a national ID theft victim assistance bureau, again with a mandate to gather statistics, analyze the problem, and make recommendations for legislative and policy reform.

Fifth, require credit-granting institutions to report on incidents of ID theft.

Sixth, provide consumers with rights that improve their ability to detect, prevent, and mitigate the effects of identity theft. Those rights should include allowing consumers access to the version of their credit report relied on by lending institutions, which right now is a problem because they are denied access to that, and allowing consumers the right to a credit freeze upon request to credit bureaus, which again is currently not permitted.

Finally, we need a thorough review of legislation governing credit bureaus, lending institutions, and police agencies, with a view to identifying other ways in which these agencies could assist in the prevention, detection, and mitigation of identity theft.

Thank you.

9:15 a.m.

Liberal

The Chair Liberal Tom Wappel

Thank you.

Thank you very much for your paper. I know those points are in there. As soon as it is translated, it will be distributed, and we'll have an opportunity to consider your points in more detail.

We now go to Mr. Lawford and his opening remarks.

9:15 a.m.

John Lawford Counsel, Canadian Consumer Initiative

Thank you very much.

I'm here today on behalf of the Canadian Consumer Initiative, which is a group of six consumer organizations, including the Public Interest Advocacy Centre, where I work; Union des consommateurs; Option consommateurs, in Quebec; the Automobile Protection Association; and the Alberta Council on Aging. We are presenting to you today our common policy position on identity theft, which we came to agreement on in the last year.

The most important thing to take away from our presentation today is something we're going to echo Philippa's comments on; that is, we believe there's a large role to be played by business and government in attacking identity theft, which has not yet been done, and that consumers also need to be educated, but that the primary steps you can take as legislators would be to move government and business along to better protection of personal information, which will then lead to less identity theft.

I'll just give you a couple of statistics from PhoneBusters, which you probably already have from your researcher. Last year the total reported to PhoneBusters was $16 million in losses on 7,000 to 8,000 complaints, and this is approximately double the amount of money lost but half the number of victims from the year before. I'm not sure if this trend is going to continue, but it's a bit disturbing in the sense that identity theft may be becoming more profitable, and there are more ways to make money from the actual fraud related to it, to be honest.

We also wanted to underline for you that it doesn't have to be this way, because at the federal level, there's a bit of a vacuum in the sense that consumers don't know where to go. When someone gives us a call asking about identity theft, really, I have to take a deep breath and say, where should I send them first? Should I send them first to the police to get their police report? Should I send them to the credit bureau to get their credit report so they know how far this has gone? Should I send them to PhoneBusters to report it? Should I send them to their bank? The actual answer is all of those things, and yet there is no one place for someone to go to the federal government and see that this is the approach to take.

It's not so in the United States, because they have the Federal Trade Commission looking after consumer affairs, and they have taken quite a few steps at their Federal Trade Commission to provide a website that addresses both consumer and business concerns about identity theft.

Take, for example, the FTC's business guide. They have now a safeguard rule in the United States, where if you handle personal financial information you have to follow this rule. It's fairly simple, and it's a bit like PIPEDA, in fact. You have to know what information you have in your files, you have to reduce it to the minimum possible, you have to protect it with security measures that are adequate, you have to dispose of what you don't need, and you have to plan for a data breach.

We have the rule here as well under PIPEDA to do all that; it's just not being done. Our concern here, on behalf of the Consumer Initiative, is that the Office of the Privacy Commissioner of Canada has not been driving that forward, largely because the act itself requires individual complaints. The Privacy Commissioner could take steps to audit companies that seem to have a lot of leaks that might lead to identity theft but has not been terribly aggressive in doing so.

In that situation, it's difficult for us to make recommendations more than Philippa has, along the lines of giving the Privacy Commissioner more authority to act, to make orders, but that has not been suggested by the committee.

One thing we did want to get, and that was suggested in the PIPEDA report, was a breach notification rule. That will lead, we think, to a lot of identity theft being cut off at the knees, if you will, because with the amount of time it takes to actually perform identity theft, a lot of the losses occur in the first two, three, or four days. If something could be put out from the company in that timeframe, people could take some steps to lock down their accounts by calling their bank and getting their credit bureau involved.

One of the things that we suggested for legislation, besides that, was overuse of social insurance numbers, and it still continues today. Social insurance numbers are a key to getting new credit, and part of the identity theft phenomenon is opening new accounts in the victim's name, for which you usually need a social insurance number. The difficulty here is that businesses use social insurance numbers as a unique identifier of the person, and in our common position we called for business to be asked or told in legislation not to use social insurance numbers for that purpose any more and that they be restricted again to what they were originally intended for, which was employment purposes.

Now, we appreciate the difficulty of businesses coming up with a unique identifier and something they can use for credit granting. However, because of the actual nature of the social insurance number being so ubiquitous and used for so many other purposes, it is really a key to fraud. At the bottom line, our position is that we would like the government to look quite hard at the use of social insurance numbers by business and to reduce it to the minimum possible.

Another suggestion in our common position is that the provinces look at credit freezes, so that when you hear about a situation where your identity has been stolen, you can contact the credit bureau and actually disallow any new credit being granted without some extraordinary measures. That's not, perhaps, in your bailiwick, but it does lead to some questions about use of identity information by credit bureaus.

Lastly, you're not dealing with the criminal offences today, but just the mere possession of boxes and boxes of identity at the moment is not a crime, and we are supportive of the justice efforts to make that a crime.

The last thing we'd like to mention comes back to the same point about not having a one-stop shop for Canadians for identity theft. We also have no statistics that are really very detailed on this. We do rely on PhoneBusters, but again, they only take complaints from people who know they take identity theft complaints, so that cuts out a large portion right there, and many other people never actually complain to PhoneBusters.

I know there was an attempt at the RCMP to have a database called RECOL, and I'm not sure where that stands at the moment, but that seems to be an obvious place to try to start centralizing these statistics. An interesting idea that has come about in the United States is asking banks to report on identity theft so that when they get a complaint of identity theft—and they are usually advised by consumers when there's a problem—they could report that either to the RCMP or some other organization to collect statistics on that. We are supportive of that idea, although we haven't put it in our common policy position.

The last point we want to make is that, in this situation, we don't want the consumer to become further victimized, and we see two trends that are not happy ones. One is that financial institutions and others are now offering identity theft insurance, and we don't think that's a silver bullet or really a solution at all because it's not very good coverage. We've done a report on it at PIAC. It covers only your actual time off work to sort out your problems. It doesn't cover the actual identity theft fraud, the money you lose. It has a number of other very minor coverages, but at a more fundamental level, we think it's putting the burden and the cost of trying to deal with identity theft back on the consumer, and it runs counter to the incentive we'd like to give business, which is to protect information more fully.

Finally, we're concerned about the silver bullet, if you will, of biometrics or national identity cards, these sorts of schemes to try to identify a person absolutely. Because identity theft is more of a social crime involving factors like easy credit and lack of care on the part of individuals and over-collection of data, we don't think that having one unique identifier that is linked to everything will make it better. It may in fact make it worse.

So those are our submissions for the committee today, and I'm happy to take questions in English or French. Merci.

9:25 a.m.

Liberal

The Chair Liberal Tom Wappel

Thank you very much, Mr. Lawford.

Before we go to the questioning, which we'll start with Mr. Pearson, Ms. Lawson, could you define phishing and pharming, please?

9:25 a.m.

Executive Director, Canadian Internet Policy and Public Interest Clinic

Philippa Lawson

Sure. Phishing refers to e-mail communications that are made by the identity thief masquerading as a trusted institution such as a bank or eBay or PayPal or some financial institution. They request the recipient of the e-mail message to provide their account information in order to correct a problem or get access or whatever. I'm sure all of you have received these phishing e-mails. I receive them every day. They're simply ploys by fraudsters to get information that they need to access bank accounts and other accounts, in order to use them fraudulently.

Pharming refers to a similar kind of technique, where the thieves actually set up a website that very cleverly imitates the trusted financial institution or otherwise. They're able to basically redirect traffic intended to go to the legitimate website to the fake website. Again, they invite people to enter their account details, etc., and then use that to engage in fraud.

There's a third new trend, which is “vishing”, which refers to voice communication. They're now using telephone communications and computerized messages to call someone. The consumer picks up the phone. There's a computer message that says it's such-and-such a bank—or trusted institution or whatever—and there's a problem with your account. Call this 1-800 number to deal with it. You call the 1-800 number, there's an interactive voice system, and it gets you to plug in all your account information. Once again, they collect it all that way.

9:30 a.m.

Liberal

The Chair Liberal Tom Wappel

Thank you.

Mr. Pearson.

9:30 a.m.

Liberal

Glen Pearson Liberal London North Centre, ON

Thank you, Mr. Chair.

That's a lot of information. I hadn't heard of vishing before.

I have a number of questions, but before I go any further, did you say in your report that the occurrences of identity theft are levelling off?

9:30 a.m.

Executive Director, Canadian Internet Policy and Public Interest Clinic

Philippa Lawson

John referred to this, too.

The PhoneBusters data suggests that is the case. I do not consider that data reliable. PhoneBusters is a partnership project by the RCMP, OPP, and the Competition Bureau. I suggest that you have someone from PhoneBusters come and testify about the stats.

9:30 a.m.

Liberal

Glen Pearson Liberal London North Centre, ON

It's a bit confusing. All the witnesses have talked about the rapid increase and the various dimensions of it, just as you have this morning. Then on the other hand, we hear that it's actually levelling off. I think we have a responsibility not to intrude too much into things and not to change it if it doesn't need to be fixed. It's difficult to know how to balance that.

You talked about a national strategy, Ms. Lawson, for gathering—You think that this really needs to be done. Who should do that?

9:30 a.m.

Executive Director, Canadian Internet Policy and Public Interest Clinic

Philippa Lawson

We think an agency should be appointed to be responsible for that. It should be done, first of all, by requiring organizations that encounter ID theft in their operations—and I know this would be an added burden on business—to keep track of identity theft incidents that their customers have actually suffered, or they have suffered, or that they've avoided and they know about, and to report those annually.

I think that's a way of getting a much better sense of the extent of the problem.

9:30 a.m.

Liberal

Glen Pearson Liberal London North Centre, ON

Are you talking about a government agency?

9:30 a.m.

Executive Director, Canadian Internet Policy and Public Interest Clinic

Philippa Lawson

Well, someone needs to be responsible for it.

As John pointed out, we have a problem. There is no consumer protection agency at the federal level. Industry Canada, with the Consumer Measures Committee, has some activity in this area, in particular with coordinating provincial approaches. The Competition Bureau does not consider itself a consumer protection agency. It is not particularly interested in this problem, from what I can see.

9:30 a.m.

Liberal

Glen Pearson Liberal London North Centre, ON

One of the things the Privacy Commissioner said a couple of weeks ago when she was here was that the real problem is that there is no database of all these things. That's obviously one of the things we're going to have to work on here—how best to do that.

You have listed a bunch of recommendations. We don't have your report, but there were a lot of them. If you had to pick one priority—and I know that's difficult, but we need your direction, since we don't have the report—what is the direction you would like to see us, as a committee, move in?

9:30 a.m.

Executive Director, Canadian Internet Policy and Public Interest Clinic

Philippa Lawson

I think it's a complicated problem. It would probably benefit from a task force, something like the task force on spam a couple of years ago. I was part of that. I was involved in a couple of working groups. I think it was a really beneficial, worthwhile process. It brought the various stakeholders together, hammered out some tough issues, and came out with a really good set of recommendations, which unfortunately have not yet been acted on.

I hate to postpone things. I think there are some specific measures that can be taken right away. I've suggested some of those. I do think that if you want to look at the whole picture, this is an issue that would benefit from a task force approach.

I hate to come back to an investigation and review that you've already conducted, but we do feel very strongly that there needs to be some better incentives for businesses to comply with the data protection law.

9:30 a.m.

Liberal

Glen Pearson Liberal London North Centre, ON

Thank you.

Mr. Lawford, I volunteer at a food bank. We used to collect social insurance numbers all the time. Charities have pretty well gotten out of that because people don't have to give anything. Yet what you're saying is that lending institutions and others don't use that as a basic form of ID.

You also said you don't like the idea of the biometric card, but you do feel that this whole idea of the SIN number and other things needs to be reduced.

How would you do that? Can you give me an example?

9:30 a.m.

Counsel, Canadian Consumer Initiative

John Lawford

That is the hard issue because you need a unique identifier. What you maybe don't need is a unique identifier that works for everybody. Why not have one for the credit bureaus, which is the credit bureau type of number? In order to identify yourself for credit, you become whatever this long stream of numbers is, for the purpose of credit. It doesn't have to be for all of the other purposes in society that a social insurance number is used for and has become used for. The trouble with the social insurance number is, of course, that it's used as a password for so many things.

If you create a national identity card, the concern on our part is that it will become like the social insurance number times two--used for everything and only accepted for everything. The idea of keeping things in silos is perhaps one way to go. Now, I'm not suggesting that it's the best way, because we haven't studied the actual use of that and how to get from here to there, but the idea that your identifier can work all across society and for many purposes is part of the problem.

9:35 a.m.

Liberal

Glen Pearson Liberal London North Centre, ON

You would look at it then and say we should develop different identifiers for different groups. That seems a little difficult to manage.

9:35 a.m.

Counsel, Canadian Consumer Initiative

John Lawford

It falls more in with the idea behind the privacy legislation, which is that you use the personal information only for the purposes for which it's been gathered. The social insurance number works like a key across so many different avenues.

9:35 a.m.

Executive Director, Canadian Internet Policy and Public Interest Clinic

Philippa Lawson

I will just add that the problem of authentication is a big part of this issue. It's being addressed by industry and the marketplace and government. I'm part of a working group that Industry Canada is chairing on principles for electronic authentication. It's a huge challenge.

One accepted principle is single-factor authentication, that is, like a simple password is insufficient. It's easily cracked. We need to move, and companies are moving, to multi-factor authentication.

Another big problem is that often people want to go with a kind of simplistic form of authentication that involves collection of personal information. In fact, technologists, engineers, and computer science experts have come up with reliable methods of authentication that do not require collection and storage of any personal information. It can be done through computer algorithms, and so forth. The challenge there is to have industry adopt those measures that minimize the collection of personal information rather than the more simplistic ones that don't.

9:35 a.m.

Liberal

Glen Pearson Liberal London North Centre, ON

My final question, if I have—