Evidence of meeting #47 for Access to Information, Privacy and Ethics in the 39th Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was problem.
A recording is available from Parliament.
9:35 a.m.
Liberal
The Chair Liberal Tom Wappel
No, I'm sorry. You'll have lots of time in round three.
Madame Lavallée, sept minutes.
9:35 a.m.
Bloc
Carole Lavallée Bloc Saint-Bruno—Saint-Hubert, QC
Thank you, Mr. Chair.
Good morning. Right at the beginning of your presentation, you told us how difficult it is to keep track of this situation. As I listen to you, I gather that several types of fraud happen over the Internet. Fraudulent activity also takes place over the telephone. I have heard of it at home, where I live. People are being defrauded in every way imaginable. In some cases, they are asked for information by people posing as representatives of their credit card institution. Copying credit or debit cards seems to be a third way to steal identities. Are there others?
9:35 a.m.
Executive Director, Canadian Internet Policy and Public Interest Clinic
Yes, there are many. We published a report on the techniques of identity theft.
It's posted on our website and it lists the many ways in which identity thieves gather personal information. I can go through more of them now if you wish, but as I said earlier, there's the whole gamut. There are the old-fashioned methods of going through the trash, all the way up to hacking into computer databases. Identity thieves are using all sorts of these methods.
One classic one for debit card theft involves the creation and use of a skimming machine that is often hidden under a counter. You hand over your debit card, and if you don't watch very closely, the guy in the store, the fraudster, will run it through the correct machine, but also through the machine that's designed to collect it for their fraudulent purposes. These skimming machines are sold openly in the marketplace.
9:40 a.m.
Bloc
Carole Lavallée Bloc Saint-Bruno—Saint-Hubert, QC
You said earlier that there are traditional methods such as going through garbage and mailboxes, the Internet, where more sophisticated methods are used, as well as by telephone and in stores. I think those are essentially the four methods used. I am trying to get them straight in my mind.
9:40 a.m.
Executive Director, Canadian Internet Policy and Public Interest Clinic
Information theft is often done by—
insiders being bribed, so employees of organizations selling the information are handing it over to the thieves. A number of incidents have been traced to insider theft.
9:40 a.m.
Bloc
Carole Lavallée Bloc Saint-Bruno—Saint-Hubert, QC
So identity theft happens frequently, and there are many ways to do it. I myself have received an e-mail at home that seemed to come from my financial institution. It was asking me to renew my subscription to something. I am sure that you know the technique. More and more, we hear people say that their credit card or their debit card has been copied. Along with that, we hear that banks are becoming more cautious and that they will instantly cancel the debit card or the credit card of people who have made a transaction where one of their clients' cards has been copied. I understand that financial institutions are becoming more and more cautious, but it is very difficult for consumers to lose the use of their credit card or their debit card over a Christmas weekend. So there is a real problem.
You say that you do not know how many people have had their identities stolen. You do not have any data on that?
9:40 a.m.
Executive Director, Canadian Internet Policy and Public Interest Clinic
As I said earlier, there are only two sources of information in Canada on that. One is PhoneBusters, based on the relatively few complaints they get, and the second is some public opinion surveys.
Some colleagues of mine, Dr. Norm Archer and Dr. Susan Sproule, who are part of the ORNEC-funded project I spoke about at McMaster University, are focusing on this statistics issue. They have done a consumer survey, which I believe they have the results of already and will be reporting soon. You might want to hear from them on this issue. The problem is we don't have the statistics we need.
As John did, I would point to the United States, where the FTC has been specifically tasked, through identity theft legislation, to gather and report on statistics. So if you look at the FTC, there is much more information in the United States on the extent of the problem there--still not enough, but much better than here.
9:40 a.m.
Bloc
Carole Lavallée Bloc Saint-Bruno—Saint-Hubert, QC
But even so, the banks should have statistics. We certainly see them reacting and becoming more cautious. They are freezing credit cards much more quickly than before. They must know the extent of the problem.
9:40 a.m.
Executive Director, Canadian Internet Policy and Public Interest Clinic
I believe the banks are probably the best source of information on the extent of the problem, and that's why we're recommending they be required to report on it.
9:40 a.m.
Liberal
The Chair Liberal Tom Wappel
Merci.
For the information of committee members, we have invited PhoneBusters and the people from McMaster to appear before us.
On CIPPIC's website they have—I would say this is a knife with two edges, perhaps—techniques for identity theft. There are 23 techniques listed. So any budding identity thieves, here's where you want to go to see what you can do.
9:40 a.m.
A voice
So these committees are schools for theft.
9:40 a.m.
Liberal
The Chair Liberal Tom Wappel
Somehow I feel that not too many identity thieves would be sitting and listening to our committee's deliberations, but you never know.
We'll go to Mr. Stanton, please, for seven minutes.
9:45 a.m.
Conservative
Bruce Stanton Conservative Simcoe North, ON
Thank you, Mr. Chair, and thank you to our witnesses for coming out this morning and shedding some insight on this incredible problem.
First, Madam Lawson, you made a comment in the course of your presentation to the effect that essentially—and I don't know the exact words—many consumers who fall victim to identity theft actually could not have done anything. They inadvertently found themselves in that situation; that is, there was nothing they could have done to prevent that.
At the same time, a good part of your recommendations, and others, I should say, point to the need for more consumer information.
There appears to be an essential conflict between those two points, and I wonder if you could comment on that.
9:45 a.m.
Executive Director, Canadian Internet Policy and Public Interest Clinic
The problem has many facets. We're saying that in many, perhaps most, cases, there's nothing the individual consumer could have done. In some cases, there was. In some cases, the problem occurred because the consumer fell victim to a phishing e-mail or a social engineering scheme. They could have avoided that by simply not responding to those e-mails and by just assuming that any e-mail purporting to come from a bank or financial institution is a fraud and deleting it. That's the kind of education we need to focus on.
There are a few things consumers can do. Shred documents with their personal information before putting them in the garbage. Do not respond to those e-mails. And when doing online banking or any kind of on-line financial transaction, look at that URL, the website address, and make sure it's an http address, because the pharming ones usually aren't.
There are certain things consumers can do. Some of the problem stems from consumer credulity and carelessness, but not all of it.
9:45 a.m.
Conservative
Bruce Stanton Conservative Simcoe North, ON
Thank you.
Mr. Lawford, it came as an incredible surprise that there are still organizations using SIN numbers as unique identifiers. You cited I think an example of opening a bank account. Is it not standard practice now, as far as you know, that when opening, certainly, any kind of financial account, for savings or for investments, whatever the case may be, that photo identification is sort of the new standard that financial institutions have gone to?
9:45 a.m.
Counsel, Canadian Consumer Initiative
Yes, I know that's often demanded by financial institutions, and that does add a layer of double-checking, if you will.
Part of the recommendation in the first report PIAC wrote on this was that businesses take a few more steps, simple steps like that, to try to verify identity.
Sometimes people will take your credit card from you and not even read the name or check the signature you scrawled down. A simple step is to train clerks to make sure they actually check that the signature matches, and that sort of the thing.
I'm not saying that's a bad thing. I'm thinking more of unnecessary credit checks. Someone is asked to have a credit check done for a new cellphone account. It may or may not be necessary. If it's not necessary, that SIN number gets stored in the cellphone company's database of records. If that database is then compromised, that SIN number goes out, and here we go. That's the sort of situation in which people are making credit applications part of their standard business procedure, and it may or may not be necessary. And they'll always ask for a SIN at that time.
9:45 a.m.
Executive Director, Canadian Internet Policy and Public Interest Clinic
Could I make a quick comment on that?
The Privacy Commissioner has decisively found that collecting social insurance numbers, except where required by banks and employers and so forth, violates PIPEDA. It's a violation of the law. So we come back to the problem I was talking about before. The problem is that we're not enforcing the law.
9:45 a.m.
Conservative
Bruce Stanton Conservative Simcoe North, ON
Thank you.
Surprisingly, that was my next point.
I had visions of a PIPEDA review too, as we heard your presentation this morning. We're back into similar points of discussion around PIPEDA being the driving mechanism by which we can require compliance and a certain set of practices on the part of businesses and organizations. You made the point very clearly that businesses have a role to play in this.
But the Office of the Privacy Commissioner, the Privacy Commissioner herself, clearly lands on the side of believing that the order-making powers are not as necessary and the ombudsman model, if you will, is working effectively. She points to the increase in consumer education around privacy issues. In fact, in one of your points, which I think was point number two, you suggested a lead agency on these matters, as it relates to identity theft.
I would come back to this. Why is it that you take such a separate view from the Privacy Commissioner on these issues? Wouldn't the Privacy Commissioner be the appropriate agency to do exactly that?
9:50 a.m.
Executive Director, Canadian Internet Policy and Public Interest Clinic
Sure. I can't explain why. I couldn't disagree with her more on this point.
9:50 a.m.
Conservative
Bruce Stanton Conservative Simcoe North, ON
You're at odds. You have a different point of view, and that's where we'll leave it.
To go back to consumer protection laws, we had a presentation at our last meeting from the Consumer Measures Committee. This is an organization that is really like an umbrella organization that pulls together the various provinces. We know consumer protection laws are under provincial jurisdiction.
Here we have an organization that is in fact doing exactly what you have recommended should happen. Where do you see that the gap still exists? If the Consumer Measures Committee is in fact driving it, it's an education program, and it's helping to bring it together, where is the weakness?
9:50 a.m.
Executive Director, Canadian Internet Policy and Public Interest Clinic
Yes, I think the Consumer Measures Committee is doing great work on this, but it's not enough. It's not pulling in the law enforcement side of things. The police have a lot of information. There's a lot more that they can be doing, particularly once someone has been victimized. Victims are a great source of information about the nature of the problem, as well as the extent of it.
On pulling in other players, we've talked about the banks and lending institutions and their roles. Credit bureaus are a big player in all of this. We find that as we talk to victims and look at case studies, there are problems with the way the credit bureau credit reporting system works. We need to look at that.
On consumer organizations, I think we need to look at the full picture, from the criminal, civil, private and public sector, federal, and provincial aspects. CMC has done a certain amount, but they haven't covered the waterfront.
9:50 a.m.
Conservative
9:50 a.m.
Liberal
Glen Pearson Liberal London North Centre, ON
Thank you, Mr. Chair.
I still have some questions around the SIN, but I'll let it go.
Mr. Stanton, were your questions answered on that? Was it clarified for you?