Evidence of meeting #47 for Access to Information, Privacy and Ethics in the 39th Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was problem.
A recording is available from Parliament.
10:10 a.m.
Executive Director, Canadian Internet Policy and Public Interest Clinic
The Ontario Research Network for Electronic Commerce, ORNEC, which is a public-private partnership. Four of the major banks in Canada are funding it, and their funding is matched by the Ontario government.
10:10 a.m.
Conservative
Mike Wallace Conservative Burlington, ON
Sounds great.
The issue we're dealing with here on identify theft—we're trying to stay away from the criminal side of the piece. The issue for me is that if you don't hear about it, you don't see it, you don't know about it, right? So we're trying to talk about communication issues. You talk about these websites and so on. You could have the best website in the world, but if you can't drive anybody to it, it's very beautiful but very useless.
As an organization, and over the years you've been working on this, have you come up with anything unique or anything that would drive—? What would you recommend for us to recommend to drive people to this, to actually read this information?
10:10 a.m.
Executive Director, Canadian Internet Policy and Public Interest Clinic
I think you have to use the mass media to reach people.
There are three things we've thought of: using the mass media; inserts in government cheque mailings, possibly, and putting up good posters and brochures in government storefront offices; and working with the banks. The banks are doing a reasonable job, and credit bureaus too have some good public education brochures and things on this issue. But still, people are falling prey.
I think banks are in a difficult situation because they don't want to dissuade people from on-line banking. So they don't want to say you can't trust e-mail, but they have to say you can't trust those e-mail messages you're getting.
10:10 a.m.
Counsel, Canadian Consumer Initiative
Perhaps I can add that you may want to look at the Financial Consumer Agency of Canada being an agency that might take over that public education role, because they have that role for the banking system.
10:10 a.m.
Conservative
Mike Wallace Conservative Burlington, ON
Just this week my bank that I deal with—and I do a lot of it over the Internet, almost all of it—provided me with a new series of questions that I have my own personal answers to, and then every time I log on they ask me one of the questions: where my high school was—I can't remember them all. There's a series of probably 30, 40 questions they're asking. So I'd say that this particular bank has taken it relatively seriously.
Now this weekend I got an e-mail from my Internet supplier, who's a cable company, at home, saying they were shutting me down because somebody is using my e-mail address to send out spam. Is that identity theft, in your mind?
10:15 a.m.
Counsel, Canadian Consumer Initiative
That's one of the definitional issues that I hope your next study will cover.
If it leads to a further fraud, such as someone then sending out phishing e-mails and then that person can piggyback off your account, well, that's pretty close, but if you're not losing any particular money, it's not identity fraud, at least. But I still think it should be inside the identity theft umbrella.
10:15 a.m.
Conservative
Mike Wallace Conservative Burlington, ON
This might be my last question.
The other thing I have done—
10:15 a.m.
Liberal
The Chair Liberal Tom Wappel
Sorry, Mr. Wallace, here I am, conversing with our researcher and our clerk, and I've given you a bit more time. So I'm going to cut you off now.
Mr. Martin.
10:15 a.m.
NDP
Pat Martin NDP Winnipeg Centre, MB
Thank you, Mr. Chair.
Seeing that I was unable to be here earlier, may I have my earlier seven minutes added onto this five minutes?
10:15 a.m.
Liberal
10:15 a.m.
NDP
Pat Martin NDP Winnipeg Centre, MB
Thank you, witnesses. I have only two fairly brief issues, other than to thank you for the briefs.
The NDP has been worried that the new permanent voters list may create what we call an “identity theft kit”, in that it's now going to have the date of birth associated with it. Name, address, phone number, and date of birth are a pretty good package of information about any individual, if you had the inclination to use that information. It's freely distributed. In an election campaign, you might have 200 or 300 people coming and going throughout the campaign, and if they're working the phones for you, you tear off a sheet of the voters list and say “Phone these 50 people.” So it's wildly, freely distributed.
What is the view of your organizations on the use of the date of birth on the permanent voters list?
10:15 a.m.
Executive Director, Canadian Internet Policy and Public Interest Clinic
We oppose it, at least insofar as it's provided to political parties.
There may be good reason for Elections Canada to collect that information for its own internal purpose and to keep it carefully safeguarded and to ensure that it is used for no other purpose. But there is absolutely no reason, in our view, for date of birth to be provided with the list that goes to political parties, and that should not be the case. It runs completely contrary to data protection law principles and fair information practices accepted worldwide.
10:15 a.m.
Conservative
Mike Wallace Conservative Burlington, ON
I don't know if there are phone numbers on the list. I don't think they are.
10:15 a.m.
NDP
10:15 a.m.
Conservative
Mike Wallace Conservative Burlington, ON
Well, yes, you can look it up.
You're invading people's privacy, Mr. Martin.
10:15 a.m.
Liberal
The Chair Liberal Tom Wappel
We're being very collegial today, but maybe you could get to your next question.
10:15 a.m.
NDP
Pat Martin NDP Winnipeg Centre, MB
We were being pretty collegial.
The next issue is brief as well.
I notice that you identify duty to notify as a key concern in your brief. We dealt with that a lot during the review of PIPEDA, and the private sector came in with gnashing of teeth and rending of garments that this was an overwhelming inconvenience. It was impossible. We couldn't possibly tell people, just because we screwed up and lost their information or put it in a dumpster, or something. It would be unbelievable. So we ended up with a very soft recommendation on the duty to notify, leaving it quite mushy.
How far would you go? I notice that you say notice should be given if there's a breach, or even a potential breach.
10:15 a.m.
Counsel, Canadian Consumer Initiative
That recommendation was in the sense that if there has been a breach and you've recovered your hard drive, or there was a hacking attempt but you're not sure where the data has gone, you would still notify people. That remains our position, because you don't know now, when information moves so quickly; it could be out there.
10:15 a.m.
NDP
Pat Martin NDP Winnipeg Centre, MB
So you're saying notify everybody, not just the credit bureau or the police; notify the individual clients?
10:15 a.m.
Counsel, Canadian Consumer Initiative
Notify the individuals, because individuals could take immediate steps with their banks to cut off further credit or emptying of accounts. They can get a fraud alert on their credit report—we would prefer a credit freeze, but there you go. They can take a lot of steps, including, if they start seeing things, going straight to the police as soon as they know, rather than saying, “That looks funny”, and waiting for a few days until the problem piles up.
10:15 a.m.
Executive Director, Canadian Internet Policy and Public Interest Clinic
There are two purposes, in our view, of security breach notification. One is to give individuals the ability to take precautionary measures if it's the kind of situation in which they can. But the second and equally, if not more, important reason is to provide these incentives that I keep talking about on organizations to take those security measures in advance in order to prevent the security breach in the first place. The incentive there is that it's going to get out in the media and they're going to suffer reputational damage.
So I have some concerns with a regime that requires the organizations to report only to the Privacy Commissioner and not necessarily make it public. If you want to get that incentive in place, the information needs to be made public so that the media can decide whether it's newsworthy, and if so, report on it.
10:20 a.m.
NDP
Pat Martin NDP Winnipeg Centre, MB
I agree. Also, pressure from clients, because even if I didn't suffer any financial injury, if my personal information has been compromised two or three times by the same company, I'm not going to do business with them any more. I'm going to move my accounts to this group, which works a little harder to keep my information safe. So that point is very well—