Information & Ethics Committee on May 15th, 2007

Thank you, Mr. Chair.

Bonjour. Good morning, honourable members.

Je vais parler en anglais ce matin.

Thank you very much for the opportunity to speak today about a very serious problem that is directly affecting an increasing number of Canadians and indirectly affecting all of us.

My name is Philippa Lawson. I'm director of CIPPIC, the Canadian Internet Policy and Public Interest Clinic at the University of Ottawa. It was my pleasure to testify before you back in December on PIPEDA, the Personal Information Protection and Electronic Documents Act.

With me today is Mark Hecht, who is a professor of law and CIPPIC's lead researcher on this identity theft project.

We've submitted a written brief to the clerk, which I understand will be translated and distributed to you.

CIPPIC is part of a multi-institution research project on identity theft that's funded by ORNEC, the Ontario Research Network for Electronic Commerce, a public-private partnership, including four major Canadian banks and four Ontario universities. A number of researchers at these universities have been looking into various issues involving the definition and measurement of ID theft, management approaches, and technical solutions to the problem.

We at CIPPIC and at the University of Ottawa are looking at legal and policy approaches to identity theft, and we've been engaged in a big comparative review of what other jurisdictions are doing in this area and where the Canadian law is at.

We've published a series of working papers on identity theft, on various aspects of the problem, most of which are posted on our website—www.cippic.ca—and a couple more will be published shortly.

As you know, we've published a white paper on security breach notification, and we were very gratified to see your recommendations on that in your recent report on PIPEDA.

We've also posted a web page on identity theft, with frequently asked questions and resources for the public.

Our intention, after further research and analysis this summer and fall, is to issue a white paper, with a broad set of recommendations for law and policy reform. And we intend to do that by the end of the year.

You've pre-empted us with these hearings, so we're making some recommendations now, but we will be making more detailed ones later, including in the criminal law area, which I understand you're not looking into in these hearings.

I understand I have about 10 minutes. Do I have less? Okay, great.

The term “identity theft” is somewhat misleading, insofar as the activity we're talking about covers not just the unauthorized collection or theft of information but the fraudulent use of it. You will find that many experts talk about identity fraud when they're talking about unauthorized use. It really is a two-stage crime. It involves both the unauthorized collection and the fraudulent use. We're using the term “identity theft” broadly as it is commonly used to refer to both stages here.

Identity thieves use a number of techniques to gather personal information. There are relatively unsophisticated methods such as dumpster diving, mail theft, bribing insiders of corporations, and pretexting, which is posing as someone who's authorized to obtain the information in order to get it. There are also much more sophisticated techniques such as skimming, “phishing”, “pharming”, keystroke logging, and hacking into large databases.

A single individual may be victimized many times before he or she knows it. Indeed, victims of identity theft are often unaware of it until they apply for credit from a lending institution and are refused or start getting calls from a debt collection agency. By that time their credit rating has been destroyed and they will likely experience great difficulty restoring it. The victims experience a myriad of difficulties restoring their reputations and recovering the losses suffered, often as a result of no negligence on their part.

I know you're interested in trends. One trend worth pointing out is the use by identity thieves of the Internet to gather and trade in stolen information. It's very easy to find websites right now offering credit card data for sale. Hard drives with personal information on them are being sold on eBay, for example. The Internet, as I'm sure you know, is also used to fool unsuspecting consumers into handing over their account information using techniques such as phishing and pharming. I can explain those later if you're interested.

Unfortunately there are few reliable statistics on identity theft in Canada. PhoneBusters publishes stats based on complaints it receives, but these represent only a fraction of the problem. There are some public opinion surveys that provide insight into the problem, but again it's not complete. We have little else to go on.

Our first recommendation is that we need a national strategy for gathering reliable, reasonably comprehensive data on the incidence, types, and costs of identity theft in Canada.

On identity theft prevention, our research suggests that identity thieves are benefiting as much if not more from unnecessary collection, storage, and trading of personal information by organizations as they are from deficiencies in criminal law enforcement or consumer credulity and carelessness. In many cases there's absolutely nothing the consumer could have done to protect themselves, short of not dealing with the organization that suffered the leak in the first place.

So if we're to attack this program successfully, efforts will be needed in four key areas: data protection law enforcement, prosecution of identity thieves, consumer rights and remedies, and public education.

We have a reasonably good data protection law here in the form of PIPEDA. The law prohibits organizations from collecting more information than they need, retaining it for longer than necessary, and using or disclosing it for purposes other than those for which the individual has consented. It also requires that organizations put in place reasonable security measures to protect against unauthorized access and identity theft.

The big problem with PIPEDA is not any particular substantive deficiency—many of which you have identified in your recent report on PIPEDA—but rather the fact that PIPEDA lacks an effective enforcement mechanism to encourage industry compliance. As a result, many organizations are collecting far more personal information than they need and holding onto it for longer than they should, thereby exposing individuals to a greater risk of identity theft. There are examples of this we can talk about.

Organizations are also failing to secure the personal information they hold through effective encryption, careful employee screening, and other measures. Our study last year of 64 online retailers, which we provided to you last December, confirms that there is widespread non-compliance with even the most basic requirements of the act.

A data breach notification requirement holds some promise for creating incentives for compliance, but only if such notification is made public and only if breaches are not so frequent and widespread as to diminish the reputational damage of publicity. But even so, breach notification rules need to be supplemented with an enforcement regime that creates a real risk of financial penalty for over-collection of personal data or other violations of PIPEDA that contribute to the ID theft problem.

In our submission last December to the committee we made a number of recommendations for strengthening PIPEDA's enforcement regime, including allowing for class actions against organizations that violate PIPEDA, removing financial disincentives for individuals to pursue lawsuits against organizations for breaches of PIPEDA, and punitive damages as a possible remedy for violation of PIPEDA.

We were disappointed that none of these recommendations was adopted or even mentioned by the committee in its report. Addressing this incentive problem, the most important deficiency of PIPEDA and a key factor in the growing problem of identity theft, in our view, is critical if we want to make headway on this problem.

Turning to the issue of public awareness, there are many excellent websites and brochures explaining ID theft schemes and offering tips to avoid identity theft, but there is still a problem. Individuals continue to fall prey to these social engineering schemes, such as phishing and pharming. Young people are posting detailed information about themselves on the Internet, without appreciating the risks.

We are recommending that the Financial Consumer Agency of Canada be mandated to undertake a national public education campaign on identity theft, in consultation with financial institutions, law enforcement agencies, and consumer organizations. The campaign should focus on the most common scams used by identity thieves to gather information directly from individuals and should use mass media, as well as inserts in government mailings, posters, and brochures in store-front offices.

On the issue of consumer protection, first, victims of identity theft usually have no way of knowing the theft occurred until the damage has been done. We think data breach notification will be very helpful in this regard.

Second, even the most educated and motivated victims encounter tremendously frustrating obstacles when they try to attempt to stop the damage and regain their reputations. If such obstacles were removed, victims would be able to mitigate the damage and take preventative action more quickly. In some cases, they could also assist the police in identifying and prosecuting criminals.

Sure. Okay.

The brief mentions a number of specific consumer protection measures that we think are needed to empower consumers.

Our final recommendations are that all of the players in Canada, from law enforcement agencies to consumer protection agencies to financial institutions to consumer groups, work together to address the problem. We need to develop a national strategy for combatting identity theft, and I have seven recommendations.

First, as I mentioned, amend PIPEDA so as to create meaningful incentives for compliance.

Second, appoint a lead agency at the federal level responsible for gathering and reporting ID theft statistics and for coordinating efforts to combat identity theft across Canada.

Third, as I mentioned already, mandate the Financial Consumer Agency of Canada to undertake a national education campaign.

Fourth, establish a national ID theft victim assistance bureau, again with a mandate to gather statistics, analyze the problem, and make recommendations for legislative and policy reform.

Fifth, require credit-granting institutions to report on incidents of ID theft.

Sixth, provide consumers with rights that improve their ability to detect, prevent, and mitigate the effects of identity theft. Those rights should include allowing consumers access to the version of their credit report relied on by lending institutions, which right now is a problem because they are denied access to that, and allowing consumers the right to a credit freeze upon request to credit bureaus, which again is currently not permitted.

Finally, we need a thorough review of legislation governing credit bureaus, lending institutions, and police agencies, with a view to identifying other ways in which these agencies could assist in the prevention, detection, and mitigation of identity theft.

Thank you.

Thank you very much.

I'm here today on behalf of the Canadian Consumer Initiative, which is a group of six consumer organizations, including the Public Interest Advocacy Centre, where I work; Union des consommateurs; Option consommateurs, in Quebec; the Automobile Protection Association; and the Alberta Council on Aging. We are presenting to you today our common policy position on identity theft, which we came to agreement on in the last year.

The most important thing to take away from our presentation today is something we're going to echo Philippa's comments on; that is, we believe there's a large role to be played by business and government in attacking identity theft, which has not yet been done, and that consumers also need to be educated, but that the primary steps you can take as legislators would be to move government and business along to better protection of personal information, which will then lead to less identity theft.

I'll just give you a couple of statistics from PhoneBusters, which you probably already have from your researcher. Last year the total reported to PhoneBusters was $16 million in losses on 7,000 to 8,000 complaints, and this is approximately double the amount of money lost but half the number of victims from the year before. I'm not sure if this trend is going to continue, but it's a bit disturbing in the sense that identity theft may be becoming more profitable, and there are more ways to make money from the actual fraud related to it, to be honest.

We also wanted to underline for you that it doesn't have to be this way, because at the federal level, there's a bit of a vacuum in the sense that consumers don't know where to go. When someone gives us a call asking about identity theft, really, I have to take a deep breath and say, where should I send them first? Should I send them first to the police to get their police report? Should I send them to the credit bureau to get their credit report so they know how far this has gone? Should I send them to PhoneBusters to report it? Should I send them to their bank? The actual answer is all of those things, and yet there is no one place for someone to go to the federal government and see that this is the approach to take.

It's not so in the United States, because they have the Federal Trade Commission looking after consumer affairs, and they have taken quite a few steps at their Federal Trade Commission to provide a website that addresses both consumer and business concerns about identity theft.

Take, for example, the FTC's business guide. They have now a safeguard rule in the United States, where if you handle personal financial information you have to follow this rule. It's fairly simple, and it's a bit like PIPEDA, in fact. You have to know what information you have in your files, you have to reduce it to the minimum possible, you have to protect it with security measures that are adequate, you have to dispose of what you don't need, and you have to plan for a data breach.

We have the rule here as well under PIPEDA to do all that; it's just not being done. Our concern here, on behalf of the Consumer Initiative, is that the Office of the Privacy Commissioner of Canada has not been driving that forward, largely because the act itself requires individual complaints. The Privacy Commissioner could take steps to audit companies that seem to have a lot of leaks that might lead to identity theft but has not been terribly aggressive in doing so.

In that situation, it's difficult for us to make recommendations more than Philippa has, along the lines of giving the Privacy Commissioner more authority to act, to make orders, but that has not been suggested by the committee.

One thing we did want to get, and that was suggested in the PIPEDA report, was a breach notification rule. That will lead, we think, to a lot of identity theft being cut off at the knees, if you will, because with the amount of time it takes to actually perform identity theft, a lot of the losses occur in the first two, three, or four days. If something could be put out from the company in that timeframe, people could take some steps to lock down their accounts by calling their bank and getting their credit bureau involved.

One of the things that we suggested for legislation, besides that, was overuse of social insurance numbers, and it still continues today. Social insurance numbers are a key to getting new credit, and part of the identity theft phenomenon is opening new accounts in the victim's name, for which you usually need a social insurance number. The difficulty here is that businesses use social insurance numbers as a unique identifier of the person, and in our common position we called for business to be asked or told in legislation not to use social insurance numbers for that purpose any more and that they be restricted again to what they were originally intended for, which was employment purposes.

Now, we appreciate the difficulty of businesses coming up with a unique identifier and something they can use for credit granting. However, because of the actual nature of the social insurance number being so ubiquitous and used for so many other purposes, it is really a key to fraud. At the bottom line, our position is that we would like the government to look quite hard at the use of social insurance numbers by business and to reduce it to the minimum possible.

Another suggestion in our common position is that the provinces look at credit freezes, so that when you hear about a situation where your identity has been stolen, you can contact the credit bureau and actually disallow any new credit being granted without some extraordinary measures. That's not, perhaps, in your bailiwick, but it does lead to some questions about use of identity information by credit bureaus.

Lastly, you're not dealing with the criminal offences today, but just the mere possession of boxes and boxes of identity at the moment is not a crime, and we are supportive of the justice efforts to make that a crime.

The last thing we'd like to mention comes back to the same point about not having a one-stop shop for Canadians for identity theft. We also have no statistics that are really very detailed on this. We do rely on PhoneBusters, but again, they only take complaints from people who know they take identity theft complaints, so that cuts out a large portion right there, and many other people never actually complain to PhoneBusters.

I know there was an attempt at the RCMP to have a database called RECOL, and I'm not sure where that stands at the moment, but that seems to be an obvious place to try to start centralizing these statistics. An interesting idea that has come about in the United States is asking banks to report on identity theft so that when they get a complaint of identity theft—and they are usually advised by consumers when there's a problem—they could report that either to the RCMP or some other organization to collect statistics on that. We are supportive of that idea, although we haven't put it in our common policy position.

The last point we want to make is that, in this situation, we don't want the consumer to become further victimized, and we see two trends that are not happy ones. One is that financial institutions and others are now offering identity theft insurance, and we don't think that's a silver bullet or really a solution at all because it's not very good coverage. We've done a report on it at PIAC. It covers only your actual time off work to sort out your problems. It doesn't cover the actual identity theft fraud, the money you lose. It has a number of other very minor coverages, but at a more fundamental level, we think it's putting the burden and the cost of trying to deal with identity theft back on the consumer, and it runs counter to the incentive we'd like to give business, which is to protect information more fully.

Finally, we're concerned about the silver bullet, if you will, of biometrics or national identity cards, these sorts of schemes to try to identify a person absolutely. Because identity theft is more of a social crime involving factors like easy credit and lack of care on the part of individuals and over-collection of data, we don't think that having one unique identifier that is linked to everything will make it better. It may in fact make it worse.

So those are our submissions for the committee today, and I'm happy to take questions in English or French. Merci.

Sure. Phishing refers to e-mail communications that are made by the identify thief masquerading as a trusted institution such as a bank or eBay or PayPal or some financial institution. They request the recipient of the e-mail message to provide their account information in order to correct a problem or get access or whatever. I'm sure all of you have received these phishing e-mails. I receive them every day. They're simply ploys by fraudsters to get information that they need to access bank accounts and other accounts, in order to use them fraudulently.

Pharming refers to a similar kind of technique, where the thieves actually set up a website that very cleverly imitates the trusted financial institution or otherwise. They're able to basically redirect traffic intended to go the legitimate website to the fake website. Again, they invite people to enter their account details, etc., and then use that to engage in fraud.

There's a third new trend, which is “vishing”, which refers to voice communication. They're now using telephone communications and computerized messages to call someone. The consumer picks up the phone. There's a computer message that says it's such-and-such a bank—or trusted institution or whatever—and there's a problem with your account. Call this 1-800 number to deal with it. You call the 1-800 number, there's an interactive voice system, and it gets you to plug in all your account information. Once again, they collect it all that way.

John referred to this, too.

The PhoneBusters data suggests that is the case. I do not consider that data reliable. PhoneBusters is a partnership project by the RCMP, OPP, and the Competition Bureau. I suggest that you have someone from PhoneBusters come and testify about the stats.

We think an agency should be appointed to be responsible for that. It should be done, first of all, by requiring organizations that encounter ID theft in their operations—and I know this would be an added burden on business—to keep track of identity theft incidents that their customers have actually suffered, or they have suffered, or that they've avoided and they know about, and to report those annually.

I think that's a way of getting a much better sense of the extent of the problem.

Well, someone needs to be responsible for it.

As John pointed out, we have a problem. There is no consumer protection agency at the federal level. Industry Canada, with the Consumer Measures Committee, has some activity in this area, in particular with coordinating provincial approaches. The Competition Bureau does not consider itself a consumer protection agency. It is not particularly interested in this problem, from what I can see.

I think it's a complicated problem. It would probably benefit from a task force, something like the task force on spam a couple of years ago. I was part of that. I was involved in a couple of working groups. I think it was a really beneficial, worthwhile process. It brought the various stakeholders together, hammered out some tough issues, and came out with a really good set of recommendations, which unfortunately have not yet been acted on.

I hate to postpone things. I think there are some specific measures that can be taken right away. I've suggested some of those. I do think that if you want to look at the whole picture, this is an issue that would benefit from a task force approach.

I hate to come back to an investigation and review that you've already conducted, but we do feel very strongly that there needs to be some better incentives for businesses to comply with the data protection law.

That is the hard issue because you need a unique identifier. What you maybe don't need is a unique identifier that works for everybody. Why not have one for the credit bureaus, which is the credit bureau type of number? In order to identify yourself for credit, you become whatever this long stream of numbers is, for the purpose of credit. It doesn't have to be for all of the other purposes in society that a social insurance number is used for and has become used for. The trouble with the social insurance number is, of course, that it's used as a password for so many things.

If you create a national identity card, the concern on our part is that it will become like the social insurance number times two--used for everything and only accepted for everything. The idea of keeping things in silos is perhaps one way to go. Now, I'm not suggesting that it's the best way, because we haven't studied the actual use of that and how to get from here to there, but the idea that your identifier can work all across society and for many purposes is part of the problem.

It falls more in with the idea behind the privacy legislation, which is that you use the personal information only for the purposes for which it's been gathered. The social insurance number works like a key across so many different avenues.

I will just add that the problem of authentication is a big part of this issue. It's being addressed by industry and the marketplace and government. I'm part of a working group that Industry Canada is chairing on principles for electronic authentication. It's a huge challenge.

One accepted principle is single-factor authentication, that is, like a simple password is insufficient. It's easily cracked. We need to move, and companies are moving, to multi-factor authentication.

Another big problem is that often people want to go with a kind of simplistic form of authentication that involves collection of personal information. In fact, technologists, engineers, and computer science experts have come up with reliable methods of authentication that do not require collection and storage of any personal information. It can be done through computer algorithms, and so forth. The challenge there is to have industry adopt those measures that minimize the collection of personal information rather than the more simplistic ones that don't.

Yes, there are many. We published a report on the techniques of identity theft.

It's posted on our website and it lists the many ways in which identity thieves gather personal information. I can go through more of them now if you wish, but as I said earlier, there's the whole gamut. There are the old-fashioned methods of going through the trash, all the way up to hacking into computer databases. Identity thieves are using all sorts of these methods.

One classic one for debit card theft involves the creation and use of a skimming machine that is often hidden under a counter. You hand over your debit card, and if you don't watch very closely, the guy in the store, the fraudster, will run it through the correct machine, but also through the machine that's designed to collect it for their fraudulent purposes. These skimming machines are sold openly in the marketplace.

Information theft is often done by—

insiders being bribed, so employees of organizations selling the information are handing it over to the thieves. A number of incidents have been traced to insider theft.

As I said earlier, there are only two sources of information in Canada on that. One is PhoneBusters, based on the relatively few complaints they get, and the second is some public opinion surveys.

Some colleagues of mine, Dr. Norm Archer and Dr. Susan Sproule, who are part of the ORNEC-funded project I spoke about at McMaster University, are focusing on this statistics issue. They have done a consumer survey, which I believe they have the results of already and will be reporting soon. You might want to hear from them on this issue. The problem is we don't have the statistics we need.

As John did, I would point to the United States, where the FTC has been specifically tasked, through identity theft legislation, to gather and report on statistics. So if you look at the FTC, there is much more information in the United States on the extent of the problem there--still not enough, but much better than here.

I believe the banks are probably the best source of information on the extent of the problem, and that's why we're recommending they be required to report on it.

So these committees are schools for theft.

The problem has many facets. We're saying that in many, perhaps most, cases, there's nothing the individual consumer could have done. In some cases, there was. In some cases, the problem occurred because the consumer fell victim to a phishing e-mail or a social engineering scheme. They could have avoided that by simply not responding to those e-mails and by just assuming that any e-mail purporting to come from a bank or financial institution is a fraud and deleting it. That's the kind of education we need to focus on.

There are a few things consumers can do. Shred documents with their personal information before putting them in the garbage. Do not respond to those e-mails. And when doing online banking or any kind of on-line financial transaction, look at that URL, the website address, and make sure it's an http address, because the pharming ones usually aren't.

There are certain things consumers can do. Some of the problem stems from consumer credulity and carelessness, but not all of it.

Yes, I know that's often demanded by financial institutions, and that does add a layer of double-checking, if you will.

Part of the recommendation in the first report PIAC wrote on this was that businesses take a few more steps, simple steps like that, to try to verify identity.

Sometimes people will take your credit card from you and not even read the name or check the signature you scrawled down. A simple step is to train clerks to make sure they actually check that the signature matches, and that sort of the thing.

I'm not saying that's a bad thing. I'm thinking more of unnecessary credit checks. Someone is asked to have a credit check done for a new cellphone account. It may or may not be necessary. If it's not necessary, that SIN number gets stored in the cellphone company's database of records. If that database is then compromised, that SIN number goes out, and here we go. That's the sort of situation in which people are making credit applications part of their standard business procedure, and it may or may not be necessary. And they'll always ask for a SIN at that time.

Could I make a quick comment on that?

The Privacy Commissioner has decisively found that collecting social insurance numbers, except where required by banks and employers and so forth, violates PIPEDA. It's a violation of the law. So we come back to the problem I was talking about before. The problem is that we're not enforcing the law.

Sure. I can't explain why. I couldn't disagree with her more on this point.

Yes, I think the Consumer Measures Committee is doing great work on this, but it's not enough. It's not pulling in the law enforcement side of things. The police have a lot of information. There's a lot more that they can be doing, particularly once someone has been victimized. Victims are a great source of information about the nature of the problem, as well as the extent of it.

On pulling in other players, we've talked about the banks and lending institutions and their roles. Credit bureaus are a big player in all of this. We find that as we talk to victims and look at case studies, there are problems with the way the credit bureau credit reporting system works. We need to look at that.

On consumer organizations, I think we need to look at the full picture, from the criminal, civil, private and public sector, federal, and provincial aspects. CMC has done a certain amount, but they haven't covered the waterfront.

We have a number of class actions. Quebec is actually the jurisdiction in Canada that is the furthest ahead with class actions. A number of consumers have achieved remedies through that.

Class actions are in fact specifically designed to empower consumers to make it easier for consumers to stop bad practices and get redress, first of all, by allowing them to obtain legal representation without cost and to be represented automatically as part of the class, even if they make no effort to initially obtain it.

But all you need is one person who represents a whole class of consumers who were subjected to the illegal practice to take the matter to court and retain a class action lawyer. The lawyers will generally take responsibility for the case and will take it forward, typically on a contingency fee basis, and proceed with it in that way. It in fact removes the burden from the individual consumer and obtains redress for the wide class of consumers.

The FTC, at the moment, I believe, has not come out in favour of a similar situation in the States, with the Real ID Act. That idea was, again, that you would be able to use driver's licences that were approved and had a biometric in them for a lot of purposes in the United States, and I believe the FTC came out against it. I would have to check for you.

In terms of your question, how do they handle it, I'm not quite sure what you mean. How do they handle—?

What the FTC does is funnel people to one place, so they say if you have a complaint about identity theft, please tell us, we'll take statistics—and they do. It's the number one hit when you Google identity theft; you get FTC's home page on identity theft.

That's where people go. They know what they're doing. They do take action against individual businesses because they have their consumer protection legislation. Section 5 of their Federal Trade Act says you have to protect consumers, and they have had prosecutions under that; for example, I think Card Systems in the United States had a loss with ChoicePoint. They did start prosecutions. That would be helpful here if we had an agency like that. They said their total sum data practices were negligent in this situation and it was in violation of their Federal Trade Act.

So that's their approach. It's enforcement, it's information gathering, and it's tips for consumers and for business as well.

I'd have to look and see. I think they came out against the Real ID Act, which is a biometric-type of solution, but I would have to double-check for you.

I think it's usually large businesses that are implicated, or at least the cases we hear about. It's usually large databases, larger business, credit-granting institutions that run into trouble, so I'm not sure we're talking about a huge burden on small business.

Again, what we're talking about when we're looking at data protection law enforcement is doing what's common sense anyway, what's good for the business and what's good for your customers.

I absolutely support that, but I think it's only one piece of the puzzle. It's certainly not the full solution on the criminal law side, and I understand that the Department of Justice is looking at all of the potential Criminal Code amendments that could give the police the tools they need to pursue identity thieves. We know from our research that there are many more possible ways in which the Criminal Code could be amended to help law enforcement go after the criminals in this area. Pretexting, absolutely, is one of the ways, and we support Bill C-299.

I think at the end of your statement you mentioned its effect on civil liberties, and that's the main concern there: it's a bit outside the field of identity theft. We're also concerned that it won't necessarily lead to the magic bullet, if you will, about identity theft, again because it's not just that someone gets a hold of your identification; it's also that it's very easy to then obtain credit. It's difficult for the victim after they've been victimized to remove past traces of credit and to rehabilitate their credit. So the identity theft objection we have to using biometrics and national identity cards is that on one side there's, again, the public security point of view from civil society that this is not the way to go to monitor people to that extent. We're concerned that it will become a way to track you through your daily life, if you will, because you'll have to present your identity card everywhere you go, and it's then easy to trail people, and that has implications for civil liberties. Then, on the other hand, it may not solve identity theft altogether.

Could I just add one point to this? It could in fact make the problem worse, as John stated. Victims have trouble enough right now when their social insurance number has been compromised, for example, dealing with that. Imagine if your biometric identity is compromised, and I can guarantee you it will be. None of these technical solutions is perfect. It will be an absolute nightmare for people to deal with identity theft of their biometric identifier.

Very briefly, I can say that I'm not convinced that it's a good idea to leave that trail and that there are more concerns about it, especially as you combine databases. It's possible you can cross-reference your calling records with your movements that day with all sorts of things, and I think there are more implications to this that can be bad in certain situations than we're thinking about.

As far as using cash is concerned, you can't use cash over the Internet and you can't use cash in a lot of businesses—they want to take a credit card—so you're leaving a trail there.

I don't know if that answers your question.

Actually, even in English, PhoneBusters is a little old as a concept. When they started, the group was set up to deal with telephone fraud. It has evolved since and now receives complaints about identity theft. So the English name could well be replaced by something more appropriate.

It used to be an agency of the Ontario Provincial Police, but I think that now it also works with the RCMP. As I said, it is a little vague, it has evolved in the last few years. It would be best to check.

The Competition Bureau is also involved with PhoneBusters.

I do not know the organization's exact status.

It is an initiative.

In fact, it could disappear tomorrow.

Maybe it only works in English, I do not know, but there is a website where you can find information: www.phonebusters.com, I believe.

There is the Personal Information Protection Act. As the committee has mentioned, the law must be changed to make it mandatory to disclose information leaks.

I do not know whether the social insurance number is included in the act that...

Where does that come from?

It is already against the law to use the social insurance number if there is no need to. The problem does not lie in that part of the act.

The problems include enforcement—the lack of incentive and penalty for organizations that collect social insurance numbers when they shouldn't. They refuse the consumer the right to see the credit report that the privacy law says they have a right to see. TJX and Winners are swiping shoppers' credit cards—Maybe everyone should be using cash, and maybe that's what we should be recommending. But that would certainly be contrary to the government's policy of trying to encourage electronic commerce.

They are swiping credit cards and keeping the detailed information from the magnetic stripe, which they are not supposed to keep and are not allowed to keep under privacy law. They're storing it in a database in the United States for years, thereby providing a gold mine for identity thieves.

The big amendments we really need to make here are on the enforcement regime of PIPEDA. We need to give complainants more effective mechanisms to pursue their complaints in courts and to get recourse. We need to have real financial and reputational penalties for organizations that don't comply with the law.

We should also be looking at provincial laws that regulate credit bureaus and provide consumer protection. The Consumer Measures Committee has already done some work in this area, but we need to see how the laws can be improved. For example, they should provide consumers with the right to freeze their credit on the credit report. That means that no lending institution could get access to their credit report without the consumer's explicit permission. That makes sense for victims of identity theft and people who have good reason to suspect they might be victims.

They're divorced.

It's coincidental to some extent. I worked as a lawyer for 12 years with the Public Interest Advocacy Centre. The last thing I did was the report on identity theft. When I left in August 2003, the report was almost, but not quite, complete. John took it over and finished it.

In September 2003, I left the Public Interest Advocacy Centre and set up CIPPIC, Canadian Internet Policy and Public Interest Clinic at the University of Ottawa. We are completely separate organizations.

It has been recommended by this committee for data breach notification. I think that's the major one at the moment. I have to grab my recommendations at the back of it.

Yes, they funded it.

That is correct. However, for example, the rule I cited before from the FTC...they have a certain jurisdiction to enforce their general consumer protection act. Under their rule-making power, they've made a rule with financial institutions that requires them to take steps like PIPEDA in terms of safeguarding information.

Can I just add to that? The U.S. has a patchwork of sector-specific and issue-specific data protection laws. They do not have this nice, comprehensive law that we have. In fact, the biggest recommendation of consumer and privacy advocates in the United States is that the U.S. adopt a PIPEDA-like law.

The Ontario Research Network for Electronic Commerce, ORNEC, which is a public-private partnership. Four of the major banks in Canada are funding it, and their funding is matched by the Ontario government.

I think you have to use the mass media to reach people.

There are three things we've thought of: using the mass media; inserts in government cheque mailings, possibly, and putting up good posters and brochures in government storefront offices; and working with the banks. The banks are doing a reasonable job, and credit bureaus too have some good public education brochures and things on this issue. But still, people are falling prey.

I think banks are in a difficult situation because they don't want to dissuade people from on-line banking. So they don't want to say you can't trust e-mail, but they have to say you can't trust those e-mail messages you're getting.

Perhaps I can add that you may want to look at the Financial Consumer Agency of Canada being an agency that might take over that public education role, because they have that role for the banking system.

That's one of the definitional issues that I hope your next study will cover.

If it leads to a further fraud, such as someone then sending out phishing e-mails and then that person can piggyback off your account, well, that's pretty close, but if you're not losing any particular money, it's not identity fraud, at least. But I still think it should be inside the identity theft umbrella.

We oppose it, at least insofar as it's provided to political parties.

There may be good reason for Elections Canada to collect that information for its own internal purpose and to keep it carefully safeguarded and to ensure that it is used for no other purpose. But there is absolutely no reason, in our view, for date of birth to be provided with the list that goes to political parties, and that should not be the case. It runs completely contrary to data protection law principles and fair information practices accepted worldwide.

That recommendation was in the sense that if there has been a breach and you've recovered your hard drive, or there was a hacking attempt but you're not sure where the data has gone, you would still notify people. That remains our position, because you don't know now, when information moves so quickly; it could be out there.

Notify the individuals, because individuals could take immediate steps with their banks to cut off further credit or emptying of accounts. They can get a fraud alert on their credit report—we would prefer a credit freeze, but there you go. They can take a lot of steps, including, if they start seeing things, going straight to the police as soon as they know, rather than saying, “That looks funny”, and waiting for a few days until the problem piles up.

There are two purposes, in our view, of security breach notification. One is to give individuals the ability to take precautionary measures if it's the kind of situation in which they can. But the second and equally, if not more, important reason is to provide these incentives that I keep talking about on organizations to take those security measures in advance in order to prevent the security breach in the first place. The incentive there is that it's going to get out in the media and they're going to suffer reputational damage.

So I have some concerns with a regime that requires the organizations to report only to the Privacy Commissioner and not necessarily make it public. If you want to get that incentive in place, the information needs to be made public so that the media can decide whether it's newsworthy, and if so, report on it.

Absolutely. I'd say it complements market forces, in that sense.

I'm going to let Mr. Lawford jump in because I think he's done more work with the FCAC.

It's a national agency responsible, as I understand it, for bank regulations involving consumer protection issues. The nice thing about FCAC is that it's national. It doesn't cover all financial institutions, only federally regulated banks, but it has national coverage, which is what we need.

The Consumer Measures Committee has some great information on their website. They are encouraging provinces to do likewise. Some provinces have made some great strides in this area, but when it comes down to it, the CMC is a coordinator of provincial measures, so the citizens of those provinces that choose not to take those measures lose out.

At least in areas of federal responsibility, I think it makes sense to use the federal agency to provide consumers with more one-stop shopping solutions.

I'll let John add to it.

The Financial Consumer Agency of Canada has taken some tentative steps along this line. I believe they're working on phishing documents, so it would be a natural outgrowth for them to continue their work. Whether banks like it or not, they are at the centre of all this, because inevitably, identity theft is reported to them.

The Financial Consumer Agency of Canada has a mandate to educate the public on matters of financial prudence as well as security, and although it only deals with federal financial institutions, as I said, that's the crossroads for this. So it's one place you can look to in the federal government, and it's a logical place, because it doesn't seem that the Privacy Commissioner is interested in doing this stuff and it doesn't seem that the Competition Bureau is interested either.

It is an independent agency, created by an act, which reports annually to Parliament. However, it is financed by the financial institutions rather than by taxpayers.

This particular safeguard, which I've cited to you, comes out of the Gramm-Leach-Bliley Act in the United States, which requires financial institutions to take due care with regard to customers' personal financial information. That's the source of their jurisdiction, in this particular case. They also have general jurisdiction under the Federal Trade Commission Act to protect consumers. I think section 5 is the right section. So they use both of those.

I know they've had a couple of prosecutions under the section 5 power of businesses after a breach.

Unlike our Competition Bureau, the FTC has broader jurisdiction to deal with consumer protection issues. In my view, this is one of the greatest gaps in the federal regime, the fact that the Competition Bureau does not see itself as having a mandate of protecting consumers.

In the sense that businesses, like banks and credit card companies, make an effort to try to stop identity theft, that is true. On the other hand, as you said, they certainly don't have any interest in telling people when there's been a breach.

Would it be okay to just let it go? No, we don't think so, because the lost information can be used now in so many ways. Some of the ways are setting up new credit or defrauding people in other ways, people who aren't compensated. The credit card companies cover you to a $50 loss in the United States and sometimes down to zero here in Canada, but that's not true when someone uses your personal information to put a mortgage on your house. We had to pass an act in Ontario to cover that situation; a couple of people had their house stolen out from under them. That's a horrifying example.

We just don't know the knock-on effects. The immediate ones might be dealt with by the bank, but perhaps there are more for which consumers won't get redress at all. That's our concern.

That's exactly why we're recommending that we make it easier for consumers to, for example, engage in class actions against companies that have been so negligent that large numbers of consumers have suffered. We do need to take some legislative actions here to ensure that negligent organizations are held accountable. I don't think it's happening enough right now.

The Privacy Commissioner of Canada has that power now. So I'm assuming that Parliament didn't think it was that intrusive to put it in at the time. But she has a requirement that she has to have reasonable grounds.

I think when something has come out in the media two or three or four times with one organization, that might be reasonable grounds. Certainly, if we were compiling statistics or there were some other indicators that were objective and factual that might lead to a certain trouble spot or a frequent flier, if you will, on a certain retailer or a certain financial institution, it might be worth an audit, if it's a real chronic problem.

I can just say that our research shows that the penalties are simply not high enough, and it's just a cost of doing business for the criminals.

We have published a working paper on case law, which I believe covers criminal law cases as well as civil law cases in this area. I don't have it with me right now with the details. We will be publishing a further one on the issue of enforcement of criminal laws affecting ID theft.

I can just say that our conclusion is that it's very clear and it's one of the problems the police face—and I hope you'll be hearing from them on this: what's the point of spending hundreds of thousands of dollars and hours of their time investigating these often very complicated white-collar crimes when, at the end of the day, they finally catch the guy, they're successful, they've done all their work, and the court just gives them a few months' sentence or a fine that is really just a cost of doing business?

There's a risk of fatigue in that. However, I believe our recommendation to the Privacy Commissioner on that was that there be a description in the notice you get with a general indication of how serious it is. So hopefully there would be a number that were not so serious that would indicate, “I'm not so serious, we think this is not a big deal”, and others that would indicate, “Yes, this is quite serious, and perhaps you should take some action”. That's one way to approach it.

Another way to approach it, which we suggested to them, was that perhaps there should be a register of every breach. And then people can go through the registry at the end of the year and say, “Oh, actually, I did have an identity theft against me, and look, my company was on there three times”, but not necessarily get a notice unless the Privacy Commissioner, as the committee recommended, thought it was serious enough to recommend a notice go out.

Those are two ways to deal with it. Other than that, I guess we're just disturbed that if there are that many notices going out, isn't there really a huge problem?

Excuse me. We have a law saying the companies are responsible right now. The problem is it's not good enough.

If you're looking seriously at this, I would recommend that you perhaps think about calling some witnesses or hearing from some people from California, which put in place its data breach notification law at least three years ago. They've had experience with it. I've heard some people say there is a problem with notification fatigue.

I think we need, and I personally want to see, some good unbiased studies. Unfortunately, there are very biased studies. Javelin Research, for example, has been hired to do polling and reports by industry who oppose security breach notification, and they're clearly biased reports.

To get a really neutral, unbiased report on the results, how successful that particular approach to data breach notification has been, very much depends on the thresholds you set for notification. Obviously, the higher the threshold, the fewer notifications will be required. There are different ways of doing it, as you have suggested in your report, and as John is saying now, which could involve a public registry, the Privacy Commissioner as a kind of filter, and check on whether or not notification is required in that particular circumstance.

It's a question that might come up in a situation like on-line banking, where you could say this is a potentially risky activity. I don't know whether the fatigue would show up there or not. But one of my concerns is that consumers take in e-mails, and if they're from a financial institution, as Philippa said, they don't know that 99% of those from financial institutions are frauds. Perhaps they should get a list mailed to them from their bank once a year, telling them that when they get an e-mail from someone asking for account details, do not reply. I don't know if it's being done or not.

Are there other warnings you can think of?

I think the problem is that banks and other industry are quite loath to issue such warnings because they don't want to deter people from engaging in on-line commerce.

Two problems. One is that the fraudster isn't going to issue those warnings. I'm trying to think how it would technically work. What's happening is that the individual is not in fact dealing with legitimate organizations. They think they are, but they're dealing with the fraudsters. So how is the warning going to reach them at the time it needs to reach them? I'm not sure how that would work.

Secondly, as I've already pointed out, even if you were able to warn customers—actually, if you could get all customers to stop responding to all phishing and pharming and all of that, it's only going to deal with a fraction of the problem. We still have, but without the statistical support, what seems to us is that perhaps the majority of the problem here is leaks by businesses, hacking into computer databases, insider theft and such, which consumers have absolutely no power over.

Both, federal and provincial.

In terms of the class actions, we are recommending specific amendments to PIPEDA. If you look at our recommendations numbers 1 to 7 in our submission of November 28 on PIPEDA reform, we're saying the provinces, particularly Quebec, have a very effective class action system. The problem is that complainants under PIPEDA have no way of pursuing those complaints in a Quebec class action right now. You need to amend PIPEDA in a way that allows them to use the class action system to pursue their complaints.

But if problems arise with a bank that is regulated—

If it's a federally regulated institution, the matter falls under PIPEDA, as opposed to the Quebec law.

The proposed amendment is intended to make it absolutely clear that you can undertake an action or a process like that in Quebec, following your own rules.

If I can also add, it may be the case that for most cases in Quebec, consumers have the recourse and remedies they need provincially. It's not the case in all other provinces. We still need to reform the federal law for the rest of Canada, even if Quebec consumers are adequately protected.

This is one of the recommendations that many people are making for a Criminal Code amendment. It is in fact an offence under the Criminal Code right now to collect and possess credit card information without lawful excuse. I believe it may be so in some other specific situations.

The law enforcement agencies say they can sometimes catch someone with a huge amount of non-credit card data and other personal information and documents, such as social insurance numbers, names, and addresses, which it's pretty clear that person was planning to use for identity fraud purposes. But because there is no specific offence in the Criminal Code for possession of that kind of information without lawful excuse, they have nothing to charge the person with.

It is one of the possible Criminal Code amendments that I know the Department of Justice is looking at and we are looking at as well.

But I think you need to be very careful before simply creating new offences. There may be many situations in which people lawfully have information about others, with a lawful excuse. There definitely needs to be a criminal intent requirement. But it is certainly the case that much of the unauthorized collection is not a criminal offence right now.

I can't remember the amount. It was between $25,000 and $40,000.

Some of the work the Consumer Measures Committee has done since this report is consistent with our recommendations, such as creating a standard affidavit for victims.

The recommendation for the task force is just designed to try to bring everything together under one umbrella and to make sure it all gets dealt with. I think there are a number of initiatives and legislative amendments and policy reforms that clearly can be made.

I was asked what would be the most important one. Creating a national identity theft victim assistance bureau would be incredibly useful, not just to assist victims but to collect the statistics and understand the problem better.

I'm talking about an exercise similar to what occurred with the task force on spam.

Industry Canada oversaw that and put a lot of effort into it.

It would be a national identity theft victim assistance bureau.

Yes. This is to make it easier for victims. Right now, victims have to deal with many different institutions, and each institution has its own forms and requirements for authentication and proof that there was in fact fraudulent use of their information. It's an incredible nightmare and a huge task for the poor souls.

Yes, that's part of the problem. They are treated as suspects.

Yes, but we're also talking about making things easier for victims. There are ways that this can be done.