Good morning and thank you, Mr. Chairman and honourable members of the committee, for inviting me to participate in these proceedings.
As you said, I am the director of the International Centre for Comparative Criminology and I also hold the Canada research chair in security, identity and technology at the Université de Montréal, where I've studied the issue of identity theft for the past seven years or so.
In the 10 minutes that I have at my disposal, I would like to briefly address some issues about this very complex form of offending and the harms it causes to Canadians. But before I go any further I would like to maybe state that the term identity theft is perhaps a bit misleading because it implies that the victim loses access to their identity like when you lose access to a car or your cellphone when it's stolen, while in fact, the victim is more deprived of certain benefits associated with full control over their personal information such as a high credit rating or the ability to secure a bank loan. I think it would be more useful to use the terminology of identity manipulation or identity-related crime, but I guess it's way too late now to change the terminology. But I think it's an important matter as well.
So I think your task here is very important and by reading the transcripts of the sessions that were already held, one can be sure that we will learn lots in the process and in the report that you will produce. Therefore my comments today will be slightly different, as I would like to address briefly a list of four things I believe we don't know about when we talk about identity theft and how addressing this knowledge gap would help us design more effective preventative strategies and also more effective regulatory tools. These are the, if you like, known unknowns to paraphrase a very famous American politician.
The first unknown that my colleague Susan Sproule talked about is the current size of the problem in terms of the actual number of victims and the evolution of this trend. I read the transcript of the RCMP testimony and the person representing the RCMP stated that 24,000 victims contacted the organization in 2013 following instances of identity theft. This is probably a tiny fraction of the overall pool of victims because most of them, as my colleague Sproule said, never lodge a formal complaint with their police service, some of them because they don't believe the crime is important enough or will attract any interest, others because they're discouraged by their local police service, which is not equipped to deal with this type of crime especially if the amounts involved are below a certain threshold.
To provide you with a hint of a more realistic assessment, in 2009 a victimization survey conducted by Statistics Canada across a very large sample of the population evaluated that more than 870,000 Canadians had been victims of Internet bank fraud over the past year, which does not include other forms of fraud associated with identity theft. These are huge numbers but in technology terms, five years is an awfully long time and we don't have any reliable statistics on an annual basis to assess the severity of the ID theft problem and the effectiveness of current strategies to address it.
The second thing we don't know very well is that we don't have a clear breakdown of the types of ID theft by sources of stolen credentials or fraud stratagems used by offenders to exploit them. I conducted a survey very similar to the one conducted by Susan Sproule in 2007 in Quebec and this survey showed that online scams such as phishing emails only amounted to 6% of the stolen personal information, while card skimming or the theft of personal information by organizational insiders amounted to 55% of cases. Since then, I have not seen any updated information relevant to the Canadian situation, although again the technology has changed a lot during the past seven years and probably a larger proportion of Canadians conduct their business and financial transactions online.
Thirdly, we don't know a lot about identity thieves and whether they're a traditional category of offenders who have migrated to this new profitable market or a brand new breed of offenders with very different sets of criminal skills and modes of social organization.
We do know that a small number of them are very successful and are able to obtain, through elaborate cyberattacks, millions of stolen records that they resell in underground markets, such as was the case with Winners or the more recent Target hacks where tens of millions, and in certain of cases hundreds of millions, of credit card numbers were stolen from large retail companies. We still know very little about these markets, how they operate, and how much of the stolen information belongs to Canadian consumers.
We don't really know which organizations are more effective, which ones are more exposed, and which ones do a good job at preventing identity theft. We know that banks invest a lot of their money in anti-fraud technologies. They are very advanced in their capacity to identify and block attempts at ID theft. But we don't know which one of the five or six big banks perform the best, and also the worst, and what types of retail or service businesses are leaking disproportionate amounts of personal information to offenders. All organizations are not equal when faced with the problem of identity theft.
You may ask, why would this knowledge be useful? This would help us design and implement more effective prevention strategies that would target and reinforce the weakest points in the payment ecosystem first.
Second, it would also better inform us about the need to create new regulatory tools in the area that would compel companies to protect consumers' personal information and notify them when needed not only from a privacy perspective but also from a security perspective. It would also help us make sure these regulatory tools are reasonable and do not unduly burden businesses.
Finally, I think it would help us and it would especially help law enforcement agencies focus their limited resources on the most dangerous and prolific offender networks.
However, I wouldn't like to end on a pessimistic note. There are causes to be optimistic. We shouldn't be desperate about the problem of identity theft. For example, the introduction of the chip and PIN technology in Canada on our credit and debit cards over the past few years as well as advances in anti-fraud technologies deployed by the banking sector have produced tremendous reductions in related identity theft and fraud, illustrating that sometimes organizational changes can produce systemic outcomes at the national level.
For example, if you look at Interac statistics.... I took these statistics off the Internet and put them together in a slightly different way than Interac. Between 2004 and 2012 the global amounts of dollar losses attributed to fraud by Interac—if we accept that this data is accurate—has decreased by 36%. During this same period, the amount of transactions conducted by debit card had increased by 53%. So fraud is decreasing and the number of transactions are increasing.
For credit cards, we have a similar trend where the global dollar losses between 1999 and 2012 increased by 94%, and that's a lot. But this is only about half of the 212% increase in the total amount of credit card transactions over the same period.
So the average loss per dollar transacted through Interac is about 2¢ and the average loss per dollar transacted through credit cards is about one-sixth of a cent. This ratio has not really changed over the past 10 years, which is quite reassuring, because the problem of identity theft is not as dire as sometimes some private companies make it up to be.
The problem we have with the chip and PIN is that, of course, our neighbours to the south have been slower to adopt this technology. This leaves many opportunities for offenders to exploit the data captured from the back of the credit and debit cards on the magnetic stripes.
Thank you for your attention. This concludes my comments. Of course, I welcome your questions. Thank you.