Evidence of meeting #19 for Access to Information, Privacy and Ethics in the 41st Parliament, 2nd Session. (The original version is on Parliament’s site, as are the minutes.)

A recording is available from Parliament.

Also speaking

José Manuel Fernandez  Assistant Professor, Department of Computer and Software Engineering, École Polytechnique de Montréal, As an Individual
Susan Sproule  Assistant Professor, Finance, Operations and Information Systems, Brock University, As an Individual
Benoît Dupont  Director, International Centre for Comparative Criminology
Philippa Lawson  Barrister and Solicitor, Associate, Canadian Internet Policy and Public Interest Clinic, University of Ottawa, As an Individual

Mathieu Ravignat NDP Pontiac, QC

Okay, right. That's a problem in and of itself.

The Chair NDP Pat Martin

Time is pretty well up, Mr. Ravignat. Again, is there anybody else who would like to remark on that last topic? We'll give an extra minute or so.

Ms. Lawson.

12:30 p.m.

Barrister and Solicitor, Associate, Canadian Internet Policy and Public Interest Clinic, University of Ottawa, As an Individual

Philippa Lawson

Chair, I'd just like to make one point on that. I think it can be helpful to separate two different categories of identity fraud here. First are these mass market credit cards where the industry has basically made a decision to risk more fraud in exchange for more transactions. The cost of that is borne by consumers in the broad base of consumers through higher interest rates and fees, as Susan Sproule said earlier. As long as the individual consumer is being reimbursed by the financial agency and not held liable for the fraud, it doesn't have the same impact as the kind of individual identity theft and fraud where the individual victim does have to deal with all of the financial fallout.

The Chair NDP Pat Martin

Thank you.

One final comment....

12:35 p.m.

Assistant Professor, Department of Computer and Software Engineering, École Polytechnique de Montréal, As an Individual

Dr. José Manuel Fernandez

It's actually worse than that because if the banks are paying, we could say it's a zero sum game. Whatever I lose, I gain back. The problem with this technology is that they actually present a threat to our privacy like we've never seen before. We cannot turn off these cards. They're not only transmitting what you're paying, they're always on. A store could set up a detector of these cards, and they would know that you are the same guy who came two weeks before to buy that hat, or that you are the lady who came the day before to ask for that fur coat, whatever. This could be done not only for marketing purposes but for tracking purposes, stalking purposes, even security breaches.

They've created a problem that is much bigger than the one concerning Internet banking fraud.

The Chair NDP Pat Martin

Thank you, Dr. Sproule.

I thought I'd go a little longer because it was the first we heard of that very interesting subject, but Chad, our clerk, just reminds me that he keeps his card in a kryptonite sleeve or something so nobody can access it.

Next for the Conservatives is Tilly O'Neill Gordon.

You have five minutes, please, Tilly.

12:35 p.m.

Tilly O'Neill-Gordon Conservative Miramichi, NB

Thank you, Mr. Chair.

First of all, I want to thank all of you for the time you're spending with us and giving us such valuable information. We were all very aware of the Heartbleed bug, which caused quite a problem. You mentioned that this led to the unauthorized disclosure of at least 900 social insurance numbers.

I wondered, are these victims aware that their numbers have been disclosed? Would you say most victims of identity theft do become aware that they have been targeted?

12:35 p.m.

Assistant Professor, Department of Computer and Software Engineering, École Polytechnique de Montréal, As an Individual

Dr. José Manuel Fernandez

With respect to the Heartbleed incident, the press release from the CRA was that those whose numbers had been identified would be notified by mail. I believe they will do that.

In more general terms, the answer is no. From data that we've compiled over the years by penetrating black markets and also by compiling statistics of infection and so forth, we believe that for every victim of identity fraud, for every account emptied, there are probably 10 times as many that have been compromised. Fraud prevention measures of the banks are preventing cybercriminals from emptying more accounts but the criminals have a reserve of 10 times more accounts than they need, with a capacity to empty them out right now. There are many more victims of identity theft than there are of fraud. They just haven't been defrauded yet.

12:35 p.m.

Tilly O'Neill-Gordon Conservative Miramichi, NB

Do you have something to say?

12:35 p.m.

Assistant Professor, Finance, Operations and Information Systems, Brock University, As an Individual

Dr. Susan Sproule

No. I would agree with that.

12:35 p.m.

Tilly O'Neill-Gordon Conservative Miramichi, NB

The other thing I was thinking about is, what is the follow-up on these victims? Do they receive any support? How is the follow-up for them?

12:35 p.m.

Assistant Professor, Finance, Operations and Information Systems, Brock University, As an Individual

Dr. Susan Sproule

That'll be Pippa's question.

12:35 p.m.

Barrister and Solicitor, Associate, Canadian Internet Policy and Public Interest Clinic, University of Ottawa, As an Individual

Philippa Lawson

I have no idea what's being done by the organizations that suffered from Heartbleed in terms of proactive reaching out to victims. This is why security breach notification laws are so important. They would require exactly what you are suggesting. They would require notification to those victims, so that they could take the precautions to shut down accounts and protect themselves against fraud.

A very important point was made earlier. The fraud could happen years later. In fact, there is a growing category of identity fraud in the United States right now involving children, where the fraudsters get hold of young children's social security numbers.

If you choose, and some parents do choose, to get social insurance numbers at the time of birth—you can for your children—so that they can register them for educational savings plans or whatever. Once you do that, it becomes susceptible to identity theft. Someone might not realize until they're 18 years old and they go to get their first job or file their first income tax return that they have been a victim of identity fraud for years on the basis of this previously issued information.

This problem of a lag between the theft and the fraud can be very significant.

12:40 p.m.

Director, International Centre for Comparative Criminology

Dr. Benoît Dupont

If I may add a few words. In the survey we conducted in 2007 in Quebec, we had a few questions about the level of satisfaction regarding the number of institutions that had dealt with victims. Among the victims of identity theft, the levels of satisfaction were much higher toward banks than toward the police.

I know the bank lobby is here, but I'm saying that we also have to rethink the way that police organizations deal with the victims of identity theft because for many police officers this is not a real crime. This is absolutely false because we know that it can also not only have financial but psychological implications for victims.

Although they are more responsible, the banks are doing a better job than the police in dealing with victims. We also have to maybe understand how we could make victims feel more welcome and treated better than they are currently.

12:40 p.m.

Tilly O'Neill-Gordon Conservative Miramichi, NB

I know we've covered lots of ideas on this, but I'm wondering.... You referred to changes that we've made on world safety and to cards over the years. Of course, we're going to have to hopefully see the same thing happen. If you were to see one big change that you'd like implemented right away, do you have one that you'd like to see implemented?

12:40 p.m.

Assistant Professor, Department of Computer and Software Engineering, École Polytechnique de Montréal, As an Individual

Dr. José Manuel Fernandez

It's education, user education. There has been talk about the Internet driving licence. I don't think we want to necessarily restrict access to the Internet, but the government should take leadership in providing or even having some mandated educational programs for children or for adults. I understand that some of this is provincial jurisdiction, but definitely the federal government can provide leadership by providing the content.

This is probably where you're going to find less resistance. Nobody is going to say no to education. This is a good opportunity for leadership.

If you're saying let's enact some law that's going to require some standard enforcement, you will find resistance from the private sector, but at least let's get the easy win and that's education.

12:40 p.m.

The Vice-Chair Conservative Patricia Davidson

We'll now go to Madame Borg, for five minutes.

Charmaine Borg NDP Terrebonne—Blainville, QC

Thank you.

My question is for Ms. Lawson because she commented briefly on Bill S-4. However, if other witnesses also have any comments to make I would be happy to listen to them.

Do you think that Bill S-4 represents everything that should have been done to make sure that our privacy legislation is up to date and protects Canadians against these risks in this day and age? Should anything be added to the bill? Does anything not go far enough or is there anything that shouldn't be in the bill?

12:40 p.m.

Barrister and Solicitor, Associate, Canadian Internet Policy and Public Interest Clinic, University of Ottawa, As an Individual

Philippa Lawson

I've already mentioned the breach notification provisions which can be improved, in my view. I haven't yet done a thorough review of it, but certainly, the area of enforcement, as I mentioned in my comments, is one where I think there could be more that could be done to, for example, give the Privacy Commissioner more enforcement powers herself, or to allow private individuals to hold organizations accountable for non-compliance with their data protection obligations under the act.

Charmaine Borg NDP Terrebonne—Blainville, QC

Thank you very much.

Does anyone else have something to add?

12:40 p.m.

Assistant Professor, Department of Computer and Software Engineering, École Polytechnique de Montréal, As an Individual

José Manuel Fernandez

Yes.

When there is a data breach it is important that not only the users be notified. There also has to be an analysis. However, an analysis can sometimes mean that police services or government or organizations will be investigating the incident and identifying the causes, whether they be technological causes or a lack of procedural diligence.

The goal is not necessarily to punish those who are responsible but rather to learn from the incident. We have to make sure that as a government and a society we are moving towards better practices, the most effective practices.

Charmaine Borg NDP Terrebonne—Blainville, QC

Thank you very much.

Ms. Sproule, you said that organizations that have information on an individual's identity have a certain amount of responsibility in terms of protecting that information. Obviously the government is one of those organizations because it has an enormous amount of information about Canadians. Recently the Heartbleed bug compromised personal data. I would therefore like to move the following motion:

That, as part of the study of the growing problem of identity theft and its economic impact, and pursuant to Standing Order 108(3)(h)(iv), the committee invite the Interim Privacy Commissioner of Canada to discuss the Heartbleed bug and its repercussions on all affected federal departments.

I think that it would be important to include this in this study given that this is a very recent event. We have several questions about this. A few committee members have even asked some of them. I would also suggest to the committee that we might also want to invite Canada Revenue Agency officials back.

I believe I have reached the end of my time. Have I?

The Vice-Chair Conservative Patricia Davidson

You have another minute and a half.

Charmaine Borg NDP Terrebonne—Blainville, QC

I will therefore use it.

I apologize for tabling this motion during testimony. Unfortunately that's the way we have to work in this committee.

I have a last question I would like to ask and it is somewhat related to the motion that I have just moved. Do you think that the federal government and all its departments are ensuring sufficient protection of our personal information?

12:45 p.m.

The Vice-Chair Conservative Patricia Davidson

Excuse me for a moment. Sorry to interrupt. Are you just giving notice of motion, or are you tabling it for debate right now?