Information & Ethics Committee on Feb. 28th, 2019

Temporarily.

Good afternoon. My thanks to the chair and vice-chairs and the members of the committee for the opportunity to speak today.

My name is Ira Goldstein. I'm the senior vice-president of corporate development at the Herjavec Group. I've spent the last decade working in information security to help companies and governments secure their most critical digital assets.

I'm joined by Matt Anthony, our vice-president of security remediation services at Herjavec Group, whose remarks will follow mine.

Herjavec Group was founded in 2003 by Robert Herjavec, who immigrated to Canada with his parents from eastern Europe. A dynamic entrepreneur, Robert has built Herjavec Group to be one of the largest privately held cybersecurity firms in the world. Our experience includes working with private and public sector organizations in complex multi-technology environments to ensure their data security and privacy.

We are honoured to address the committee today on behalf of Robert, Herjavec Group and our fellow Canadians.

Our statement will address two subject areas related to the committee's study. First, I will outline why digital identity is a key building block in the transformation of government services. I will then outline steps to manage, govern and secure our digital identities.

My recommendation is for the government to tread lightly on the broader transformation path to ensure that privacy and security are top priorities. In parallel, the government should move quickly on a pilot project to expand the existing success of Canada's digital presence.

Digital government services must be built on a foundation of good identity governance. If our identities are to be digitized and managed by government, citizens expect a system that ensures security and privacy. Our identity attributes are assumed to be protected by the issuer, our federal government. In any system, physical or digital, fraud is a risk that must be mitigated through effective and ongoing assessment.

These concepts are not far from realization. When a baby is born or a new immigrant arrives, individuals may request their identity documentation online. Ultimately, physical artifacts are issued as proof of identity, but the fact that we have an online portal today to provision identification means that we have the foundation to leverage that data for use in digital government services.

Several government services are already online. One of the most critical functions of government, tax collection, is digitized through Canada Revenue Agency's EFILE system. Presumably the push to EFILE was supported by efficiency outcomes and stands as a successful case of digital transformation.

Any further steps to digitize citizen identity must consider the perception of the impact on individual privacy. Individuals may perceive digital identity as a threat to privacy despite the expected benefits. One recent example is the speed at which public perception soured over Statistics Canada's plan to collect personal financial information. Despite the involvement of the Privacy Commissioner and plans to anonymize the data, perception quickly turned negative toward this prospect.

The contrast between CRA's EFILE success and Statistics Canada's attempt to gather financial information is a guiding light for the committee. Digitizing government services will be welcomed by the public if managed and messaged thoughtfully. The upside of this effort is more access for historically marginalized groups and geography, so the opportunity cannot be ignored.

Historically, identity-proofing has required a trusted centralized authority to govern provisioning and usage. If I want to prove who I am, I need to show government-issued identification. I foresee this authoritative proof as a permanent feature of modern democracy, so despite the advances in decentralized identity, the government has an important role to play in identity management.

In sum, I strongly recommend that the committee seize the opportunity to further digitize components of citizen identity to enable the efficient and secure delivery of government services, while being cautious in the line that we must draw between centralizing data and ensuring that individual privacy is maintained.

Thanks, Ira.

My name is Matt Anthony. I'm the vice-president of security remediation services. I've been working in information security for over 20 years. I'm honoured to be here today to address the committee. I'll keep my remarks focused on two main areas.

Firstly, I'd like to address the issue of e-government, specifically the pace and volume of change. There have been great successes. Ira has already mentioned tax filing. You can do anything from tax filing to pet registrations at all levels of government. I think we're seeing real advantages from some of those, but I also see that fear of missing out and reputation enhancement are drivers for a lot of the initiatives that influence the adoption of and adaptation to electronic government services.

Mark Zuckerberg, the founder of Facebook, is famous for saying, “Move fast and break things”. While that was taken on as a mantra for global developers in all areas of business and the private sector, I don't think the Government of Canada should or could have that same kind of capability to move fast and break things. Herjavec Group's cyber-incident response teams have see the direct impact of moving fast and breaking things. We come back and sweep some of that up. Breaches are large, costly and very damaging.

Adding to that, there is a global skills shortage in the core capabilities needed to securely govern, develop, test, deploy and maintain complex software systems. Current published figures show that there'll be about three and a half million cybersecurity job openings by 2021—that's worldwide, obviously. The global digital transformation is in direct tension with that. There are more projects, more services and more data being created, stored, managed and mined. Canada and Canadian governments will feel this tension very directly.

The committee has heard a great deal about three case studies. Ira mentioned this already, and I've heard some talk in the corridors about a couple of them. They are Sidewalk Toronto, Estonia and Australia.

I want to address the Estonian example briefly, because it's been held up as a high-water mark for digital transformation, but Estonia has had a few major advantages in doing this that Canada doesn't enjoy. They have a very small population, a very small geography, a relatively green field in the post-Soviet era for technology and a relatively homogenous population accustomed to central control.

When I talk about those things, I think you can reflect on Canada not having many of those advantages in trying to do these kinds of services. The model would look very different for Canada.

While that transformation appears successful, we also don't know a whole lot about the security and privacy concerns. The political and cultural aspects of what would be expected, including how much we might learn about security and privacy aspects, might not be evident for years, or even longer than that. I caution against using Estonia as a North Star for our transformations in Canada.

You can't stand still, obviously, and we have to move forward, but my hope is that we go slowly enough to be assured that the changes we do are fully governed and secured to the appropriate level. Go carefully according to strong principles. Wait for the necessary technology, such as AI and automation controls, to support us better. Don't allow fear of missing out in international comparisons to cause us to hurry ahead of our abilities and capabilities.

Secondly, I'd like to briefly address information-sharing. I want to commend the data strategy road map, in that there are six most important things laid out in that document. I can't do much more than say that they are precise and correct. I would like to amplify them.

The concepts are simple: develop a strategy; provide clarity on data stewardship; develop standards and guidelines for governance; improve recruitment to gather the needed skills; and, develop technology systems that support the strategy. Those are all easy to say, but enormously difficult to do, individually and severally.

In 1984, Stewart Brand presciently wrote, “Information wants to be free.” At the time, he was talking about how the technology costs were going lower and lower, but now it has become synonymous with the difficult problem of keeping access control. Once information is beyond the source's control, it will tend to get distributed widely. It follows, then, that secondary and tertiary uses of the government's data need to be as acutely and astutely controlled as primary use is.

The government faces a monumental task in understanding and managing legacy data and systems. Reconciling inconsistent or undocumented consents for use, information silos, usage rules, data structures, identity platforms and administrative processes will each also be monumental in scale.

I believe that taking a greenfield approach may be advantageous, that is, by establishing rules clearly for new data collection and allowing legacy data to be integrated in the future, as capabilities such as AI and other data collection and tagging can be paired with lower costs for transformation through automation. Don't rush to data lake models, as unexpected de-anonymization and information correlations will emerge—I've seen them—some of which may be contrary to public policy, law or intent.

There are a lot of assertions being made that opportunities will emerge and efficiencies will be achieved by aggressively mining, aggregating and sharing data. I urge the committee to show evidence for that. It's easy to get caught up in the rush to take that approach.

You cannot stand still, but I advise, indeed urge, the committee and industry to slow down, be more careful and do not allow ambition to overshadow capability. Go slowly enough to fully understand, measure and manage information risks. Remember, criminals like data, and breaches are messy, complicated and very expensive.

Thank you.

Good afternoon. I am Rene McIver, chief security and privacy officer at SecureKey.

I'd like to begin by thanking the committee for giving us the opportunity to participate in its study on privacy and digital government services. My background is in crypto-mathematics, biometric standards and identity. I've spent time at the Communications Security Establishment and have been with SecureKey for the past decade.

I'm joined here today by my colleague Andre Boysen, our chief identity officer and co-founder of SecureKey. Andre's been in the fintech industry for 30 years and is a globally recognized leader in digital identity and privacy. He also serves on the board of the Digital ID & Authentication Council of Canada.

SecureKey is a proud Canadian company. SecureKey has been the provider of record for the Government of Canada's partner login service since 2012, also known as SecureKey Concierge. We are a world leader in providing technology solutions that enable citizens to efficiently access high-value digital services while also protecting the security and privacy of their personal information. We do this by building highly secure networks that span and merge the strengths of the public and private sectors.

As we know, the digital age has ushered in a host of new services, business models and opportunities to participate in the world. Not long ago, it would be unimaginable to order a shared ride from a device in your pocket, or to confidentially access government services from your home. Today, we take these things for granted and often get irritated when we come across something that can't be done online.

It's not just about citizen expectation. Companies, governments and other organizations have strong incentives to move services and transactions online in order to enhance client experiences, realize cost savings and increase business surety. An organization's ability to do this hinges on a single question: Can I trust the person or digital identity at the other end of the transaction?

This digital identity challenge is equally problematic on both sides.

To recognize clients and provide trusted access to services online, organizations typically deploy a mix of analogue and digital measures to confirm identity and mitigate risk. As we have seen, however, these solutions tend to be complex and inadequate. As a result, confidence in them has suffered.

On the other side, citizens are asked to navigate a myriad of identification methods to satisfy the organizations they seek services from, without knowing where the information's going and in the face of a steady stream of news about data breaches and online impersonators.

These concerns are well founded. Fraudsters are collecting information to know as much, and sometimes more than the citizens they are impersonating. Standard physical cards are easily counterfeited, and it's often impossible to check their validity with the issuing sources. Even biometric methods, which have often been touted as the solution to digital fraud, are targeted by hackers, increasing the risk that biometric data may also be compromised.

These factors are driving complexity up, trust in the system down, and adversely affecting privacy—exactly the opposite of what needs to happen. Our siloed system is too hard for consumers to use and too expensive to be sustained.

The challenge we face is not simply a matter of finding the best technology, the right skills or enough money to fix it; rather, everyone with a stake in the system needs to focus on solving the digital identity problem that underpins all digital services. We need to bring data and identity information back under the control of the citizen.

To solve this challenge, we must find ways to combine the prime factors of identity. These factors are the unique things we know, like shared secrets; the unique things we have, like verifiable chip cards or mobile devices; and the unique things we are, like our fingerprints or our face scans. By combining these factors, we can resolve identity and give organizations confidence that their clients are who they say they are.

Experience to date proves that single-factor methods are not up to the task. This means that trusted networks—ecosystems of trusted participants—are needed. All participants must be involved in the solution, including, and perhaps especially, the citizens, whose control over their own data and privacy will underpin its security.

Only by combining the best aspects of each system can we solve the digital identity problem and rebuild the trust that is equally required by both organizations and citizens. For example, governments are the initial issuers of individual identities, including birth registries, immigration documents, permits and licences. Governments also can link their records to a living person by issuing a driver's licence or passport. But governments are not as adept as the commercial sector at knowing if that person is actually at the other end of a given digital transaction. Banks, however, successfully conduct billions of authentications a year.

Compared to other organizations, citizens only rarely interact with governments during their lives. They may renew a licence or passport every five years or pay taxes online once a year, but they will log in to their bank accounts several times a week. This frequency generates a higher level of trust and immediacy to that interaction.

Then think about mobile devices, which are both identifiable within a cellular network and tied to subscriber accounts through the user's SIM card. All parts have something valuable to offer within a successful network.

Imagine a scenario where citizens can choose to share information securely within a network made up of organizations that they already trust. This gives the ability to use a layered approach to proving identity. The citizens would access the network using their trusted online banking credentials on a mobile device that the telecommunications operator can validate, all to share reliable information from multiple sources, including information from digitally enabled government issued documents. Using this layered approach, we get a significantly higher level of confidence in the identity of the person conducting the transaction.

The trick is how to do this without becoming a surveillance network or creating a new honey pot of data. We need to establish the basis for privacy and trust while minimizing the level of data sharing going on between the parties.

Triple blind privacy solves this challenge. The receiving organization does not need to know the actual issuer of the information, only that it comes from a trusted source. The issuer does not need to know who the receiving organization is. And the network operators are not exposed to the unprotected personal information. That's triple blind.

What this means is that none of the transaction participants actually gets a complete picture of the user transaction. This proven formula has been recognized by the privacy community worldwide, including by the office of Ontario's information and privacy commissioner.

This is not the distant future. All pieces are already in place to enable a system that has authoritative information, provides receivers of information with confidence in the transaction and allows the citizens to fully trust the system as they control their own data in a privacy-enhanced way. This type of arrangement is the cutting edge and is happening now.

With the information and resources we have, Canada has the opportunity to solve the digital identity challenge and become the model for the world. These include co-operative jurisdictions, technologically advanced telecommunications and world leadership in developing new approaches, such as privacy and security by design, developed by Dr. Ann Cavoukian, as well as the pan-Canadian trust framework that's championed by the Digital Identification and Authentication Council of Canada. We have the opportunity to build services that can provide identity validation claims from multiple parties in a single transaction while ensuring complete privacy and control for the citizen.

Key factors for any solution to be successful will be citizen acceptance and trust and the potential to reach a large user base quickly.

The responsibilities to protect privacy and to provide a sense of security to citizens are fundamental factors in the success of any solution. It is critical that Canada's approach connects together the trusted parts of the digital economy such as finance, telecommunications, government and commerce. Only this will provide citizens with the confidence they demand to use the providers they already trust and to have access to the information they want to securely share.

The cyber-risk around digital identity is high. Any solution that does not involve both private and public sectors will be of limited success. It will perpetrate the siloed approach that is currently under strain and will not have the security or public trust to enable the digital economy of tomorrow.

Thank you.

I'm afraid that's a very specific question without a very specific answer, which is how you balance a very complex, multi-variant challenge with a simple clear strategy.

When Rene Heller from the Max Plank Institute described an innovation trap, he said it doesn't matter when you might want to launch a spaceship for interstellar travel; it would always be better to wait because you'll always overtake yourself because of technological change.

We can also see that with regard wondering whether or not to buy a personal computer this month or next. That's the same kind of innovation trap.

We're faced with that in public policy as well, in making considered decisions on a case-by-case basis about what data we're comfortable with and whether we can comfortably control the necessary aspects of information security and privacy before we make the decision to move forward. You have to do the research continually, which is the go-slow part, to make an assessment about whether we're ready to go through to production, which is the move-fast part.

Go slowly until you're ready, and then move quickly when you are.

Yes. Thank you for your question, Ms. Fortier.

I would say that one of the tricks here is that cybersecurity and privacy is a very complex topic, and the challenge with the model today is that everybody in Canada has to understand how the system works in order for the security system to be effective. That to me is fundamentally bad design.

What I'd like to do is pick up on Matt's comments about Estonia. Estonia did an amazing thing for itself, but when it comes to digital ID, I'd say there are two key messages I want to deliver today. Message number one is that every government in the world wants their digital identity information to be sovereign. They don't want to be beholden to some foreign corporation beyond the reach of their jurisdiction. That's one challenge.

However, the bigger challenge is that identity is very cultural. What works in one country won't necessarily work in another. This is particularly acute in the example of Estonia. When it comes to national ID cards, I would say that there are only two types of countries in the world: the countries that have national ID cards, and the countries that hate national ID cards. I would say Canada, the U.S., the U.K., Australia, New Zealand and many parts of Europe are against this idea of a national ID card.

There are several reasons for this. Part of it is because of World War Two. We saw all of the harms that came from governments having these large databases. The government had no intent of harm when it created these systems, but when somebody came in after—the Germans—they created all sorts of unanticipated harms. We saw the danger of having all the data in one place. I would say that this, on balance, is a better scheme, but I'm not here to criticize what Estonia did. I think their model is very good, but they come from a different cultural place, and I think Matt made that point very well.

If we're going to do this right, then rather than looking at a country of a million, why don't we look at the biggest and most successful identity and authentication scheme in the world—the credit card scheme? We have six billion cards in circulation for payments around the world, and we don't see news breaking every week about a credit card being compromised here, or Starbucks having problems there, or users losing credit cards. We don't see that. Why is that?

The reason is that the global payment system is managed very differently from the online identity system we have today. As a consumer, I don't have to understand how the payment scheme works. I just have to know how to tap my card, and if I can do that, I'm good. When it comes to the cards, we've done two very clever things. One is that we made it super simple for the user—when I do this, I know I'm committing myself, so it's hard for a crook to trick me out of it. Moreover, I don't have to understand it. I know the barista can't change my $10 to $1,000 after I leave. That's the first thing that makes the global payment system safe.

The second thing that keeps the global payment system safe is that there's a trusted network operative in the middle. The crook can't pop up in the middle and say, “I'm a crook, I take Visa.” You have to apply to get into that network and you have to behave to stay in the network.

It's not the same as the Internet. On the Internet, it's very different. None of the banks in Canada send SMS messages to their customers for security. The reason is that they don't believe it's secure enough. The problem is that every other service does. Facebook does it, Apple does it, Netflix does it, Google does it. When my dad gets a message on his phone saying “Suspicious activity on your account. Please click on this URL: www.bmo.com.crookURL.com”, my dad doesn't know how a URL works, and he clicks on this thing, thinking it's going to go to BMO. Despite the fact that BMO has very good control—by the way, this is not about BMO, which has very good security controls in place—BMO's got a security breach on its hands because my dad didn't get what was going on.

So hiding the complexity from the user and having a trusted network operator is really important.

Now, I want to bring it back to something Rene said a second ago. The third thing that keeps the global payment system safe is user behaviour. When I lose my payment card, I will call the bank within minutes. I didn't call them up because I promised I would—I don't care about them, I care about me. I'm terrified that the crook who found my card is going to spend my money and I'm going to be responsible. That user behaviour, that self-interest, causes me to do the right thing and turn it off. That's what keeps the global payment system safe, which is very unlike the way we manage digital identity today.

So if we want to look to a model, rather than look at Estonia—though I do think that what they did is good for them—we should look at and learn from what we've done in Canada. We should look at our own experience here. Every other government in the world is looking at us and asking how we got this partner login service with all the banks in Canada. They all want that. Everyone else is looking here, and we're looking over there.

We have an amazing story to tell here. We need to build upon it rather than trying to reinvent.

No. In fact, I'd argue that would be a bad thing.

To go back to my example of the global payment scheme, when we look around the world, we see five to 10 global payment brands—Visa, Amex, Mastercard, Discover and others. The reason they all exist is that they all serve their constituencies in a slightly different way. Some are merchant-focused; some are more consumer-focused. Some try to do it all. They all exist because they serve in the right way.

What's good about that model is that all of us can make different choices about our favourite financial provider, and we're not stuck with that choice. If you start with one bank and you say, “I hate this bank. I want to go to another one,” you can, and you can continue on as you were.

I think having a single provider of this whole thing would be dangerous. We want to have an open scheme so that we can have multiple providers. That's quite important. And it has to be based on standards, not on proprietary, lock-in technology.

To draw the difference on that, Estonia is trying to make sure other countries do what it did, so that they're not doing their own thing—which is smart. Otherwise, if the rest of the world goes in a different direction, they're going to have to change. That's why they're out there evangelizing—and doing a good job of it, I would say.

We have that same opportunity. The challenge for us is that if we did what Estonia did, just as an example, and the U.S. decided to go in a different direction, then we'd have to change. The opportunity for Canada is to get our own house in order, get our own economy working, and then we can make this an export standard and create a gold standard for the world, because everyone else will be looking here and saying, “This is really cool. We want this.”

That's our opportunity.

I think we should look at the services that are already online and the capability that's already in the federal government. The Canadian Centre for Cyber Security was a huge step forward in bringing that capability together. There is immense capability there, even if Canadians are just now starting to learn about it publicly because of that announcement.

We should look at the government services that are already somewhat digitized, and look at how we can leverage those together to get better outcomes for citizens.

I agree with a lot of what everyone has said, but I think interacting with services outside of government may be step three or four. Step one is to enable the digitization of government services that currently aren't digital.

One of the other reasons people are so confident in the banking system is the deposit insurance. There is backing that tells me if money is lost with a financial institution, it's probably not going to come out of my pocket as long as I follow the rules of the game.

I reiterate that I think government has an important role to play as the arbiter of that identity. Let's look at what is already digitized within the government. CRA is an example; let's add to that. Let's go through the federal government services and see how we can bring those together and leverage the existing digitization.