Evidence of meeting #139 for Access to Information, Privacy and Ethics in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was identity.
A recording is available from Parliament.
4:30 p.m.
Conservative
Peter Kent Conservative Thornhill, ON
It's always a hard reality.
Mr. Boysen, I'll come back to your point. The NEXUS card uses biometrics, not at every occasion, but there's a place.... And sometimes the Canadian passport does; we're using the iris or the fingerprint. Is that the sort of double perfect-positive identification that you're talking about?
4:35 p.m.
Chief Information Officer, SecureKey Technologies Inc.
Yes. What I liked about the NEXUS card is it gave consumers choice. If you told Canadians they had to get a retina scan to get a passport, there would be outrage.
4:35 p.m.
Chief Information Officer, SecureKey Technologies Inc.
However, when you gave people a choice, saying, “If you want to get through the airport faster, submit your biometrics and you can get through faster”, lots of people made that choice. By providing choice it was accepted.
I would also say your own GC login service, the partner login service, also gave choice. You did not compel Canadians to use the bank account to get to CRA if they didn't want to. They could still use a government-issued user ID and password. By giving choice, that gave comfort. You're not compelling me, so I'll try it out and see what happens. That choice element is a key component to getting the adoption of schemes like this.
4:35 p.m.
Conservative
Peter Kent Conservative Thornhill, ON
The iris identification technology in the NEXUS card, which has to be purchased, would seem to be a huge mountain for the government, for the finance minister and his budget, to climb.
4:35 p.m.
Chief Information Officer, SecureKey Technologies Inc.
I would argue that's not really a good thing for online service delivery. It feels heavy-handed to do a retina scan if I'm trying to vote. I would argue that each of these things needs to be used.... We need to look at the spectrum of services and then the level of assurance. Not all of these things are in the same kind of category.
For low-level assurance services, we don't need as much trust, so getting to that higher level is not as important. What's also important about the retina scan and the NEXUS card is that it's done in a controlled environment. I have to go to a controlled kiosk with people watching me so they can see if I'm tampering with the machine or mucking about with the card. It's that controlled environment that gives them the confidence to do it that way. You couldn't do a retina scan from home, as an example, with any kind of confidence, because it could be a replay attack.
4:35 p.m.
Senior Vice-President, Corporate Development, Herjavec Group
Yet maybe you can if we're trying to learn from the private sector and look at one of the more elegant authentication methods that exist today. On a smartphone, it's made biometrics and now face ID just ubiquitous. It is heavy-handed to do a scan of your face every time you want to unlock your phone, but do you know what? Now that's the reality, people don't seem to mind it because the technology is so good that they want access to it and it's easy for them.
I think we need to take a page out of that book. There are ways in which authentication is being handled today where they're doing a biometric every time you want to open your phone. And it's not a new system, but an existing system that's in place today.
4:35 p.m.
Chief Information Officer, SecureKey Technologies Inc.
Just to clarify, on-device biometrics is a good idea. Trying to register my biometrics everywhere is a bad idea. That's the point I was trying to make.
4:35 p.m.
Conservative
Peter Kent Conservative Thornhill, ON
Toronto hospitals, the hospital networks, have been trying for more than a decade.... The Ontario government's been encouraging them to have an online exchange of medical information for all sorts of reasons—emergency room access and so forth.
Have either of your companies worked with the hospital networks, with doctors' offices to try to come up with a safe system?
4:35 p.m.
Chief Information Officer, SecureKey Technologies Inc.
Yes, we have a pilot going on with UHN right now. One of the challenges...and I've actually done a TEDx talk on health care and identity, because as a country, the biggest need for digital identity is in health care. We need to solve this problem because we can't continue to have health care consume the whole budget.
We are doing pilots now. One of the critical elements in getting this right in health care is that a “health care only” bespoke solution won't work, because most of the population uses the health care system very infrequently, which means they're going to forget the damn password; and then the balance of the population are very heavy users of the scheme and they're always in there in person anyway.
We need a mechanism to access services online that will work for everyday Canadians. We saw how successful the government service was for CRA. We think that model can be extended to other public and private sector services.
4:35 p.m.
Liberal
Raj Saini Liberal Kitchener Centre, ON
I have one quick question. If you can't completely answer today, could you give written answers? I would appreciate that.
We keep talking about Estonia, but I know there are other countries that have begun the process. If you could give us a list of those countries or the countries you would suggest we study, and maybe some relevant reading material, we could include that in our understanding.
Second of all, this is something that fascinates me because coming from the private sector and owning a pharmacy, my technology was always cutting edge. Whatever was the newest, I had to keep up with. Now, you will have a NEXUS point eventually going forward where the private sector is going to interact with the public sector in exchanging information.
How do we keep the technology relevant, because the private sector is always going to be ahead? The public sector comes behind. You might get the policy directive right, you might get the understanding right, you can solve the issues with privacy, but eventually technology is going to be the key because one will always be out of step with the other. If this is really going to work, how do we solve that problem?
4:35 p.m.
Chief Information Officer, SecureKey Technologies Inc.
I want to pick up on Matthew's earlier comment about how you've got to go slow and then go fast when you can.
When you compare the Internet and the payment card system, what's interesting is that the way we pay for stuff has barely changed at all in 70 years. It started with a paper card and then we went to a plastic card. Then we had two problems, transaction speed and fraud, so we moved to a mag stripe. Then the crooks figured out how to do the mag stripe, and so we moved to a chip card. Since we've gone to chip card, in-person fraud has gone to zero, but we have this online problem, so now we're putting it in the phone.
What's important is that the way users pay for stuff across the globe has barely changed at all in 70 years. On the Internet, it's changing every single week. Users can't keep up.
4:40 p.m.
Liberal
David Graham Liberal Laurentides—Labelle, QC
You were talking a moment ago about face identification for logging in.
If your biometrics are compromised, what can you do about it? An example of that is the famous hacking of Angela Merkel's fingerprints by somebody who had a photograph of her.
4:40 p.m.
Senior Vice-President, Corporate Development, Herjavec Group
I would refer back to my depository insurance comment to say that, if we're actually going to roll out biometric authentication for government services, there has to be that buffer zone where citizens believe that if there were some compromise, there's a way to fix it.
How do you get new biometrics? I don't have a good answer for that. Maybe Matt does.
4:40 p.m.
Vice-President, Security Remediation Services, Herjavec Group
I will say that it's become increasingly difficult to fake a biometric, as the technology for sensors has improved. Therefore, as we move away from a thumbprint to a face print to—we're looking now at vein pattern recognition on some new phone systems.... We've had palm print technologies for a long time. It is always perhaps possible to spoof those. Any problem can be solved with enough money and technology. They can be spoofed, but they can't perhaps be overtaken, unless you don't register them yourself.
If you have your phone and don't ever register anything except a four-digit PIN and then somebody comes along and puts their thumbprint in, it's in there. That's on you, not them. The ability to actively impersonate somebody with a biometric, unless it hasn't been registered to you in the first place, is getting to the level of practical impossibility. Fifteen years ago, I could fake a fingerprint and replay it fairly easily. I can't do that anymore.
4:40 p.m.
Chief Security Officer, SecureKey Technologies Inc.
It really is about the way it's inputted into the system, again. I worked on biometric standards for about 10 years actually and it was interesting. There was always discussion about the input into the system and taking a fingerprint and putting the fingerprint in. There was always a discussion about liveness detection, but really, your input system should have a means to identify whether or not it's a live biometric. Liveness is really about a biometric, so it is increasingly complex to figure out how to accurately get the information in that isn't spoofed. It's not just a static fingerprint.
You see it in some of the face recognition algorithms. The input is that there's actually a request for you to do different things, like smile, turn your head, look down or close your eyes. There are increasingly harder ways to actually get the input.
4:40 p.m.
Vice-President, Security Remediation Services, Herjavec Group
To amplify that, I would just like to say that if the level of access that you need requires you to go to those lengths, I guarantee you there are easier ways to get your data.
