Good afternoon. I am Rene McIver, chief security and privacy officer at SecureKey.
I'd like to begin by thanking the committee for giving us the opportunity to participate in its study on privacy and digital government services. My background is in crypto-mathematics, biometric standards and identity. I've spent time at the Communications Security Establishment and have been with SecureKey for the past decade.
I'm joined here today by my colleague Andre Boysen, our chief identity officer and co-founder of SecureKey. Andre's been in the fintech industry for 30 years and is a globally recognized leader in digital identity and privacy. He also serves on the board of the Digital ID & Authentication Council of Canada.
SecureKey is a proud Canadian company. SecureKey has been the provider of record for the Government of Canada's partner login service since 2012, also known as SecureKey Concierge. We are a world leader in providing technology solutions that enable citizens to efficiently access high-value digital services while also protecting the security and privacy of their personal information. We do this by building highly secure networks that span and merge the strengths of the public and private sectors.
As we know, the digital age has ushered in a host of new services, business models and opportunities to participate in the world. Not long ago, it would be unimaginable to order a shared ride from a device in your pocket, or to confidentially access government services from your home. Today, we take these things for granted and often get irritated when we come across something that can't be done online.
It's not just about citizen expectation. Companies, governments and other organizations have strong incentives to move services and transactions online in order to enhance client experiences, realize cost savings and increase business surety. An organization's ability to do this hinges on a single question: Can I trust the person or digital identity at the other end of the transaction?
This digital identity challenge is equally problematic on both sides.
To recognize clients and provide trusted access to services online, organizations typically deploy a mix of analogue and digital measures to confirm identity and mitigate risk. As we have seen, however, these solutions tend to be complex and inadequate. As a result, confidence in them has suffered.
On the other side, citizens are asked to navigate a myriad of identification methods to satisfy the organizations they seek services from, without knowing where the information's going and in the face of a steady stream of news about data breaches and online impersonators.
These concerns are well founded. Fraudsters are collecting information to know as much as, and sometimes more than, the citizens they are impersonating. Standard physical cards are easily counterfeited, and it's often impossible to check their validity with the issuing sources. Even biometric methods, which have often been touted as the solution to digital fraud, are targeted by hackers, increasing the risk that biometric data may also be compromised.
These factors are driving complexity up, trust in the system down, and adversely affecting privacy—exactly the opposite of what needs to happen. Our siloed system is too hard for consumers to use and too expensive to be sustained.
The challenge we face is not simply a matter of finding the best technology, the right skills or enough money to fix it; rather, everyone with a stake in the system needs to focus on solving the digital identity problem that underpins all digital services. We need to bring data and identity information back under the control of the citizen.
To solve this challenge, we must find ways to combine the prime factors of identity. These factors are the unique things we know, like shared secrets; the unique things we have, like verifiable chip cards or mobile devices; and the unique things we are, like our fingerprints or our face scans. By combining these factors, we can resolve identity and give organizations confidence that their clients are who they say they are.
Experience to date proves that single-factor methods are not up to the task. This means that trusted networks—ecosystems of trusted participants—are needed. All participants must be involved in the solution, including, and perhaps especially, the citizens, whose control over their own data and privacy will underpin its security.
Only by combining the best aspects of each system can we solve the digital identity problem and rebuild the trust that is equally required by both organizations and citizens. For example, governments are the initial issuers of individual identities, including birth registries, immigration documents, permits and licences. Governments also can link their records to a living person by issuing a driver's licence or passport. But governments are not as adept as the commercial sector at knowing if that person is actually at the other end of a given digital transaction. Banks, however, successfully conduct billions of authentications a year.
Compared to other organizations, citizens only rarely interact with governments during their lives. They may renew a licence or passport every five years or pay taxes online once a year, but they will log in to their bank accounts several times a week. This frequency generates a higher level of trust and immediacy to that interaction.
Then think about mobile devices, which are both identifiable within a cellular network and tied to subscriber accounts through the user's SIM card. All parts have something valuable to offer within a successful network.
Imagine a scenario where citizens can choose to share information securely within a network made up of organizations that they already trust. This gives the ability to use a layered approach to proving identity. The citizens would access the network using their trusted online banking credentials on a mobile device that the telecommunications operator can validate, all to share reliable information from multiple sources, including information from digitally enabled government-issued documents. Using this layered approach, we get a significantly higher level of confidence in the identity of the person conducting the transaction.
The trick is how to do this without becoming a surveillance network or creating a new honey pot of data. We need to establish the basis for privacy and trust while minimizing the level of data sharing going on between the parties.
Triple blind privacy solves this challenge. The receiving organization does not need to know the actual issuer of the information, only that it comes from a trusted source. The issuer does not need to know who the receiving organization is. And the network operators are not exposed to the unprotected personal information. That's triple blind.
What this means is that none of the transaction participants actually gets a complete picture of the user transaction. This proven formula has been recognized by the privacy community worldwide, including by the office of Ontario's information and privacy commissioner.
This is not the distant future. All pieces are already in place to enable a system that has authoritative information, provides receivers of information with confidence in the transaction and allows the citizens to fully trust the system as they control their own data in a privacy-enhanced way. This type of arrangement is the cutting edge and is happening now.
With the information and resources we have, Canada has the opportunity to solve the digital identity challenge and become the model for the world. These include co-operative jurisdictions, technologically advanced telecommunications and world leadership in developing new approaches, such as privacy and security by design, developed by Dr. Ann Cavoukian, as well as the pan-Canadian trust framework that's championed by the Digital Identification and Authentication Council of Canada. We have the opportunity to build services that can provide identity validation claims from multiple parties in a single transaction while ensuring complete privacy and control for the citizen.
Key factors for any solution to be successful will be citizen acceptance and trust and the potential to reach a large user base quickly.
The responsibilities to protect privacy and to provide a sense of security to citizens are fundamental factors in the success of any solution. It is critical that Canada's approach connects together the trusted parts of the digital economy such as finance, telecommunications, government and commerce. Only this will provide citizens with the confidence they demand to use the providers they already trust and to have access to the information they want to securely share.
The cyber-risk around digital identity is high. Any solution that does not involve both private and public sectors will be of limited success. It will perpetuate the siloed approach that is currently under strain and will not have the security or public trust to enable the digital economy of tomorrow.
Thank you.