Evidence of meeting #97 for Access to Information, Privacy and Ethics in the 42nd Parliament, 1st Session.


Witness: Jerry Fishenden, Technologist and Government Advisor, As an Individual

9:15 a.m.

Conservative

The Chair Conservative Bob Zimmer

Thank you.

Next up, for seven minutes, is Mr. Angus.

9:15 a.m.

NDP

Charlie Angus NDP Timmins—James Bay, ON

Thank you. This has been a fascinating discussion.

One thing I've learned in my many years in Parliament is that I've become very mistrustful of government saying they're going to come up with a great new app that's going to make everything easy and cheap, because whenever it comes to the issue of privacy, it doesn't seem to be within the operating culture.

For example, this past week I learned that the government had 250,000 breaches of private information of citizens, including their tax records, health records—all manner of other records. That was down from 2013, when there were a million breaches of personal information, which included 583,000 records of financial information on student loans.

Through each of these cases, year in and year out, the reporting rate of government officials to the Privacy Commissioner.... In Canada, if there's a major breach of privacy, you're to report it to the Privacy Commissioner, who then investigates to determine if there's been a threat to personal data. The government rate of reporting is 4% in these breaches. That suggests that when it comes to deciding the priority, it's always to protect the rear end of the minister and try to keep it out of the public eye, rather than the primacy of privacy.

From your experience with the U.K., how do we ensure that we have a government that puts privacy above sometimes protecting departments and protecting mistakes? These breaches happen year in and year out, and they're very serious.

9:15 a.m.

Technologist and Government Advisor, As an Individual

Dr. Jerry Fishenden

That's a good question.

I think part of it comes back to my concern around the issue of privacy engineering and security engineering. There could be an extent to which breaches at the technical level could be automatically reported and made visible without any human interpretation or obfuscation in the process. I'm trying to find polite ways of putting it.

Equally, I think we need to be wary of the idea that technology alone can provide the answer. I think it could certainly help. It could certainly enable us as citizens to see where, as in Estonia, records have perhaps been inappropriately accessed. It could also identify where that might be happening at scale. For example, if somebody, either an insider or an external agent, has tried to farm multiple records in rapid time, that type of thing should be caught quite quickly by a good computer system.

However, it seems that most of the breaches that come to light in the U.K. often involve insiders who have executed social engineering attacks. Even though the system has been well designed, if they bring up people's records on a screen and use analog attack methods, such as either writing down the details or taking a photograph of the screen, it's very difficult for the system alone to catch those types of things. You can spot patterns of behaviour over time, but if an official only does it as a one-off, it's going to be very hard to know.

I think there's also a disincentive in the system currently, in that the more honest the departments are, the worse they look on the leaked tables. They're seen as the departments with the biggest problem, whereas they may be the departments actually being the most honest with us.

9:20 a.m.

NDP

Charlie Angus NDP Timmins—James Bay, ON

I guess that's what my concern is. We can create the most perfect technological system that will always get rave reviews, but it depends on the human factor. The human factor in politics is always defined by politics and political pressure. In our country, certainly the tax department has multiple breaches year in and year out, with lost hard drives and USB sticks. Maybe, as we move more toward the cloud, we won't lose as many USB sticks full of financial information.

We have had cases of people inappropriately accessing their ex or their spouse. Those things will happen in departments, I guess, but how do we build a culture of accountability within government to ensure that the privacy of individual information is first and foremost? Without that trust, citizens have no reason to believe that this great new app that we're going to create is going to protect them.

9:20 a.m.

Technologist and Government Advisor, As an Individual

Dr. Jerry Fishenden

I agree. I think there are probably multiple solutions here. One is improving the quality of the training and awareness available to officials. The second is improving the design of some of the systems. For example, why do so many screens, when officials access them, reveal in plain text everything about an individual? If they need to know whether somebody's in receipt of a particular benefit or over a certain age, why reveal the person's date of birth or the particular benefits they're receiving? You could just have a confirmation flag showing on the screen, which would prevent an amount of data from being leaked.

Ultimately I guess you need stronger sanctions, such that when these things happen, people are held to account. It sounds as though you have a situation in Canada that's similar to ours in the U.K. Very, very rarely does anyone personally or individually seem to be held to account.

Worse sometimes, in my opinion, is that we see organizations fined that are part of the public sector. Let's say a health trust has had a breach; they may have a fine of several million pounds imposed on them for the breach. That seems to me like a double punishment to the innocent, because that fine will directly impact the rest of us, the people relying on medical services from that trust. It also ultimately avoids the issue of finding out who was accountable for that breach. It's as if a mysterious faceless entity was responsible.

Also, at the senior level here, we rarely have the right accountability, at the senior board or executive team level, of somebody who owns it, so that you can say, “It stops with them. They are accountable for that.” Maybe if we had greater clarity that a particular named official would be held to account and we could move away in the U.K. from the culture of fining rather than looking to see who was responsible for ensuring all of those aspects we're talking about—making sure the culture of the organization is right and the systems are well designed—people would be held to account when things went wrong and would fix them.

Ultimately, if they haven't managed to fix all those things over an agreed period, then they should be held accountable.

9:20 a.m.

NDP

Charlie Angus NDP Timmins—James Bay, ON

Thank you very much.

9:20 a.m.

Conservative

The Chair Conservative Bob Zimmer

Thank you, Mr. Angus.

Mr. Baylis, you have seven minutes.

9:20 a.m.

Liberal

Frank Baylis Liberal Pierrefonds—Dollard, QC

Good morning—or I guess for you, Mr. Fishenden, it's good afternoon.

One of the important points you made is that the core of the system is the identity framework. Estonia has an 11-digit number. You also mentioned that in the United Kingdom, you looked at an ID card program in 2010. I got the impression from what you said that it didn't work.

Can you explain what the ID card program was and why it didn't work, or what happened to it?

9:20 a.m.

Technologist and Government Advisor, As an Individual

Dr. Jerry Fishenden

Just to clarify, the ID card program was terminated in 2010 with a new incoming government. It started in around 2005 or 2006.

It was effectively in two parts. One was a national identity registry, which was going to contain 140-something pieces of personal information, both biographics and biometrics. The idea was that citizens would have to enrol by providing their fingerprints, iris scans, and photos and things.

The card was going to be the physical manifestation of that register. Effectively, U.K. citizens would carry it around, and if they were challenged, the card could be checked. It could also talk to the central register and, if need be, bring back fingerprints and things, which would enable a law enforcement officer or whomever appropriate to validate that the individual in front of them was the same person who'd originally had the card issued to them.

9:25 a.m.

Liberal

Frank Baylis Liberal Pierrefonds—Dollard, QC

If that had not been terminated, it could have been the core identity for moving toward a digital economy. Why was it terminated?

9:25 a.m.

Technologist and Government Advisor, As an Individual

Dr. Jerry Fishenden

There were a variety of reasons. Some of them were around civil liberties. It was seen as a single database register of every single U.K. citizen, which is alien to U.K. culture, apart from during the Second World War when people had identity cards, which finished sometime soon after the war.

There were also technical issues with the design, partly reflected in the recent discussion about whether you build one big database into which you'd put all this quite sensitive data and then run the risk of it being breached. That would cause a bigger problem.

9:25 a.m.

Liberal

Frank Baylis Liberal Pierrefonds—Dollard, QC

That approach is somewhat different from, say, the Estonian approach, where they said they would give you an 11-digit number. That number, through what they call this “exit data”, can go and fish out this piece of information from this database, or it can go over there and fish it out, but it's not all tied to it. The people who have one pocket of data over there can't themselves go and look in other parts of the government to get that data. You're saying one approach that got people nervous was this one card, and putting everything onto it together. That approach actually made civil liberties people very uneasy. I could understand that. Is that right?

9:25 a.m.

Technologist and Government Advisor, As an Individual

Dr. Jerry Fishenden

Yes, exactly. It made the fundamental error of assuming that having a single identity number for everything would be a good thing in a highly computerized age, whereas the Estonian model, which is based around a unique ID but keeps your data segmented, if you like, logically where it makes sense to do so on the state's behalf—so maybe health, taxation, welfare, education and other pockets—means that citizens still feel that they're in control of their identity rather than the state being in control.

9:25 a.m.

Liberal

Frank Baylis Liberal Pierrefonds—Dollard, QC

We have in Canada something called a SIN number, a social insurance number, which is a nine-digit unique identifier. Every citizen has one, but it is primarily used for Revenue Canada, our taxation net. Is there such a number that exists in the United Kingdom that every citizen has?

9:25 a.m.

Technologist and Government Advisor, As an Individual

Dr. Jerry Fishenden

We have multiple numbers. We have a national insurance number, which is issued by the Department for Work and Pensions, which is used by them primarily. We have unique tax reference numbers used by the taxation department, Her Majesty's Revenue and Customs. We have NHS, National Health Service numbers, and most other departments do have their own unique identifiers for people.

Going back to my original comment, that needn't necessarily be a problem, because there is no reason you couldn't have a number, as in Estonia, that potentially is a super-set of those to enable me to prove who I am to each of those different indexing systems, if you like, but without necessarily their being able to see across my proper identity file.

9:25 a.m.

Liberal

Frank Baylis Liberal Pierrefonds—Dollard, QC

Yes, to your point, we also each have our own medical identity number. The challenge we have is that this is provincial. It's a different jurisdiction, but on the federal level—and we are the federal government talking to you right now—we have that SIN number, which is nine digits. Are any of these, the national insurance, the unique tax reference...? I'm asking a technical question about how big are those numbers. Are they alphanumerics? They're all unique identifiers. Is that fair to say?

9:25 a.m.

Technologist and Government Advisor, As an Individual

Dr. Jerry Fishenden

Yes, most of them are an alphanumeric mix. The NHS number might be purely numeric, but the others are an alphanumeric mix. I'm trying to think. My national insurance number is 10 digits altogether. It's a grouping of five two-digit—

March 27th, 2018 / 9:25 a.m.

Liberal

Frank Baylis Liberal Pierrefonds—Dollard, QC

You also mentioned that some people conceivably think of using bank confirmation. Basically the bank confirmation is just your bank account number.

I want to get your viewpoint on this from the U.K. You need a unique identifier. You need to choose some number or alphanumeric mix. That's going to be linked to it. The approach the U.K. took, which seemed too intrusive, is that everything was in one database and on that one number, and people said that it was starting to sound like an attack on their civil liberties. This was opposed to saying, in the Estonian way, “This is your number. This number can link you into any department and give you access to any data of that department, but those departments can't use that number to access your data, to go through the system.” It is unique to you, and there is a very strong concept that you own the data and you control it and you see when your data is used.

Would that have helped? I know you've had frustrations in the U.K., so maybe you can expand on that. Would that have helped? Would that be the right way to go if we're looking at doing something in Canada?

9:30 a.m.

Technologist and Government Advisor, As an Individual

Dr. Jerry Fishenden

Yes, I think that approach would potentially work in a way the U.K. one didn't. I think it also tackles the other issue of how to find the data about me in different silos and link it back to an identity. You issue the identity. I could turn up somewhere and prove who I am, using a passport or maybe facial recognition and things, but that still doesn't prove I own my national insurance record or my health record.

The ideal way to do this would be that the next time I see my doctor or a consultant, I can prove who I am to them and then have that linked back to that proven identity. Within a short space of time, I could have both my controlled identity, if you like, and by my actions and trusted relationship with the people who issue the other numbers, I could prove that I am the person to whom those other pieces of data relate.

We end up in a place where we need to be if we're going to enable better citizen access and control over their own data, which is both the trusted identity and the linkage between that identity and these potentially sensitive data records.

9:30 a.m.

Conservative

The Chair Conservative Bob Zimmer

Thank you, Mr. Baylis.

Next up, for five minutes, is Mr. Aboultaif. Welcome.

9:30 a.m.

Conservative

Ziad Aboultaif Conservative Edmonton Manning, AB

Thank you.

Good afternoon.

Estonia has been mentioned in many places. None of the G20 or G7 countries, supposedly, have a system or an example that we can look at. My understanding is that the witness from Estonia appeared before committee here and mentioned that in their experience they've never had an example of a breach.

Is it reasonable, in your opinion, to believe that they've never had a breach? Otherwise, they could have been hacked and they didn't know it. Can you comment on that?

9:30 a.m.

Technologist and Government Advisor, As an Individual

Dr. Jerry Fishenden

That's a very difficult question. It's the nature of computer security and systems that you only discover years later you were breached.

Based on the calibre of the people I've met and what I know of their system, they have as good a series of protections as you could possibly have on any computer system to protect what they're doing. As to whether it could turn out at some point that there's been some malicious piece of code or some compromise running somewhere in there, it's almost impossible to say.

I think they're very savvy, very aware in monitoring their own environments and looking for patterns of strange behaviour that lie outside the norms. This is a pattern we're beginning to see elsewhere, with both the online banks and insurance companies in the U.K., but also with our taxation departments.

Even when I'm logged in to my tax account, despite the fact they've accepted proof of who I am by my logging in, they are running behavioural analytics in the background to see how I behave when I'm on their website. For 15 years I've been logging in and using my tax account. They probably have a pattern of behaviour they expect to see from me. If they see something different going on, that can automatically raise flags that perhaps somebody has hacked into my account, and they can close down access.

9:30 a.m.

Conservative

Ziad Aboultaif Conservative Edmonton Manning, AB

The most successful example right now is Estonia. How long have they been using this system? Do you have any idea?

9:35 a.m.

Technologist and Government Advisor, As an Individual

Dr. Jerry Fishenden

They first started building it back in the early 2000s, I think. I'm not sure when it reached maturity. I believe they have continued to enhance it. They added some of the secure SIMs in the mobile phones more recently, so it has been an evolving program.

You're probably best to direct this back to them for specific facts.

9:35 a.m.

Conservative

Ziad Aboultaif Conservative Edmonton Manning, AB

The risk that any government can take in trying to implement something like this is to do a complete revolution in the way things are done. Then to try to embed everything in one area is heaven for hackers, in a way, who can get all the information they need from one place. The moment they break into the system, everything is beyond cost or beyond any economic measure that you can ever put there.

From your information—I read your opening statement, and I listened to it—are there any concrete examples to indicate that the proposed system is superior to what we or other countries use at the moment? Is there any evidence that going that route is better, rather than staying with the current system?