Great. Thanks again for inviting us.
I want to talk about technology, so I've surrounded myself with some technology. I have some slides to illustrate some of the concepts as we go along.
First, I want to make it clear that I love technology. I live it and work with it all the time, but my job is to understand both the strengths and weaknesses of technology—and that's what I want to talk to you about today—and to understand what technology can do and what it can't do, with a particular focus on biometrics today.
When talking about immigration and immigration safety, the key issue is identity. Who is this person entering our country? What have they done in the past, and are they admissible? Is this person who's now at my border the same person I gave a visa to perhaps months before in some foreign mission? Did that other visitor leave the country when they said they would?
Establishing identity is hard, and it's particularly hard when some people try to deceive. Technology has an important role in establishing identity and addressing this hard problem, but technology is not a panacea. An increasing reliance on technology often implies increasing privacy risks, and that leaves us concerned.
We have a profound ability now to collect vast amounts of information. For identity programs, such as immigration, this means developing large databases that contain sensitive, valuable personal information. Large databases have proven to be very powerful, but also to be a source of serious privacy risks, including security breaches, misuse of information, function creep, and data errors. Unfortunately, our ability to develop or purchase technology is often ahead of our policies, our procedures, and our ability to manage these systems.
Let's turn to biometrics. Biometrics involves measuring characteristics of the body, either physical or behavioural, in order to aid identification and verification of people. Some popular characteristics that are used in biometric systems are the face, the eye, the fingerprint, and so on.
Biometrics are a powerful tool to help solve the identity problem, but if you allow me to quote from two great philosophers, Voltaire, and Stan Lee, the creator of Spider-Man, with great power comes great responsibility.
The way biometric systems work is to compare two samples; one sample that was collected usually earlier in time, at a time of enrollment, and a second sample that's then compared against the enrollment sample when a service is being used. Biometrics are only useful when you have two viable samples to compare against each other. The value of a biometrics system is completely dependent on the integrity of that enrollment process, the time you create the first sample.
If an enrollment procedure is weak, perhaps relying on weak foundation documents that you can't trust, then they don't really help to solve the identity problem. You still need good biographical information, and you still need good intelligence about people, their history, and their intent. Using biometrics with a weak enrollment system would increase the security and privacy risks without providing any real benefits.
When considering biometrics, it is important to distinguish between identification and verification. Identification refers to the task of finding out who someone is out of the entire population of who they might be, and this often involves large databases, perhaps involving millions of records to be compared against. Verification, on the other hand, is a much simpler task of figuring out if this is the one person that this person claims to be. Verification involves comparing two biometric samples instead of millions. Verification is an easier task than identification, and it does not necessarily have to have large databases.
It's also important to realize that biometric systems are not perfect. There can be failures. There can be failures to capture samples, for example, which might be caused by bad lighting for a photographic system or worn fingerprints. There can be false matches and false non-matches.
The total failure rate of a biometric system is also related to its scale, that is, the number of people in a database that you're comparing it against. As databases grow and more and more databases are searched, the chances of making wrong decisions increase.
Let's turn to the temporary resident visa program, which is a program that I know you've been considering. CIC will be introducing biometrics into this program, collecting both fingerprints and face photos.
The real value of the program comes in verification, in verifying the applicant when they arrive at the border. The biometric sample that's collected in enrollment when the visa is granted can be compared at the border with the person who presents themselves. This is a good use of biometrics, in my opinion, but its value is limited to verifying if this one person is the person who was given the visa a while ago.
We have had extensive consultations with CIC about the temporary resident visa program. We have raised some privacy concerns about safe collection, storage, and transmission of sensitive personal information, including biometrics. We have also been discussing the role of private sector companies in the visa application process.
Another issue related to visas is the tracking of visitors while they are here in the country. Biometric samples could be used to compare a sample collected at arrival with a sample collected at departure to determine who has left and who has not. This is a difficult task. There are multiple means by which someone can enter and leave a country, and being able to compare those samples can be difficult. There will likely be privacy issues if third parties are involved in collecting the information at entrance.