Mr. Speaker, before I get started on my remarks, I would like to say hello to my mother, 87 years old, who has been ailing of late and is doing much better. They say behind that every successful man there is a surprised mother-in-law, but behind my mother there are 10 children, 60 grandchildren and 70 great-grandchildren, and we are all glad that she is still with us.
I am pleased to speak to Bill C-299. This bill was introduced by the hon. member for Edmonton—Leduc. It was supported at second reading and referred to the Standing Committee on Justice and Human Rights.
In February, the committee heard from the sponsor. During clause by clause consideration, the committee also heard from witnesses from the Department of Justice. Those discussions were very fruitful.
The objective of Bill C-299 is oriented toward a particular problem, specifically the practice which is commonly known as pretexting. Pretexting is the act of getting people to reveal personal information by various kinds of deception.
In this case, the sponsor of the bill was particularly interested in the obtaining of information about people by deception of other parties. The bill was focused on deception generally and also specifically on deception that takes the form of impersonating another person.
For example, there are many reported instances of people calling a telephone company and pretending to be a subscriber. The caller then asks for the subscriber's phone records. The telephone company, believing the caller to be an actual subscriber, releases the records. The caller then obtains the records, which reveal a significant amount of information about the subscriber.
This kind of practice can be a flagrant violation of privacy. It is also a tool used by identity thieves to obtain identity information that can be used to impersonate the subscriber in a range of different contexts.
In its original form, the bill amended the Criminal Code, the Competition Act and the Canada Evidence Act. It created new offences and other measures designed to address this form of pretexting conduct.
The justice committee of the House heard that there were some concerns with the bill as it was originally drafted. One set of concerns related to the offences that were proposed for enactment in the Criminal Code. For instance, as originally drafted, Bill C-299 would have created offences that criminalize the very act of obtaining personal information by deception of some kind, without anything more.
I mentioned previously that this kind of act can be a privacy intrusion or it can be the first step to an identity theft enterprise, but there are also legitimate circumstances in which deception is used.
For instance, deception is a legitimate investigative technique used by police. Undercover police are constantly deceiving the targets of their investigation as to their true identity, all with a view to obtaining evidence against those targets. Outside of the undercover context, the police can also use deception when they interview suspects.
There are many other legitimate circumstances in which people use deception to obtain information. Investigative journalists likely employ such techniques when they are tracking down a story. Although it may be distasteful to think about, it is probably also the case that parents, friends and spouses sometimes tell each other lies in order to uncover information.
Simply put, lying is not sufficient to amount to a crime. All of this is to say that the original wording of the offences proposed in Bill C-299 was too broad. It captured too many circumstances by also criminalizing deception that is undertaken for legitimate or non-harmful purposes.
I believe the hon. member for Edmonton—Leduc was in agreement with this assessment. As a result, the committee, with the sponsor's approval, amended those proposed criminal offences by adding an additional component.
Simply put, the additional requirement is an intent to use the information obtained to impersonate the person or to defraud someone. In the criminal law context, people obtain other people's information in order to use it to impersonate them. This is what is commonly referred to as identity theft.
Using another person's information like a key, the identity thief can then access their financial or bank accounts, sell their property, make purchases on their credit card, and so on.
While the acts of impersonating and defrauding someone are already criminal offences, the act of obtaining the necessary identifying information is not a crime, even where that is done for the sole purpose of using the information to commit an offence.
Following this logic, the committee adopted the offences that were proposed in Bill C-299 by adding a criminal intention to use the information to impersonate or to defraud someone. The result is an offence that criminalizes the deception as a tool of identity theft. At the same time, the offence would not criminalize lying in other contexts where there is no intention to later use the information to commit another crime. This makes sense.
By criminalizing for the first time one technique that is frequently used by identity thieves, Bill C-299, as amended by the committee, is a significant step forward for our criminal law and should be applauded.
However, the committee acknowledged that the offences, even as they were amended, did not completely address the problem of identity theft.
There are other tactics that identity thieves use to collect valuable information, such as rifling through garbage, hacking into computer databases, and watching over a person's shoulder as they use their cards. These methods do not rely on deception. As a result, Bill C-299 does not make these acts criminal. The committee recognized that Bill C-299 does not comprehensively address the issue of identity theft but viewed it as a good first step, and I would certainly agree.
In this regard, I would like to take the opportunity to remind members that the Department of Justice has been working on proposals to amend the Criminal Code to deal with the full range of identity theft situations. I understand that this work is ongoing. I hope that we will see more comprehensive government legislation in this area in the future.
The committee made a number of other changes to the proposed new Criminal Code offences. For instance, it replaced the definition of personal information that was previously provided. The original definition was the same as the definition from the Personal Identification and Protection of Electronic Documents Act, known as PIPEDA. That definition is “information about an identifiable individual”. This definition is suitable for a statute such as PIPEDA, which is designed to protect the privacy of personal information.
However, privacy is not the primary focus of an identity theft law. Identity theft is about protecting a person's identity from being falsely used, not about protecting privacy for its own sake, although privacy protection is certainly enhanced by identity theft laws. A definition which includes any information about a person is too broad for an identity theft offence because a lot of information that is about people is not useful for impersonating them. For instance, the initial definition would have included information like shopping preferences, a person's religion or height, and an infinite amount of other information. None of these types of information are relevant to identity theft.
The type of information that is pertinent to an identity theft law is information that is capable of identifying a person. This is a much narrower case of information than information that is about a person. For this reason, and again with the consent of the sponsor, the committee replaced the definition originally in the bill with a definition more suitable to the context.
Another change the committee made to the proposed Criminal Code offences was to expand the scope of the offences so they would cover not just the use of deception to get information from third parties, such as a telephone company, but so it captured the use of deception to get information from any person. This change means the use of deception to get a person to reveal identifying information about themselves would also be an offence. This makes good sense. We know that identity thieves do in fact get information directly from the people they intend to impersonate.
Phishing attacks are a good example. A phishing attack is an unsolicited email which falsely appears to be from a legitimate banking or other type of institution. It asks the recipient to provide valuable identifying or financial information, which the identity thieves then use. Phishing scams do not deceive third parties into revealing information; they deceive the victims directly. Bill C-299 has been reported back to the House in a form that would now capture this behaviour.
There were other elements of the original bill. There was a proposal to amend the Canada Evidence Act and proposals to amend the Competition Act.
With the agreement of the hon. member who introduced the legislation, the proposal that would have amended the Canada Evidence Act was deleted from the bill. Those proposals that pertained to the Competition Act were also deleted. It was suggested that the issues raised by those proposals would be raised with the Standing Committee on Access to Information, Privacy and Ethics for consideration as part of its legislative review of the PIPEDA legislation.
I thank the members of the committee for their detailed consideration of the bill and for their amendments to it, which I believe improve the legislation.
I again commend the hon. member who tabled Bill C-299, which represents an important first step in the battle against identity theft.