Mr. Speaker, I am pleased to speak at second reading of Bill C-27 , An Act to amend the Criminal Code (identity theft and related misconduct).
I believe it is important to debate this matter. With the development of new technologies, we are all confronted, at one point or another, with a situation where we have to identify ourselves by using personal information. For example, we use PINs when doing our banking at an ATM. Just imagine the amount of personal data and the number of financial transactions circulating on the Internet every day. Do we know how businesses and governments manage their immense data bases that contain our personal information? These issues affect everyone, without exception. Our personal information is recorded, catalogued and stored somewhere.
Attempted identity theft is a common occurrence. A thief could find a useful document in your mail. He could use it to pass for you and commit crimes in your name. Scam artists steal names, addresses, and birth dates that they use to apply for loans and credit cards or to open bank accounts in your name. Imagine the damage they could do using your name, not to mention the serious consequences for your reputation and self esteem.
That is why identity theft is a security issue that cannot be ignored. This type of fraud will only grow with the passing of time. Those watching us surely know someone who has been a victim of identity theft. It has disastrous consequences for the victim. It can even lead to misunderstandings with the law because fraudsters can commit crimes and use the identity of their victims. How does an individual whose identity has been stolen prove to the police or government organizations that they were not the one who committed the crime of which they are accused? It is an almost impossible task.
Bill C-27 would curb identify theft by cracking down on the unauthorized collection and use of personal information for illegal purposes. This includes the possession of several private identifiers, such as a name, address, social insurance number, or any personal number that could be used to obtain a service. Bill C-27 would create three new offences that could be punishable by a maximum of five years in prison.
The first offence deals with obtaining and possessing identity information to commit a crime. The second deals with trafficking this personal information and targets individuals who sell or deliberately hand over this information to a third party, knowing that it could be used illegally. The third deals with individuals possessing or trafficking another person's government-issued identity documents.
I remind members that thieves obtain personal information in different ways. Some use direct means, such as highly sophisticated phishing techniques. The RCMP says that criminals also use e-mails or websites that look official, but falsely represent legitimate businesses, financial institutions and government agencies. The goal is to obtain sensitive, personal financial information by phishing the person who receives the e-mail. The public must constantly be vigilant against this type of fraud. This is why people must always be careful when giving out their personal information. They should also find out how their information will be used, why it is being collected, who will view the information and how the information will be protected.
Getting back to Bill C-27, it makes several changes to the Criminal Code in order to curb identity theft. It also creates offences for redirecting mail, the possession of a counterfeit mail key, the possession of instruments for copying credit card data, and the possession of or trafficking in counterfeit documents. In addition, Bill C-27 clarifies the meaning of “personating a person” and renames the offence of “personation” to “identity theft”. It gives the courts a new power to order that, as part of the sentence, the offender make restitution to a victim of identity theft or identity fraud for the expenses associated with rehabilitating their identity.
Finally, the only people exempted are those who make false documents for covert government operations or who allow public officers to create and use covert identities in the exercise of their duties—meaning here law enforcement personnel.
Bill C-27 is intended to keep up with today’s realities because in the near future the identity theft problem is only going to get worse. It is imperative, therefore, to update the Criminal Code and adapt it to current realities as well as possible. According to the Department of Public Safety, identity theft has become one of the fastest growing kinds of crime in Canada and the United States.
I should emphasize, though, that we should be concerned not just about the increase in this kind of crime but also about the costs that we collectively incur as a direct result of this illicit activity.
The Canadian Council of Better Business Bureaus estimated that in 2002 alone, consumers, banks, credit card companies, stores and other businesses lost $2.5 billion as a result of identity theft. According to the RCMP, the total losses due just to credit card fraud in 2003 amounted to $200 million. The complaints filed with the Phone Busters program of the RCMP and the Competition Bureau provide a good example of the social cost of identity theft. Just in 2006, more than $16 million were stolen from Canadians by fraudsters. Phone Busters estimates, though, that this is still just a small percentage of the real losses due to fraud, perhaps about 5%.
Considering individual human beings, we must remember that victims of identity theft are often left with a compromised credit rating and a messy personal and financial situation. Everyone is affected, without exception.
I remember an Ipsos Reid poll in 2006 according to which one-quarter of Canadians or about 5.7 million people said that they had been victimized by identity theft or knew someone who had been. These figures are very telling and clearly demonstrate the need to update the Criminal Code.
However, we are faced with a fundamental problem: Criminal Code offences were defined at the time with the traditional notion of property. The big problem with identity theft is that personal information is not considered property. To apply the provisions of the Criminal Code, there needs to be a direct causal link with an economic loss or serious harm.
Unfortunately, it is very difficult to prove that a crime has been committed in the case of identity theft. Although some 40 provisions of the Criminal Code can apply to identity theft, the fact remains that the simple possession and collection of personal information does not constitute a crime. In this case, the Criminal Code becomes a cumbersome tool for fighting identity theft. Its evidence rules are quite strict as well.
On May 8, 2007, the Privacy Commissioner of Canada, Jennifer Stoddart, summed up the legal problem with identity theft quite well at the Standing Committee on Access to Information. She said:
I don't think it's just an issue of the Criminal Code. As you know, our law administrators hesitate to use the Criminal Code: the standards of proof are higher, and the charter may apply, and so very often you have to have a fairly clear-cut case to use the Criminal Code.
Bill C-27 is obviously a step in the right direction to updating the Criminal Code, but I want to reiterate that part of solution would definitely come from concerted action involving the different levels of government, private organizations and the public. Other measures will have to be implemented to effectively fight identity theft, since this is a broad issue that goes beyond the government's capabilities.
For example, the Privacy Commissioner suggested using civil sanctions instead of the Criminal Code for two main reasons: proof is easier to establish, and the procedures are easier for the public to understand.
Appropriately, the commissioner gave the example of small claims court, which could offer easily accessible ways to discourage the growing industry of identity theft.
However, the idea presupposes that the federal government will work closely with the provinces, because much of what is happening in the area of identity theft comes under provincial jurisdiction. I would remind this House that a number of solutions to the problem of identity theft are in the provinces' hands, because they have constitutional authority over property and civil rights, specifically under section 92, subsection 13, on property.
However, this minority government still has a long way to go in this area. True to form, this government, which should be working with the provinces to combat identity theft, preferred to make a few changes to the Criminal Code that do little to address the problem. Before giving the provinces new responsibilities for enforcing the Criminal Code, did the government make sure they had the resources to enforce the new provisions on identity theft?
The government should try leading by example when it comes to protecting and managing personal information. The federal government is proposing to penalize people who make fraudulent use of identity documents such as social insurance cards. Yet in June 2006, we learned that the Auditor General estimated there were 2.9 million more social insurance numbers in circulation than the estimated number of Canadians aged 30 and over. It makes you wonder.
What is more, in September 2003, six computers were stolen from the Laval offices of the Canada Customs and Revenue Agency, including a laptop containing personal information on 120,000 taxpayers and 600 federal taxation employees. I am dismayed by the government's behaviour, which tells me that a number of practices need to be reviewed.
Several federal departments and agencies are interested in identity theft, but these efforts do not seem to have produced a concerted strategy for dealing with this enormous problem. Nonetheless, identity theft is an issue that the federal government cannot tackle on its own, but this should not stop the federal government from developing a more focused strategy for channeling its efforts.
It would also be worth having better definitions of the concepts that identity theft involves. Although the subject has received a great deal of attention from the media, academics, enforcement agencies and government, there is still debate over the definition of identity theft. The term is used to include everything from simple cases of fraud when someone forges a cheque or uses a stolen credit card to purchase goods to very sophisticated cases of “synthetic identity theft” where the impostor creates a new identity using a combination of actual information and fabricated personal information.
Similarly, we do not have a clear idea of the sources of the personal information being used. Some studies have suggested that much of the information comes from within organizations; other studies claim that identity theft is usually perpetrated by people who are known to the victims. Media stories about large scale data breaches in which laptops have been lost or hackers have been able to gain access to credit card information have become commonplace, but we do not have a clear picture of how often these data breaches result in identity theft.
I would nonetheless point out that Canada has privacy legislation that places limits on the collection, use and disclosure of personal information by the private sector. It requires organizations to protect the information they collect. There are several provisions in the Personal Information Protection and Electronic Documents Act (PIPEDA) which, if the organizations covered by the Act respect those provisions, can significantly reduce the risk of identity theft.
That Act also imposes limits on how long organizations engaged in commercial activities should retain personal information. By getting rid of information they no longer need, organizations reduce the risk of identity theft. But the destruction process must involve more than throwing paper records or hard drives into the nearest dumpster, as we have seen happen.
I would conclude by saying that the Bloc Québécois will support Bill C-27 on second reading so that it can be sent to committee. Nonetheless, I, like my colleagues, strongly believe that merely amending the Criminal Code will not be sufficient to solve the identity theft problem.
Other measures will have to be developed by the various governments to combat this problem. One that we are proposing is that the public be educated in order to reduce victimization. Educating people about how to protect themselves against identity thieves is another key element to fighting this kind of fraud. As well, strengthening the regulations to provide more stringent oversight of how personal information is managed by businesses can only be a good thing.
As a final point, measures to promote greater uniformity and security in the process of issuing and verifying identification documents seem to be essential.