Appearances before Parliamentary Committees
Submission Presented to the Standing Committee on Access to Information, Privacy and Ethics
May 8, 2007
Introduction
I am pleased that the Standing Committee on Access to Information, Privacy, and Ethics has decided to undertake a study of identity theft.
We know that identity theft is a significant problem in Canada, but it is very challenging to settle upon the exact dimensions of the problem. It is difficult to pinpoint the number of victims of identity theft, because not everyone reports the crime, and those who do often contact different organizations.
We often talk about identity theft as a financial issue. However, it is important that we understand identity theft is more than just a problem of financial loss to individuals and organizations. Identity theft can leave individuals traumatized. Those who have their identity stolen face serious consequences. For example, the identity thief may have committed criminal acts using the identity of the true owner of that identity. How does the innocent person persuade police and other government agencies that he or she is not in fact the person who committed the offence? This can be a near-impossible task.
Identity theft also has a clear privacy dimension. While there are many ways to define privacy, a central notion is that individuals should be able to control how, when and for what purposes their personal information is used and communicated to others. Individuals whose identities have been misappropriated have lost control over their personal information—over who has access to it and how it is used. Since personal information is often the key to access a range of government and private sector services, the impact of having it misappropriated can be felt for years.
Identity theft also impacts on our privacy in a much more subjective, visceral way. Individuals who have been the victims of identity theft typically feel that their privacy has been violated.
The Committee’s mandate is far reaching. You are proposing to look at a broad range of issues including the types of and trends in identity theft, measures to increase consumer protection that could reduce or eliminate identity theft, and measures to increase public awareness of and provide better education with respect to identity theft.
Identity theft has received a great deal of attention recently and there is extensive literature on the challenge of defining identity theft, the types of identity theft and trends in identity theft. We expect you will be hearing from other witnesses such as law enforcement agencies that are in a better position than our Office to comment on these matters.
We propose to focus our comments more on the root causes of identity theft and some of the measures we think are necessary to address the problem.
There are many definitions of identity theft. The Canadian Internet Privacy and Public Interest Clinic (CIPPIC) has just published an excellent series of papers on identity theft. One of the papers, “Identity Theft: Introduction and Background,” lists several pages of possible definitions. [Footnote 1] Almost all of these definitions refer to the use or misuse of another person’s personal information.
This personal information is obtained in a variety of ways, from relatively straightforward and not necessarily illegal means such as dumpster diving, or even rummaging through garbage, to very sophisticated phishing scams. Personal information can also be obtained through:
- the theft of identification or credit cards;
- redirecting mail;
- pretexting—pretending to be someone who is authorized to obtain the information;
- hacking into computer databases;
- the use of skimming devices to capture credit and debit card information;
- shoulder surfing—looking over someone’s shoulder when they are entering a PIN or other information into a terminal;
- the improper disposal of records;
- the loss or theft of laptops or other data storage devices; and
- unscrupulous employees within organizations.
This list is by no means exhaustive, but it clearly indicates there are a large number of ways that would-be identity thieves can obtain personal information.
As you may recall, a journalist was able to obtain copies of my telephone records without my knowledge or consent through an offshore company that used pretexting. We should hardly be surprised if individuals are becoming increasingly concerned about the security of their personal information.
Identity theft is only one of the harms that can result from the misuse of personal information. Individuals can also suffer embarrassment, loss of reputation, inconvenience, financial loss, and possibly even physical harm.
Individuals are not the only ones affected when third parties gain unlawful access to their personal information. Companies risk losing the trust of their customers; governments risk losing the trust of their citizens, and when this happens we all suffer.
Because there are so many ways to obtain personal information, one has to look at a variety of ways to combat identity theft.
Better Information
First of all, we need better information about identity theft. Although the subject has received a great deal of attention from the media, academics, enforcement agencies and government, there is still debate over the definition of identity theft. The term is used to include everything from simple cases of fraud when someone forges a cheque or uses a stolen credit card to purchase goods to very sophisticated cases of “synthetic identity theft” where the impostor creates a new identity using a combination of actual information and fabricated personal information. For instance, the impostor may use a real Social Insurance Number (SIN) with a fake name and address.
These definitional issues have raised questions about the reliability of the statistics we have about the incidence of identity theft.
PhoneBusters, a Canadian anti-fraud call centre operated jointly by the Ontario Provincial Police (OPP), the Royal Canadian Mounted Police (RCMP) and other agencies, provides statistics on identity theft dating back to 2002. It is to be commended for its work and these statistics provide a useful indicator of trends.
PhoneBusters received calls from some 7,800 identity theft victims reporting losses to themselves and to businesses totalling more than $16 million in 2. However, PhoneBusters acknowledges those statistics do not capture the whole picture. It estimates the numbers represent only a small percentage, perhaps five per cent, of the actual figures.
Much of the information on identity theft is self-reported either through public opinion surveys [Footnote 2] or reports to the police, but many studies of identity theft note that people sometimes do not bother reporting incidents of identity theft.
We do not have a clear idea of the sources of the personal information being used. Some studies have suggested that much of the information comes from within organizations; other studies claim that identity theft is usually perpetrated by people—friends, family members and co-workers—who are known to the victims. [Footnote 3] Media stories about large scale data breaches in which laptops have been lost or hackers have been able to gain access to credit card information have become commonplace, but we do not have a clear picture of how often these data breaches result in identity theft.
Need for a Strong Central Focus
One reason for the lack of good information about identity theft is the lack of a centre of responsibility. Everyone is interested in identity theft, but no one is responsible for doing anything about it.
In May of 2, President Bush signed an Executive Order creating an "Identity Theft Task Force" to marshal the resources of the Federal government to fight identity theft. The Task Force is chaired by Alberto R. Gonzales, the Attorney General, and co-chaired by Deborah Platt Majoras, the Chair of the Federal Trade Commission (FTC). The Task Force has just released a report, “Combating Identity Theft: A Strategic Plan,” containing 31 recommendations. The FTC has previously created the “Identity Theft Data Clearinghouse” to serve as a resource for consumers and law enforcement agencies. The United States also has legislation, The Identity Theft and Assumption Deterrence Act, enacted in 1998, that criminalizes the unauthorized use of another person's identity for a felonious purpose, and provides for penalties of up to fifteen years' imprisonment and a maximum fine of US$250,000.
Several federal departments and agencies are interested in identity theft, but these efforts do not seem to have produced a concerted strategy for dealing with the problem. In addition to the initiatives mentioned elsewhere in our submission, we are also aware of the work that has been done by the Consumer Measures Committee (CMC), a federal/provincial/territorial forum that issued a consultation document in mid-2005, “Working Together to Prevent Identity Theft.”
As the CMC initiative suggests, identity theft may be a problem that the federal government cannot tackle entirely on its own, but this should not stop the federal government from developing a more focused strategy for channeling its efforts.
Privacy Legislation
In one respect, Canada is perhaps ahead of the United States in that we have privacy legislation that places limits on the collection, use and disclosure of personal information by the private sector and requires organizations to protect the information they collect.
There are several provisions in the Personal Information Protection and Electronic Documents Act (PIPEDA) which, if the organizations covered by the Act respect those provisions, can significantly reduce the risk of identity theft.
It is a well-known concept, but one worth repeating: criminals cannot steal from you what you do not have. If an organization limits its collection of personal information to what is necessary for the purposes at hand, this reduces the risk of harm if the database is compromised by criminals. By complying with the requirement to collect only the information they need, organizations can reduce their attractiveness to identity thieves. For example, businesses should generally avoid collecting Social Insurance Numbers unless it is required by law.
PIPEDA requires organizations engaged in commercial activities to adopt security safeguards appropriate to the sensitivity of the information they hold. Information that could be used to facilitate identity theft surely qualifies as sensitive information warranting particular attention, especially given the sometimes grave consequences that can flow from identity theft. Unfortunately, as we are discovering, organizations do not always meet this requirement. Our Office is currently investigating the Talvest/CIBC and the TJX (Winners and HomeSense) incidents—the latter with the Alberta Information and Privacy Commissioner.
We are pleased that, as part of the five year review of PIPEDA, this Committee has recommended that PIPEDA be amended to impose a breach notification obligation on organizations when they experience a data breach. Our Office looks forward to working with Industry Canada to develop an appropriate way to implement this recommendation. As an interim measure, we are currently working on guidelines on breach notification that will provide guidance to organizations until PIPEDA is amended.
Requiring organizations to notify individuals when their personal information has been compromised will serve at least two purposes: it will provide an incentive for organizations to take security more seriously; and it will give individuals the information they need to take measures to protect themselves against identity theft or other forms of fraud.
PIPEDA also imposes limits on how long organizations engaged in commercial activities should retain personal information. The message here is clear. Information, even if collected with the consent of the individual, is not to be stored in perpetuity by organizations. By getting rid of information they no longer need, organizations reduce the risk of identity theft. Needless to say, the destruction process must involve more than throwing paper records or hard drives into the nearest dumpster.
In short, the risk of identity theft in the private sector would be significantly reduced if organizations engaged in commercial activities simply followed the dictates of PIPEDA and used common sense when dealing with personal information.
Privacy legislation is important, but it is only one part of the solution. PIPEDA applies to organizations engaged in commercial activities, but it does not apply to individuals. Stronger legal sanctions may be a more appropriate way to deal with those who engage in identity theft.
Stronger Sanctions
Identity theft is clearly an important law and order issue. Increasingly, individual criminals and criminal organizations are relying on technology and the weakness of existing systems in organizations for protecting personal information to extract huge sums of money; it is much cleaner than a bank holdup, much less physically risky, and likely much more profitable. And it can be done from anywhere in the world.
In October 2004, Justice Canada issued an “Identity Theft Consultation Document.” The purpose of the document was to solicit views on whether there is a need to create specific Criminal Code offences to deal with the various activities related to identity theft. Justice issued another consultation document in June 2, “Identity Theft: Consultations on Proposal to Amend the Criminal Code.”
The Justice Consultation documents suggest that identity theft should be viewed as a two-step process:
- the first step involves the unauthorized collection of personal information. As discussed above, this can occur in many different ways: by theft, fraud or deception. The information can be used immediately, stored for later use or sold for use by someone else.
- the second step involves the fraudulent use of that personal information, typically for economic gain, often at the expense of the individual to whom the information belongs.
Our understanding is that the first step—the obtaining of the personal information—is not necessarily an offence. The second step—the fraudulent use of the information—may be an offence in certain circumstances. Section 403 of the Criminal Code contains provisions dealing with fraudulent personation with the intent of gaining an advantage, causing a disadvantage or obtaining property or an interest in any property. Subsection 403(a) has been described as “undeniably broad” [Footnote 4] and it has been used for a number of prosecutions. However, it does not seem to have been used widely to deal with identity theft and similar frauds, perhaps because of the inherent difficulty in demonstrating intent.
We would strongly urge the Minister of Justice to move forward with amendments to the Criminal Code to strengthen section 403 or introduce new measures to more effectively punish those who engage in identity theft.
Pretexting and the Obtaining of Personal Information
One of the ways in which individuals can obtain personal information about others is through “pretexting.” Pretexting is a form of social engineering in which an individual, armed with some information about a person, is able to obtain additional information about the person from an organization. This is typically accomplished by pretending to be the person whose information is being sought, by pretending to be a relative or agent of the person, or by pretending to be an employee or someone authorized to obtain the information. Pretexting is sometimes used to obtain the personal information, such as telephone records, of a specific individual, but it can also be used on a much larger scale.
In early 2005 it became known that a group of “well-organized criminals” posing as legitimate businesses was able to trick the American company ChoicePoint into providing personal information on more than 150,000 consumers. ChoicePoint is a large national provider of identification and credential verification services. Following an investigation by the Federal Trade Commission, ChoicePoint agreed to pay $10 million in civil penalties and contribute $5 million to a fund to reimburse consumers for expenses resulting from identity theft caused by ChoicePoint’s security breach.
One of the ways in which organizations can protect themselves from pretexting is using appropriate authentication procedures to ensure that individuals requesting information are who they claim to be. My Office has developed guidelines that provide advice on authentication procedures. [Footnote 5]
Pretexting as such is not an offence in Canada—it only becomes an offence if it can be established that the person did so for fraudulent purposes. Mr. Rajotte, your colleague from Edmonton, attempted to fill this gap with his private member’s bill, C-299, An Act to Amend the Criminal Code, the Canada Evidence Act and the Competition Act (personal information obtained by fraud). [Footnote 6] Mr. Rajotte should be congratulated for bringing this issue before Parliament. As originally drafted, it addressed a very important and growing problem—obtaining personal information from a third party by means of a false pretence or fraud.
As you may be aware, changes were proposed to the bill in Committee to address a number of concerns including the view that criminalizing pretexting may not be appropriate. We are not experts on the Criminal Code so I am not in a position to comment on the merit of these concerns. My mandate is the protection of personal information and I am pleased that this bill has raised some fundamental questions about the most appropriate way to further this objective. Since C-299 no longer deals with pretexting, I would urge the Minister of Justice and his Cabinet colleagues to explore other means to address the problem.
On-line Threats
Measures are needed to halt the dramatic proliferation of spam—an invasion of privacy because it involves the collection and use of personal information, specifically e-mail addresses, without consent. Spam is proving difficult to deal with effectively—a fact made plain by the growing volume of spam reaching individual mailboxes. The international non-profit group Spamhaus lists Canada as No. 6 in the top ten worst countries for originating spam. Much more than a mere nuisance, spam has financial consequences for our economy, affects productivity and undermines confidence in electronic commerce. It is often used by ID thieves to launch "phishing" attacks, where e-mails that look like they come from legitimate organizations are used to trick people into revealing personal information.
To date, however, the federal government has not implemented any of the recommendations of its Task Force on Spam. Canada is now the only G-8 country without anti-spam legislation, which may make Canada even more attractive to spammers. I have written the Minister of Industry urging him to adopt measures to fight spam.
Updating the Privacy Act
We have previously drawn this Committee’s attention to our 2006 proposals for much-needed amendments to the Privacy Act. Although much of the focus on identity theft is on the use of private sector information, it is also important to protect information held by government institutions. We have recommended that the Privacy Act be amended to require government institutions to appropriately safeguard the personal information they collect, use or disclose. We have also called for the Act to promote better accountability and stronger systems development, both of which would help eliminate the conditions that facilitate identity theft.
Public Education
Educating people about how to protect themselves against identity thieves is another key element to fighting this kind of fraud. We can remind people about the importance of protecting wallets, credit card numbers, passports and other important evidence of their identity. We can teach them how to protect their identity on the Internet. We likely cannot prevent people from being careless with their identities in every circumstance. They may end up learning the hard way.
My Office has undertaken a number of public education initiatives in this area. We have produced a series of fact sheets dealing with identity theft—for example, an identity theft checklist, a guide for businesses and an identity theft primer. We have also funded research on identity theft. [Footnote 7] As you can well understand in light of recent well-publicized losses of personal information, I also frequently mention identity theft issues in my speeches as I travel the country.
Conclusion
Identity theft is a complex problem. There is no simple or single solution to identity theft, in part because it has so many root causes. Much of the onus lies with the organizations. Organizations need to do a better job of protecting personal information and training their employees. Retaining information after it is needed simply exposes more people to more risks. Individuals also have a role to play in protecting their personal information, for example, by providing only the minimum amount of personal information necessary to organizations and shredding documents containing sensitive data such as credit card numbers.
Organizations and individuals can only do so much. Government has an important leadership role to play by developing a strategy to fight identity theft, by coordinating the efforts of different stakeholders and by creating a legal framework that gives law enforcement agencies the tools they need to fight identity theft and gives individuals the ability to seek redress when they are harmed. One way that government can show leadership is by creating a federal-provincial task force.