Mr. Chair, members of the committee, good morning.
My colleague Robert Frelich and I are pleased to appear before the Standing Committee on Access to Information, Privacy and Ethics.
We are pleased to provide you with information that will assist you in your study on the growing problem of identity theft and its economic impact upon citizens and businesses, and the steps that businesses and law enforcement agencies are taking to protect Canadians from identity theft.
One of my duties as Assistant Deputy Minister of Integrity Services at Service Canada is to implement processes and administrative measures linked to the issuance of social insurance numbers.
As you may know, Service Canada is the service delivery arm within Employment and Social Development Canada. The department delivers over $100 billion in programs and services every year related to different programs, such as employment insurance, Canada student loans, Canada pension plan, and old age security. And the social insurance number is used by all of these programs.
But the use of the social insurance number is not limited to Employment and Social Development Canada. Many other federal departments and agencies, such as Canada Revenue Agency, RCMP, Canada Border Services Agency, and Department of Justice, use the SIN and the social insurance register, or the SIR, on a daily basis.
As the SIN is an important element to ensure that the right benefit is provided to the right person at the right time, it plays a central role in identity management.
Today I will explain how our practices in the issuance of the social insurance numbers and the administration of the social insurance register improved over the years to increase the integrity of the social insurance number program and to reduce the impact and the incidence of identity fraud.
The evolution of the SIN program can be broken down into four periods with respect to integrity measures put in place to protect the SIN.
The first period is what I call the early years, from 1964 to 1976. The SIN program began in 1964 as a register for two federal government programs: unemployment insurance, now employment insurance, and the Canada Pension Plan.
Shortly afterwards, its use was extended to the Canada Revenue Agency for tax reporting purposes. Since then, the SIN program has grown to become a unique identifier for more than 50 federal programs or services and is a staple in the lives of Canadians.
At that time, there was little integrity in the issuance of social insurance numbers. For example, employers were allowed to ask for SINs to be issued to employees, clients were not required to present identification, and if someone had lost their SIN, another number was issued and assigned to them.
The second period is from 1976 to 1996. I will qualify that period as a time of increased integrity of the paper-based processing of SIN issuance.
Starting in July 1976, the SIN program began requiring clients to provide identification documents to prove their identity, and applications for a SIN had to be made by the client. Employers could no longer request a SIN to be issued for their employees.
At the beginning, a large number of identity documents were accepted for SIN issuance, including secondary identity documents, such as a driver's licence. However, at the end of this period, almost all secondary documents were no longer accepted for SIN issuance, and SIN agents were using primary documents such as birth certificates and documents issued by Citizenship and Immigration Canada.
In the period spanning from 1996 to 2006, we began transitioning from a largely manual and paper-based approach to integrity towards system changes that would begin to automate integrity measures.
In November 1996, the first of such changes was implemented. An electronic link with Citizenship and Immigration's database was established, allowing for the verification of identity and status of permanent and temporary residents who arrived in Canada after 1972.
In 1998, the Office of the Auditor General began looking closely at the SIN program. I would like to take a few moments to share with you the various conclusions the office reached, because that period was a seminal moment in the administration of the SIN and the SIR.
In its 1998 and 2002 reports, the Auditor General's main findings were that the proof of identity procedure needed to be improved, that existing information sources had to be used more effectively, that the information in the SIN database was not always complete and accurate, and that there were more SINs in circulation than there were Canadians over the age of 20.
To address these issues, important initiatives were implemented with regard to the administration of the SIN and the SIR which had positive consequences on government efforts against identity theft and fraud. We implemented the dormant flag, introduced an expiry date for social insurance numbers issued to temporary foreign workers, and developed a proof-of-identity internal intranet reference website.
The dormant flag identifies SINs that have not been active for a period of five consecutive years or more—meaning that there was no income-related activity, such as filing taxes, or interaction with government programs during this period. Since then, someone with a dormant flag on their SIN file must provide original proof of identity to have their SIN reactivated, an original birth certificate if born in Canada, or Citizenship and Immigration Canada documents if born outside of the country.
This reactivation is done either in person at a Service Canada centre if they reside in Canada, or by mail if they reside outside of Canada. In addition, to better assist agents in detecting potential identity fraud and theft, the SIN proof-of-identity internal Intranet reference website was developed in 2003. Through this website, agents responsible for the issuance of SINs have access to detailed information on what to look for in identity documents to ensure their authenticity.
Building on the recommendations to make better use of different sources of information, the department signed agreements with all 10 provinces, beginning with Ontario in 2005, to develop electronic links between provincial vital statistics agencies and the Social Insurance Register. Under these agreements, we are able to validate the information found on provincial birth certificates, as well as to receive death data from provinces which is matched against the SIR. This allows us to identify records of deceased individuals, preventing further payments from federal programs from being issued.
Moreover, these agreements integrate the ability for parents to apply for a SIN for their child at the same time as they register the birth with provincial authorities.
Finally, in the most recent period, since 2006, the department put in place two important features to assist the administration of the SIN: the certified training of agents and the SIN code of practice. Through our certification program, agents are specifically trained in the issuance and administration of social insurance numbers, and since 2006, only certified agents can issue SINs to clients. The SIN code of practice, which is a public document available on our Internet site, provides standards and guidance to users of the SIN—individual Canadians, employers, or other stakeholders—in understanding their responsibilities with respect to the SIN.
For instance, the code advises employers on how to handle employee information, especially social insurance numbers. It emphasizes employers' key role in detecting and preventing SIN related fraud, as illegal employment and income tax evasion are two of the main motives for this type of fraud. In the code, employers are prompted to immediately report suspected misuse of a social insurance number to Service Canada.
We began receiving birth and death data electronically from Ontario in 2006.
The first province to have validation of birth certificate information was British Columbia in 2008. Currently, there are electronic links with eight provinces, with the remaining two planned to be in place by 2016.
We are pleased to report that our work and efforts were recognized by the Office of the Auditor General in 2009 and 2011. The Auditor General recognized the measures taken by the department to address concerns of past audits, indicating that the department achieved significant improvements on the issues that have been raised.
Now, l'd like to talk about the two most recent initiatives made to the SIN program aimed at increasing its integrity: the redesign of the SIN mail channel and the termination of the SIN card. Given that SIN applications by mail represented only 4% of the 1.5 million SIN requests processed in a year, that approximately 55% of these requests were rejected due to errors in the application forms, and that the mail channel's identity management measures were not as robust as those of the in-person channel, SIN requests can no longer be made by mail, except for individuals in remote areas, or by those who have extenuating limitations, or by those who are from outside the country.
The department was also aware of integrity issues related to improper use of the SIN card. The SIN card was never intended to be an identity card as it does not contain any security features or identifying attributes. However, the convenient wallet-sized format of the SIN card led many recipients to carry it in their wallet, despite the department advising not to do so. As of yesterday, individuals no longer receive a SIN card, but instead receive their SIN in a letter. This initiative will contribute to the prevention of identity theft and fraud related to the potential loss or theft of SIN cards.
The social insurance number is central to the administration of many programs. Since 1964, we have made much progress in developing a robust social insurance number program that assists departments and governments in the administration of their benefits, while protecting clients from identity theft and fraud.
We are continually working with key stakeholders, such as other government departments, the provinces and territories, and the private sector, to identify what more can be done to reduce risks of identity fraud and theft. We are also regularly assessing our processes and policies to make them more secure and more robust, while providing a high level of services to Canadians.
We would be pleased to answer any questions you may have.
Mr. Chair and committee members, thank you for the invitation to appear before you. We are pleased to contribute to your efforts to gain a better understanding of identity theft in Canada.
My name is Lu Fernandes. I am the director general of the passport program integrity branch at Citizenship and Immigration Canada. I'm accompanied today by Peter Bulatovic, director of the investigations division of the passport program integrity branch.
With more than 5 million applications a year and approximately 23 million valid Canadian travel documents in circulation, our passport is truly one of the most recognizable symbols of Canadian citizenship around the world. We share the concern that these documents should only be issued to Canadian citizens who are entitled to hold them.
By way of background, I should note that effective July 2, 2013, the Minister of Citizenship and Immigration Canada assumed overall accountability for the Passport Program. This includes issuing, refusing to issue, revoking, withholding, recovering, and providing instructions on the use of Canadian passports. The minister is also responsible for providing guidance to missions issuing passports abroad and supervising all matters relating to Canadian travel documents.
On that date, the delivery of the domestic services under the Passport Program came under the responsibility of the Minister of Employment and Social Development Canada, while the Department of Foreign Affairs, Trade and Development continues to provide passport services to Canadians abroad.
This move to CIC places the passport issuance at the end point in the continuum of services provided by a department that facilitates access to those who wish to visit, study, work, immigrate, and ultimately become Canadian citizens. It also places the domestic delivery of these services in the hands of the government's service delivery arm, Service Canada.
As we continue to modernize the Passport Program, these changes also provide opportunities to take advantage of existing technology investments, such as the CIC Global Case Management System, and leverage the extensive network of Service Canada offices across the country.
I would now like to spend few minutes speaking about the direct responsibilities of the Passport Program.
July 1, 2013, marked the launch of our electronic passport, or ePassport, as well as the inauguration of Canadians having the choice to apply for a five-year or ten-year validity passport. The new ePassport meets the latest international norms set out by the International Civil Aviation Organization, which represents the gold standard for travel documents.
The electronic chip embedded in the ePassport adds an additional layer of security to guard against identity theft. The chip stores the information found on page 2 of the passport, including the bearer's photo, providing border control personnel with an additional tool to validate the passport holder's identity. By accessing the information on the chip and comparing it with the information on page 2 of the book, a border agent can ensure that the information or photo has not been modified.
The design of the visa pages in the ePassport provides another layer of security, making the book more difficult to counterfeit. The pages are made up of unique pairs of vignettes that depict recognizable themes, places, and persons in Canada's history. The different images on each page, along with a variety of visible and invisible security features, make it very difficult and extremely expensive for counterfeiters to reproduce a book or substitute a page.
The Passport Program's commitments to protecting the security and integrity of Canadians travel documents is crucial to maintaining their international acceptance and facilitating extensive visa-free travel for Canadians worldwide.
Supporting the integrity of the documents themselves is the Passport Program's strict regime for determining identity, eligibility and entitlement to a passport. First-time passport applicants 16 years of age and over are required to submit an application form along with authenticated photos, proof of Canadian citizenship, supporting identity documents and a guarantor declaration.
Individuals who are already in possession of a Canadian passport can use the simplified renewal process. This involves a shorter application form and requires the applicant to submit their previous passport and new photos. Proof of citizenship, supporting identification, and guarantor support are not required as the passport program already has this information on file.
Before a passport is issued, various processes are applied to authenticate identity. The passport program uses a combination of trained officers and technology to verify applicant identity.
At the time of application, personal information, photos, and signatures are manually compared with information provided in previous passport applications, documentary evidence of citizenship, and supporting identity documents.
Facial recognition software is used to compare photos of every applicant against the database of all passport holders to counter attempts at identity fraud.
Other automated verifications include comparison of personal information with the program's central database and against the program's watch-list.
Where the applicant's identity is in question, additional verifications may be completed, such as guarantor, reference, and occupation verifications, validation of citizenship and identity documents, or Canadian Police Information Centre, CPIC, queries. In fact, there is a daily electronic exchange with Correctional Service Canada to obtain details about federal offenders.
The Passport Program works closely with other government departments, law enforcement and intelligence partners for the refusal and revocation of Canadian passports when necessary.
For example, travel documents are canceled for persons who are incarcerated or have other mobility restrictions. An individual who is charged or convicted of a serious offence, or who owes child support can have his or her passport revoked and can be refused passport services.
The passport program also has the capacity, within the passport program integrity branch, to conduct administrative investigations to determine ongoing entitlement to a passport or entitlement to future passport services.
Individuals who have been refused a passport or whose passport has been revoked may challenge the decision taken by this program through judicial review before the Federal Court.
The passport program continuously reviews its policies and procedures to ensure they meet evolving standards and program integrity requirements. We are committed to leveraging technology and working with other government departments, provincial vital statistics agencies, international partners, and law enforcement agencies to counter attacks against the passport program and limit any opportunities for identity theft and fraud.
Of course, Canadians must do their part in guarding against identity theft by keeping their travel and other important documents safe and by protecting against unnecessary disclosure of personal information.
I hope that these remarks have given you some insights into the Passport Program identity authentication and fraud prevention activities.
We would now be pleased to take your questions.
Thank you for the invitation to speak to you today regarding identity theft.
As you mentioned, I'm the director general of the office of consumer affairs, which is a part of the strategic policy sector at Industry Canada.
I would like to discuss a number of the activities and initiatives that the department is involved in with a view to protecting consumers in regard to identity theft.
I will begin my remarks by touching upon the Personal Information Protection and Electronic Documents Act, and describing how this law helps to protect Canadians from identity theft. Secondly, I'd like to briefly discuss certain elements of Canada's anti-spam legislation, a law for which a number of federal actors are responsible. Finally, I'll touch briefly on certain information initiatives with which my office has been involved, including initiatives to help with public awareness in connection with the implementation of the anti-spam legislation.
First, I'd like to turn to the Personal Information Protection and Electronic Documents Act, or PIPEDA, as we call it. This law sets rules for the collection, use, and disclosure of personal information by private sector organizations, such as banks or phone companies, in the course of commercial activity. While the Minister of Industry is responsible for the law, it's the Privacy Commissioner of Canada, operating at arm's-length, who is responsible for enforcing and administering the act. As such, I would defer to the Privacy Commissioner for any issues respecting application of the law. That said, I will take a few moments to provide a brief overview of the act and how its requirements help to address identity theft.
The rules are based on 10 international and recognized principles for how organizations should best manage the personal information of their clients and customers. Many of these rules help protect consumers against threats like identity theft.
For example, the act requires that organizations only collect the information they need and retain it only for as long as necessary, to make sure that they are not maintaining databases of personal information that are not necessary and that would be vulnerable to loss or theft.
The act also requires that organizations put in place appropriate security safeguards to protect the personal information they hold against unauthorized access, loss, or theft. Such security measures, including the use of passwords or encryption of consumer data, help prevent the loss of personal information that is being used in identity theft.
In response to the first parliamentary review of PIPEDA, the government has committed to amending the act to create a new requirement for organizations to notify individuals if their personal information has been involved in a potentially harmful data breach. These amendments would ensure that consumers are informed when their personal information has been lost or stolen and would give them the information they need to protect themselves against identity theft, fraud, financial loss, or other forms of harm. The government remains committed to making these amendments, along with other changes recommended by Parliament in the first review.
I will now turn briefly to Canada's anti-spam law.
The law prohibits sending commercial electronic messages without consent. It also prohibits the installation of software on an other person's computer without consent. Together, these new prohibitions address nuisance spam messages.
Major concerns that the new law is intended to address include phishing messages, which are designed to lure recipients to counterfeit websites and trick them into revealing personal information, such as usernames, passwords, and account information; malware, which involves the installation of software on a person's computer, smart phone, or other digital device without their knowledge or consent—these types of spyware and viruses can secretly collect personal information that is then used in identity theft activities—and finally traffic rerouting, which involves secretly redirecting a person's online searches to a malicious destination where attackers can collect personal information for the purposes of carrying out identity thefts.
Most of the act will come into force on July 1 this year. Once the law is in force, it will help to protect Canadians while ensuring that businesses can continue to compete in the global marketplace. On January 15 of next year, sections of Canada's anti-spam legislation related to the unsolicited installation of computer programs or software will come into force. And then, the act's private right of action provisions will come into force on July 1, 2017. CASL will be enforced by the Canadian Radio-television and Telecommunications Commission or CRTC, the Competition Bureau, and the Office of the Privacy Commissioner.
The CRTC will enforce the law in respect to violations related to sending commercial electronic messages, altering transmission data, and installing computer programs without consent.
The Competition Bureau will investigate and take action against false and misleading representations and deceptive marketing practices.
The OPC will investigate the collection of personal information through illegal access to computer systems and electronic address harvesting.
I should note that a key element of the government's approach is preventing problems from occurring in the first place, and a key way to do that is to ensure that Canadians understand how to protect themselves. With this in mind, the government has set up a website, called www.fightspam.gc.ca, or www.combattrelepourriel.gc.ca.
In English it is www.fightspam.gc.ca.
The website includes information about the law itself and provides a number of information resources to Canadians. The website will also serve as the online home for the spam reporting centre, through which Canadians will be able to report on commercial electronic messages that have been sent without consent and commercial electronic messages with false or misleading content.
I would note, in addition, that a web-based advertising campaign has begun that will inform Canadians about the July 1 coming into force, and invite them to visit www.fightspam.gc.ca. You will find the introduction page from that website in your folders, as well as an image of the “Mobile Protection Tool Box.”
My own branch, the office of consumer affairs, has been involved in preparing communications efforts in respect of CASL. You will note in your packages, in your information kits, a series of infographics. The first, Worried it's SPAM? 5 Things to Look for, is geared to consumers to provide them with the basic information they need to avoid being taken in by fraud artists. It does so by setting out a number of common techniques used by spammers to obtain consumers' personal information. The infographic was printed and has been distributed to a large number of stakeholders, including other federal departments, provincial governments, with which we work quite closely on the consumer side, and community organizations.
The next three infographics in the kit, Does Canada's New Anti-Spam Law Apply?, 4 Tips for Contacting Clients Electronically, and 3 Things to Think About When Sending Messages,were created to help small and medium-sized enterprises know the basic requirements of the legislation and avoid being mistaken for spammers. These infographics, along with Worried it's Spam?, the one I just referred to, have been posted on the fightspam.gc.ca website and shared via the Industry Canada Twitter account.
Finally, an additional item in your packages is called the I.D. theft checklist.
In English, it is Identity Theft: A Checklist.
The list was prepared in collaboration with provincial and territorial officials and was distributed widely in recent years.
In conclusion, as I have noted, the government has taken a number of legislative measures aimed at protecting Canadians from identity theft. At the same time, an important part of the puzzle is awareness and education to ensure that Canadians have the right information they need to protect themselves.
Thank you, Mr. Chair.
Well, in your package here, we have a number of suggestions about what you can do to protect yourself online, particularly with things like phishing tactics and so forth.
The biggest piece of advice, I think, is to be very careful. The fundamental issue is this: don't reveal personal information online unless you understand very carefully who it is you're dealing with. If it's someone who you know and trust, then that's one issue, but certainly most respectable businesses and institutions do not request that you send in valuable personal information cold, online.
Unfortunately, criminal practitioners in this area often do prey on these kinds of emotional appeals. For example, the typical kind of stratagem is an email that you would receive that would look very official, from a bank, for example, saying that there's been some problem with the security of your account and asking you to contact them online. When you contact them online—or even in some cases, phone them, but certainly contacting them online—you're asked to present personal information. Banks never do that.
So really, it's about being extremely careful about situations in which you provide your personal information. You do that only in circumstances where, for example, you're applying legitimately for a piece of identification, or a credit card, or some other situation. But the point is to be very aware of out-of-the-blue, unsolicited inquiries and entreaties to engage with somebody, in the course of which you're asked for some kind of sensitive personal information. That's when you always need to be careful.
In other words, if you initiate it yourself, that's fine. You want to apply for a credit card and you go to a bank, you fill in a form, and so forth. But when someone contacts you out of the blue, even when it is the bank, and says that something's gone wrong and they need your personal information, don't respond to that. Go directly back to the institution yourself and inquire with your own bank branch, for example, if there is a problem, because you need to be very careful when people ask for personal information out of the blue. That's the bottom line here.