Good afternoon. We're going to begin.
I would like to make an announcement first. There has been an uprising and I am the new captain of this committee. The anarchists have arrived.
An hon. member: Temporarily.
The Vice-Chair (Mr. Charlie Angus): Welcome, my friends, to the Standing Committee on Access to Information, Privacy and Ethics. This is meeting 139, pursuant to Standing Order 108(3)(h)(vii), for the study of the privacy of digital government services.
Today, we have two groups of witnesses. We have, from the Herjavec Group, Matthew Anthony, the vice-president, incident response and threat analysis, and Ira Goldstein, senior vice-president of corporate development. We also have, from SecureKey Technologies Inc., Andre Boysen, chief information officer, and Rene McIver, chief security officer.
Each group will have 10 minutes to present. We are pretty reasonable here, but when you get close to the 10 minutes, I will start to jump up and down very loudly, not to distract you, but just to let you know. Then our first round of questions will go for seven minutes and then we will go to a five-minute round.
Is the Herjavec Group ready to begin?
Good afternoon. My thanks to the chair and vice-chairs and the members of the committee for the opportunity to speak today.
My name is Ira Goldstein. I'm the senior vice-president of corporate development at the Herjavec Group. I've spent the last decade working in information security to help companies and governments secure their most critical digital assets.
I'm joined by Matt Anthony, our vice-president of security remediation services at Herjavec Group, whose remarks will follow mine.
Herjavec Group was founded in 2003 by Robert Herjavec, who immigrated to Canada with his parents from eastern Europe. A dynamic entrepreneur, Robert has built Herjavec Group to be one of the largest privately held cybersecurity firms in the world. Our experience includes working with private and public sector organizations in complex multi-technology environments to ensure their data security and privacy.
We are honoured to address the committee today on behalf of Robert, Herjavec Group and our fellow Canadians.
Our statement will address two subject areas related to the committee's study. First, I will outline why digital identity is a key building block in the transformation of government services. I will then outline steps to manage, govern and secure our digital identities.
My recommendation is for the government to tread lightly on the broader transformation path to ensure that privacy and security are top priorities. In parallel, the government should move quickly on a pilot project to expand the existing success of Canada's digital presence.
Digital government services must be built on a foundation of good identity governance. If our identities are to be digitized and managed by government, citizens expect a system that ensures security and privacy. Our identity attributes are assumed to be protected by the issuer, our federal government. In any system, physical or digital, fraud is a risk that must be mitigated through effective and ongoing assessment.
These concepts are not far from realization. When a baby is born or a new immigrant arrives, individuals may request their identity documentation online. Ultimately, physical artifacts are issued as proof of identity, but the fact that we have an online portal today to provision identification means that we have the foundation to leverage that data for use in digital government services.
Several government services are already online. One of the most critical functions of government, tax collection, is digitized through Canada Revenue Agency's EFILE system. Presumably the push to EFILE was supported by efficiency outcomes and stands as a successful case of digital transformation.
Any further steps to digitize citizen identity must consider the perception of the impact on individual privacy. Individuals may perceive digital identity as a threat to privacy despite the expected benefits. One recent example is the speed at which public perception soured over Statistics Canada's plan to collect personal financial information. Despite the involvement of the Privacy Commissioner and plans to anonymize the data, perception quickly turned negative toward this prospect.
The contrast between CRA's EFILE success and Statistics Canada's attempt to gather financial information is a guiding light for the committee. Digitizing government services will be welcomed by the public if managed and messaged thoughtfully. The upside of this effort is more access for historically marginalized groups and geography, so the opportunity cannot be ignored.
Historically, identity-proofing has required a trusted centralized authority to govern provisioning and usage. If I want to prove who I am, I need to show government-issued identification. I foresee this authoritative proof as a permanent feature of modern democracy, so despite the advances in decentralized identity, the government has an important role to play in identity management.
In sum, I strongly recommend that the committee seize the opportunity to further digitize components of citizen identity to enable the efficient and secure delivery of government services, while being cautious in the line that we must draw between centralizing data and ensuring that individual privacy is maintained.
My name is Matt Anthony. I'm the vice-president of security remediation services. I've been working in information security for over 20 years. I'm honoured to be here today to address the committee. I'll keep my remarks focused on two main areas.
Firstly, I'd like to address the issue of e-government, specifically the pace and volume of change. There have been great successes. Ira has already mentioned tax filing. You can do anything from tax filing to pet registrations at all levels of government. I think we're seeing real advantages from some of those, but I also see that fear of missing out and reputation enhancement are drivers for a lot of the initiatives that influence the adoption of and adaptation to electronic government services.
Mark Zuckerberg, the founder of Facebook, is famous for saying, “Move fast and break things”. While that was taken on as a mantra for global developers in all areas of business and the private sector, I don't think the Government of Canada should or could have that same kind of capability to move fast and break things. Herjavec Group's cyber-incident response teams have seen the direct impact of moving fast and breaking things. We come back and sweep some of that up. Breaches are large, costly and very damaging.
Adding to that, there is a global skills shortage in the core capabilities needed to securely govern, develop, test, deploy and maintain complex software systems. Current published figures show that there'll be about three and a half million cybersecurity job openings by 2021—that's worldwide, obviously. The global digital transformation is in direct tension with that. There are more projects, more services and more data being created, stored, managed and mined. Canada and Canadian governments will feel this tension very directly.
The committee has heard a great deal about three case studies. Ira mentioned this already, and I've heard some talk in the corridors about a couple of them. They are Sidewalk Toronto, Estonia and Australia.
I want to address the Estonian example briefly, because it's been held up as a high-water mark for digital transformation, but Estonia has had a few major advantages in doing this that Canada doesn't enjoy. They have a very small population, a very small geography, a relatively green field in the post-Soviet era for technology and a relatively homogenous population accustomed to central control.
When I talk about those things, I think you can reflect on Canada not having many of those advantages in trying to do these kinds of services. The model would look very different for Canada.
While that transformation appears successful, we also don't know a whole lot about the security and privacy concerns. The political and cultural aspects of what would be expected, including how much we might learn about security and privacy aspects, might not be evident for years, or even longer than that. I caution against using Estonia as a North Star for our transformations in Canada.
You can't stand still, obviously, and we have to move forward, but my hope is that we go slowly enough to be assured that the changes we do are fully governed and secured to the appropriate level. Go carefully according to strong principles. Wait for the necessary technology, such as AI and automation controls, to support us better. Don't allow fear of missing out in international comparisons to cause us to hurry ahead of our abilities and capabilities.
Secondly, I'd like to briefly address information-sharing. I want to commend the data strategy road map, in that there are six most important things laid out in that document. I can't do much more than say that they are precise and correct. I would like to amplify them.
The concepts are simple: develop a strategy; provide clarity on data stewardship; develop standards and guidelines for governance; improve recruitment to gather the needed skills; and, develop technology systems that support the strategy. Those are all easy to say, but enormously difficult to do, individually and severally.
In 1984, Stewart Brand presciently wrote, “Information wants to be free.” At the time, he was talking about how the technology costs were going lower and lower, but now it has become synonymous with the difficult problem of keeping access control. Once information is beyond the source's control, it will tend to get distributed widely. It follows, then, that secondary and tertiary uses of the government's data need to be as acutely and astutely controlled as primary use is.
The government faces a monumental task in understanding and managing legacy data and systems. Reconciling inconsistent or undocumented consents for use, information silos, usage rules, data structures, identity platforms and administrative processes will each also be monumental in scale.
I believe that taking a greenfield approach may be advantageous, that is, by establishing rules clearly for new data collection and allowing legacy data to be integrated in the future, as capabilities such as AI and other data collection and tagging can be paired with lower costs for transformation through automation. Don't rush to data lake models, as unexpected de-anonymization and information correlations will emerge—I've seen them—some of which may be contrary to public policy, law or intent.
There are a lot of assertions being made that opportunities will emerge and efficiencies will be achieved by aggressively mining, aggregating and sharing data. I urge the committee to show evidence for that. It's easy to get caught up in the rush to take that approach.
You cannot stand still, but I advise, indeed urge, the committee and industry to slow down, be more careful and do not allow ambition to overshadow capability. Go slowly enough to fully understand, measure and manage information risks. Remember, criminals like data, and breaches are messy, complicated and very expensive.
Good afternoon. I am Rene McIver, chief security and privacy officer at SecureKey.
I'd like to begin by thanking the committee for giving us the opportunity to participate in its study on privacy and digital government services. My background is in crypto-mathematics, biometric standards and identity. I've spent time at the Communications Security Establishment and have been with SecureKey for the past decade.
I'm joined here today by my colleague Andre Boysen, our chief identity officer and co-founder of SecureKey. Andre's been in the fintech industry for 30 years and is a globally recognized leader in digital identity and privacy. He also serves on the board of the Digital ID & Authentication Council of Canada.
SecureKey is a proud Canadian company. SecureKey has been the provider of record for the Government of Canada's partner login service since 2012, also known as SecureKey Concierge. We are a world leader in providing technology solutions that enable citizens to efficiently access high-value digital services while also protecting the security and privacy of their personal information. We do this by building highly secure networks that span and merge the strengths of the public and private sectors.
As we know, the digital age has ushered in a host of new services, business models and opportunities to participate in the world. Not long ago, it would be unimaginable to order a shared ride from a device in your pocket, or to confidentially access government services from your home. Today, we take these things for granted and often get irritated when we come across something that can't be done online.
It's not just about citizen expectation. Companies, governments and other organizations have strong incentives to move services and transactions online in order to enhance client experiences, realize cost savings and increase business surety. An organization's ability to do this hinges on a single question: Can I trust the person or digital identity at the other end of the transaction?
This digital identity challenge is equally problematic on both sides.
To recognize clients and provide trusted access to services online, organizations typically deploy a mix of analogue and digital measures to confirm identity and mitigate risk. As we have seen, however, these solutions tend to be complex and inadequate. As a result, confidence in them has suffered.
On the other side, citizens are asked to navigate a myriad of identification methods to satisfy the organizations they seek services from, without knowing where the information's going and in the face of a steady stream of news about data breaches and online impersonators.
These concerns are well founded. Fraudsters are collecting information to know as much as, and sometimes more than, the citizens they are impersonating. Standard physical cards are easily counterfeited, and it's often impossible to check their validity with the issuing sources. Even biometric methods, which have often been touted as the solution to digital fraud, are targeted by hackers, increasing the risk that biometric data may also be compromised.
These factors are driving complexity up, trust in the system down, and adversely affecting privacy—exactly the opposite of what needs to happen. Our siloed system is too hard for consumers to use and too expensive to be sustained.
The challenge we face is not simply a matter of finding the best technology, the right skills or enough money to fix it; rather, everyone with a stake in the system needs to focus on solving the digital identity problem that underpins all digital services. We need to bring data and identity information back under the control of the citizen.
To solve this challenge, we must find ways to combine the prime factors of identity. These factors are the unique things we know, like shared secrets; the unique things we have, like verifiable chip cards or mobile devices; and the unique things we are, like our fingerprints or our face scans. By combining these factors, we can resolve identity and give organizations confidence that their clients are who they say they are.
Experience to date proves that single-factor methods are not up to the task. This means that trusted networks—ecosystems of trusted participants—are needed. All participants must be involved in the solution, including, and perhaps especially, the citizens, whose control over their own data and privacy will underpin its security.
Only by combining the best aspects of each system can we solve the digital identity problem and rebuild the trust that is equally required by both organizations and citizens. For example, governments are the initial issuers of individual identities, including birth registries, immigration documents, permits and licences. Governments also can link their records to a living person by issuing a driver's licence or passport. But governments are not as adept as the commercial sector at knowing if that person is actually at the other end of a given digital transaction. Banks, however, successfully conduct billions of authentications a year.
Compared to other organizations, citizens only rarely interact with governments during their lives. They may renew a licence or passport every five years or pay taxes online once a year, but they will log in to their bank accounts several times a week. This frequency generates a higher level of trust and immediacy to that interaction.
Then think about mobile devices, which are both identifiable within a cellular network and tied to subscriber accounts through the user's SIM card. All parts have something valuable to offer within a successful network.
Imagine a scenario where citizens can choose to share information securely within a network made up of organizations that they already trust. This gives the ability to use a layered approach to proving identity. The citizens would access the network using their trusted online banking credentials on a mobile device that the telecommunications operator can validate, all to share reliable information from multiple sources, including information from digitally enabled government issued documents. Using this layered approach, we get a significantly higher level of confidence in the identity of the person conducting the transaction.
The trick is how to do this without becoming a surveillance network or creating a new honey pot of data. We need to establish the basis for privacy and trust while minimizing the level of data sharing going on between the parties.
Triple blind privacy solves this challenge. The receiving organization does not need to know the actual issuer of the information, only that it comes from a trusted source. The issuer does not need to know who the receiving organization is. And the network operators are not exposed to the unprotected personal information. That's triple blind.
What this means is that none of the transaction participants actually gets a complete picture of the user transaction. This proven formula has been recognized by the privacy community worldwide, including by the office of Ontario's information and privacy commissioner.
This is not the distant future. All pieces are already in place to enable a system that has authoritative information, provides receivers of information with confidence in the transaction and allows the citizens to fully trust the system as they control their own data in a privacy-enhanced way. This type of arrangement is the cutting edge and is happening now.
With the information and resources we have, Canada has the opportunity to solve the digital identity challenge and become the model for the world. These include co-operative jurisdictions, technologically advanced telecommunications and world leadership in developing new approaches, such as privacy and security by design, developed by Dr. Ann Cavoukian, as well as the pan-Canadian trust framework that's championed by the Digital Identification and Authentication Council of Canada. We have the opportunity to build services that can provide identity validation claims from multiple parties in a single transaction while ensuring complete privacy and control for the citizen.
Key factors for any solution to be successful will be citizen acceptance and trust and the potential to reach a large user base quickly.
The responsibilities to protect privacy and to provide a sense of security to citizens are fundamental factors in the success of any solution. It is critical that Canada's approach connects together the trusted parts of the digital economy such as finance, telecommunications, government and commerce. Only this will provide citizens with the confidence they demand to use the providers they already trust and to have access to the information they want to securely share.
The cyber-risk around digital identity is high. Any solution that does not involve both private and public sectors will be of limited success. It will perpetrate the siloed approach that is currently under strain and will not have the security or public trust to enable the digital economy of tomorrow.
Yes. Thank you for your question, Ms. Fortier.
I would say that one of the tricks here is that cybersecurity and privacy is a very complex topic, and the challenge with the model today is that everybody in Canada has to understand how the system works in order for the security system to be effective. That to me is fundamentally bad design.
What I'd like to do is pick up on Matt's comments about Estonia. Estonia did an amazing thing for itself, but when it comes to digital ID, I'd say there are two key messages I want to deliver today. Message number one is that every government in the world wants their digital identity information to be sovereign. They don't want to be beholden to some foreign corporation beyond the reach of their jurisdiction. That's one challenge.
However, the bigger challenge is that identity is very cultural. What works in one country won't necessarily work in another. This is particularly acute in the example of Estonia. When it comes to national ID cards, I would say that there are only two types of countries in the world: the countries that have national ID cards, and the countries that hate national ID cards. I would say Canada, the U.S., the U.K., Australia, New Zealand and many parts of Europe are against this idea of a national ID card.
There are several reasons for this. Part of it is because of World War Two. We saw all of the harms that came from governments having these large databases. The government had no intent of harm when it created these systems, but when somebody came in after—the Germans—they created all sorts of unanticipated harms. We saw the danger of having all the data in one place. I would say that this, on balance, is a better scheme, but I'm not here to criticize what Estonia did. I think their model is very good, but they come from a different cultural place, and I think Matt made that point very well.
If we're going to do this right, then rather than looking at a country of a million, why don't we look at the biggest and most successful identity and authentication scheme in the world—the credit card scheme? We have six billion cards in circulation for payments around the world, and we don't see news breaking every week about a credit card being compromised here, or Starbucks having problems there, or users losing credit cards. We don't see that. Why is that?
The reason is that the global payment system is managed very differently from the online identity system we have today. As a consumer, I don't have to understand how the payment scheme works. I just have to know how to tap my card, and if I can do that, I'm good. When it comes to the cards, we've done two very clever things. One is that we made it super simple for the user—when I do this, I know I'm committing myself, so it's hard for a crook to trick me out of it. Moreover, I don't have to understand it. I know the barista can't change my $10 to $1,000 after I leave. That's the first thing that makes the global payment system safe.
The second thing that keeps the global payment system safe is that there's a trusted network operative in the middle. The crook can't pop up in the middle and say, “I'm a crook, I take Visa.” You have to apply to get into that network and you have to behave to stay in the network.
It's not the same as the Internet. On the Internet, it's very different. None of the banks in Canada send SMS messages to their customers for security. The reason is that they don't believe it's secure enough. The problem is that every other service does. Facebook does it, Apple does it, Netflix does it, Google does it. When my dad gets a message on his phone saying “Suspicious activity on your account. Please click on this URL: www.bmo.com.crookURL.com”, my dad doesn't know how a URL works, and he clicks on this thing, thinking it's going to go to BMO. Despite the fact that BMO has very good control—by the way, this is not about BMO, which has very good security controls in place—BMO's got a security breach on its hands because my dad didn't get what was going on.
So hiding the complexity from the user and having a trusted network operator is really important.
Now, I want to bring it back to something Rene said a second ago. The third thing that keeps the global payment system safe is user behaviour. When I lose my payment card, I will call the bank within minutes. I didn't call them up because I promised I would—I don't care about them, I care about me. I'm terrified that the crook who found my card is going to spend my money and I'm going to be responsible. That user behaviour, that self-interest, causes me to do the right thing and turn it off. That's what keeps the global payment system safe, which is very unlike the way we manage digital identity today.
So if we want to look to a model, rather than look at Estonia—though I do think that what they did is good for them—we should look at and learn from what we've done in Canada. We should look at our own experience here. Every other government in the world is looking at us and asking how we got this partner login service with all the banks in Canada. They all want that. Everyone else is looking here, and we're looking over there.
I'll now speak for seven minutes. Just to be fair, I will put the gavel beside the clerk and if I go over the time, he will hit me with it.
I find this fascinating, and Mr. Anthony seemed to tread lightly. I find that very surprising.
I used to be a digital believer, and in the digital believing world things were going to be better, we were going to move faster. The longer I am in this job, the more wary I get. I think “tread lightly” is a very interesting example.
I just want to talk a bit about my sense of how Canadians see privacy and digital innovation. I was talking with tech people in the U.S. and they were marvelling about and saying that we really take this stuff seriously.
We had a serious digital copyright battle that involved citizens and letter writing campaigns. The net-throttling issue was a big issue. It was Canada that did the first investigation of Facebook, but at the same time, as Mr. Boysen has pointed out, people here hate identity cards. I think of my voters and they would be up in arms over this.
We look at Statistics Canada as a good example of how not to do this. Statistics Canada has a worldwide reputation and the trust of Canadians. They thought they were doing something in the public interest, but it struck Canadians the wrong way.
What would your advice be to a government that may think that gathering more information is in the best interest? You talked about the danger of the opportunities they say will emerge from increased efficiencies from mining, aggregating and sharing data, but you're saying that we need to require evidence to show that. What are the parameters we need to be looking at on this?
—and I'll try to set it out.
Firstly, I'll say that when you collect data, it's an addictive process. It's easy to do. You collect large amounts of data and you can't lose what you don't have. When I say “go slowly”, I want to reiterate that I see people on their worst days very often dealing with breach management. I see the outcome and aspects of the failure to do the things that I am advising to do.
How to balance out the issues of what data to collect, why you're collecting it, making sure that there is consent for its use are the real keys to answering your question, I think.
When we have historical data, consent to use might be very difficult to derive. I can't tell you what consent I gave to the data I gave to the federal government five years ago. I don't remember and can't tell you. I don't remember signing anything away. It was probably in the fine print. You can make a studied case that I did somehow give you, the government, my consent to do that, but if I didn't have clarity about that, if it weren't communicated correctly to me, then I am going to be very unhappy with you when you use the data exactly the way you said you might.
I think that communication and clear consent is probably at the centre of the Statistics Canada case in particular. But I would say, don't collect data you don't need, and be very clear about how you're going to use it and get clear consent for how you're going to use it if it's personal information.
Yes. The short answer is, yes, it's a problem.
I think we have to think about this in a very different way.
The challenge we have today with the architecture of the Internet is that every web service delivery organization is on its own when it comes to registering customers online. We can see what that's produced for all of us in the room. Some of us have ten passwords, some of us have 25, some of us have 100. Some of us have 100 but it's really just one, because it's all the same password.
So what we see in this model is that when everybody is by themselves, the only way we can have confidence that someone is really who they say they are is by having a very thorough enrolment process. This is particularly acute in government because your duty of care is so high. The consequence is that oftentimes the customer can't get through this process, and when they do, the problem is that you have all of the data. So when you get breached, you have to remediate all of the data.
We only have this problem online. In person, it's not as much of a problem. In person, we already collaborate and co-operate when it comes to identity. When I want to get a bank account, I bring in a government-issued ID and something from somewhere else and I can get a bank account. When I want to prove I've lived in Ontario for six months, I bring my bank statements to show I've been living at that address for that long. We already co-operate in the real world in doing these identity services. It's only online where we have this challenge.
So one of the things I would put to you is that one of the things you should be thinking about is not merely solving this from the government point of view but thinking from an economy point of view. The challenge, and one of the reasons the banks are here and they want to be in on the scheme, is that from a banking point of view, this is not that interesting from a revenue point of view. They want to be able to open bank accounts online and they want to take the risk problem down. The challenge they have is that they can't verify that the driver's licence is real. What the crooks do is to take a real driver's licence like mine, scratch my photo out, stick their photo in it and go get a line of credit; and they're defenceless against that type of attack.
What the banks want the government to do is to get its house in order and to make all government-issued documents ready to participate in the digital economy.
Back in 2008, Minister Flaherty put together a task force here in Canada to talk about how we were going to make digital payments work. That task force ran for about two years. I participated in it and the report that was produced by Pat Meredith—who did a very good job of running the task force—said that you can't have a digital economy and can't do digital payments without having digital identity.
With digital identity, the point is that it has to work across the economy. It's not about solving health care. It's not about solving the CRA's problem. It's about solving it for the consumer across the economy, because when you look at your own life, the counter is that you have to show up with your driver's licence to get the thing you want, and that takes a long time.
But as you said—and I agree with you wholeheartedly—or I think Mr. Anthony said, the population of Estonia is 1.3 million. They had a lot of greenfields. They had no legacy systems from the previous regime that they had under Russia. They have four million square hectares of land, half of which is forest. So they don't have any problems compared to what we have.
However, eventually, we will have to move to some sort of digital identifier. I'm asking you this question, Mr. Boysen, because I know your company. I'm looking at a March 2017 press release. In that press release, you wrote that IBM and SecureKey were working together to enable a new digital identity and attribute-sharing network based on IBM blockchain.
I really don't know what that means—
Some hon. members: Oh, oh!
Mr. Raj Saini:—but it sounded good. The reason I mention this is that blockchain would be one of those processes we could look at to see if there's any deviation. You mentioned credit cards. I'm a retailer, a pharmacist, so I know how difficult it was even to get credit card machines in my store, because of all the knowledge, all the paperwork and everything that had to be sent to them. Could blockchain, that technology.... Maybe you can highlight, now that you've been working with IBM for a year, how that has come forward. Could the government not adapt that?
The short answer is yes. The scheme we're proposing actually sees the government, at both the federal and the provincial level, being a key participant in the scheme. You're required to make it more successful. It could run without you, but it would be way more successful if you participate.
However, your point is right that we already have these documents that we use. We use the documents we have to get the things we want. That's how the current model works. We use the stuff we have to get the new service that we don't yet have and we want.
That's the way the real world works. It's only online where we have this problem because the documents aren't digitized. One of the asks is actually to digitize the government documents so it can participate in the scheme with the banks, the telcos, health care, insurance and the rest of them.
To get to your question about blockchain, there are a couple of things I hear. The first thing I would say is that the best way to be successful with blockchain is not to talk about blockchain, because the problem is that it is very laden. There are a lot of different ideas about what it is and what it isn't.
Secondly about blockchain, one of the things I would bring on is the privacy component. One of the properties and benefits of blockchain is that it's immutable; it will never change. The challenge is that when you put that together with the GDPR, with my right to be forgotten, if I sign up for your service and then say “I want you to forget me”, the only way to honour my agreement is to blow up your blockchain.
Putting personal information on blockchain is a really bad idea. This is standard industry wisdom now. However, what it is good for is integrity proofs.
I want to go back to the credit card example I gave you a few minutes ago. The challenge is, Raj, if I know enough about you today, I can be you on the Internet. The organization that I'm trying to fool is defenceless, because I have all your data. I got it from the dark web.
We don't have that problem in the credit card scheme. There are two types of payments in the credit card scheme. When I go to the store and I pay in person, the risk of fraud is almost zero for the reasons I outlined earlier. However, when I go online and buy something at Amazon, Amazon didn't get to see my credit card, so that transaction is riskier. It's called “card not present”. Today, all e-commerce is “card not present”. It's riskier.
Here's the thing: All identity today is “card not present”. We have no idea if these assertions that are being presented to us at the counter are real.
I just want to add to that by saying that it's not about having a single identifier; it's about having confidence about who's on the other side of the transaction. I have today already in my real life, both online and in person, lots of identifiers, and what's good about that is it allows me to segment and compartmentalize my life so that I can only share this much information with this organization and this much information over there.
A single identifier will allow somebody to see everywhere that I've gone across the Internet. The service that we have with the Government of Canada is that the thing you originally asked for was a service that had a single identifier. You wanted an MBUN service, a meaningless but unique number that I could use across government, and when we looked at this we said this is a terrible idea because you're going to create a surveillance network. You're going to be able to see everywhere: they went to the beer store, the doctor, the beer store, the doctor, the tax department. You could have followed me everywhere. I don't want this thing. We designed triple-blind privacy to solve that problem. It's not about getting to a single identifier. In government, the service we built actually gives you a plurality of identifiers.
When I go to each government department, I have a unique identifier that I only use there and that's a better scheme because my relationship is contextual. I don't have a global view of my data. I have a very contextualized, compartmentalized view of my life and I want it to stay that way. I don't want a big honey pot somewhere. Giving people the tools and the capabilities to do this is important.
I just want to pick up on Mr. Anthony's comments for a moment, though. The passport is not an authentication document. We use it for identity to prove that you're in the government's book of names. Let me just share something that's really important when you get to identity. When you are asking who somebody is, you're asking two questions that have to be answered at the same time. The first question is: Does such a person named Andre Boysen exist? The government, without dispute, is the author of that record and has domain over that record.
The second question has to be answered concurrently: Is he Andre Boysen? If you can't answer those two questions at the same time, you can't do a good job. Awesome authentication that's really strong but you don't know who it is, it's not that helpful. You have to be able to bind it to who did it. If you can combine it with self-interest, then the users will do the right thing when they lose access to the credential, which means the crook gets shut down. An identity is three components and they need to be kept separate.