HRPD Committee Meeting

STANDING COMMITTEE ON HUMAN RESOURCES DEVELOPMENT AND THE STATUS OF PERSONS WITH DISABILITIES

COMITÉ PERMANENT DU DÉVELOPPEMENT DES RESSOURCES HUMAINES ET DE LA CONDITION DES PERSONNES HANDICAPÉES

EVIDENCE

[Recorded by Electronic Apparatus]

Wednesday, February 3, 1999

• 1542

[English]

The Chair (Ms. Albina Guarnieri (Mississauga East, Lib.)): Seeing a quorum, we'll begin.

[Translation]

We have a lot of work to do this session, and I know that everyone is eager to get to work.

[English]

We have two rounds of round-table sessions on SIN for the next two weeks, as agreed in December, and next week we'll schedule a steering committee to determine the agenda according to the motion passed in December.

I understand Mr. Flaherty and Ms. Cavoukian have planes to catch, so without further ado, we'll proceed. We've invited witnesses here to explore the issue of social insurance fraud, and we've identified two major areas of concern: one, how to prevent people from using SIN numbers of Canadians who are deceased or never existed, and second and more important, how to stop the use of SIN cards and identity fraud.

So I invite our august panel to offer their recommendations. We have with us today, and I understand they'll be speaking in this order at five-minute intervals: David Flaherty, information and privacy commissioner, Province of British Columbia; Ann Cavoukian, information and privacy commissioner, Province of Ontario; Rita Reynolds, director of corporate access and privacy office, City of Toronto; Catherine A. Johnston, president and CEO of the Advanced Card Technology Association of Canada; and Mr. Jim Savary, professor, Consumers' Association of Canada.

Thank you all for being here. Please begin.

Mr. David Flaherty (Information and Privacy Commissioner, Province of British Columbia): Thank you, Madam Chair. Ms. Cavoukian, on the basis of my antiquity compared to hers, has allowed me to go before her, as my fellow commissioner, so I'm going to start.

I've given you copies of the text of what I have to say from a privacy perspective. I'm the first British Columbia information and privacy commissioner, and although I'm approaching the end of my term, I still am a very strong privacy advocate. You'll see the various hats I wish to wear in my presentation to you today. I'm still a professor at the University of Western Ontario, I've always been a privacy activist, and I now am an official commissioner.

I appreciate the opportunity to appear before the standing committee on this important issue. I'm especially grateful for the recognition of the role of provincial privacy commissioners and territorial commissioners on the issue of controlling the use of the SIN from a privacy perspective. I'll avoid cheap jokes about SIN; I'm obviously referring to the social insurance number.

• 1545

I have considerable background on the issue of controlling the use and abuse of social insurance numbers. In 1981 I had the great fun of writing for the Privacy Commissioner of Canada a piece on the origins and development of social insurance numbers in Canada. In 1987 I was a consultant with my colleague, Murray Rankin, to the Standing Committee on Justice and Solicitor General on the first review of the Freedom of Information and Protection of Privacy Act. Some of the recommendations we made on controlling the use of social insurance numbers were adopted by the then Conservative government. I'll come back to these recommendations at the end of my testimony, because the government didn't accept all of our recommendations, and I'm going to encourage you to move in that direction.

I also published a book as an academic, in 1989, entitled Protecting Privacy in Surveillance Societies. I advanced the concept that we don't want to live in a surveillance society where we're being watched all of the time. My argument is that the personal identification number—the cradle-to-grave number—is something to be avoided in any society, including Canada, if you want to avoid the creation of a surveillance society. In that book I did treat our social insurance number as a linchpin of the surveillance society.

That same theme of being opposed, as a privacy advocate, to a cradle-to-grave, unique personal identification number is a theme that Bruce Phillips brought before you in his testimony in November.

Except for the limited uses of social insurance numbers that Parliament has approved and that Treasury Board Canada continues to authorize, I am strongly opposed to the collection and use of the SIN for other processes of identification, whether in the public or the private sector.

If any information system requires numerical identification of individuals as such, rather than depending on names, addresses, birthdates, and other variables for unique identification, each system should develop its own numbering system to discourage unauthorized surveillance of individuals by such practices as data-matching.

For example—and this is a very current example—if I wish to enter into a more direct, personalized marketing relationship with a financial institution than I currently have, this should be based on my consent on the basis of a transparent understanding of what the business relationship implies, and on the basis of a personal identification number that is not the social insurance number, but a unique number created for that purpose.

I am strongly opposed to the creation or further development of a system of unique personal identification that would be in standard use for each and every resident of Canada. In my opinion, the abuse of the social insurance number, by the private sector in particular, has already moved too far in that direction. Each organization, in any sector, that requires a numbering system should develop its own, unless there is an overpowering case to the contrary for the use of the SIN.

Our wallets and purses are filled with cards and numbers used for different purposes. From a privacy perspective, that is how the world should be organized. If a person wants a lifelong telephone number, for example, he or she should choose it, not have it imposed by the government or the private sector.

I've developed my views on this issue in a paper entitled “Privacy and Identity”, which is on my web site, and I've made some copies available here today. The paper asks, why do we want to control the disclosure of our own identity as individuals?

Since my appointment as the first privacy commissioner for British Columbia in 1993, I have made it my business to regulate the use of the social insurance number by the thousands of public bodies that are regulated by our legislation. My office systematically approaches public bodies to enquire about their authority for the use of the social insurance number. B.C. Hydro, for example, stopped using SIN as its identification number for residential clients, as did a number of educational institutions. And I persuaded the Chief Electoral Officer not to collect the complete social insurance number, even for purposes of voter registration. He collects half a SIN, which is kind of entertaining.

I am satisfied that authorized uses of the SIN by public bodies—anywhere from municipalities to hospitals to schools to crown corporations to central government—subject to our act in British Columbia, are under control. Anyone who does not think so should make a privacy complaint to my office, and we will investigate the matter.

I noticed one of the testifiers before you in November thinking how wonderful it was that in New Brunswick, where they don't have a privacy commissioner, they had given the provincial vital statistics data to HRDC, Human Resources Development Canada. I can assure you that if any such exchange were to take place in British Columbia or in provinces with commissioners, it would not occur in that way, where a wholesale database would be given to the federal government.

I remember complaining to Mr. Scott 18 months ago, or perhaps even two years ago now, when he was at a conference in Fredericton, his home base, that New Brunswick, my home province by birth, didn't have a privacy commissioner. But I understand it's in the works and the ombudsman is going to fulfil that function. I think she will not be happy to hear that vital statistics in New Brunswick have already been given to the federal government.

• 1550

From the perspective of being a privacy watchdog for the privacy interests of British Columbians, I remain concerned about the extensive unauthorized use of the SIN by the private sector in particular. I have no major problems with the use of these numbers for purposes related to personal income taxation, income assistance, pensions, and unemployment insurance, which approximate the uses Parliament had intended and has approved. I'm aware that as a privacy advocate, I perhaps am a little weak in accepting that many uses of the social insurance number. Bruce Phillips certainly raised with you the issue of life without SIN, which is a rather appealing concept.

However, it is completely unacceptable that residents of Canada are being forced to provide a SIN in order to receive a service from the private sector and risk being denied a requested service if they do not provide a SIN. Parliament must act to control such abuses of the privacy rights of individuals.

If Parliament and the provinces are going to permit the use of the SIN for certain authorized purposes in the private sector, such as Equifax's use of it for credit reporting, then the matter has to be carefully studied and publicly debated on a national basis and a list of approved uses must be drawn up. Furthermore, individuals who are denied access to goods or services as a result of their refusal to provide a SIN for an unauthorized purpose deserve statutory protection and some recourse. I was pleased to see a similar point made before you last November.

It is also up to individuals in this country to protect their own privacy rights by being alert to misuses of their social insurance numbers. They have a right to enquire whether the SIN is being collected and under what authority, whether it will be kept confidential, and whether they can provide an alternative form of identification. Unless the SIN is being collected to comply with a legal statute or regulation, residents of this country have the right to choose whether they will disclose it. As an act of privacy resistance, I would encourage them to do so.

In testimony before the Standing Committee on Industry last October, I strongly endorsed Bill C-54, the Personal Information Protection and Electronic Documents Act, which is currently before Parliament. The issue is whether in practice this bill will strengthen the privacy protections currently offered against abuses of the social insurance number. I think it will help.

The fair information practices at the heart of Bill C-54 are derived from the Canadian Standards Association's Model Code for the Protection of Personal Information. In my written testimony in paragraph 12, I've given you a series of bullets from the legislation that I argue would assist any federal, provincial, or territorial privacy commissioner or ombudsman, as the case may be, to apply this set of fair information practices to the proposed or existing collection and uses of SINs in the commercial sector, which would include the private sector.

My expectation is that this would considerably lower the privacy anxieties of Canadians with respect to unauthorized use of their SINs and also reduce the actual uses of SINs by the private sector. But it's really a question for you and for the Office of the Privacy Commissioner of Canada whether a bill such as Bill C-54 or other legislation should more specifically address the use of the social insurance number.

In addition to encouraging members of this standing committee to support Bill C-54, I urge you to take two additional steps.

You should commission a study or examination of the uses of the SIN by the private sector, broadly defined. I was pleased that the Auditor General agreed on the need for such a feasibility study in his appearance before you.

It is also essential that Parliament establish the necessary controls on the uses of SINs that should have been put in place in 1963 and 1964, when the numbering system originated.

As a starting point, I simply repeat the specific 1989 recommendations of the Standing Committee on Justice and Solicitor General.

First, it should be unlawful for any federal, provincial, or local government or the private sector to ask any person for his or her social insurance number unless such a request is authorized by law.

Second, it should be unlawful for any federal, provincial, or local government or the private sector to deny any individual any right, privilege, or benefit provided by law because of such individual's refusal to disclose his or her social insurance number, unless such disclosure is required by federal statute. I was pleased that the gentleman from HRDC supported that concept when he appeared before you on November 26.

Third, any federal government institution that requests an individual to disclose his or her SIN shall inform that individual of whether that disclosure is mandatory or voluntary, by what statutory or other authority such a number is solicited, and what uses will be made of it.

Thank you for the opportunity to share my views with you.

• 1555

The Chair: Thank you.

Ms. Cavoukian.

Ms. Ann Cavoukian (Information and Privacy Commissioner, Province of Ontario): Thank you very much, Madame Chair.

I'm going to try to speak very briefly and not repeat the points made by my colleague, Mr. David Flaherty, and Bruce Phillips, the Privacy Commissioner of Canada, whom you heard from in November.

Broadly speaking, the two issues identified by the chair have to be addressed by your committee.

First are management, control-related, and process-oriented issues relating to the abuses of the SIN, such as poor administrative processes, lack of data integrity, unreliability, inaccuracy, a far greater number of social insurance numbers than eligible people, and absence of security. These problems are clearly unacceptable and must stop now.

We are in 1999. We're about to go into the year 2000, the next millennium. I mean, please, how long does it take to say, “These are the problems; this isn't brain surgery; fix it”? We can talk about various solutions, but these problems are unacceptable, and there are ways to address these.

You should give a mandate to the responsible agency; I think it's HRDC. Give them a limited timeframe, such as a year—some very controlled time period—for them to review, recommend options, and implement those options on how to reduce these types of issues related to process, management, and control of the social insurance number.

The second issue is a much more difficult issue, and it's not as black and white, unfortunately. It is the issue my colleague has just spoken of, relating to the widespread use of the social insurance number for a variety of purposes that are clearly unrelated to the initial purpose for which the number was designed. We call these secondary uses of personal information.

Under what we call fair information practices, which are a set of practices that guide the use and disclosure of personal information, it is unacceptable to have this type of widespread use of the social insurance number for a variety of purposes that were never contemplated. As you know, in 1987 the SIN was restricted to about 20 statutes, regulations, and programs, federally speaking. But we all know there's far greater use of that in the private sector and various provincial governments.

I want to look forward just for a moment to how the federal government intends to deal with this issue: by changing the number, eliminating it, or adding security features. There are a number of options. This must of course involve much discussion and public debate through the parliamentary process. It is a very difficult issue. There are a number of complexities. I'm not going to review them, because my colleague and Bruce Phillips very eloquently explored the variety of problems associated with this issue in terms of privacy.

What I am going to do, though, is raise another flag, because it is again something that must be addressed sooner rather than later. In the next decade, in the next millennium, the public, I believe, is going to demand better, stronger, more secure identifiers. I think what you're going to see is a reversal in what you are seeing now.

I believe the public is going to look to you, the federal government, to provide very strong identifiers, and I think they're going to hold you liable to the abuses that have become epidemic throughout the United States and Canada associated with poor identifiers. I'm talking here about identity theft issues.

Let me just make one distinction. I'm talking of the difference between a unique identifier versus a universal identifier. The distinction is a critical one. We can talk about the intricacies of this later, but unique identifiers are going to be, in my view, an essential component of the next century. We have to have strong, effective ways in which to identify ourselves in such a way that someone else, an impostor, cannot acquire the same means of identifying and then impersonate me. This is a huge problem. You haven't even seen the tip of the iceberg.

In the United States a number of jurisdictions have now introduced legislation specifically on identity theft. With the growth of the Internet, the ease of accessing information, connectivity, and data integration, you will begin to see this again and again, where acquiring a key piece of personal information such as a social insurance number will then open doors into a variety of databases and create enormous problems.

• 1600

I think today's concerns relating to unlimited surveillance by the state through a tool such as the social insurance number are actually going to shift. They must be addressed, there's no question, but I think you're going to have new concerns associated with personal identifiers, of the type I've just mentioned.

I'm going to review what we've done in Ontario, a few made-in-Ontario initiatives that are exemplary and relate to identification.

In Ontario in 1991 we had the Health Cards and Numbers Control Act. This accompanied the release of the new health number, which was introduced in 1991, and here's what happened. This number, your Ontario health number—if you live in Ontario, you will have a health card—which is a cradle-to-grave number, is far superior to the social insurance number as being a personal identifier, but it has not gone the route of the SIN. Why? The answer is very simple: because we insisted, at the time that this number was created, that an accompanying piece of legislation be passed that would prohibit the use of the number for any other purpose unrelated to medical purposes.

The act has been very successful. It's a very short act. I've never seen one that short; it's one and a half pages. It simply says you may only use the health number for these prescribed purposes relating to medical use and medically related programs and for no other. It created stiff penalties for abuse and it created an offence. It was an offence to use this information in any other way.

Here we are, almost nine years later, and we in my office have not received one complaint relating to an abuse of the health number for some other purpose. Compare that to the path of the social insurance number, which has been widely abused. I submit to you that the reason for that is quite simply placing these types of legislative controls on the use of such numbers at the time they are created. It is a very effective method of controlling the information and is very far-reaching.

In terms of social insurance number use in Ontario, my office has created a publication called IPC Practices. I have one here I can show you if you wish. It outlines to provincial government agencies what uses are permissible and what uses are not permissible, and advises to restrict one's use of the information if it is for anything other than a permissible use.

Gladly, we have had some small successes in our department recently. There's something called the workforce information network in Ontario, which is the human resources information system of the government. They recently announced that they are no longer going to be using the social insurance number as their employee identifier. This was a relatively big deal, after years of attempting to get them to change to a unique employee number.

We've also recently been advised that the Ontario Civil Service Credit Union is replacing their use of the social insurance number, which has been used as a method of allocating payroll deposits, with a unique number created for that purpose.

Slowly we're beginning to see changes. It takes much time. We've been urging governments and various agencies to do this. It's a slow process; it's one we continue to do. The thing to keep in mind is that it is not so much the fact of an identifier, the existence of an identifier, but the way in which it is used, the controls that must be placed on its use—because absent control, it will be abused, no question—and the fact that in the next decade, in the future, I think there's going to be an unprecedented demand for very reliable, secure forms of unique identifiers.

Thank you very much, ladies and gentlemen. I'd be glad to answer your questions at the end.

The Chair: Thank you.

Ms. Reynolds, you have the floor.

Ms. Rita Reynolds (Director, Corporate Access and Privacy Office, City of Toronto): Thank you.

I appreciate being invited to appear before the standing committee and address issues relative to the social insurance number. My comments are from the perspective of a privacy advocate who has corporate responsibility for the practical application of privacy legislation to programs and services delivered by the City of Toronto.

The city delivers a full range of direct services to approximately 2.5 million people. These include infrastructure services such as roads and water, fire and ambulance, and policing; and programs such as health, welfare, children's services, homes for the aged, hostels, and public health.

The Auditor General's report expresses particular concern about the SIN's increasing use, by both the public and the private sector, as a universal identifier for income-related transactions and benefits. Use of the SIN now extends far beyond the intentions of the Parliament of 1964.

• 1605

Despite the legislative and policy framework that restricts its use, the SIN has become the de facto national identifier. This expansion in its use is simply an expression of the unmet need for an accurate means of identification that securely links an individual to their own personal information.

The need for an accurate means of identifying individuals is part of the natural evolution from living in an isolated village to living in a modern state. In a village there was the practical protection of individuals recognizing each other on sight and being able to conduct transactions face to face. The modern state must rely on other means to ensure the integrity of many social, benefits, and business transactions.

Parliament's introduction of the SIN as a file identifier was an acknowledgement of the void in our ability to protect the integrity of transactions between the individual and the state.

The SIN is a national identifier and has been so for almost 25 years. It's a national identifier without being a proof of identity. We therefore have the worst of both worlds.

The reluctance to acknowledge its status as a national identifier while of necessity relying on it as evidence of identity has meant that the privacy protections that technologies offer are not being utilized. The lack of such protections means that individuals are subject to fraud and theft of identity and governments are left to grapple with the constant drain on our resources.

The SIN does not meet the standard required in a national identifier. In addition to built-in privacy protections, a national identifier must constitute proof of identity. Most of our current identification systems are inferential, including the SIN. This means the individual holding the identification is presumed to be the rightful owner.

To protect the privacy of an individual and the integrity of transactions, there must be a secure link between an individual and their own identification. In the absence of such a link, the individual and the state remain vulnerable.

In my work of protecting the privacy of the citizens of Toronto, I am most affected by the plight of children who are living in poverty and/or who are at risk. I know of them through reviewing files of the social welfare system, through our public health services, and through Children's Aid issues. In many cases we cannot accurately identify these children.

The changing structure of the family, children who are moved from one caregiver to another, and differing cultural views on family responsibilities for caregiving all result in a significant challenge to delivering support to children, particularly children at risk. Children are moved from province to province, largely unseen, and most do not have a social insurance number.

Poor as it is as an identifier, if all children had a SIN, it would provide an accurate means of coordinating and delivering services to children in need across Canada. Accurate identification of children is a compelling need, and this lack makes more difficult the challenge of addressing child poverty.

When I hear of the social union talks and the efforts to repair the social safety net in Canada, I think of the value of being able to accurately identify children and coordinate the provision of programs and services to children on an interprovincial basis. The key is a secure link between these children and their own personal information, regardless of location.

In the absence of an accurate, privacy-protected means of identifying children, the health card number has become a substitute tool in the effort to provide services to vulnerable children. It is not adequate to that task.

The largely unregulated use of the SIN in the private sector is also a result of the common need to identify individuals and protect organizations from fraud. Fraud and theft of identity cause distress and cost to individuals as well as organizations. The public has a right to the privacy of their transactions, and both individuals and organizations need reasonable protections against identity-based fraud.

The SIN, as it is currently managed and used, fulfils neither of these functions well. The lack of privacy and security features in the SIN has paved the way for private sector abuses, in addition to supporting identification-based fraud.

In considering the issue of keeping or eliminating the SIN and finding an alternative solution, I am mindful of the cost. Arguably the cost of revamping the SIN, adding privacy and security features, and reissuing cards could approach that of starting anew.

• 1610

In my view, the strongest argument for an entirely new solution is that it presents the best opportunity to effectively eradicate private sector abuses. We would then be in a better position to establish, under statute, permitted private and public sector uses of a national identifier. I'd like to suggest one way of doing it.

While there are many ways to approach implementing control mechanisms, one way might be to consider a system of licensing. This would involve requiring organizations to apply for a licence to collect the identifier and provide justification and details of the physical, technical, and administrative protections for the information. An application and licensing fee could be established, which would be used to fund the program. A compliance audit component would form part of the necessary framework.

The SIN is of necessity being used as a national identifier to support a complex web of social, financial, and benefits transactions. It was not designed to ensure the integrity of these transactions, to protect against broader theft of identify, or to support the use of privacy-enhancing technologies. Because the need for a national identifier has drawn the SIN into uses for which it was not designed, it is to be expected that these circumstances of fraud, theft of identity, and errors would accumulate.

If the need for an identifier is now recognized, it will permit the creation of an alternative solution that can be designed to meet the individual's and the state's common need for an accurate, privacy-protective, national identifier. To guard against fraud and theft of identity, the identifier should provide a secure link between the individual and their own personal information. It is essential that privacy-enhancing technology such as encryption be used as part of a privacy framework supporting the identifier.

Strong legislative controls on a national identifier are part of building the foundation to address concerns and guard against potential misuses, such as a surveillance society, as David and Ann have most eloquently pointed out.

Serious consideration should be given to strengthening the authorities of the provincial privacy commissioners related to enforcing compliance with relevant legislation. These should include establishment of significant financial penalties for breaches of privacy rights and the ability to levy fines.

A continuing weakness in the fabric of privacy protection in Canada is that the Privacy Commissioner of Canada does not have the authority to order the federal government to cease a collection practice. It is essential that the Privacy Commissioner of Canada have this power. Public trust in a system of national identification is dependent on a comprehensive set of protections being in place, which includes corrective mechanisms that are independent of government.

Thank you.

The Chair: Thank you very much.

Ms. Johnston.

Ms. Catherine A. Johnston (President and Chief Executive Officer, Advanced Card Technology Association of Canada): Mesdames et messieurs, ladies and gentlemen, I would like to thank you for the opportunity to discuss this topic with you. It is one that my association has monitored over the past 10 years.

The Advanced Card Technology Association of Canada is a non-profit association that represents new card technologies such as smart, optical, and capacitive cards. We do not represent the industry or the marketplace but rather provide a voice for these technologies. This allows us to talk to you without prejudice towards any specific technologies or vendors.

Today I would like to touch on the growth of card fraud globally and in Canada, outline how others have dealt with this problem, offer a suggestion of how to secure our social insurance number card, identify some elephant traps, and put forward a proposal on how to fund a new card.

Before I start on these, however, I would like to state on behalf on my association that we are strongly in favour of Bill C-54 and would hope for a quick passage and enactment.

Let's take a look at global card fraud. In the past 50 years we have seen technologies introduced at increasingly rapid rates. With these technologies we have enjoyed new products and services. In the world of cards, magnetic stripe technology has made it possible for us to enjoy credit cards and, more recently, debit cards. When these cards were first introduced, no one would have predicted how rapidly they would become a mechanism for fraud.

In the early stages, the limited number of cards in use precluded widespread fraud, as it would have been too visible. As the number of cards in use grew, they became a target. In 1994 worldwide credit card fraud losses were in excess of $3 billion U.S. A mere three years later, in 1997, it had grown to more that $5.3 billion. Ladies and gentleman, card fraud is a growth industry.

• 1615

There are two significant factors here: approximately 45% of the fraud is related to counterfeit cards, and most significantly, card fraud is primarily committed by organized crime. It is not casual or random fraud.

Many cards, including our social insurance number cards, have value, and organized crime who defraud these cards use the proceeds to fund their other businesses, including drugs, gambling, and prostitution. This type of fraud offers a good return on investment. The materials to create new cards are readily available and very inexpensive. Risks are minimal, as judiciaries around the world tend to view credit card fraud as a victimless crime.

How does Canada rank in card fraud? In 1997 credit card fraud losses in Canada were $126.5 million. Based on figures from the first two quarters of 1998, it is estimated that the year-end losses will be approximately $215 million—an increase of 70% in one year. This can be attributed to the state of the global economy. As the Asian economy suffered, fraud shifted to other areas.

In December the RCMP conducted a raid in Toronto and seized 5,000 gold Visa cards. Each of those cards would generate approximately $3,000 in revenue for the counterfeiters. You must wonder what this has to do with our social insurance number cards. Organized crime does not restrict their activities to credit cards. During this raid the RCMP also seized citizenship card templates, Government of Canada cheque plates, blank driver's licences, and social insurance number card templates.

The counterfeiters were also engaged in debit card skimming, a process of reading information from valid debit cards to allow the creation of counterfeit cards. Debit cards are also a growing target for card fraud, and no one can claim it is victimless. If you are the victim, your first indication may be an empty bank account.

For the record, consumers are the primary underwriters of credit card fraud, but the charges are not obvious to cardholders.

In the Toronto raid, two groups were working together, one to supply the numbers and data, and the second to build the cards. Organized crime has no problem sharing information if it helps them make money, nor are they hampered by any legislation that would prohibit that sharing.

I offer all of this information to point out that the Canadian government should not be faulted for prior abuses of social insurance number cards. The time has come, however, to acknowledge that the existing cards are no longer secure in light of today's criminal attacks.

Why would anyone counterfeit a Canadian social insurance number card? I'm sure you all have an answer for that. Ironically, in addition to the fraudulent cards, another part of our problem is that our legitimate numbers are used improperly as identification for activities other than employment- and revenue-related transactions. Twice in this past month, retailers have asked me for my number as I bought products and services.

Many Canadians are unaware of who may legitimately request their number and are equally unaware of the consequences of that number being misused. A rapidly growing fraud, as has been mentioned often today, is the theft of identity. Social insurance number cards are used to falsely obtain driver's licences, health care cards, and credit cards, and all of this leads to a very expensive ripple effect, with many Canadian social programs suffering from the resultant fraud.

As I said, I don't believe anyone could have foreseen the extent of today's card fraud when the social insurance number program was put in place. However, today's government must find a way to deal with the problems I've mentioned.

Thankfully there are solutions that have been successfully implemented by others, and they employ a card technology called smart cards. These cards bear a similarity to the credit cards and other pieces of ID that each of you likely carry in your wallet. International standards are set to determine the physical characteristics of the cards. Where they differ from the cards you carry today is that they use an embedded computer chip rather than a magnetic stripe. This chip allows the card to function much in the same way as a personal computer works. In other words, they are a PC on a piece of plastic.

• 1620

This computing capability provides much more security than any existing card technology and also allows you to offer more functionality on one card. This is valuable, as Canadians have expressed a great desire to trim the bulk from their wallets. Today's “one card for each program” has resulted in Canadians carrying many more cards than they want.

Smart cards are not a new technology but have been in existence since 1969. Over that 30-year period they have become smarter, can carry more information, and have become much less expensive. As a result, countries around the world have implemented them for financial, telecommunications, transit, retail, government, and other applications.

Smart cards in North America totalled 13 million in 1996. Schlumberger Electronic Transactions expects this to grow to 273 million cards by 2001 and a staggering 543 million in North America by 2005. By that time, 3.75 billion chip cards will be employed worldwide.

This technology also allows you to secure the data on the card so that only authorized persons have access to the information the card holds. Today most information is printed on the face of cards, where anyone can see it.

In the case of multiple-application smart cards, you might have information related to more than one program—for example, a social insurance number, voter registration, and an electronic passport. In this scenario, access to data in one application would not necessarily allow you access to others unless you were authorized. Your employer, who is authorized to access your social insurance number, would not be able to view voter status or passport information. In this way, multiple-application smart cards work like mainframe computers, where your access is restricted to the specific data you are authorized to use.

Let's take a quick look at smart card implementation where security was the primary component, called cartes bancaires. In 1989 a study of credit card fraud in France showed that fraud was growing by 10% annually. It was projected that by 1992 it would be $155 million U.S. To counter the fraud, they implemented, over an 18-month timeframe, 21 million new bank cards, 14 million of which were smart cards.

In the first year, they saw a 46% reduction in fraud. Correspondingly, fraud increased in every neighbouring country that was still using mag stripe cards. This is a typical result, as each time a country or an organization enhances its security, fraud moves to the next weakest area. For Canada it means we always need to keep ahead of the United States. We cannot afford to have their fraud shift to us.

There would have been an even greater reduction in card fraud were it not for the fact that French bank cards still carry a mag stripe used to turn the card into a credit card when citizens travel outside of France. In fact this foreign use accounted for 35% of the total remaining fraud.

In Canada we now have an opportunity to re-address who should have access to social insurance numbers and whether there is merit for citizens to have another number that can be used for general identification. I would strongly recommend that you investigate the use of smart card technology to protect social insurance numbers, and furthermore, take advantage of the card's capabilities to add additional protected information.

This card might also carry an application to facilitate or authorize citizens' access to the government's new community access Internet program. Let's quickly look at what that would entail.

It would start with a feasibility study and determination of what a new card would carry. A privacy impact assessment would be conducted in conjunction with the design of the application or applications. A risk analysis would be done.

Global standards are already in place that deal with cards, applications, operating systems, and reader-writers. Globally, Visa, MasterCard, and Europay have announced their intention to move all their credit cards from mag stripe to smart—sometimes referred to as chip—technology. To do this, they have developed the EMV standards for the card applications, the transaction processing, and the reader-writers.

• 1625

In Canada, financial institutions have taken those and developed what are called the IMV standards. Interac, MasterCard, and Visa have done this to facilitate a national infrastructure. Using these IMV specifications, others may benefit from that national infrastructure.

Many benefits will be identified during a feasibility study. One I would like to emphasize today is that the emergence of smart card technology in North America will be very similar to the introduction of PCs in the 1980s. This is an area of tremendous employment potential.

Canada is currently ahead of the United States in the introduction of the technology, and Canadians can develop expertise in this technology, as we have with others in the past.

There are many elements to paying for any new system. In my presentation today I referred to sharing the “real estate” on the card between applications and ministries. For example, a voter's status would allow us to finally eliminate very costly enumeration. Instead of paying to assess every citizen's status every election, we could save significant costs by dealing only with voter status exceptions.

Whenever applications that formerly required separate cards were combined on a secure, multi-application smart card, we would enjoy production and distribution savings.

Additional significant savings are to be realized through reducing fraud in many social programs. By using card reader-writers that conform to standards, you need not build and pay for the complete infrastructure, but can leverage your investment.

All of these contribute to a positive business case and would also allow you to provide more secure and privacy-enabling cards.

I've covered a lot of information in a short time. I'll be very happy to address questions later. I would like to thank everyone who worked to organize today's meeting and each of you for your interest and your attention. I wish you well in your future endeavours and will provide any future information you request.

Thank you.

The Chair: Thank you very much.

Mr. Savary:

Professor Jim Savary (Consumers' Association of Canada): Thank you, Madam Chair. I will be brief.

On behalf of the Consumers' Association of Canada, thank you for inviting me to meet with you today.

The Consumers' Association of Canada is an independent, non-profit, volunteer-based organization that has represented the interests of consumers for more than 50 years. Its mandate is to inform consumers, to protect their interests, to educate them on marketplace issues, to advocate for consumers with government and industry, and to work to develop solutions to problems in the marketplace.

All CAC policies on specific issues are set with certain key principles in mind. These principles are the right to choose, the right to be informed, the right to safety, the right to be heard, and the right to redress.

Let me turn now to the Auditor General's report as it affects the SIN number. As members are well aware, the Auditor General has brought to the government's attention a number of issues concerning the management and use of the SIN number. I don't propose to go into these one by one. Rather I would like to highlight his general conclusions and then turn to the public policy issues to which these give rise.

The central conclusion reached by the Auditor General is that we have a system that is open to fraud on the one hand while not respecting privacy on the other. He asks whether the present system can be fixed, and if so, whether it should be fixed or whether we should start from scratch to build a new system, and if we build a new system, whether it should be based on a unique national identifier.

These are not easy questions. They raise issues of cost, of crime prevention, of efficiency, and of privacy. The Auditor General has asked for a national debate on the issue. I am grateful for the opportunity to bring you the views of the Consumers' Association of Canada.

The Auditor General made two key recommendations among a large number of specific ones: first, that every effort be made to clean up the SIN file by cross-checking with other data sources, such as provincial vital statistics data; and second, that the government re-examine the SIN from the perspective of its role, its objectives, and its uses. In doing so, the government needs to specify what standards of data integrity and privacy need to be maintained. Let me look at the implications of these.

From a consumer perspective, there can be no objection to efforts to clean up the files. This should be done in any case, since it can be done at relatively low cost. It's not expensive, as colleagues around the table today have mentioned, to correct the present problems. HRDC in its testimony to you earlier made that very clear. It can be done at relatively low cost. The question is whether it should be done, and that is a much more interesting question.

• 1630

In any case, in a system in which the number is simply an account number for government services, data integrity is clearly important. It is much more so now that the SIN is becoming a de facto personal identifier.

The Auditor General's second recommendation gives rise to a number of public policy issues that will need careful examination. Paramount among these are those that arise in making a choice between the SIN as a simple account number and the SIN as a universal identifier.

As with most public policy initiatives, there are costs and benefits to be considered. The benefits of the universal identifier that are most often cited include the prevention of crime, particularly fraud; efficiencies in data-handling in both the public and the private sector; and easier and more certain methods of authentication in electronic transactions. The primary cost is the threat to privacy, and that is a very real threat.

When the case is put this way, the policymaker will typically weigh the quantifiable gain in crime prevention plus the documented savings in data-handling against the unquantifiable or difficult-to-quantify cost in surrendering a portion of the privacy that we've been used to enjoying.

In all too many cases, the assumption will be made that, since we can't quantify the cost in terms of privacy forgone, we can ignore it. Therefore we implement the policies that will maximize the quantifiable benefits. This is, I suspect, what those who advocate a single national identifier are doing implicitly.

Such a policy would be wrong. Survey after survey has shown that Canadians are concerned about the growing threats to privacy as the world becomes more electronic. Cynics go so far as to suggest that the love-in between the government and the private sector over the promotion of electronic commerce is based more on their mutual desire to exploit ever-more-comprehensive databases than on any newfound love for each other.

While that may be letting cynicism go too far, the fact remains that the failure of business-to-consumer electronic commerce to grow at anything like the rate forecast is due to consumer suspicions that their data is insecure and their privacy is at risk.

The Consumers' Association takes the position that there is no compelling case for a national identifier. Whether one considers privacy to be a human right, as is the case in Europe and Quebec, or as simply a good among others, the fact remains that it is a good. The fact that it is difficult to put a value on privacy is no justification for compromising privacy in an effort to make efficiency gains elsewhere.

The Consumers' Association makes the following recommendations.

First, all reasonable steps should be taken to restore and ensure the integrity of the database of SIN numbers.

Second, the government should reaffirm the original intent of the SIN—that is, that it simply be an account number for the individual to access specified government services.

Incidentally, the beginning of the problem, when the toothpaste began to squeeze out of the tube, was allowing National Revenue to use the SIN number for its own purposes. That's what got the private sector into it, because of the fact that financial institutions were then compelled to demand it for virtually every financial transaction. Had we not done that, the SIN would have remained an account number like any other number, a bank account number. You could have several of them. Who would care?

Unfortunately, it's going to be difficult to get that toothpaste back in. I think we can. We should try, but whether we can or not remains to be seen. In any case, the original intent should be reaffirmed by the government.

That brings me to recommendation three, which is that legislation be passed prohibiting all other uses of the SIN in the public and private sectors.

Finally, recommendation four is that the government repudiate the notion of a universal client identifier.

Madam Chair, that concludes my formal remarks. I would be happy to join with my colleagues in answering any questions and, I suspect, debating some of these points I've raised. Thank you.

The Chair: Thank you all. You've certainly given us much to think about, and thank you for agreeing to this forum, which helps us maximize our time.

Mr. Johnston, we'll begin our 10-minute round.

Mr. Dale Johnston (Wetaskiwin, Ref.): Thank you, Madam Chairman.

The Chair: Just ask if there's anyone specifically who you'd like to have answer the questions.

Mr. Dale Johnston: I certainly appreciate the information the panel has brought to us today, and I also appreciate the stance you have been taking as far as privacy is concerned.

One of the things I heard here today is that we don't want to live in a society where we are under surveillance all the time. If I could just enlarge on that, I certainly don't want to live in a society where you have the potential to be under surveillance all of the time. If even the potential is there, we know someone will master the technology to put you under surveillance if they so desire, if it's profitable for them to do so.

• 1635

I know the social insurance number originally was brought in to deal specifically with CPP. At that time the debate raged in the House of Commons: had they taken into consideration that perhaps this number could be used by Revenue Canada? Of course at that time they were assured, “No, no, no. That will never happen.” Well, now you get asked for it for just about everything, except I don't think you have to show it to your bartender. Other than that, just about everybody else asks for it.

When I read through the list of statutes and regulations, it covers just about everything, so it is a far larger problem. The analogy of the toothpaste coming out of the tube and it being tremendously difficult to get back in is an excellent one. You've presented us with a lot of things to mull over and debate, and I'm glad to see you've also come up with some recommendations that I certainly can agree with.

I don't have any specific questions at the moment, but I'd like to ask a broad question of all of you. Do you think it is possible to have a unique identifier that cannot be abused, pirated, or exploited by someone for their own gain?

Ms. Ann Cavoukian: I can take a shot at that.

The clear answer would be no, one could never make such promises and offer such assurances. However, if I could rephrase the question, could there be an identifier that would meet an acceptable level of risk such that people would feel comfortable using it? We have to talk about what is a manageable risk and what is acceptable to the public.

I presume you put your money in a bank. You do financial transactions with various institutions. Banks are still broken into occasionally and funds are taken away by robbers, but the level of risk is such that you find it acceptable to put your most valuable possessions into safety deposit boxes and money into a bank. So despite the fact that one can break into those organizations, it's a minimal risk and you're willing to take that risk.

I offer the same analogy in terms of information and identifiers and techniques we have now to protect such information through encryption, for example. There are methods of maximizing the safety of these features and minimizing the risk, and that should be the goal. Attempting to eliminate risk is impossible, but it is very possible and feasible to advance to a stage where the risk is manageable and acceptable.

Mr. Dale Johnston: Well, it—

The Chair: Mr. Savary has a point to make, if you would permit.

Mr. Dale Johnston: Okay, good, perfect.

Prof. Jim Savary: I just wanted to suggest that may not be the right question. I quite agree with Ann that you never can get 100% security and you can never get 100% perfection, but I'm not sure that's the right question.

Even if I could have a universal national identifier that was 100% secure, the question I would ask is why would I want it? What would be the benefit to me of having such an identifier, especially as the more we reduce risk, the more costly it is to reduce it? So at some point if we decide, for example, a 5% risk of abuse is acceptable, it's going to cost so much. It will cost a tremendous amount more to move that to 1%, and I don't think it's money well spent.

• 1640

Mr. Dale Johnston: I see this group is way out ahead of me.

The Chair: It's a lively group and a lively discussion.

I think Mr. Flaherty has a point to make here.

Mr. David Flaherty: I'd simply point out to you that everybody born in this country does have a unique personal identifier on our birth certificates. Unfortunately it isn't used anywhere except in Prince Edward Island as a unique personal identifier.

My perspective is not to have a personal identification system, because inefficiency at a certain level protects our privacy, but the inefficiency in the social insurance number registry is absolutely shocking. How that ever could have been allowed to happen baffles me, and it raises something I've observed in British Columbia: that after five or six years, there's nobody around to take responsibility for what happened.

Mr. Dale Johnston: Which leads me to the next question. My original question about the security was leading to the fact that if we have one of these computer chips embedded in your card, that comes as close as we can to the security. The next logical step after that is to simply embed the chip under your skin somewhere, and then when you go through the scanner—

Mr. John O'Reilly (Haliburton—Victoria—Brock, Lib.): We see it all the time in agriculture.

Voices: Oh, oh!

Mr. Dale Johnston: That's fine in agriculture. I, as a guy who's husbanding cattle, want to know exactly where they are. But I certainly don't think Big Brother has the right to know exactly where I am all the time.

That's what I see wrong with this whole idea of a unique identifier in the first place. No matter what you come up with, it can be pirated or used some other way in which it's not intended to be used, so the natural evolution of things is that you're going to improve on the security of this to the point where you absolutely sacrifice all of your privacy.

The Chair: If you'll permit me, Mr. Johnston, if I could direct your comment to Ms. Reynolds, I understand she has some practical application of what you've just outlined.

Ms. Rita Reynolds: I've struggled with this issue of a national identifier from a position of being a privacy advocate and also someone who has to actually apply the legislation to real-world situations. What I see is that failure to use these kinds of technologies to protect privacy and to secure our systems of identification leaves the individual at the mercy of the unregulated criminal sector. I have concerns about government as Big Brother, but I don't see that as a reasonable justification for not providing secure means of identification, because that's really what we're talking about here.

Individuals are victimized related to their identification. Organizations of course lose money. Individuals lose much more when those kinds of situations happen. So I don't think it's adequate to say we shouldn't do these things because we will be a means of conducting surveillance. One always goes the second step to say that if there is a potential there, it will be used. The way it is now, it is being used, and by people I have a great deal less trust in.

Mr. Dale Johnston: I would have to counter by saying that the more plastic, for lack of a better word.... Someone said we carry around more and more plastic all the time, and I agree; it's getting to be a burden. The more of that we have, the more potential we have of being ripped off. If we didn't have any of that—if we had, as Mr. Flaherty has suggested, simply our unique identifier as the birth certificate.... That's probably the most difficult one. You can't get into my bank account with my birth certificate and you can't invade my privacy with it either. So the possibility of absolutely no unique identifier is one we should look hard and long at.

• 1645

The Chair: Ms. Johnston, feel free to jump in here.

Ms. Catherine Johnston: Chips under the skin. Well, let me hasten to assure you that there are already more than 38 things about your body that are unique. In fact every body around the room, I would hasten to add—

A voice: You've surveyed them, have you?

Mr. Dale Johnston: Let's not go there.

Voices: Oh, oh!

Ms. Catherine Johnston: Everything from your fingerprints to your retina scan to the way you type when you sit at a keyboard is absolutely identifiable and unique to you. We could get into the specific body chemistry and odours one has, but I choose not to.

The Chair: Thank you for that.

Ms. Catherine Johnston: Some very interesting points have been raised here. I'll try to condense it.

Different applications or different things you want to do as a citizen require different levels of identification to confirm that truly it is you getting into your bank account, for example, and not someone else, or it is you asking for government-paid health care, not someone else. Depending on the value of what transaction you're processing, it dictates the level of identification required.

It's no longer good enough today to have a PIN number for something, because it's been proven to be ineffective. Now you pretty well have to have something and know something. The very fact that you have the token isn't enough.

In England right now, in addition to having a bank card, they no longer use PIN numbers; they use retina scans. For the consumer, the advantage is that there are no longer low limits on the amount of money you can take out of your bank account every day. You can take anything you want, because the bank is assured that it is you putting the card into the slot.

As to whether there should be one number, I will say in response to Jim's comment that you have to make it easy for people to remember numbers. How many of you have stood in line behind someone who has their PIN number written on their card? I personally like the idea of having different numbers that identify me for different uses, but I want it to be easy so that it's secure. That's what we need to work towards.

The Chair: Thank you.

[Translation]

Go ahead, Mr.Crête.

Mr. Paul Crête (Kamouraska—Rivière-du-Loup—Témiscouata—Les Basques, BQ): Thank you for your very interesting presentations on this highly complex issue.

I have two concerns. Efficiency is one, obviously, but I'm also concerned about the best way of dealing with Big Brother in the future.

We saw one rather blatant example of this recently. In its quest for money, the Department of Human Resources Development decided to match data on unemployed workers who move from one region to another. Although there exists a very clear legal ruling to the effect that the department cannot do this, it nevertheless pressed ahead. A ruling was needed to counter this action.

I have here an excerpt from the 1996-1997 annual report of the Privacy Commissioner of Canada concerning one-stop shopping, the common client identifier. It states the following:

While more efficient delivery of government services is a noble goal, in its pursuit, we may well demolish the walls so carefully constructed around personal data files.

... Protecting privacy in this context requires, to paraphrase an American Supreme Court decision, "protecting the fragile values of a vulnerable citizenry from the overbearing concern for efficiency that may characterize praise-worthy government officials no less, and perhaps more, than mediocre ones".

In your opinion, how can we resolve this dilemma to ensure that in future, we have a system where the state doesn't always have the upper hand on people?

[English]

The Chair: Mr. Flaherty.

[Translation]

Mr. David Flaherty: If you don't mind, Mr. Crête, I'll answer your question in English.

[English]

You've raised a very fundamental question, and it's a sign of the times that your cell phone rings as I start.

Voices: Oh, oh!

The Chair: We do have a policy of not having our cell phones on.

Mr. Paul Crête: Excuse me.

The Chair: It's our electronic leash.

Mr. David Flaherty: Cell phones are certainly part of Big Brother in this day and age.

You've raised the very fundamental issue of the constant vigilance required to prevent the creation of a surveillance society where Big Brother is after us all of the time. It's as simple as that.

• 1650

I'm quite satisfied that we now have privacy commissioners in most of the provinces and territories of Canada, except for Nova Scotia, Prince Edward Island, and Newfoundland. That is creating privacy watchdogs, such as the two of us here, who are, with small staffs, working, as does the Privacy Commissioner of Canada, for that purpose.

I'm the information and privacy commissioner in British Columbia, and my situation is not much different from that of Monsieur Paul-André Comeau with the Commission d'accès à l'information in Quebec. We have very small staffs of 25 to 50 people. There are 30,000 or 40,000 public servants just at the provincial level in British Columbia who are promoting efficiency doing this, that, and the other thing.

One of the reasons I'm pleased to be before a group of MPs is to have the chance to remind you of the importance of privacy as a fundamental value in Canadian society, as recognized by the Federal Court of Canada in its very important decision in favour of the Privacy Commissioner of Canada that you mentioned in your initial statement.

It's very important for MPs in particular, whatever your party backgrounds, to be sensitive to the privacy issue, because it's so much at the heart of the daily lives of your constituents. So I thank you for that comment.

[Translation]

Mr. Paul Crête: I'm pleased to hear that, but now, I'd like to know if you have any solutions to propose.

[English]

The Chair: I think Ms. Johnston is about to attempt that.

Ms. Catherine Johnston: In part.

Technology will go a certain way towards protecting information, but where it normally fails is where the processes surrounding the technology are compromised. We do not tend to think about how we collect data and where we store it. If we collect it on a piece of paper and then key it into a computer, what do we do with the piece of paper? We need to re-educate everyone to think about cradle-to-grave information.

The other thing I find very lacking in my country is that we're not very good at punishing people when they break the rules. Technology people would like to make money very quickly, so if they don't know what the rules are up front, they won't build technology or they won't build applications that meet the objectives you have. They need to know what the rules are. They need to know that if they break those rules, there will be a penalty and the penalty will match the offence. That needs to be there. It needs to be seen. We need to be far less tolerant of people who abuse our privacy.

If we do all of those things and employ technologies as they come out for that component, then I think we have a solution. But it's not easy.

[Translation]

Mr. Paul Crête: You seem to be advocating a very punitive approach. I don't believe that human beings are fundamentally bad. I believe they are good. We have to start with that premise, not the opposite one.

[English]

Ms. Catherine Johnston: We are good. The people who committed $200 million worth of credit card fraud do not share our values.

The Chair: Ms. Cavoukian.

Ms. Ann Cavoukian: Unfortunately I do not have one answer for you, but let me give you the opposite: what will happen if we don't attempt to find a solution.

I've been with our office for about 12 years, and there have been times when we've worked with the government in Ontario and have raised the questions and have not tried to find any workable solutions. Those are usually the times when privacy has been ignored the most, because the government is not the expert in privacy either. So we raise questions, they raise their hands, and the issue gets ignored; privacy is not protected and the program continues in an attempt to find greater efficiency.

We have had instances where we have changed that strategy to try to assist government and propose solutions that we think are workable, being very mindful of privacy—we are the experts in privacy—but recognizing that the government of the day has business that it must advance. So that means we have to recognize at some level some of the objectives that need to be met.

I offer you just one example. Dare I say the word “biometrics”? In this case, the use of fingerprints has been implemented in the city of Toronto. My colleague, Rita Reynolds, has led the program. We have worked with the city, because they also come under our jurisdiction, and we have developed a wonderful set of privacy protections and controls that have been enshrined in statute.

• 1655

A bill called the Social Assistance Reform Act was passed last year. It has the tightest privacy controls imaginable relating to privacy in biometrics. Worldwide it's unprecedented. But what it also does is permit biometrics to be used for very narrow purposes to authenticate the identity and eligibility of welfare recipients in the city of Toronto.

These are very difficult decisions we have to make, but I believe in the course we took. I believe it is the right one. When I now look at the difficulty with which the city is moving the program forward because of these privacy controls, I believe they're working, because it has been incredibly difficult for them to move ahead because of all the restrictions we've placed upon them.

So that is my humble view on one possible solution.

The Chair: Mr. Savary, I see you signalling. Maybe you'd like to interject.

Prof. Jim Savary: Yes, just very quickly.

Technology has the potential to improve privacy, and the way it has the potential to improve it is by giving control of the data back to the data-owner, and that's the consumer. I have great hopes for developments along the line of digital signatures, which will allow my identifier to be absolutely unique to me, but I will be the one who decides when I give it, for what purpose, and to access what data, and it will be strictly limited to that. If we can control the use of our data, we'll have gone a long way.

The Chair: Ms. Reynolds, feel free.

Ms. Rita Reynolds: On the other side, speaking from the City of Toronto's perspective, I totally support what Ann has said. I don't think that implementing biometric technology could have been done as well without the involvement of the Information and Privacy Commission and without the support of very strong statutory controls.

The city is faced with the same thing that every other level of government is faced with: downsizing, restructuring, doing more with less. The commissioners have spoken about their small staffs. My office, equally, has an extremely small staff for the task that faces us.

But one thing I would like to add is that I really do feel strongly that the commissioners don't have adequate authority to be able to require institutions to make changes before you get to a situation like the one you've just faced in the last few days. If the Privacy Commissioner of Canada had had the authority to order an institution to cease a collection practice, they would have thought twice about going down that road in the first place. They would have, as I have done many times, though about a program that was put forward to them.

I've worked with the staff to develop appropriate privacy protections. I've used the Information and Privacy Commission absolutely shamelessly in order to get the institution to listen, because I stand in between protecting privacy, working with the commission, and yet I have of course a bureaucracy that is under enormous pressure to do more with less.

It's difficult for everyone, but I know if the commission has the authority to order an institution to cease a collection practice, I can simply say to the institution, “Do you want to hear it from me first? You don't like what I'm saying, but we can certainly go forward and you can hear it from the commission after great sums of money have been spent.” I feel strongly that in any issue of identification, you have to first look at what the foundations are and what is in place.

One of the things I often deal with is the issue of public trust. Public trust in government is strengthened when government gives up some of its power. I would strongly suggest that you look at the option of strengthening the Information and Privacy Commission and giving additional powers to the commissioners before you think of implementing any large change and going forward with your program and with what you're going to do, before it gets held too closely to anyone's heart, because once it is, it's very difficult to make the changes required.

• 1700

[Translation]

Mr. Paul Crête: Thank you for these excellent suggestions. I've understood two or three things from what you've said. First of all, protecting personal information must take precedence over the interests of the state. The burden of proof should be reversed. If the state wants information, it should have to prove that this information is necessary. Citizens shouldn't have to defend themselves when this information is used for other purposes. I think that these are some interesting proposals. Thank you.

The Chair: Mr. Dubé.

Mr. Jean Dubé (Madawaska—Restigouche, PC): I'd like to thank today's witnesses.

If there's one thing on which we can all agree today, and that is a rarity in this House, it's that social insurance numbers have been greatly misused. Now we are talking about solutions.

[English]

We're talking about solutions here. Obviously privacy is number one. We all know that. But solutions, where do we start?

First, why should we use social insurance numbers? Should they be used federally? Provincially? At banks? We have to determine that.

David, you mentioned in your remarks that there should be an identifier for federal government programs, and if the private sector, the banks, want to create their own identifier, they should have their own. That would be a safe way, as far as I hear today, of building on that new process.

Are we so far advanced now with the social insurance number abuse that we should start fixing the social insurance number, or should we just scrap it?

I'm reading the Privacy Commissioner's statement in the annual report for 1996-97. He says:

...any proposal that builds on the existing SIN is in for heavy weather. Never was a personal identifier so compromised....Constructing a common client identifier on the SIN is building on sand.

So should we not look at a whole new system?

Mr. David Flaherty: I leave office in six months, because my term is non-renewable. If I thought there were a real program in Canada, at any provincial or federal level, to promote a unique personal identification number for Canadians, I would be delighted to devote my energies and resources as a volunteer to fight that effort.

You have the federal social insurance number for federal purposes. You've restricted it to about 20 uses. The RESP is the latest one. It's a crummy number. There are too many cards out. The Auditor General has identified the problems. HRDC has five task forces working on fixing it up and cleaning it up. Use it for what it's legitimately allowed to be used for.

Certainly in British Columbia, at the provincial level, they're not using it for purposes that are not legitimate, anywhere where I have regulation. There was one area where I allowed it to be used by the Workers' Compensation Board for audiology testing, because the costs of phasing in an alternative immediately were too expensive.

My concern is with the private sector. There may be some legitimate uses in the private sector. I have no problems with the banks sending to Revenue Canada a notice of the fact that you have $12 in interest on your Canada savings bond. It's in our interest, as taxpayers, to have people comply with the tax laws.

I know that the banks, however, don't use the social insurance number as a common client identifier. What I want you to do is identify who in the private sector is using it for that purpose. At one point Domino's Pizza was using it as a delivery item. At one point in the 1970s you couldn't get your dirty diapers returned to a diaper cleaning service in Ottawa unless you used your social insurance number. That was just a convenience to the private sector.

It raises privacy anxieties among Canadians. At the end of the day, as you heard in testimony in November, even if I had your SIN, what could I do with it? I could try to steal your identity, but I couldn't call the SIN identification number unit in Bathurst or Moncton and say, “Tell me something about Monsieur Dubé.” They'd tell me to get lost. So it's a symbolic privacy issue.

The most constant source of complaints to the Office of the Privacy Commissioner of Canada is the abuse of the social insurance number. What a waste of his time and that of his staff, playing with that issue.

• 1705

Mr. Jean Dubé: I'm from New Brunswick, and you are also; it's a great province. In New Brunswick presently—and Andy, you would know this as well—when you renew your driver's licence, you go into a computer and sign your name, and from the computer, your signature is transferred to your licence. So now the Province of New Brunswick has your social insurance number and your signature. It's getting dangerous.

I have a comment on the smart card computer chip. I'm a little nervous about that as well. We all have heard about computer hackers, and this can happen here as well, yes or no?

Ms. Catherine Johnston: The one area where smart cards do not work like PCs is in this area of security. If I go into your office and take your PC, I have all of your data. If you have encrypted your data today, you have likely stored your encryption key on your hard drive. If I'm a good hacker, I will get it and I will use it.

In this card, having physical possession does not get you the data. You have to prove to the operating system that you're authorized to specific pieces of data. Behind that operating system, there are nothing but random ones and zeros. Only the operating system can translate it back into anything meaningful.

Also, I hate to say this out loud in this room, but every chip in the world has a unique number that's used for security. It helps protect the privacy of the card.

Mr. Jean Dubé: There you go. You answered my question.

Ms. Catherine Johnston: There is one other element. Different manufacturers use different methods to do this, but if you try to attack the card using electronics, this card will do what the old Mission Impossible tapes did: it will destroy itself. You will not get the sexy puff of smoke that you used to see on TV, but it will close down the communication link. There has never been a counterfeited smart card, and that's part of the reason.

Mr. David Flaherty: You have all read in the last 10 days about the fact that Intel was going to release its new chip with a unique personal identifier that would track each and every one of us as we went through web sites. In yesterday's Report on Business, Eric Reguly's column was on that issue. It required massive resistance from privacy advocates in the United States to get Intel to change its mind, and it proposed some software solution to the issue.

The fact is that our personal information, our digital profile, is increasingly valuable to the private sector in particular. They want to trace us. The data from the Safeway club to get discounts is stored in Salt Lake City. That's not very good for me, as a resident of Victoria trying to articulate my privacy rights with my grocer, who, thank God, doesn't sell liquor, but sells lots of other sensitive things.

Voices: Oh, oh!

Ms. Ann Cavoukian: Monsieur Dubé, returning to your question, I want to give an answer.

The enormity of the task we would face in attempting to replace the social insurance number with something else.... First of all, we don't even know if we want something else. It requires enormous public debate. It is such an enormous task, and I think it would take 10, 20, or 30 years, knowing the way governments move and their speed, or lack thereof.

As a first short-term solution—and I use “short-term” loosely—fix the problem we have now. We know how many people are dying; find a way to connect that and get rid of the illegitimate cards. There are such simple solutions that could be effective. Within a year, you could have a cleaned up system that would be far superior to what there is now. There would still be a lot of problems, such as widespread use in the private sector. You'd need to introduce some legislation and make it an offence. There are things you can do. If Bill C-54 passes, that will address a number of the problems.

You have something in place. It's far from perfect, but it can be fixed and used to address the legitimate uses, and I think we would all acknowledge there are some.

As for attempting to do something else, certainly the debate can begin, but I don't even begin to know what the answers would be or even the questions. You would have a divergence of use, as you should rightly have, and I think it would take five to 10 years, if that. I don't know how long it would take to even contemplate what it would go to.

• 1710

I'm not suggesting that debate shouldn't take place, but I am saying that in the interim, the answer isn't that you should do nothing until that debate takes place. It's far too late. Something should have been done by now. So let's fix this problem and perhaps have in parallel a debate as to the future of the card and the number.

The Chair: Thank you.

Mr. Dubé, you have two more minutes. We're under time constraints, unfortunately.

Mr. Jean Dubé: All right.

As we speak, our numbers are out there. Somebody has our numbers. How do we clean that up?

Ms. Ann Cavoukian: Do you know how much is out there? The reality is, the least of your worries is your social insurance number, in terms of what's out there. If you've done any browsing of any web pages, there's a lot of information about you. There are hundreds of files on you.

The notion that you're going to bring the genie back into the bottle has to be dispelled. We are where we are now. Technology has acted as a tool of surveillance thus far, but we now have technology that can be used in an enabling way to for once take the control out of the hands of government and the private sector and put it where, in my view, it rightly belongs: in the hands of the individual.

You now have privacy-enhancing technologies that can be introduced. You can try to view technology now as an enabling tool instead of it being used solely as a tool of surveillance. That's where the shift it. I don't think you can pull it back. It's all out there. But there are ways you can put walls on, restrict the use, keep it to yourself, and keep others out. Those are perhaps the more appropriate questions.

The Chair: Ms. Johnston.

Ms. Catherine Johnston: To very quickly answer, you can't use the numbers that are out there now. You can't fix it. It's broken beyond repair. You do a re-registration, you come up with a better number, a more complicated number, and you reissue.

Prof. Jim Savary: Why would you want to reissue a bank account number equivalent? It's a number for government services. Why go to the expense?

Ms. Catherine Johnston: Because as Ann said, there needs to be a number, and as David said, it's used for my tax reporting. The current number is broken, and it needs to be fixed before it becomes more of a problem.

Prof. Jim Savary: If somebody wants to pay my taxes for me, I'm happy.

Mr. David Flaherty: The reality is, you should be asking, as members of Parliament, whether the public servants in front of you are using the best available technology, and second, whether they really need a number. We don't really need the social insurance number. There is enough in the social insurance number registry about each of us to exactly match me rather than another David Flaherty. Sophisticated data-matching makes it unnecessary, really, to have numbers.

But that's like talking about biometrics. It's not where we're at right now. Biometrics are wonderful, and we have a really good case study in Toronto, but we really need just to clean up and fix the SIN.

I think in the testimony before you someone said that issuing new numbers might cost $0.25 billion. Thank you very much, I can't see the Honourable Paul Martin coming up with money for that sort of thing.

Ms. Ann Cavoukian: And the process is a nightmare. We went through it in Ontario for the issuing of the new health number in 1990-91, and in my view, they did it very poorly. They didn't require any proof of identity. Anybody could fill out a form and send it in and get a number. Apparently people filled forms out on behalf of their dogs, and the dog got a number. I'm serious.

Mr. John O'Reilly: Now all they need is a MasterCard.

Voices: Oh, oh!

Ms. Ann Cavoukian: So re-registration in itself is a problem, and then ensuring that the proper proof of identity exists and that there is proper security is very costly.

Ms. Rita Reynolds: If I can just add to that, some very good arguments have been made for an alternative solution. The fact is, as Monsieur Dubé pointed out, it is out there. The social insurance number is out there. It is being used extensively in the private sector. You are not going to get that genie back in the bottle, because they do have that number.

We can improve the security on the cards, but I totally agree with what Ann is saying: fix what you can fix now with the social insurance number, but begin the debate about an alternative solution that will be privacy-protective and will allow us to render that number out there meaningless. That's the only way you're going to get a hold of the private sector abuses: come up with an alternative solution and start again.

The Chair: Thank you very much.

Unfortunately we only have 10 minutes remaining for this meeting. I see four of our Liberal members very eager to ask questions.

• 1715

Mr. O'Reilly, you're first. Could you share your time with the remaining members who wish to ask questions?

Mr. John O'Reilly: Thank you very much, Madam Chair. I promise not to talk about my dog's credit card or my friend's cattle all having chips in their ears so that they know how much they milk every day and all that, because that technology is already used quite widely.

I want to get into fixing the SIN number, which is what we're here for. I have a debate going here. I always think the most secure system we have, when all else fails, is to go to our passport. So I look at that type of system: a five-year renewable type of photo ID with maybe a thumbprint or some other facility to come up with an electronic signature, but I prefer the thumbprint.

So if I can get another debate going with you—and you're doing great—the duplication of that type of system into the reissuing of the SIN number may be the answer we're looking for. I'm not sure. I don't think there's going to be an answer, because I'm not sure we can find one right away that's going to satisfy everyone.

I'm suggesting, or maybe you're suggesting, from what I hear, that we need more than one type of card. We need more than one way of identifying ourselves and we need more than one category. Forget about having only one card, because you're going to need some type of identification, and I would ask how many categories there are. There's banking, health and welfare, travel, and those types of things.

So in fixing the SIN number, should we be looking at something that has to be renewed, and are you suggesting more than one type of card for different transactions?

By the way, I didn't thank you for coming. It's a very interesting panel. I'm quite impressed at the depth of your.... You've managed to confuse us all a lot more. I don't know that I'm going to rip up my dog's ID or my MasterCard for my dog, but in struggling with this, I see more than one solution, and yet some of them look very easy.

Mr. David Flaherty: Can I give a very simple start to this? I'm looking in my own wallet. I have several credit cards, a health care card from British Columbia, a driver's licence, and that's about it. I don't have my social insurance number with me, although I have the original card from about 1958, when I acquired it.

I am happy to control the disclosure of my own identify by having these identification forms with me. That's the kind of identification system I want. I guess there's a Canadian citizenship card that Mr. Phillips mentioned. I suppose I could have that too if I wanted it. But I do have a passport.

As someone sensitive to his privacy, I choose how to identify myself to the state, and that's what I want to do. I don't want a number emblazoned across my forehead or embedded in my hand, but I would be quite happy to have a smart card. In fact I would be quite delighted—and I've written about this, and it's on my web site—to have one smart card that would replace all of these cards. Perhaps in 10 years' time, she'll be a multimillionaire and I'll have one smart card.

Voices: Oh, oh!

Mr. John O'Reilly: I don't know if that answers my question.

If I may add to that, there are some people who do not need a bank card. When you're dealing with certain agencies, the last thing on a person's mind is a bank card. So you can't have something that would give someone access to a bank card if they don't need it. Some people don't need a passport, so they don't need access to that. That's what I was getting at. Each person has individual needs for different cards.

Ms. Catherine Johnston: The analogy that goes with that is that each person who uses a PC has different requirements for the PC. They choose the software they want, but they load all of those different packages on one PC, which is what you can do with this card. If you don't have a bank account, then you don't have banking information. It's like a filing cabinet with drawers. You don't assign a drawer for banking, but you might assign one for your social insurance number, because your employer is going to require it.

What I want to see, though, and what relieves you of the cost and the complexity of reissuing them all the time, is this: take the information off the front of the card and put it where only someone who is authorized can get at it, but where I as the citizen can actually see what my government thinks it knows about me. Then I would have an opportunity to say that my health information is complete and accurate or I could go and report it and ask it to be fixed if it's inaccurate, which it often is, because it's outdated. You can do all of those things. You can customize it to the individuals.

• 1720

Would you reissue a card right now with nothing but a SIN number on it? I wouldn't advise it. You have a number of initiatives through the government where a card will be issued across the country, and you should piggyback on some other ministry's expense.

The Chair: Mr. Flaherty and Ms. Cavoukian, would you like to depart? I understand that you're—

Mr. David Flaherty: I don't want to leave these people alone.

Voices: Oh, oh!

The Chair: How very sporting of you.

Mr. John O'Reilly: Leave your credit cards.

Voices: Oh, oh!

The Chair: All right, then we'll continue, and if you'll bear with us, we'll just give our other colleagues a chance to ask their questions very quickly.

Mr. John O'Reilly: Mr. Savary had an answer also.

The Chair: Mr. Savary, please feel free.

Prof. Jim Savary: I just wanted very briefly to say that to me what's important here is not the actual platform, whether we go with smart cards or one smart card, as I think Cathy would like to do, until she loses it, and then with all that data on it, God knows what happens next.

Ms. Catherine Johnston: I never said one, for that reason, Jim. Don't put words in my mouth.

Voices: Oh, oh!

Prof. Jim Savary: All right.

Anyway, the issue of whether you have one, three, or whatever is not an important issue. What's important—and Cathy made the point; I just want to reinforce it—is that control of the data should be in the hands of what we euphemistically call “the data subject”. In other words, I want to be able to decide who gets my data, whether they get it from a smart card or whether they get it from some central computer somewhere, but only with my digital signature or some other way of accessing it. That to me is the important part.

Mr. John O'Reilly: Thank you very much.

The Chair: We're going to go in this order: Mr. Wilfert, then Mr. Scott.

Could you all put your questions and then they can all answer in one shot?

Mr. Bryon Wilfert (Oak Ridges, Lib.): Okay.

Voltaire said there's no privacy where the state is concerned. I'd suggest there's no privacy where the private sector is concerned today. The fact is we've gone a long way from what there was in 1964.

You talk about the short-term fix. For example, on the issue of death, the provinces are very slow, in fact often uncooperative, in giving us the information we need.

Ms. Ann Cavoukian: [Inaudible—Editor]...an agreement, with controls in place, tomorrow.

Mr. Bryon Wilfert: Well, I would say that is one of the problems right there: we don't get the information from the provinces. Whether that's the provinces' fault or our fault, we need to fix it, and we need to fix it right away.

I would suggest we need to replace the SIN number. There has to be the political will. I don't think there is the political will, but there needs to be if we're going to get on with the abuses.

On the other hand, though, there are abuses to the system. That is why in some respects getting that information is so critical, because there are people who abuse the system, as in Quebec, where 75,000 people didn't re-register for their health card, because they weren't entitled to it in the first place.

You mentioned in your presentation, Mr. Flaherty, the 1987 recommendations. Were these recommendations adopted?

Mr. David Flaherty: They were adopted unanimously by the Standing Committee on Justice and Solicitor General, given to Brian Mulroney's government, and he cherry-picked a few of them. For example, the SIN was used for the armed forces at that point in time, and it was replaced. But they didn't go for all of the recommendations of the committee.

Mr. Bryon Wilfert: They didn't go for them all?

Mr. David Flaherty: That's why I've repeated them here.

Mr. Bryon Wilfert: Okay. Essentially we're saying the SIN doesn't do what it's supposed to do, so your suggestion is: one, basically, let's improve in the short term the sharing of information so that we can deal with the immediate abuses that we can deal with; and in the long term, the smart card is probably....

I have some reservations about the amount of information that's given out, but with technology, maybe, although we ask for too much information about everything in this country. Then again, on the other hand, we are not well educated in terms of what we can do. Even if you say to somebody that you don't want to give them your SIN number, they can say, “Well, then you don't get the product.” There is a problem there too. How do we educate those who in fact...? There's no point in saying, “I won't give it to you”, because then they say, “Well, you're not getting the product”, and therefore you're out of luck.

We clearly are in a situation where, yes, we need to control the data, but the fact is that even if the individual controls that data, the kind of information that person has.... I like the idea of a fingerprint and I like the idea of a passport or something that is much more difficult to replicate.

Ms. Rita Reynolds: I'm pleased to hear your comments, because to me the big hole is the link between the individual and their own personal information.

• 1725

It's fine to put in a system, and we need a system in place, where the individual can exercise control over their own personal information, with the ability to correct it, change it, and complain about excessive collection or use—the whole myriad of things in the privacy spectrum. But unless you have something that allows an individual to uniquely demonstrate that they are who they say they are, that that is their personal information, then there is no way you can effectively prevent abuse, fraud, and theft of identity.

That is the critical piece. While you work through all the other solutions of who gets what other information, how much you're going to collect, and what are the permitted uses, that is a fundamental underpinning of it, so that individuals can protect themselves from both the state and the private sector.

The Chair: Mr. Flaherty.

Mr. David Flaherty: With all due respect to you, Mr. Wilfert, if we had a society in which fraud was impossible, we would have a totalitarian regime. That is not a pro-fraud statement on my part, but we have the capacity to create a total surveillance society in Canada, and most of us do not want to live in that kind of society.

Mr. Bryon Wilfert: On the other hand, we have to prevent abuses, though, sir.

Mr. David Flaherty: As much as possible.

Mr. Bryon Wilfert: We want to get those who cheat in our society. On the one hand, we want to go after all those cheaters—welfare cheats or whoever they happen to be. We say we want to go after them, but on the other hand we say we don't want to give up the amount of privacy, which I certainly agree with.

Yes, we can have a totalitarian state. I'd certainly never advocate that, but we've have been talking about this for eons, and quite frankly, we get to the point where rhetoric should end and there needs to be the will. But you tell me that in 1987 we had recommendations and they were cherry-picked. This seems to be the pattern around here. I deal with reports I've read that are 10 years old, and their recommendations are basically the same things I'm hearing today.

Ms. Ann Cavoukian: Well, imagine how the public feels, the taxpayers.

Voices: Oh, oh!

Mr. Bryon Wilfert: I'm a taxpayer.

Mr. Jean Dubé: It was their government.

Mr. Bryon Wilfert: Your government cherry-picked, so it's your fault. You could have done it in 1987.

An hon. member: Tories!

Voices: Oh, oh!

Mr. Andy Scott (Fredericton, Lib.): At the risk of compromising the political debate—

Voices: Oh, oh!

Mr. Andy Scott: There seems to be a consensus that the genie is out of the bottle, out of the room, perhaps on another planet, and my question is simple, particularly to the privacy advocates.

Given the degree to which this thing is beyond us, well beyond us, beyond us to a point that we don't even know how far it is beyond us, how willing are you to compromise those values that have been compromised in order to restore the integrity of the system? The fundamental question here is a real one, for the government at least: To what extent is it necessary to in fact violate those exact values that we are concerned with in order to restore the integrity of the system? I'm curious.

Mr. David Flaherty: I will start, if I may. I went along with substantial data-matching on income assistance recipients in British Columbia, which has substantially reduced the amount of welfare assistance fraud in the province, and we do it without social insurance numbers. Our view, as official privacy advocates, is that we articulate the privacy interests of individuals, somebody else articulates the welfare, the law enforcement, or whatever else it is, and the legislature and members of Parliament decide where the balance is supposed to be drawn.

Mr. Andy Scott: Could I just correct myself a little bit?

Ms. Ann Cavoukian: We have one minute and we have to leave; I'm sorry.

Mr. Andy Scott: When I speak of correcting, I'm not talking about the abuses we're talking about here. I'm talking about the integrity of the information system for the moment, not what you would be prepared to do to deal with abuse.

The Chair: Mr. Scott, I'll give them the last word, and then we'll adjourn.

Ms. Ann Cavoukian: What you always have to remember is that a balance must be struck between these at times conflicting values. No one is suggesting that there aren't times when compromises have to be made.

As Mr. Flaherty indicated, in my province I've authorized a number of data-matching agreements where the explicit purpose has been reducing fraud in government programs. The case has been made to us. We have a procedure that is followed: the government has to make the case; we review it; we make a number of suggestions with respect to protections, controls, and restrictions on the data exchanges; and then we authorize it.

So I don't think what you're hearing is that privacy commissioners are saying we want to continue fraud. There are ways in which to strike the balance without necessarily compromising either value.

• 1730

The Chair: Thank you very much. This forum has proven more entertaining than crossfire.

Voices: Oh, oh!

The Chair: I thank you all for coming, and I hope we'll be in contact, because you can see we have a lot more questions down the road.

Thank you all. The meeting is adjourned.