CIMM Committee Meeting
Notices of Meeting include information about the subject matter to be examined by the committee and date, time and place of the meeting, as well as a list of any witnesses scheduled to appear. The Evidence is the edited and revised transcript of what is said before a committee. The Minutes of Proceedings are the official record of the business conducted by the committee at a sitting.
For an advanced search, use Publication Search tool.
If you have any questions or comments regarding the accessibility of this publication, please contact us at accessible@parl.gc.ca.
37th PARLIAMENT, 2nd SESSION
Standing Committee on Citizenship and Immigration
EVIDENCE
CONTENTS
Tuesday, November 4, 2003
¹ | 1535 |
The Chair (Mr. Joe Fontana (London North Centre, Lib.)) |
Dr. Ann Cavoukian (Information and Privacy Commissioner of Ontario) |
¹ | 1540 |
¹ | 1545 |
¹ | 1550 |
¹ | 1555 |
º | 1600 |
The Chair |
Mr. Grant McNally (Dewdney—Alouette, Canadian Alliance) |
º | 1605 |
Dr. Ann Cavoukian |
Mr. Grant McNally |
Dr. Ann Cavoukian |
The Chair |
Dr. Ann Cavoukian |
º | 1610 |
The Chair |
Mr. Sarkis Assadourian (Brampton Centre, Lib.) |
Dr. Ann Cavoukian |
Mr. Sarkis Assadourian |
Dr. Ann Cavoukian |
Mr. Sarkis Assadourian |
Dr. Ann Cavoukian |
The Chair |
Dr. Ann Cavoukian |
º | 1615 |
Dr. Ann Cavoukian |
The Chair |
Dr. Ann Cavoukian |
The Chair |
Dr. Ann Cavoukian |
The Chair |
Ms. Madeleine Dalphond-Guiral (Laval Centre, BQ) |
º | 1620 |
Dr. Ann Cavoukian |
Ms. Madeleine Dalphond-Guiral |
Dr. Ann Cavoukian |
The Chair |
Ms. Raymonde Folco (Laval West, Lib.) |
º | 1625 |
Dr. Ann Cavoukian |
º | 1630 |
Mr. Brian Masse (Windsor West, NDP) |
Dr. Ann Cavoukian |
Mr. Brian Masse |
º | 1635 |
Dr. Ann Cavoukian |
Mr. Brian Masse |
Dr. Ann Cavoukian |
The Chair |
Mr. Massimo Pacetti (Saint-Léonard—Saint-Michel, Lib.) |
Dr. Ann Cavoukian |
Mr. Massimo Pacetti |
Dr. Ann Cavoukian |
Mr. Massimo Pacetti |
Dr. Ann Cavoukian |
Mr. Massimo Pacetti |
Dr. Ann Cavoukian |
Mr. Massimo Pacetti |
Dr. Ann Cavoukian |
Mr. Massimo Pacetti |
The Chair |
Mr. Massimo Pacetti |
Dr. Ann Cavoukian |
Mr. Massimo Pacetti |
Dr. Ann Cavoukian |
º | 1640 |
Mr. Massimo Pacetti |
Dr. Ann Cavoukian |
The Chair |
Mr. Massimo Pacetti |
Dr. Ann Cavoukian |
The Chair |
Mr. Jerry Pickard (Chatham—Kent Essex, Lib.) |
Dr. Ann Cavoukian |
Mr. Jerry Pickard |
Dr. Ann Cavoukian |
Mr. Jerry Pickard |
Dr. Ann Cavoukian |
Mr. Jerry Pickard |
Dr. Ann Cavoukian |
Mr. Jerry Pickard |
Dr. Ann Cavoukian |
Mr. Jerry Pickard |
Dr. Ann Cavoukian |
Mr. Jerry Pickard |
Dr. Ann Cavoukian |
º | 1645 |
Mr. Jerry Pickard |
Dr. Ann Cavoukian |
Mr. Jerry Pickard |
Dr. Ann Cavoukian |
Mr. Jerry Pickard |
Dr. Ann Cavoukian |
Mr. Jerry Pickard |
Dr. Ann Cavoukian |
Mr. Jerry Pickard |
Dr. Ann Cavoukian |
Mr. Jerry Pickard |
The Chair |
Mr. Jerry Pickard |
Dr. Ann Cavoukian |
º | 1650 |
The Chair |
Mr. Chuck Strahl (Fraser Valley) |
Dr. Ann Cavoukian |
Mr. Chuck Strahl |
The Chair |
Mr. Chuck Strahl |
The Chair |
Mr. Chuck Strahl |
The Chair |
Mr. Chuck Strahl |
Dr. Ann Cavoukian |
º | 1655 |
The Chair |
» | 1700 |
Dr. Ann Cavoukian |
The Chair |
Dr. Ann Cavoukian |
The Chair |
Mr. Grant McNally |
Dr. Ann Cavoukian |
» | 1705 |
Mr. Brian Masse |
Dr. Ann Cavoukian |
Mr. Brian Masse |
The Chair |
Mr. Jerry Pickard |
» | 1710 |
Dr. Ann Cavoukian |
The Chair |
Mr. Sarkis Assadourian |
Dr. Ann Cavoukian |
» | 1715 |
The Chair |
Mr. Chuck Strahl |
Dr. Ann Cavoukian |
Mr. Chuck Strahl |
Dr. Ann Cavoukian |
Mr. Chuck Strahl |
The Chair |
Dr. Ann Cavoukian |
The Chair |
Mr. Sarkis Assadourian |
The Chair |
CANADA
Standing Committee on Citizenship and Immigration |
|
l |
|
l |
|
EVIDENCE
Tuesday, November 4, 2003
[Recorded by Electronic Apparatus]
¹ (1535)
[English]
The Chair (Mr. Joe Fontana (London North Centre, Lib.)): Bonjour, collègues. Good afternoon.
Pursuant to Standing Order 108(2), we are considering the national identity card.
It is my privilege to welcome the Information and Privacy Commissioner of Ontario, Ann Cavoukian, to join us today to talk to us about a national ID card.
As colleagues will remember, privacy commissioners not only from across Canada but from around the world have been good enough to talk to us as a committee about this national debate that we're having with regard to national identity cards and biometrics.
Ms. Cavoukian, on behalf of the committee, let me welcome you to Ottawa and thank you very much. I see that you've brought your assistant, our own Privacy Commissioner for Canada, Mr. Marleau, who made a presentation, as you know, some time ago. So I welcome you both.
Dr. Ann Cavoukian (Information and Privacy Commissioner of Ontario): Thank you so much.
It's very kind of Mr. Marleau to be here today. I assure you, it's my pleasure to have him here.
Thank you very much for your invitation to share my thoughts on a national identity card and biometric technology. Both concepts, as you know, have profound implications for citizens of this country.
I do have a prepared written text, which will be distributed shortly. I just want to highlight a number of the issues presented in the text, and then afterwards we can have a discussion.
Let me start by making a very clear distinction between a national ID card on the one hand, and biometric technology on the other hand. They are not one and the same.
I would like to just put aside a national ID card after a few remarks, because it's a non-starter. There's absolutely no need for one, and I hope to convince you of that by the end of my remarks. So I will just spend a few moments speaking on the ID card.
The interim federal Privacy Commissioner, Mr. Robert Marleau, who is kindly here with us today, has made an excellent presentation to you on this subject, and he covered extensively, in great detail, the arguments against the creation of such a card. I refer you to his excellent submission. I'm only going to highlight a few of those arguments here today.
First, there has been no business case or justification presented to Canadians for the existence or creation of such a card. Strong justification is absolutely essential, given the enormous cost of creating an identity card scheme, both financially and costs to privacy. I'm sure you've all heard that such a card could cost in the vicinity of $5 billion to $7 billion, and my guess is that's a conservative estimate.
A national identity system, with the associated enormous databases and network and infrastructure that will be required, as was outlined by Mr. Marleau in his submission, and the inevitable demand for access to the information collected and retained in these databases by various departments within government creates significant privacy and security vulnerabilities. If the Pentagon can be hacked into, I assure you that this has to be considered a real danger, and collecting that much personal information and maintaining it in one database will function very much like the Fort Knox of personal information and databases. It will function as a magnet.
I digress. I will return to that point.
The potential abuses include the misuse or compromise of very sensitive personal data by insiders as well as outsiders. I believe you know that roughly 80% of abuses of information are inside jobs, security breaches by rogue employees, for example. There is great concern that organized crime will also take part in this, not to mention the concern over inappropriate tracking and profiling of citizens of this country.
The only justification that has been presented thus far that even remotely comes close to a reason we might consider the need for such a vehicle is the need to comply with upcoming American legislation, specifically the Enhanced Border Security and Visa Entry Reform Act. This law mandates that citizens of countries who are not required to obtain visas to travel to the United States must have machine-readable passports with biometric identifiers no later than October 2004. So by the end of next year, under this law citizens of many countries will be required to have a biometric identifier in order to travel into the United States.
I understand, however, that Canada is very likely to receive an exemption from this requirement. As recently as yesterday I was in Washington and I discussed this matter, and there appears to be no question that Canada will be exempted from this requirement.
However, just for the sake of argument, let me continue as if we may be required to have a biometric identifier on travel documents. I would submit to you that surely an existing travel document such as the Canadian passport will be far preferable to include a biometric on, as opposed to creating an entirely new system, an entirely new scheme that is not only going to be costly but can function very much as an internal passport that Canadians would have to use, potentially, within this country of ours.
¹ (1540)
Not only would adding a biometric to an existing travel document, such as a passport, be far less expensive, but the collection of the biometrics could also be limited to those that could be used by Canadians who choose to travel abroad. In this way, it could be a voluntary device, so that if you are planning to travel abroad and you make the decision consciously to obtain a biometric attached to your passport, then so be it. It is not the same as a compulsory or mandatory requirement that one must have a biometric, and use it internally.
Now, having raised the question of biometrics, I'd like to spend the remainder of my time focusing on how privacy protections must be built into any kind of biometric system that we consider for this purpose, for travel purpose, for other purposes, or whatever, across the board.
Let me emphasize that I've always taken the approach that biometrics, if designed and implemented with privacy principles from the outset, can indeed be deployed in a manner that protects personal information or privacy. I know that sounds like an oxymoron sometimes, but it is in fact possible—and we can explore how that will be the case. To do this, however, a number of challenges have to be met. This is not a simple exercise; it is something we have to spend a great deal of time studying and reviewing.
Allow me just to take a few moments, if I may, to review the basics of biometrics with you now, because key to understanding the impact of the biometric system is the distinction between authentication, which is a one-to-one comparison—as I'll explain in a moment—and identification, which is a comparison of one to many biometrics.
Authentication is the preferred choice, if you will, if you must have a biometric system. The reason is quite simple. What a one-to-one comparison means is that you would have, for example, a biometric—let's use the fingerprint, just for a point of reference—on your passport. So when you went to the border, you would present your passport to the inspector and he would put your passport in a reader that would read the biometric. You would also put your finger on a reader that would scan your live fingerprint. Your fingerprint would be compared with the biometric template contained in your passport, in a one-to-one comparison, which would serve to authenticate your identity. It would say “Yes, this finger belongs to the fingerprint attached to this passport”.
With one-to-one comparison, you have far greater accuracy rates and far more protection of privacy, because it does not require the creation of a central database of thousands and possibly millions of fingerprints. I'll talk about the problems associated with that in a moment. But the one-to-one comparison does not require the creation of a central database containing a great deal of sensitive information.
The identification, or one-to-many, database biometric system is the following. One fingerprint is compared with a large number of fingerprints that are held in a database, to see if I am someone who is a terrorist or a potential terrorist. Am I on a watch list somewhere? So you want to see if you can detect the bad guys before they enter your country—a very laudable goal.
I just have to emphasize, and I can't emphasize this strongly enough, when it comes to large-scale applications in excess of 1,000 fingerprints in the database—we're talking about millions of fingerprints—this system of one-to-many comparisons will not work, full stop. One of the fundamental problems with using biometrics for purposes of identification, as I've just described, is that although the accuracy rates can appear to be very high, as high as 99.99%, this is still totally inadequate for airport security purposes or for checking an individual biometric against a watch list, for example, of terrorists or criminals.
I contacted a noted cryptographer and security expert, who is highly acclaimed. He is like the master in the field. His name is Bruce Schneier. For your information, he's just written a new book called Beyond Fear: Thinking Sensibly About Security in an Uncertain World. I know Mr. Schneier, and contacted him because I wanted to ask him if he would be kind enough to give me a quote that I could read to you here today. In this book, Beyond Fear—which I recommend as must reading for anyone who's interested in this field—he outlines very carefully why this one-to-many comparison simply will not work.
¹ (1545)
I said to Bruce, “I'm appearing before a standing committee. I don't want them to just take my word for this. I want them to hear it from the leading expert in the field.” Here's the quote he gave me. I'm going to read it, and then I will explain it a bit further: “If you have a 1 in 10,000 error rate per fingerprint”—that's a 99.99% accuracy rate, or highly accurate—“then a person being scanned against a million-record data set will be flagged as positive 100 times.” What that means is that I would put my finger on the scanner to be compared against a database of one million fingerprints, and it's going to give 100 false positive readings. It's going to go bing, bing, bing, bing, bing, so 100 names are going to match my fingerprint.
I return to the quote: “And that's every person. A system like that would obviously be useless because everyone would be a false positive. I could build a similarly effective system much cheaper. Every time someone walks through an arch, a red light goes off. Every time. My $10 system would be just as effective at catching terrorists as your biometric system.”
In short, it would not be effective at all. It would have zero effectiveness—or less than zero, because if you're going to have 100 matches to every person, you're going to have a whole body of clerical staff and assistants trying to determine what this is.
I will be glad to expand on this during the question period. Suffice it to say, biometrics are not foolproof. They're not as they are presented in the movies, such as Minority Report, which I loved. We're not there. Until we're there, or until the technology matures, it's simply not a viable system for catching anybody—bad guys, good guys, or anybody—at airport security.
The premise is that as you add a large-scale application, it simply falls apart. You will not only have no accuracy, but you will also have a system that will tie down airports, traffic at airports, and travel. It's just untenable; it surprises me that we're even discussing it.
Just as a point of reference, the FBI fingerprint database contains more than 46 million fingerprints. The Canadian equivalent, under the authority of the RCMP, contains roughly 2.7 million fingerprints. If you're talking about watch lists extracted from these databases or other intelligence, or if you're even thinking in the hundreds of thousands or millions, forget it. It won't work. I haven't even started talking about the privacy reasons why you shouldn't do this, but from a pure technical perspective, this system will fail.
So I think Mr. Schneier's example illustrates the fallacy that biometrics are ideally suited for identification for large-scale applications.
The reality is that biometric systems do an excellent job of authentication, using one-to-one comparisons in answering the question, does this biometric belong to this person? But biometrics have a much harder time answering the question of whether this biometric belongs to anyone in a database of terrorists or criminals.
The problem is exacerbated when the system then goes outside of that database of known terrorists and tries to search other databases as well, in order to determine whether this person a potential terrorist or threat to security—checking against the FBI database, for example.
Despite all of these reasons not to use biometrics for identification purposes in terms of large-scale applications, if the Government of Canada nonetheless decides to proceed with developing such a biometric system, then we have to turn our minds to the issue of false positives.
¹ (1550)
A false positive is when I am compared against the database.... Let me first give you a false negative. Osama bin Laden shows up at Pearson Airport and wants to gain entry into our country. You have a biometric system in place, and he runs his finger against a one-to-many comparison. Let's say it works really well and he gets a false negative reading. What it means is that he is actually in the database and is one of the known bad guys, but his comparison is negative and he gets let through. He is not identified as Osama bin Laden. It's a false negative because he's really the guy in the database and there's no bad match. It's a negative match.
A false positive would be when I come to the airport and I'm checking in as Ann Cavoukian and it compares me against the database and falsely identifies me as Osama bin Laden. Forget the sex difference for a moment. They're not going to be looking any more, you see. It's going to be automatic.
I'm making this, hopefully, a bit humorous, but I assure you that my life or anyone's life would be miserable. Imagine one of your sons in this room being identified as Mr. bin Laden or any other terrorist. That's a false positive. He is falsely identified as someone who is in the database of a watch list. It's a horrific scenario for those falsely accused.
An equally horrific scenario is when a known bad guy, like Mr. bin Laden, gets through the system as a false negative.
Okay, I will return to my text here.
There are significant problems created, of course, for citizens who are falsely identified. They are subject, at a minimum, to the inconvenience and embarrassment of being wrongly identified as a security threat, but this embarrassment pales by comparison to the more serious consequences. Significant delays will also be encountered in flying plans. Your travel will be delayed or postponed. This can be costly at a number of levels, both human and financial, not to mention that the individual will be subjected to further interrogation, which will exact an enormous emotional toll.
Then imagine the difficulty of trying to extract yourself from the database on which you are now captured. You have to convince someone that you have been falsely accused and don't belong on this database. There has to be a way you can make your case, convince someone, and then have the error corrected. These are extremely difficult things to do. In the United States, if you are incorrectly put on a database, for biometric or other purposes, it is extremely difficult to extricate yourself. I would shudder at the thought that Canada would follow suit.
We also have to recognize the difficulty of convincing security staff that a biometric match is incorrect when it's supposed to be infallible.
There are so many things that I could go on, but I'll try to cut this short.
In addition to the problems created for thousands of innocent individuals, consider the practical problems of a large number of false positives for airport security. Additional staff, resources, and facilities would be required for the secondary screening of those falsely targeted individuals, at a bare minimum. Also, the high number of false positives would eventually numb security personnel looking for matches against data sets of pictures, which are often of poor quality.
This issue of average Canadians being falsely identified as security threats shows the importance of building due process into any biometric system that we use. Even a one-to-one system would require this, because you will always have errors. Individuals will have to have a quick and ready method by which they can establish their true identity and disprove a false biometric match.
Let me touch on the issue of identity theft for a moment, and try to dispel this myth. One of the more misunderstood justifications for biometrics relates to identity theft. I say this because I believe that it was an argument in favour of introducing identity cards and of thinking that having a biometric would reduce identity theft. I would suggest that the opposite will in fact take place.
Any unique identifier, such as a biometric, held in a huge database and used to link disparate pieces of information will increase the risk of identity theft. One reason is that a biometric is the equivalent of an unchangeable PIN number, the PIN number that you use at your ATM machine, for example.
Don't think for a moment that you can't compromise biometrics. You can. I outline a very simple technique in my statement using gummy bear candies.
¹ (1555)
Once a biometric is compromised to steal one's identity, the time and effort to reassert an innocent victim's identity will stretch far beyond the fourteen-month norm that it presently takes for clearing up a relatively simple case of identity of theft resulting from the theft of a credit card number or a PIN number. The payoff for acquiring an identity with a biometric is much greater. We also can't discount the very attractive target presented by databases with personal information linked through biometric templates.
As I mentioned before, this will be the Fort Knox of databases and will attract as a magnet attracts. Any databases designed to hunt terrorists will be irresistibly attractive to those very individuals. We should never underestimate the time and resources an attacker will use to break such a system.
There are systems now existing, not by the terrorists, but by people in the field, brilliant cryptographers who are engaged in cracking systems. If you look at cryptographers in the field, at times they will look disparagingly at biometrics and the ease with which you can in fact spoof a biometric online to assume someone's identity.
As I mentioned, these risks include the risk of a biometric system being tricked into accepting a false biometric through, for example, the use of fingerprint impressions, such as those that can be left on a gummy bear candy.
As I mentioned at the beginning of my remarks, I am very open to the use of biometrics for the purpose of authentication, the one-to-one comparison, as long as you have proper privacy safeguards in place even for those. Solutions to the problems that I've raised do in fact exist.
Let me give you one example. In 1994, when the city of Toronto, which is in my jurisdiction in Ontario, contemplated using biometrics to reduce fraud in its welfare system to attempt to avoid double dipping, they approached my office and we worked with them. We worked with the city of Toronto and the Ontario government for a number of years to create a set of requirements that were then adopted in a law, the Ontario Works Act.
We said to the government that if they want to introduce a biometric for this purpose, here are the criteria they're going to have to meet. Here's the standard that must be met in order to be privacy protective and sufficiently protective for us to consider this. Then we wanted them to enshrine that standard in legislation, because this was too serious a matter to be left to a policy decision.
To their credit, they did that. The Ontario Works Act, to the best of my knowledge, represents the most rigorous legislative framework in existence, anywhere in the world, for the deployment of a biometric by a government agency.
The legislation states a number of things, but it states that in order to deploy a biometric as part of a social assistance scheme, a number of criteria have to be met. These include the following: the biometric must be stored in encrypted form; the original biometric must be destroyed upon encryption; the stored biometric can only be transmitted in encrypted form.
This is the most important clause, so I'm going to read it verbatim: “Neither the Director nor an administrator shall implement a system that can reconstruct or retain the original biometric sample from encrypted biometric information or that can compare it to a copy or reproduction of biometric information not obtained directly from the individual.”
What that last clause states is that you would not be able to have any type of “function creep” from the use of the biometrics in that database because they could only be used for the stated purpose. The system that created them would literally have to be incapable, at a systemic level, of enabling a comparison to another database for other purposes.
Let me end with five key requirements that I believe need to be met before considering the introduction of any type of biometric in Canada.
One, the government needs to clearly state the problem that it intends to solve with the use of biometrics. Forgive me for stating the obvious, but it appears to need to be stated.
Two, broad public consultation needs to take place, allowing many constituencies in Canada to voice their opinions and views.
Three, legislation is required that defines a narrow purpose for the use of biometrics and that sets clear limits for the collection, use, and disclosure of biometric information.
º (1600)
Four, there must be strong, independent oversight over the use of the biometric--for example, through the office of the federal Privacy Commissioner of Canada.
Five, there needs to be a comprehensive privacy impact assessment and an evaluation of the system to test its privacy strengths and weaknesses.
As I mentioned earlier, I believe in the value of a properly designed and managed biometric system. With a strong legislative framework, privacy design correlates, and oversight, I believe biometrics can be deployed in a privacy-protective manner. However, it can also become a de facto identity system for Canadians in this country if mishandled and deployed improperly, and it could pose a potentially lasting corrosive effect on our society. I just don't think it's the Canadian way.
In closing, ladies and gentlemen, thank you so much for inviting me to share my thoughts with you on this issue. I have appreciated very much your kind attention and your time this afternoon. This committee is engaged in a vital public debate on a topic that will affect every single Canadian. I applaud your efforts, and I can't tell you how important privacy is to so many Canadians in this country. Our freedoms are at the heart of what we hold dear in this country, and privacy is among one of the most cherished freedoms.
I thank you very much, and I'd be happy to answer any questions you may have.
The Chair: Thank you, Ann, for your most comprehensive brief. No doubt you come to it with a great deal of experience and thought, and we appreciate your time and effort to come here and talk to us and give us your experience, especially with the issue of biometrics.
So on behalf of the committee, again, thank you for the most invaluable information you've given us today. I'm sure we have all kinds of questions.
Grant.
Mr. Grant McNally (Dewdney—Alouette, Canadian Alliance): Thank you, Mr. Chair.
Thank you, Doctor, for your presentation.
I guess if we're going to go ahead with a national identity card we also need to ban gummy bears as well.
I guess, really, the salient point of that part of your presentation is that technology can be fooled, and in essence we're putting some false hope in a system that really is not going to give us what we want, and that is enhanced security.
You talked about authentication being the most favoured form of biometrics if there were to be any biometrics. Yet even with that system, if someone were to falsely acquire the foundation documents required for a passport--i.e., a false SIN number or a driver's licence or something of that sort--it could be used to get a passport. Aren't we really, then, building that same flaw into the biometrics program?
º (1605)
Dr. Ann Cavoukian: Yes, you're absolutely right. Authentication will do a one-to-one comparison. It will ensure that the person who has the travel document matches the person with the finger. But in order to ensure the true identity of the person with the travel document, you need to have a very strong enrolment system. The enrolment process is when identity is established. So it would indeed be possible for someone at enrolment to come with false documentation and obtain a passport with his biometric on it.
I'll use myself as an example. I obtain false documents and I appear as Ann Smith. I obtain a passport as Ann Smith. Then from that point on, I will be Ann Smith, and my biometric will match the biometric of Ann Smith on the passport. I will authenticate that identity.
The notion of how to establish true identity is one of the most difficult questions we will have to grapple with as a society. How do you establish true identity? It is an amazingly difficult and complex question. But I want to assure you it is not dispelled by the notion of a biometric either, because people can spoof biometrics; people can obtain documents at the time of trying to establish their true identity that could also be fraudulent. I'm not suggesting that it is a simple exercise, establishing true identity at the enrolment process, but we need to turn our minds to how to best, at a global level, ensure that travel documents are in fact given to the correct people.
It's a very complex question. It is not as simple as saying they have a biometric and we can compare it.
Mr. Grant McNally: In your opinion, would the best allocation of our resources then be to make the security of those foundation documents better, versus pouring potentially billions of dollars into a program that's going to give us a false sense of hope, and according to your testimony, widen the gap for all kinds of security breaches with the private information of individuals leaking into these other areas?
If we go ahead with this national identity card program, are we not going to make the system worse, not better? Should we put that money into--
Dr. Ann Cavoukian: I think we would make the system far worse. You would then have, I suppose, some false sense of security in place, which would be completely unfounded.
Someone asked me, pretend you're on a debate: if you were on the other side, could you give me an argument in favour of the national ID card? I'm pretty resourceful, but I couldn't come up with an argument. I honestly couldn't. Because there is no basis in fact to introduce a system like that, to deploy billions of dollars and have less than nothing to show for it.
The Chair: I could find a couple of people who would want to argue with you on that point.
Dr. Ann Cavoukian: Oh, and I look forward to that. That's why I'm here. This is my personal view.
But I agree with you, I think we could devote our resources to working with other countries to find the best system to ensure that the enrolment process, where you identify who you are, is as strong and secure as possible. You know, in a number of other jurisdictions.... If you look at El Al and the Israelis, in terms of how they determine if you're a security risk or not, they rely a lot on the human factor, human intervention, human reading. So I think we have to factor in some of those things.
There's no magic bullet here. To think you're going to turn to technology, especially in the form of biometrics, to do that is just mistaken. If you talk to biometric experts around the world--and I picked Mr. Bruce Schneier because I think he's one of the foremost leaders--when you go any of them, you talk quietly. What I'm saying is not controversial. They'll all tell you, for large-scale application, forget it--it's never going to work. But it just doesn't seem to be articulated. I'm hoping this is the beginning of that process.
º (1610)
The Chair: Sarkis.
Mr. Sarkis Assadourian (Brampton Centre, Lib.): Thank you very much.
Welcome to this hearing. I'm really delighted to see you here. I've known you for many years, and it's good to make a reaquaintance.
I also noticed you have big brother behind you there. Robert Marleau is watching you.
Ann, two weeks ago there was a documentary on TV, I think it was on CBC, about car licence plates. If a criminal gets hold of your plates and spends $200, they can get all the information about you, whatever they want. And I think it was you or someone from the Ontario government who said that has happened, that's correct, but the benefit is far greater than the few criminal elements who use the information to steal your identity. I want your comment on that.
I have a few questions, so I'll go through them.
You mentioned that this card will cost about $5 billion to $7 billion. Do you have any idea how much an Ontario driver's licence costs--again, an estimate? You don't have to give me an answer now; you can give it to me in the whole answer.
You mentioned also that 99.9% accuracy is not good enough. My question is if the technology were there, would you go with a biometric card if it were 100%, not 99.9%?
My final question is you said Israel uses human judgment to judge whether a person is a terrorist or whatever. The U.S. government has been doing that for the last two years. I've been stopped two or three times and insulted just because I was born in Syria. It wasn't my fault I was born in Syria. You probably--
Dr. Ann Cavoukian: I've had my share of stops.
Mr. Sarkis Assadourian: So this is human judgment, not because of what I do, but because of my name, my birth place, my passport. They checked my passport. They said “You've gone to Arab countries?” I said “Yes. Why? As a member of Parliament, I travel. What's the big deal?” They asked why I go there, and I said “Well, excuse me, why don't you come and listen here?”
This human intervention is totally unfair when people abuse it.
I also want to mention that today I was speaking about the Arar case. We were told with Arar, the wrong identity was used, or there was a mix-up with his middle name. The guy said he never had a middle name.
Situations like these can be corrected if proper ID is used--biometric ID.
There are four or five questions for you.
Dr. Ann Cavoukian: Mr. Assadourian, let me start at the last one. I could not agree with you more.
Since 9/11--and I go to the United States quite frequently to speak at a variety of functions--I am stopped regularly. I am Armenian, as is Mr. Assadourian. We were born outside of this country. And I am sure it is no accident that those factors serve to have us stopped for secondary screening.
I assure you, I don't like it any more than you do. It is very difficult to go through, and you have to be very calm and say “Of course, feel free to ask whatever questions you want”. It is very difficult. I share with you that concern.
What I am going to tell you is that at this point in time, if we introduce a biometric system for identification purposes of the one-to-many kind, not only will you and I be stopped every time, but so will everyone in this room and everyone in the country. You will have that kind of intrusion into the lives of average Canadians on a daily basis. It will be untenable. In fact, it wouldn't happen. You would try it for a week and there would be such an outcry that it would disappear. So you would spend billions of dollars and it would disappear.
I do not know--I honestly don't, sir--what the cost of the driver's licence is. I honestly don't know, so I'm not going to hazard a guess. But I will--
Mr. Sarkis Assadourian: Well, excuse me. How do you know $5 billion to $7 billion for the--
Dr. Ann Cavoukian: Oh, the $5 billion to $7 billion are estimates that have been--
The Chair: Those are the estimates.
Dr. Ann Cavoukian: Yes, from a variety of sources. I have the same estimates you have, so that's what I'm using.
I don't want to make a big deal of the gun registry, but I understand that cost in excess of $1 billion, and it's a relatively simple exercise. It's a database of names and addresses, who has what guns where. That's simple, and it cost $1 billion so far, and it's not working.
Do you honestly think you're going to have a complex system like this for as little as $7 billion? I mean, in my mind, it will be ten times that. I think the cost will be incremental, because the errors will be so high and we'll keep introducing--
A voice: About $70 billion?
º (1615)
Dr. Ann Cavoukian: I know I'm exaggerating, but it would not surprise me in the least. All I'm saying is I don't think those costs are excessive at all.
With respect to the driver's licence in Ontario--the licence plate numbers--the reality is that anyone can access a licence plate number, write down the licence plate number, go to the Ministry of Transportation and obtain information relating to this. My office, and I have been there since 1987, has tried to introduce some changes to that system.
We worked with the Ministry of Transportation and we were successful in achieving one small modest success, but I think it was something. We used to receive complaints that women, for example, would go to a bar and have a nice time on the weekend and then drive home. And perhaps a man would approach a woman, seeking her name and address, and she would say “No--goodnight”. They would then follow the person to the car, get the licence plate number, go to the Ministry of Transportation and get the name and her address--the most critical piece of information--then give that person a hard time. This was obviously unacceptable.
We worked for years with the Ministry of Transportation and succeeded in having the personal address suppressed. So if someone were to do that now, they would never get an individual's address. That may not appear as a big success, but it took a long time for us to do it.
There are many reasons why that information is made available to the public, to law enforcement, to the police, public authorities, parking authorities, ambulances. There's a long list of reasons, and I'd be glad to discuss it with you. We have papers on this subject. We have been trying to make it a more privacy-protected system.
As it is, in our society some information is made public for reasons that are said to be to the advantage of that society.
Thank you.
The Chair: Doctor, I'm asking you to be a little shorter with your answers.
Dr. Ann Cavoukian: I am sorry. I tend to speak and--
The Chair: I have everybody who wants to ask you a question, and we only have about an hour left.
Dr. Ann Cavoukian: I'll keep it short. Thank you.
The Chair: Thank you.
Madeleine.
[Translation]
Ms. Madeleine Dalphond-Guiral (Laval Centre, BQ): First of all, I would like to thank you for coming here this afternoon.
I was very interested in listening to your presentation, which I had had time to read almost in its entirety. I was delighted to hear that you were very critical about implementing a central registry. Personally, this is the aspect that most disturbs me. I am, therefore, reassured to note that I am not alone. Moreover, you pointed out the need to hold broad consultations before implementing such a significant system. Implementing some type of identity card for social welfare recipients in Toronto might be viewed as a pilot project.
On this issue, I would like to ask you how, in practical terms, the city of Toronto carried out its consultations. Were they limited to the city of Toronto or did they include the entire province of Ontario?
In addition, I would like to know whether, after using such a system for 10 years, you can tell us whether the results are such that you can say that you're glad that you made such a choice.
You will certainly be able to answer these questions very easily. I have other questions I would like to ask you later on, providing that the chairman will allow me to have the floor.
º (1620)
[English]
Dr. Ann Cavoukian: Thank you very much, Madame.
Let me explain about the city of Toronto. There actually is no system in place.
It was confined to the city of Toronto. They did extensive public consultations with people in the city. They had hearings at the city hall and they had members of the public in, different groups. And to their credit, as I mentioned, they consulted with us extensively and they did create, with the Province of Ontario, the requirements.
I will tell you I was surprised, because the criteria that we created for a biometric in order to be privacy-protected was a very high standard. To us that was the only acceptable standard, and they accepted that.
There were several reasons why the city of Toronto project did not continue. There were a number of contractual reasons. They couldn't find the right vendor. Theirs was a one-to-many comparison. They wanted to compare welfare recipients who were coming to the door against a database of welfare recipients who were already collecting welfare to ensure that the person wasn't trying to get welfare a second time.
I forget the exact number, but I think it was several hundred thousand fingerprint templates in the database. So if you recall some of my comments earlier, that's a very difficult comparison. It's fraught with errors, problems. They had an enormously difficult time finding a successful vendor who had done anything like this on that large scale. Finally they found someone who contracted with someone else, and I think it got to the pilot stage and they were doing some pilot testing and it didn't work. It was fraught with errors, fraught with problems.
The privacy considerations weren't even an issue at that point. We would have gotten to them, but we didn't get to them because the system never advanced beyond the problems in terms of the design, so it was abandoned. I was pleased, because we had wonderful legislation out of it that has been hailed worldwide as state of the art. So that was the good result.
There is no system, so I can't tell you anything further on that.
[Translation]
Ms. Madeleine Dalphond-Guiral: We have a bill that appears to provide for some interesting parameters, but until such time as this bill comes into effect, all of this will remain, for all intents and purposes, quite hypothetical.
In my opinion, we have not made very much progress: we have this great idea, but since we have done nothing with it, it is like we don't have anything.
[English]
Dr. Ann Cavoukian: I'd like to respond to that for just a moment.
You have an excellent framework in this legislation. My fear is that if legislation were to be written today, it wouldn't be as strong because the City of Toronto and the Government of Ontario really wanted, at the time, to advance this and try it, and they were very poised to make it work. So they didn't want privacy to be the obstacle.
When they approached us they were very motivated to finding a solution. When we advanced our criteria of privacy requirements they accepted them. I don't know if that would be the case today. It is a very strong framework.
You're right, it has yet to be tested. I would be delighted to put it to the test. I think if we could maintain it as the standard, we'd be in great shape.
The Chair: I think Mr. Marleau has already volunteered to write the legislation for us if in fact we go down that road. I see him enthusiastically replying to that.
Raymonde.
Ms. Raymonde Folco (Laval West, Lib.): Thank you, Mr. Chair.
I went down to Washington last spring, and a number of people in the U.S. government talked to me about biometrics and how they use it internally within the large complex of government. That meant identity cards for absolutely every single American and in some cases for non-Americans who work for the Government of the U.S.A. anywhere on the globe. Whether it was in the Philippines, in Haiti, or in Washington, everybody had, or was going to have in the very near future, a biometric card that would state his identity, and it would say whether he had entry to building A but did not have entry to building B, and so on and so forth.
Now, I would think that this would be a very large database, because there are more than several thousand American public service employees in the world. You probably know about this. I would like you to address this in terms of the one-to-many comparison. You've come out saying there is a one-to-one comparison and there is also a one-to-many comparison, and the two should not be confused because they're two very different cases. I agree on this. So perhaps you'd like to comment on that, in the first place.
In the second place, regarding what you've called the enrolment process and what we call the “foundation documents”, birth certificates and so on, in Quebec we have just gone through a revision of the law regarding these documents. It hasn't been easy. It's very difficult to ascertain identity.
If it's difficult to ascertain identity for somebody who's born in Quebec or in Canada, imagine trying to ascertain the identity of somebody who is born outside the North American continent or outside the United States and Canada, in a country where possibly identity, a relationship within the family or within the larger community, is not as static as it is in our culture. Without naming the country, I think you understand what I'm talking about. That is certainly a big problem, the foundation documents.
Now, we did have a problem here in government, and I think it was two years ago. I'm referring here to the possibility of the central database, where we found that HRDC, Human Resources Development Canada, had facilitated different systems talking to one another so as to make it easier to render services to the Canadian population. We know that as a result, we were obliged to dismantle the whole system and to give back all the data to the people who it concerned. It was millions and millions of pieces of data.
These are all bits and pieces that I'm putting together, obviously.
How do you in Ontario see the control in the monitoring of such databases? Because you do have databases. You have the driver's licence. The driver's licence isn't a one-to-one thing. I don't think Mr. Assadourian actually put his finger on any machine. You also, I think, have a health card, which is also not a one-to-one comparison.
Given a number of the factors that I've just mentioned, how do you control the authenticity of the document, that it is really who it is? And secondly, how do you control the creeping...so that it does not creep into something else and become Big Brother?
º (1625)
Dr. Ann Cavoukian: You're absolutely right. You raise excellent points.
Concerning the notion of function creep, it's that information that was collected for a particular purpose would later be used for other functions or purposes in an unauthorized manner—that shows where the creep takes place.
It's something we as privacy commissioners are concerned with every day. You don't have to resort to a biometric to have that concern. What we do now is ensure the government departments under our jurisdiction follow the requirements of the privacy laws we all enforce.
We enforce compliance with the privacy law in Ontario, for example. It states very clearly: you collect information for this stated purpose; you identify the stated purpose to the data subject, the citizen; you then restrict your use of the information to that purpose unless you have the consent of the data subject for a subsequent purpose.
This isn't easy to do. But the way we do it when we work with government departments that say “We have all this program information”—health has program information; transportation has driving information, taxation has revenue information.... And they understand it has to be kept separate; the information simply cannot be combined, or you will lead to an HRDC scenario.
However, they say to us: “It would be really helpful and convenient to the citizens of this province to have things like name and address. If you do a change of address, wouldn't it make sense to have one point of entry where a citizen can go to say they've changed their address, and that information would be sent out to all the different programs?”
We listen to that. It makes sense to me. We call it the tombstone data, the fundamentals. We listen—we pride ourselves on being reasonable—and we say: “Okay, that makes sense. I'm a citizen; I'd like to do that as much as anybody else. Why don't we treat it this way?”—much like a wheel, with the hub and the spokes of the wheel. You can create a system where you have one data entry point for tombstone data—name, address, telephone number, things you would have to communicate to all government departments—but that is the only thing you share. That information can flow out to departments, but the various departments cannot then flow back information to the one central hub.
You may have heard that Ontario under the former government was considering developing a smart card. It was intended to do something like this, harmonize tombstone data and have one point of application. Tombstone data is the basics—information. When we spoke to them—we want to be reasonable and listen to their concerns—we insisted that the program information that actually pertains to your health information, your driving records, your taxation records, cannot ever be combined, cannot be shared, cannot be even potentially subject to function creep. We have found our government departments very responsive to that.
I think what happened with the HRDC happened over time. I shouldn't speculate, but that is the outcome. That is what can happen potentially and why you have to remain ever vigilant.
Mr. Fontana asked me to cut it short, so I'm just going to say one more thing about foundation documents. You're absolutely right; I think the most difficult issue our society will grapple with is the issue of identity management and the proper use and creation of foundation documents that are secure—and in fact real, and matched to the live person: an extremely complex problem. I don't even want to suggest to you I have the answers for it. I have some thoughts. I think that will be the subject of another submission like this, and I'd be happy to discuss it with you further.
º (1630)
Mr. Brian Masse (Windsor West, NDP): Doctor, you had a good summarization in your presentation. Another interesting point that sometimes is lost is why we're doing this. There's a cost-benefit analysis that needs to be done, well noting the United States as the instigator requiring us to debate this.
Can you tell us a little more about your recent trip to Washington and what you've heard? There is concern that Canada will be required to participate. We may get an exemption or we may be delayed from the exemption. What is your best guess as to the current status and what will happen on this subject? There are several consequences that can really affect the social and economic well-being of our country.
Dr. Ann Cavoukian: My best guess--and it is just that--is that we will be exempted from the requirement to produce a biometric identifier to travel into the United States by October 2004. That is the date before us now.
I say this because when you talk to the Americans, they do view us as their neighbours. We share a huge border with them. They don't want to impede our travel into their country for a number of reasons, not the least of which are economic. Think of all the snowbirds who go to Florida, California, and Arizona. Do they really want to restrict that travel and make it any more difficult?
I remember that shortly after 9/11 there were stricter requirements imposed at border crossings, understandably, and the people who yelled the loudest were the border cities in the United States--Detroit and Windsor, and there are many across the country--because their trade was impeded. They weren't getting the same business that they normally used to get from the Canadians. They shouted loud and clear to their legislators, who changed things.
So I think what we forget sometimes is that the Americans want us to travel there as much as we want to, and that they do view us as a friendly neighbour. But obviously we have to sort out the issues of security. We share a huge border. So I think if we could view them perhaps in a different light, in terms of a cooperative approach as to how we can both address this issue of identity management and secure travel documents, we could work together very strongly.
I did not sense at all that there was any desire on the part of the Americans to keep us out, make life more difficult, or do a biometric identifier. That was not my sense at all.
Mr. Brian Masse: And it's good to hear you note the aspect that they need the trade as well. We have a significant contribution to 38 or 39 states where I believe we're their number one in trade. I'm from Windsor, Ontario, myself, and I can tell you how it has affected our city.
It's interesting, because I know Mr. Assadourian was talking about the NSEER program. It's something that I've been raising and that this government, I believe, has not done nearly enough about, the 17 nations, I believe it is, that basically have a sub-citizenship categorization. They're Canadian citizens from Lebanon, from Syria, from a series of countries that are not allowed to enter into the United States without fingerprinting and photographing.
In my constituency I have literally doctors, lawyers, people who save lives during the day, who are considered security risks when they cross the border. It's a hypocrisy.
What would happen if their biometric information went on a card with that nationality history, and how would we deal with that in terms of a country having obviously a series of nations where they're Canadian citizens, they have their citizenship, and their nationality then would create a different categorization for them in a biometric system? And how would we best deal with that privacy information? Because there would be immediate segregation of them if they travelled to the United States because they would obviously be pulled up right away for their nationality.
º (1635)
Dr. Ann Cavoukian: But I think that must take place now--and I speak as someone who is of Armenian descent. I was not born in this country, although if my parents had waited just four more years I would have been born here, so I wish they had. I always say that on a passport document I wish there was a note section, where you could note things like that.
Your place of birth is on the passport already. So while it may not be your nationality, I think that information is already shared. That's the national protocol, internationally.
I think if you had a biometric and it was a one-to-one comparison, that could make life simpler in that regard, because a one-to-comparison, as I said, is not foolproof, but it has a much higher level of accuracy, and if the government accepted it, then it could make it much easier.
Think of the CANPASS system. There's a system now. You can go into the States. I believe it's hand geometry that's used, and it's a voluntary system, which is the beauty of it. I've actually contemplated it, because it would make life so much easier. You just go right through. If your biometric is acceptable and it is a one-to-one, then that would facilitate your entry.
So it may actually make it easier. It may not eliminate problems, but minimize the need for other personal information of the kind you're describing.
Mr. Brian Masse: What we'd have to do is have them accept that our Canadian nationals of such descent are not threats to their country, which we still have to prove anyway. That's the bottom line, I suppose, that would happen.
Dr. Ann Cavoukian: Yes.
The Chair: Thank you, Brian. You've had your bottom line.
We're moving to Massimo.
Mr. Massimo Pacetti (Saint-Léonard—Saint-Michel, Lib.): Thank you, Mr. Chair.
It's a pleasure meeting you.
Just quickly, you started by saying that there are two separate issues here, the ID card and the biometrics aspect of it. Do you think we need an ID card, the national ID card?
Dr. Ann Cavoukian: No, full stop. Absolutely not.
Mr. Massimo Pacetti: So if somebody doesn't drive or somebody doesn't travel, how are they going to be identified?
Dr. Ann Cavoukian: In Ontario, there is something called an age of majority card, something, I understand, for precisely that reason, for people who don't drive and don't want to use a passport as a travel document.
I think there are other methods.
Mr. Massimo Pacetti: As a travel document, fine, but I'm saying, for an ID card, we don't have one in Canada. That's what I've realized. We don't have a system to identify ourselves, except for a medicare card that all provinces have. But if somebody doesn't drive besides that....
In Quebec, we added the picture on the health card and on the licence as well only in the last five years or so.
Dr. Ann Cavoukian: I see no reason why we would want to have a national identification card. I don't think we should have a compulsory card that requires us to identify ourselves to whoever asks.
Mr. Massimo Pacetti: That's fair enough.
I have just a couple of quick questions. If we do go via the ID card and we're going to go with a database, I understand that you're okay with the one-to-one system.
Dr. Ann Cavoukian: I prefer that to a one-to-many.
Mr. Massimo Pacetti: But is that not still going to have a database?
Dr. Ann Cavoukian: No, and that's why when I said, even with the one-to.... Let me explain. I have to explain that--
Mr. Massimo Pacetti: No, let me explain. On the passports--
The Chair: Massimo, let her explain, and then I'll give you a chance.
Mr. Massimo Pacetti: Well, no, I'm going to be quicker. That's why.
On the passport--
Dr. Ann Cavoukian: I can be quick.
The beauty of the one-to-one is that it does not require a database. In fact, the whole point of it is not to have a database.
That doesn't mean there may not be a back-door shadow database that emerges, but that's why you have a privacy protocol in place and privacy audits and transparency with the system, to ensure that you don't have a database behind the scenes.
Sorry.
Mr. Massimo Pacetti: Is the passport, as we have it now, a one-to-one?
Dr. Ann Cavoukian: It's not a one-to-one. It's a system of international standards where there are computers that record that information.
º (1640)
Mr. Massimo Pacetti: So the one-to-one would have no other database. They would print a card, and that would be it. The picture would not be on file anywhere.
Dr. Ann Cavoukian: No, I'm talking about the biometric component of it. I'm not suggesting that we alter the international standards for passports. I don't profess to have that level of expertise or knowledge to suggest such a thing. I'm just suggesting that if you add a new component of biometric that is far more sensitive than any of the other information on it, that takes the form of a one-to-one. I'm also suggesting that because a one-to-many simply will not work.
The Chair: That's the way to do it, very rapid-fire questions and answers.
Last question.
Mr. Massimo Pacetti: They're quick questions. I don't overdo it.
My problem is that if the government doesn't get hold of this or do something.... We already have tons of databases within our departments, such as Revenue Canada or CCRA, the passport, and there are, outside, the banking institutions. Everybody already has all this data, and because of the sensitivity of this data--the Internet, our phone records--shouldn't we at least monitor this data or somehow control it?
Dr. Ann Cavoukian: I think that monitoring takes place right now. You have provincial and federal privacy legislation.
In January, the federal private sector legislation, PIPEDA, will be rolling out to all provincial businesses. So in this country, you will have private, personal information protected--privacy legislation for both public and private sectors. That's an amazing amount of oversight and laws that are exercising control over this information.
It's our job as privacy commissioners to ensure compliance with those laws, and we go to great lengths to do that. I'm not suggesting it's a perfect system, but we already have a lot of oversight over those databases, and the beauty of keeping those databases disparate instead of having one central granddaddy of a database is precisely to minimize the access to a huge body of personal data.
I know you can access data on the Internet, and you could surreptitiously go to this database and that one and connect it, but it's much easier if it's in one central repository and you go to one place.
The Chair: Mr. Pickard.
Mr. Jerry Pickard (Chatham—Kent Essex, Lib.): Thank you very much, Mr. Chair.
I'm going to slip back to a couple of things that were presented.
You did suggest that costs could range from $5 billion to $7 billion, and you said it could actually be ten times that. I hope we don't end up with a debate over $70 billion next. In my mathematics, I don't know how detailed you are or how much empirical evidence you have, but that would be about $270 per citizen to issue a card. Our information shows that there's nowhere near any of that kind of cost, either from a professional level, from our experience with our immigrant cards, with other Maple Leaf cards or other operations.
Do you have any evidence in Ontario that your driver's licence cost $270 or your health card cost that? Where the heck did you come up with that kind of figure?
Dr. Ann Cavoukian: I honestly don't know for the $270 figure, so I apologize. I don't have....
Mr. Jerry Pickard: I just take 30 million people, divide them into $7 billion, and you'll get $270. If you want the number, that's what it is.
Dr. Ann Cavoukian: So 30 million into $7 billion?
Mr. Jerry Pickard: With 30 million people in the country, you said it would cost $7 billion.
Dr. Ann Cavoukian: I have not done the quantification of the costs of this. I have been relying, as I believe your committee has, on others who have done that.
Mr. Jerry Pickard: Others have speculated; I haven't seen any empirical evidence that is accurate.
Dr. Ann Cavoukian: Then I can't offer you any empirical evidence, sir. I do not have that.
Mr. Jerry Pickard: So you're just stating another rumour.
Dr. Ann Cavoukian: I am stating what others have stated in other reports. That's right.
Mr. Jerry Pickard: That's really what I was trying to say, that you have no evidence that what you've stated there is accurate.
Dr. Ann Cavoukian: Although, with due respect, sir, if the gun registry cost over $1 billion to--
Mr. Jerry Pickard: The gun registry has nothing to do with this.
Dr. Ann Cavoukian: It is much simpler than what we're contemplating: $1 billion, and nothing has happened, and you're telling me that this--
º (1645)
Mr. Jerry Pickard: The gun registry has nothing to do with this, in all due respect to you.
Dr. Ann Cavoukian: Why not? I'm a taxpayer. I'm a citizen. Why can't I comment on it?
Mr. Jerry Pickard: What's the gun registry got to do with an identification card?
Dr. Ann Cavoukian: If the cost of that database, which is a relatively simple database to construct, is $1 billion and it doesn't work, don't tell me that a much more complex database is not going to cost at least seven times that. I don't accept that.
Mr. Jerry Pickard: Pardon? You're saying that you can extrapolate the costs by the costs of the gun registration base?
Dr. Ann Cavoukian: I can extrapolate, looking at the gun registration database as one example and at these two other reports that have been produced at $5 billion and $7 billion. I can tell you that I will accept that as a reasonable estimate.
And I did not quantify it; you're absolutely correct.
Mr. Jerry Pickard: You have no evidence--clear.
Dr. Ann Cavoukian: That's correct.
Mr. Jerry Pickard: Thank you.
When it comes to trying to identify people, I agree that the only way you can identify anyone is with really good, solid base documents, and that's very important. Whether you get a driver's licence, you need that series of base documents.
By making an application for a driver's licence or a health card, or any kind of passport, governments usually have processes whereby they can deal with those issues in a very good fashion. My view is that we're much better off spending money on making sure that the base documents for anybody carrying a Canadian passport are all studied, recorded, and put together properly, so that person with the passport is properly identified and that passport then does have a very good value.
Dr. Ann Cavoukian: I agree with you completely.
Mr. Jerry Pickard: When we're looking at a national identity card, it is my view that anyone who would receive a national identity card must, without any question, have the best base documents you can put forward, and have people who have time at that place to study them, look at them, and make sure they're as correct and as right as possible.
Yes, I agree with you that some errors could be made; there's no question about that one. Whenever you're building a system for 30 million people, there is a possibility of making errors. However, if we're trying to identify Canadians adequately and properly, are we not better off to go through a very careful organized process?
I'm not talking of any type of identification outside of just a national identity card. I'm not talking of biometrics or other additions that could be used as further protection, but I'm talking about having a proper card, properly put together, because if we do that—if we have the proper cards in place—then I believe we can spend.... Where a person's going across the border or applying for a driver's licence, or applying for other things, if you can guarantee that the person who is in front of you is the person who is there, it saves a whole lot of time and effort. The majority of extra work can then be spent on those who don't have the identity card, or those who haven't gone through the security process. As a result, if it's done adequately and properly, you can have a card that does identify Canadians in a very specific way and does it very well. We could continue on the passport and go further on that basis, and just extend that privilege out.
The Chair: I wonder if we could have her answer that preamble of yours.
Mr. Jerry Pickard: With all of that in mind--the other point that you made--we can silo information and make sure that transfer of information from one department to the other.... It's protected by law, and I'm sure we can put it in place so it doesn't happen. What is wrong with a good national identity card if all the work is done appropriately, correctly, and it is reasonable in cost?
Dr. Ann Cavoukian: I think the first question that still needs to be answered is why we would institute that process, as opposed to strengthening the foundation documents we already have. Because I agree with you: strong, secure identity documents are very important, and have to be properly ensured on a factual basis. We have existing foundation documents now, and I think strengthening the process leading to them and the issuance of them, as Ontario recently did with respect to birth certificates, is a very laudable goal and something we should all pursue.
I simply don't think we need to create an entirely new infrastructure to do so that also has privacy implications in addition to financial costs. I would suggest that trying to work with what we have and tightening the processes, as you suggested, as strongly as possible, introducing secure protocols, would be preferable, in my view.
As I mentioned earlier, the only justification that I heard from Minister Coderre for the existence of a national ID card was the requirement that Canadians travelling to the United States at the end of 2004 will require biometric identification. That is what has been advanced to me from the minister's office as the justification for an ID card, and that, to me, is not significant justification. That's the reason.
º (1650)
The Chair: Thank you, Mr. Pickard. If I can get back to you, I will.
Chuck.
Mr. Chuck Strahl (Fraser Valley): Thank you, Mr. Chairman, and thank you, Doctor, for coming today.
It's a little unnerving here. You beat around the bush so much we hardly know whether you're in favour of this or not. Anyway, it's kind of refreshing, but it's a little unnerving here. We're not used to this kind of chattering here. We like a long, long explanation with no particular conclusion in sight. So you're an anomaly around here, I must tell you.
Dr. Ann Cavoukian: I apologize.
Mr. Chuck Strahl: We need more of that.
It seems to me that the problem is not with the card, it's the fact that it's an entire system. You can't only get a card out of this and have it be very effective. You need the creation of an entire system. That's been the problem with the gun registry. I know it's not entirely related here, but it does seem to me that this is the problem. It's also what makes many of us nervous.
We talk about this, because we've all read examples. We all have personal examples in our ridings where somebody's been mailed the information from the gun control centre, sent to the wrong address, containing all sorts of personal information about someone, including a list of all their firearms and where they keep them, sent to the wrong address. And this is really important to me, because it's a firearm, and now somebody else knows about it. It could get stolen. It could be targeted. It's nobody else's business anyway, and all that worrisome stuff.
What concerns me is that when you start down the road of this biometric system, regardless of how many billions it costs, you're also going to have those errors. They're inevitable, and people are going to have a false sense of security.
Mr. Chairman, simpy think of getting a card in the mail. You assume your information is correct, you don't know. It's only a card. You've never used it before. You're going on your one and only trip to Hawaii for your 50th anniversary. You show up at the airport and the thing doesn't swipe properly.
The Chair: You can certainly think of the problems.
Mr. Chuck Strahl: You would stay there for the rest of your born days, it would be so bad. I mean, that's as a Canadian in a Canadian system.
The Chair: Forget what the Government of Canada would do to you; it's your wife I'm worried about.
Mr. Chuck Strahl: Well, yes, that's true. I don't even want to think about it.
It seems to me that this is an atrocious thing.
You're so absolutely and obviously opposed to this, full stop, no, it shouldn't go ahead. Why didn't we hear from you initially during Mr. Coderre's first consultative process? Were you not available to kind of balance some of the other ideas? Or were you not--
The Chair: Chuck, to be fair, that's an unfair question, and I'll tell you why. This committee has been debating this issue since May, and we've had a lot of privacy commissioners, including the former and the present. We've had them from B.C. When we've travelled we've heard the privacy commissioners of every province and those around the world where we attended. So it's not as if Ann hasn't come forward. It's simply been a matter of scheduling it in.
Mr. Chuck Strahl: Well, okay then. Thank you. You can answer that if you feel there's something else you need to add.
My other question or comment, then, maybe is.... I mean, we're not going to get anything out of you; you're absolutely opposed to this. But perhaps two questions come to mind. One is that people will argue that it will reduce racial profiling and make it better for people like yourself who are born in different countries. It will make it easier for such people to cross the border. Can you maybe knock that one in the head again?
Finally, just deal with the whole idea of ID theft. That's a big issue in my riding. Mail theft is a huge problem in Chilliwack. Thousands of pieces of mail have gone missing. People have had their identities stolen. Organized crime is behind it. They use it. They sell this information to other organized crime units. In Chilliwack, thousands of people have been affected already. I'm worried what they will do with a card like this in an organized crime fashion. If it's worth hundreds of millions of dollars, then organized crime will spend that much money to get access to it.
Dr. Ann Cavoukian: In order of your questions, first of all, I assure you my voice has not been silent on this subject. I was simply not invited to Mr. Coderre's gathering, despite my repeated attempts to appear there.
On the question of racial profiling, if you had a one-to-many system, where you're comparing identification, one person against a database, that will not eliminate racial profiling concerns at all, because you will have so many false positives, false errors, for each individual that you will be forced to then go to a manual system to sort out all the false positives. The electronic system or the online system alone will not do it. It will generate a lot of errors, as Mr. Schneier suggested in his quote. What will then happen is you'll have to go to plan B, which is back to the manual system of sorting and eyeballing and doing all that. So that will not eliminate racial profiling whatsoever.
With respect to identity theft, there is nothing worse than identity theft. We hear from people all the time, as you have heard, that it is the fastest-growing form of consumer fraud in this country. The problem with the biometric is if you have a biometric residing in a database, a database of biometrics, these will be accessible to identity theft just as will a database of social insurance numbers, or credit card numbers, or anything else. But the harm is far greater--it will be tenfold--because if someone steals your biometrics, and all of us in society are thinking biometrics are so foolproof, then try to dispel the fact that you are a victim of identity theft, dispel the fact that this is in fact a real biometric being used by this person. So for victims of identity theft it will be ten times harder to get their stories straightened out.
That's the part that I think people miss. They think that if you have a biometric, it's yours, and there's no way someone else can steal it. That's not true. If you talk to cryptographers, they talk about online systems now. Very simply, there are systems of encryption that require challenge response, which simply means that if you send something and it's not accepted as being you and there's some kind of challenge to that, then you have to prove whoever it is, in terms of digital signatures, for example.
A biometric, for the most part, is not a challenge response system. There's one answer: it's me. If I send my biometric and they spoof it online, that's me, that's it, they have the motherlode. To dispel that is going to be extremely difficult. It will, in my view, exacerbate the problem of identity theft, not eliminate it.
º (1655)
The Chair: If I could, I have a couple of last questions.
The legislative framework that you had put in place, as you said, ten years ago was very timely even then, but I think it was very appropriate. I thank you for those guidelines. Let me just ask you some basic questions to fill in the gaps that some people have asked about.
You're the protector of privacy in Ontario. This whole issue is about how we protect privacy and preserve it. How can we ensure that in fact by protecting privacy we can also identify or authenticate who we are?
We all might think that there is privacy, but I think it's a misnomer now, because it's all compartmentalized. It resides in various databases now for health cards, drivers' licences, SIN cards, and so on and so forth. The fact is that no one has been able to link it, which has been the safeguard, because everybody is worried about a national database, and so on and so forth.
Do we really have privacy?
» (1700)
Dr. Ann Cavoukian: Yes, and I'll tell you why in a moment.
The Chair: The credit bureau can tell you everything you ever want to know about Joe Fontana. You can go to SIN or various people. All it would take is a little bit of time for someone to sit down and question all of these government departments, provincial, federal, and municipal, and credit card companies. The whole mosaic and picture will show up.
It's not going to be easy, but I applaud the fact that we need to protect privacy. At the end of the day, privacy is about who we are. If we don't have any privacy, then that's it; identity goes out the window. I want you to answer whether we really do have privacy.
Secondly, with regard to your foundation document, this committee is well aware of it, and testimony has even indicated that foundation documents have to be proven. The problem is that we don't have a national foundation document. Birth certificates are provincial. Drivers' licences are provincial. We have a passport, which is voluntary, but that's only for travel purposes. A citizenship card is not available to those who are even born here.
Where is the national foundation document through which we can deal with something, if in fact we need one? We would agree that we need to fix the foundation documents.
Lastly, when it comes to privacy, I think I'll use your example and Sarkis' example as to what has happened in the world since September 11. As an example, we could change the passport to say that place of birth is not important. Why is it important that they know where you were born, or where Chuck, Madeleine, Brian, and Joe Fontana come from? The fact is, we're Canadian citizens and we carry Canadian passports. What difference does it make whether or not we were born in Timbuktu, Italy, Armenia, or wherever? From a privacy issue, can you tell me what you would think about that?
Dr. Ann Cavoukian: I would love that. If you could pull that off, boy, would you have my support. I say that as a personal individual in terms of my place of birth not happening to be where my place of residency is, or my citizenship. I would value that enormously.
But the reason I don't attempt to do that is because the international protocols, from my understanding, that have those requirements in place are so strong that for me to attempt to alter the existing structure for passports is too lofty a goal, and I don't think I would be successful at it. So I would far rather protect the privacy within our country, within my jurisdiction, which I believe we can do successfully.
I want to challenge you on the view that we have no privacy, because I travel to the United States regularly, I travel to Europe, and we have more privacy now, in my view, after the European Union directive on data protection; after the creation of the federal law in Canada, PIPEDA; after the creation of a number of provincial laws that are following suit; with the United States creating the safe harbor framework in response to the EU directive, and the fact that they will be responding to PIPEDA.
You have more privacy now from a business perspective because there are heightened expectations of privacy on the part of consumers. Consumers just aren't buying it any more. If you look at the figures associated with electronic commerce, business to consumer, BtC, e-commerce, they are abysmal; they are a failure. They do not match at all the heights of success that they were hyped to scale in the early 2000s and late 1990s.
The reason for that, quite simply, is that the unbridled collection of personal information, without any restrictions or controls, that happened after the creation of the World Wide Web simply resulted in a consumer backlash. People weren't buying it. They've had it. They know personal profiles are being created. They know their information is being shared and their clickstream traffic is being tracked, and they don't want it. So they said stop.
What happened after 9/11 was very interesting. For a temporary period, especially in the United States, people were far more trusting of government because people were afraid. Fear is a very strong motivator. But the surprising thing was that the distrust of government shifted onto the private sector. There were heightened expectations of consumer privacy on the part of consumers looking to businesses. Trust was phenomenal, the need for trust, and trusted business relationships. So all of a sudden, the business community is coming to me, coming to others, and asking, what do I do to protect my customers' privacy? For some reason, they want all this privacy and they want their personal information protected like never before.
I am an optimist, but I think you're going to see much more privacy. That's not to dispute your very well-taken point that there are collections of databases containing personal information all over the world. We have automation, we have technology, we have the growth in networks. That's not going to stop. But what is paralleling that is the development of privacy-protected business practices. Not only government, but businesses now realize good privacy is good business, and in fact to treat privacy as an information management tool, as a significant business differentiator that will increase their competitive advantage over the other guys, that's the message now in business. So when business sees that there could be an economic impact, something to be gained by protecting privacy, they're in there. This is going to enhance their bottom line, and they're doing it.
So I say stay tuned, because I think we could actually see great improvements in privacy, not the opposite.
The Chair: Grant, Brian, and Jerry, I think.
Mr. Grant McNally: Thanks, Mr. Chair.
I wanted to go back to the only argument you received from the minister, that being that the U.S. is going to have this requirement for biometric documentation. What would be your rebuttal to that, or an alternate solution whereby we could then dispel all the arguments being put forward by the minister?
Dr. Ann Cavoukian: I would say quite simply that we have to be certain of the fact that the U.S. is going to require biometric identifiers from all Canadians by the end of 2004. I think to proceed before knowing that is premature. So let's start with that.
If in fact the answer to that is yes, we are going to need a biometric identifier, and Canada is not going to be miraculously exempted, then I would say let's explore adding a biometric, a one-to-one biometric, on an existing travel document such as the passport. That is, in my view, the safest way to go, it's the least expensive way to go, and I think it will be the most acceptable to the United States.
» (1705)
Mr. Brian Masse: I have one question related to something in your presentation, the notation that the databases would present an attractive target. How secure is the data, and do you have any idea of what the cost would be to ensure that the data we accumulate and store on people could be protected? Has there been any work done on what that ongoing cost is going to be to ensure the sanctity of the system?
Dr. Ann Cavoukian: There is no limit to that cost. And I don't mean to be cavalier about that, but when I made references to places like the Pentagon or Microsoft, Microsoft has been hacked. You can imagine the security that Microsoft could afford to protect their databases.
Security is an extremely difficult goal to achieve, and it's a laudable goal. We must all do it. In my office we have firewalls, we have encryption. We have all this stuff, and I still get spam. So this is a difficult thing, and spam is trivial in terms of the security goals we have.
So it would have to be an ongoing expense. It's not something for which you can build all this protection at the front end one time--firewalls--and then you stop. It's like a chess game: point, counterpoint. You develop good security, and the bad guys create methods of breaking that security, cracking the code. Then the “white hackers”, if you will, will develop better cryptography to protect that. So it's a constant chess game and point, counterpoint: you move forward and it's trying to be two steps ahead of the other guys, and you remain constantly vigilant. Mr. Schneier refers to it as a process that is unending.
Mr. Brian Masse: Thank you.
The Chair: Jerry, and then Sarkis.
Mr. Jerry Pickard: Technology is always going to be changing, and I think we have to accept that. Technology will move, whether we wish to stay as we are or not. But going back to the direction that I think is important, everybody links all kinds of things to a card.
This committee is looking at a national identity card, and we're looking at it in a very open, broad spectrum. I haven't heard any arguments why a national card for a Canadian isn't a good thing if we identify all Canadians at the best level we can and make sure they have a national identity card.
At this point in time, you might be able to pull a driver's licence from British Columbia--as the chair has said--or a health card from Nova Scotia, or if you're not over 16 you may not have any identification at all. If you're 70 you may not have any identification at all.
What is wrong with all Canadians having a foundation card, well checked out, as well documented as we possibly can, put in place without all of these other arguments around privacy? A card. You are there, you're identified. You're identified to the very best level we can possibly identify a person and here is that card.
That card may not be used as a travel document such as our passport. That card may not be used for something else. That card is a national identity card saying you are a Canadian, and it only identifies you and it doesn't link you into your credit card or it doesn't link you into a billion things for which people can speculate those linkages occur.
It seems like once you say “card”, then everybody has their own translation as to the million things that could be linked in and shared. I honestly don't believe it is an issue we need to deal with on that basis. Obviously you, as a privacy commissioner, said that absolutely no way do we want to see those linkages. I believe most Canadians would agree with that. But that doesn't say that most Canadians wouldn't agree with having a card to identify themselves as Canadian, one that's been checked out and they've been carefully scrutinized. The foundation documents don't exist for anyone, as a Canadian, at this point in time.
» (1710)
Dr. Ann Cavoukian: I don't know why Canadians would welcome a card like that when the purpose it would serve would be something that is not required right now.
Let me play devil's advocate. The reason you have all the cards that you have now is for particular purposes related to, generally speaking, a driver's licence. It's not an identification card. It's used for that, but it is issued to you to certify that you are permitted to drive a motor vehicle in the province of Ontario. It's a certification card, if you will. A credit card allows you to purchase things. A social insurance number has another purpose. None of these cards are issued to identify you, as you indicated.
As Canadians, I don't know why we require them. We don't have the type of system that exists in third world countries or in totalitarian countries, where you must identify yourself and carry your papers with you. Often the production of that card is a requirement.
We enjoy such freedom in this country. A hallmark of Canada is the freedom that we enjoy. To have to identify yourself, if it's not related to a particular purpose such as driving, crossing the border, or something like that, I don't think is the Canadian way. I'm speaking personally, but I don't think that would be welcome by Canadians.
What would be the purpose? Why do we need to identify ourselves just for the sake of identifying ourselves, unless we're travelling somewhere or there is a particular purpose linked to that identity?
As laudable as the goal is that you would only create an identity card that would not be linked to any other databases or used for other purposes, that's how identity cards always begin.
If you look at the origins of the social insurance number, in 1967 Prime Minister Diefenbaker said that there were only two purposes for that social insurance number: for the Canada Plan, and for unemployment insurance benefits--there were two reasons, and it would never be used for any other purpose. You know how many purposes it's used for. It has become the de facto identity card in Canada. It is used by both the private sector and the public sector alike. The government tried to withdraw or rescind the number of uses a number of years ago. It has been very difficult to do that.
I believe you when you say that you would only create it so that it would serve as a national identity card. I think that the temptation to use it for other purposes will be too great, especially when you bring in the whole issue of security. I don't think it's a realistic goal.
The Chair: Sarkis, and then that's it.
Mr. Sarkis Assadourian: Thank you very much.
Very briefly, first of all, I think that the principles you mention on pages 7 and 8 are wonderful principles. I hope our researcher will take note and put that in the final report in the way you describe it here.
Have you ever compared what we're proposing here with EU countries that have similar standards to ours? Have you ever had a meeting with them? I know that my colleagues travel to Europe. They discuss this issue with other jurisdictions and other countries. I'm sure they have similar concerns, whatever the case may be. Have you ever had any contact with them? If you have, how do you evaluate their approach to this?
I'm told that some of them are trying to establish ID cards in the way we're discussing. Why is it okay for them and not okay for us? If you've ever had contact with them, could you enlighten us on the subject?
Dr. Ann Cavoukian: You're absolutely right. Other countries, some of the EU countries, have identification cards.
What concerns me, if you look at a country like Spain, for example, which has an identification card with a biometric on it, is that the uses of that information are not only used for identification purposes. There is a whole notion of private sector access to that information to strengthen the base of commerce. The uses are far greater than we would envision here.
I don't know if it began like that, but I understand that the only legislation that governs it was introduced in 1947. It causes me great concern. I've travelled to Spain. When I talk to them about the identity documents, the perception of the documents and the treatment are very different from our country.
We value our freedom so much. I emphasize that because I wasn't born in this country. My parents emigrated here and loved this country because of the freedoms we have. It's something we don't take for granted, neither of us.
When I look at the freedoms that we enjoy in this country, that we take largely for granted because we enjoy them on a regular basis, they are predicated on the absence of having to demonstrate who you are to various officials when required to do so. That is at the foundation. People don't often think of that as privacy, but it is privacy.
Think of a totalitarian state, a police state. The first thing that you lose is your privacy. There is a system of surveillance imposed by the state upon you. Often it is done through such identity schemes as identity cards because it enables the government and law enforcement officials to keep track of your various activities and movements.
I'm not suggesting that would happen in Canada, truly I'm not, but that's the beginning of it. Our job in a free and democratic society is to remain ever vigilant to ensure that we preserve the rights we hold dear.
I fear the slippery slope. I don't know why we would go in that direction when I see no need for an identity card to begin with.
» (1715)
The Chair: Chuck, you had one comment.
Mr. Chuck Strahl: The other day I had to book a flight; it was actually through DND. They would not book the flight till they had my social insurance number.
As a citizen I've given up. I give my information to everybody. I'll bet you every organized crime outfit in the country has my information.
Dr. Ann Cavoukian: Don't do it.
Mr. Chuck Strahl: Yes, I know. It was interesting. I left it off the application form and someone phoned back and said “We're booking your flight. We have your passport number. We have everything, basically. We still won't book your flight till I get your SIN number.” That's just where it goes. That's my concern. I share your concern.
My question, though, is how would the system actually improve? Say it was all the reasons you've listed of why it would be dysfunctional. I agree with them all. How would it work to actually improve the system? If the concern is with foreign terrorists coming to the country, the assumption then is that every foreign terrorist would have to register and do a similar biometric thing, supposedly sponsored, I guess, by a similar foreign government, some of which also already sponsor terrorists.
It would be like a licence to come into the country with permission to travel freely without questions being asked.
Dr. Ann Cavoukian: It's an excellent point. It could actually legitimize terrorists or potential terrorists and give them legitimate documents that they lack now.
I should also point out, as I know you realize, that the perpetrators of 9/11 used their real identities. It wasn't as if they were using all these false things. They weren't. We don't know who the bad guys are in terms of the terrorists. We don't have the ability to predict, on any kind of algorithm, who these people are.
So to think that we have the capacity to develop these sophisticated systems to identify these people is premature. It's a point well taken.
Mr. Chuck Strahl: Thank you.
The Chair: Thank you, Doctor. Again, let me thank you for this very engaging discussion that we've had. The committee has been discussing this with Canadians. We're still in the middle of this broad debate about national identity and biometrics. Your experiences and your thoughts and feelings obviously are very important to this committee, so on their behalf I want to thank you very much for your presentation.
Dr. Ann Cavoukian: Thank you so much. I really appreciate the invitation. I'm honoured.
The Chair: Members of the committee, as you know, Thursday morning we will be meeting with the new chair of the IRB. I think Madeleine will be chairing the meeting, because both Jerry and I will not be here.
I want to remind this committee that it has been a year since it was fully constituted and some of the finest work, I believe, in Parliament has been done. If I don't get an opportunity of telling you publicly, I want you to--
Mr. Sarkis Assadourian: Will you buy us dinner, Mr. Chairman?
The Chair: Sure, I'll buy you dinner, Sarkis.
I want you to keep this in mind. Of the committees of the House of Commons, I want to tell you that we worked very hard. We had seven reports, four of which were very substantial, 81 formal meetings, 16 informal meetings, three foreign delegations, over 300 witnesses, plus international travel, all in the name of the country.
So I want to take this opportunity, as it's a year since we started this endeavour, to say that we've done some very fine work. I want to thank each and every one of you for your time, your hard work, and your dedication.
See you on Thursday, and beyond, who knows?
This meeting is adjourned.