Proceedings of the Standing Senate Committee on
Legal and Constitutional Affairs
Issue 8 - Evidence for May 14, 2009
OTTAWA, Thursday, May 14, 2009
The Standing Senate Committee on Legal and Constitutional Affairs, to which was referred Bill S-4, An Act to amend the Criminal Code (identity theft and related misconduct), met this day at 10:47 a.m. to give consideration to the bill.
Senator Joan Fraser (Chair) in the chair.
[English]
The Chair: The Standing Senate Committee on Legal and Constitutional Affairs will continue its study of Bill S-4. We have the great pleasure of welcoming as our first witness Mr. David McMahon, who is Advisor, National Security — Bell Canada, and who is representing the Information Technology Association of Canada. In other words, he understands how the crooks do what they do, and he is here to explain it to us.
[Translation]
Mr. McMahon, we are pleased to have you with us. I believe you know how things work. You will make your opening remarks, and then, we will move on to questions. The floor is yours.
David McMahon, Advisor, National Security — Bell Canada, Information Technology Association of Canada: Thank you very much for inviting me here today. I am representing the Information Technology Association of Canada. They asked me to speak on the subject of identity theft. Specifically, my area of expertise is looking at the cyber threat over the last 20 years and the technological focus as it is implicated within identity theft.
To summarize the rather sophisticated concept around identity theft, it has been around in some form for hundreds of years, if not thousands. What makes it different in 2009 are how technology has implicated itself and the growing importance of technology in facilitating identity theft on vast scales.
Within the centre of a technologically assisted identity theft ring is money. There are types of identity theft that are not associated with money, but they are few and far between, considering that nearly everything bad that happens on the Internet at this time has a financial goal at the other end. That is also to say that all the bad things that happen within cyberspace do not necessarily include identity theft. In some cases, criminals will look at trying to get at the money as fast as they can. If they can get at it by theft of goods and services, they will. If they have to, they will go after identity theft, and if they are able to acquire the identities of persons, they are able to fence those off in the global market.
How does this generally occur in this day and age? The most traditional way, which you may have heard about, is credit card skimming, taking advantage of breaches that occur — surreptitious breaches, disclosures within various communities of interest, and also harvesting what people put up about themselves on the Internet. A typical example would be Facebook, where what people put up about themselves can be harvested and then used.
The other way, which is becoming much more prevalent, is the use of robot networks that infiltrate and harvest goods and services off people's computers, essentially taking over people's computers. The first modus operandi is to use those computers to generate money for organized crime. The second purpose is to take whatever identity they can accrue from those Trojanized computers and be able to peddle those off on the black market. A whole industry has developed within the criminal enterprises that, first, collects the information from bits and pieces through different means, and second, is then able to make use of it. The two are not necessarily connected. The people who collect the information are not necessarily the ones who use it.
Going after these criminal networks requires a two-tier approach: monitoring the people making the end use of personal identity and then going after those behind the scenes collecting the identity in the first place.
I am available to answer any specific questions you might have on a technological basis.
The Chair: You are faced with a group of people not including engineers and technological experts, but I am sure that we will have questions for you, Mr. McMahon.
Senator Wallace: Welcome here today, Mr. McMahon. Thank you for your comments. As you know, the focus of this committee and this hearing is Bill S-4. I am certainly not a techie when it comes to Internet technology and all the things you are well familiar with.
I will start off with an easy question, or at least easy from my perspective. With the issues that you are involved with and the technological challenges and the infiltration by organized crime and the impact that has on identity theft, which is a terrible scourge of our society, I am wondering what your reaction is to Bill S-4. How do you feel it responds to this problem we have?
Mr. McMahon: Having had a chance to look over the bill briefly and consult with my colleagues beforehand, I think part of the problem is solved or ameliorated by legal documents and the ability to prosecute people, especially within Canada. The other part is a technical solution.
Without speaking too directly to the legal aspects of it, I think it is important that we have instruments that allow prosecutors to bring people to account for things like having 1 million or 10,000 identities built up on their computer. Clearly something is not right. To give you an analogy, it is not illegal to own a ski mask and crowbar and essentially what we would consider break and enter tools, but any police officer would be in the right to arrest someone sitting outside a home at two o'clock in the morning dressed in a ski mask and carrying those sorts of things. We need to have legislation that provides analogous powers to be able to prosecute.
It is also a pragmatic question. I think that if someone has on their computer, for example, 10,000 identities, as I understand it the courts must bring in all those individuals and have them testify as to whether they gave that person the right to have their identity on that computer. We need to change that around so that the person who has accumulated all those identities is called to question to justify why he or she has those.
Legislation only works so far as you are prosecuting criminals you can get your hands on within Canada. A great number of the attacks and activity, at least in one part, if not the entire operation, is conducted abroad, as well as where Canadians' information lies. If you have a Hotmail account, Facebook or things like that, the information is not necessarily within Canada.
Senator Wallace: As you point out, each of us at times could be in possession of identity information of someone else, and the issue becomes why you have that and what the purpose of that is. The purpose of Bill S-4 is to deal with identity theft at the stage of that possession or that collection. It is not simply the fact that an individual has that information, but just looking at proposed section 402.2, that the individual possesses another person's identity information in circumstances giving rise to a reasonable inference to commit a crime. There is a requirement that there be this reasonable inference. It is not simply black and white.
Do you feel that this is a significant issue in terms of the technology that you deal with on a day-to-day basis? Is this issue of identity theft a critically important issue that we as parliamentarians should be acting upon immediately, or can it be left for another day?
Mr. McMahon: I think it is an important issue, one that will be emerging as a more critical issue specifically because of the cyber aspect. The easiest form of identity theft is credit card fraud. Credit cards now have smart chips in them, which is now driving a lot of the fraud online, so strong legislation is one part of a solution to going after this sort of thing. Identity theft and cybercrime are becoming extremely profitable on a very large scale.
Senator Wallace: Is that activity under the control of organized crime or has it been infiltrated to a large extent by organized crime?
Mr. McMahon: It used to be, 20 or 10 years ago as the Internet emerged, that you had hackers hacking for the sake of controlling computer systems. Organized crime had not really gone on the Internet and become users of Internet technology. In the last five years, organized crime has essentially taken over nearly everything bad that is happening on the Internet right now. That came about primarily when people were able to make money from the Internet.
Senator Wallace: As you point out, it is not a problem that exists only within the boundaries of our country or any other; it is an international problem. It is one that requires an immediate approach here in Canada, I believe.
Mr. McMahon: Absolutely.
The Chair: Did I understand you to say that these new credit card chips increase the risk, the likelihood or the number of identity thefts?
Mr. McMahon: No, they shift the vector that the threat agents, like organized crime, are going after. Specifically, if organized crime had a certain amount of time in their day to steal, let us say 50 per cent was spent online and 50 per cent was spent going after credit cards. Now credit and bank cards are becoming much harder. In Europe, they switched over earlier and they noticed a dramatic increase in crime moving online, so we have known for a time. That is where it has shifted right now.
The Chair: Thank you.
Senator Milne: We have heard about the methods of stealing debit and credit card data. We have heard about synthetic identity fraud and we heard last night about theft of courier bags. Now, you have added two more: collecting IDs and using IDs.
I assume Bell is particularly concerned about the collecting of IDs because this happens over the phone lines and over the Internet, whether that is on a phone line or not. At Bell, do you have any methods that would help identify when this is happening over your network?
Mr. McMahon: This is a bit of a two-part answer. One, a great many transactions happen every second — a massive number of transactions — as well as malicious activity. There is so much malicious activity that it can be overwhelming. In a traditional sense, let us say you went to the police with a very large fraud, $1-million fraud. You would get their attention and they would start an investigation. On the other hand, suppose you went to the police now and said, "I have $1-million fraud but it is happening in $1 increments, so I have a million $1 frauds." Investigating those requires a completely different set of skills as well as the ability to prosecute.
We are finding that, although anything is technically possible in terms of monitoring threat activities, it is a challenge, and the question is whether you should spend your time chasing down crimes after they have occurred or devote more of your time to proactively trying to prevent these things from happening.
By the way, monitoring is something the financial community does. To a certain extent, telecom organizations monitor the types of threat activity that occur over the network from a technological network basis.
Senator Milne: Are you being proactive in prevention?
Mr. McMahon: Yes. For example, about 94 per cent of email traffic is spam-related and malicious content. Most of that is filtered out before it is passed out to the consumer base. Spam is important because it is one of the means where organized crime, for instance, can get pieces of malicious code into someone's system and be able to steal their identity or take over their system. A proactive means would be stopping that before it happens.
Blacklisting known threat agents or groups and identifying organizations by their IP address and domains are problems. That is acting more proactively in terms of trying to stop that.
That being said, as we know, identity fraud online still persists. Part of the challenge there is balancing a citizen's right to privacy and Net neutrality and how far one goes in policing the content and where people go and what they do online.
Senator Milne: Does Bell ever say to the police, "We know this is happening over our system"?
Mr. McMahon: I think all the carriers, including Bell, have an ongoing dialogue with the police as well as with government and other carriers around the world. It is an ongoing, daily dialogue.
There are many challenges in how to tackle the problem, especially given that most of the attacks of this nature are happening from a foreign base of operation.
Senator Milne: Madam Chair, if I ever collected all the multi-millions of dollars I have been offered over the Internet for interceding with someone in Africa with a bank —
The Chair: Just give them your bank account number and the millions will be deposited.
Senator Milne: I hope Bell will be able to do something to stop this. Are you doing anything to stop that kind of spam?
Mr. McMahon: Absolutely. Bell publishes a responsibility report in which we look at the initiatives we take — everything from child safety to "stop spam" initiatives. We sit on all the international committees on spam, as well as taking profound technological measures. We are reducing it significantly, I would say. "Significantly" meaning reducing 90 to 94 per cent of spam that goes to our consumer base.
Senator Bryden: What is there in Bill S-4 that will make the preventative measures you have just been describing more successful?
Mr. McMahon: The bill is obviously intended for a Canadian audience and Canadian perpetrators. The literature tells us a Canadian identity is most usefully exploited within a Canadian context. If someone had my identity, he could probably get the most out of it by trying to use it to open a Canadian bank account and buy Canadian goods, rather than trying to use my account and identity in Thailand, for example.
When it comes to protecting Canadians, part of the solution — though not the whole solution — will reside within Canada. To that extent, I think the bill is extremely useful in allowing prosecutors to take down the people we can actually reach out and touch.
There are other ways and means we can look at for working collaboratively with the United States and other partners to put down identity theft around the world.
Senator Bryden: Within Canada, specifically, what is in this bill that makes it easier to catch the Canadian people who are doing that versus what is available to you now?
Mr. McMahon: I am speaking from a technological basis. From what I understand from talking with my legal colleagues, this bill goes one step further down the road to helping them prosecute cases involving identity theft, or at least raising it up to the consciousness.
Part of the challenge is always how you map the technological modus operandi that someone has used with the letter of the law. I think I am probably out of my range talking about that.
Senator Bryden: I have one small point. It was mentioned yesterday that the types of offences described in Bill S-4 are at the lower end of the seriousness level. That is one of the reasons the penalties are not very high. Maximums are basically $5,000.
It is a problem with police in other areas that if the potential penalties are very low, like the penalties listed in Bill S-4, and the police are busy, they simply do not or will not take the time to go after those activities. It is simply not worth the policeman's time when there are many more rewarding things for a professional police force to deal with and much demand.
Will that be a problem? Do you have difficulty in having police trace down these users of other people's identities on a regular basis currently?
Mr. McMahon: The inherent challenge is that tools, methods, techniques and modus operandi change very rapidly. There are technological ways to perpetrate crime on the Internet that we are not sure there are laws to cover or, at least, legal interpretation to circumvent.
Another challenge is that instead of big heists, we are talking about millions of small heists and a widely distributed criminal network. It is easier, relatively speaking, if you have one criminal with one large heist within Canada. You can take that person down. If you have many people involved in tens of thousands or millions of small heists where none of the victims realize that they were victims and are not coming forward to the police, that becomes a big challenge, especially when no one has reported it to police. It exists on the Internet and you may get some insight into it.
This type of crime requires non-traditional policing covered by non-traditional legislation. Some creativity in how prosecutors will interpret the law and police will eventually be able to enforce it is needed. It definitely will rely on cooperation of different communities of interest, such as the financial community, Internet service providers, carriers, and the retail industry to provide that operational situational awareness for the police as to where to start looking.
Senator Joyal: I will wait my turn since the explanation given by the witness is covering elements that I wanted to raise.
Senator Baker: The Personal Information Protection and Electronic Documents Act, PIPEDA, that we passed in Parliament recently, apart from the Privacy Act, applies to telephone companies because they are a federal work under the act. That came into effect in January 2001. I have noticed several judgments involving Bell and other telephone companies. Yesterday Senator Nolin brought to our attention a provision in Bill S-4 involving the rights and the extent of those rights given to police officers in that they are excluded from certain sections of this act.
As I recall, the Privacy Act and PIPEDA also have exceptions regarding police investigations. If you were telephoned by some police force from a small community anywhere to give them privacy information, would that normally be restricted under the legislation?
Mr. McMahon: Yes, senator. There are clear black and white areas that are very easy to determine. For example, one black and white area is where a law enforcement agency wants to put up a wiretap. It requires a federal warrant.
Senator Baker: That is a warrant. I am not talking about warrants.
Mr. McMahon: Yes, exactly. That is one side that is very clear. The other side would be when a police force wants a general picture on the nature of cybercrime. That is a professional consulting engagement.
It is the items in the middle where we have the privacy debate, security discussions and things like this. Almost all times it can be resolved one way or the other and people and law enforcement can get what they need.
Some of the challenges are pragmatic. It depends on how much information the police need and whether they have a priori the information we require in order to go look for more information, or whether the questions are too vague and require more investigative support. For example, child safety issues and online exploitation of children are usually dealt with very cleanly. If the question is vaguer and it becomes a fishing expedition, then we would have questions. We would be balancing the privacy of our clients and subscriber databases with the needs of law enforcement.
Senator Baker: You have within the cellular and land line operations a special office that deals with law enforcement.
Mr. McMahon: Yes, absolutely.
Senator Baker: In other words, when the police come to you with a number recorder warrant under section 492.2 of the Criminal Code, you have that person in that office deal with the police. That is a warrant to get telephone numbers.
Mr. McMahon: Yes.
Senator Baker: That office would also deal with a warrant when you want to tap someone's telephone.
However, I am particularly interested in this act as it relates to that person or persons in those offices talking on the telephone to police and giving out persons' addresses, unlisted telephone numbers, and other information. This appears to be a practice with all telephone companies. Is this because you interpret that PIPEDA does not apply in the case of police officers asking for information? Do you have any thoughts on that?
Mr. McMahon: How much information you would provide in the absence of a very specific warrant would depend on the circumstance and the urgency of the case.
Senator Baker: I am not talking about a warrant. I am talking about information given voluntarily by telephone companies to anyone who phones, specifically a police officer.
Suppose they are using a "swamper" that collects cellular telephone numbers in a specific area. Police telephone your office to set up to deal with them and ask for the name, address and all of the information you have concerning that number. It is given without warrant. I am wondering how that takes place without judicial authorization.
Mr. McMahon: Typically we would have a warrant to provide that sort of information.
Senator Baker: Are you saying it does not happen?
Mr. McMahon: Not from my office. However, I do not deal specifically with that or identity theft.
The Chair: Senator, may I put you down for a second round?
Senator Baker: I have one more question relating to another subject.
The Chair: It will come on a brilliant second round.
Senator Joyal: Mr. McMahon, you mentioned in your presentation that the technology is moving fast. How much of an element of flexibility to adapt to new technology should we try to bring into this legislation, so that it is not obsolete in two or five years down the road? I ask because the system will have been refined by then and become more sophisticated, and it will be easier for hackers to move into it and steal the credit card numbers or someone's identity.
You have read the legislation, I am sure. Is there an element in it that you would suggest to us to think twice about and ensure we are able to be responsive, either in the definitions or in the other aspects — the way the offences are defined?
Mr. McMahon: I went through a similar exercise a number of years ago looking at wiretap laws and other types of legislation in the Criminal Code that had a technology bias to them.
The best advice I had for myself at the time was to try to keep the legislation open enough and not nail it down to specific technologies, means, modes or methods because those evolve so rapidly. That gives the prosecutors or the legal community the ability to rationally interpret the laws to the evolving technology. That is the first part of the answer.
The other part of the answer is that there are things that need to occur outside the technology in order to help us deal with identity theft. Those are about developing countermeasures to identity theft and include everything from security awareness campaigns for the public and disclosure. It also includes various public-private partnerships in developing technologies that would provide a safer online environment.
There are many different things. The legislation is one part of it, of course.
Senator Joyal: How much are you involved in the responsibility to develop, as you said, counter-approaches to the ones the offender would like to have in order to protect the public?
I have a concern and I will give you an example. When we around this table were concerned about child pornography, a responsibility was put on Internet service providers. Could we make a similar or analogous reasoning stating that we know that there is a break and entry in the system and, as a provider of that service, you, to a point, have a responsibility to make it tight?
In this bill, should there be anything analogous to the one we did for child pornography? Or should we not spell out a responsibility for the provider of those services? Did you pay any attention to that in the past?
Mr. McMahon: Child safety is a good example. We block explicit child pornography from the Internet to the best of our ability. Right now, we are using a list provided by Cybertip.ca, and that has been a fairly successful program.
The way that providers and carriers around the world handle the threat is very much like a large ecosystem with predators. Our response to predators is to essentially balance itself out. It balances itself out so all the carriers put security mechanisms in place to reduce the amount of online fraud, the theft of bandwidth, the amount of spam and things like that.
It will come to a point where it becomes difficult to clean the pipes any further. Right now, that is around 94 per cent. There are a number of reasons behind that. There are fiscal reasons. It becomes cost-preclusive at a certain point; you get logged in diminishing returns in the security mechanisms you put in. It also gets harder to get the last few per cent. The other one is the lack of clients asking for it, especially because most of them do not know they are victims. Therefore, there are market forces that balance it out, as well.
Net neutrality and privacy issues also come into play. People want to be able to go places, download things, visit sites and so on. There is a limit to what restrictive security policies any carrier can uniformly put on the Canadian public. A bank, for instance, may have very stringent policies that we can put in place, and their networks can be a lot cleaner. The same goes for any particular enterprise. However, when you are providing bandwidth for the general public, you are riding a fine line as to how much security you provide without impinging upon people's privacy issues and providing their ability to operate on the Internet, and get themselves infected in a lot of cases.
That is an ongoing discussion now. Legislation is probably not the answer to moving that bar. We had put forward a proposal for tax credits where we could accelerate programs to provide cleaner pipes, as opposed to trying to create programs and then find a client to help pay for those.
A lot of stuff has been happening, obviously. I think it has been accelerating because of the cost of bandwidth, as well as providing value-added services in providing cleaner pipes and more trustworthy connectivity for clients.
Senator Joyal: In relation to the first question, are there any clauses of the bill where you feel the technology terminology is too limited and not open enough to allow for further interpretation that would adapt to new developments?
Mr. McMahon: I do not think so. I think it would be limited more by the creativity and how much risk a prosecutor is willing to take in interpreting technology — our ability to articulate what is happening in real time in cyberspace, from a threat perspective, to people with a legal background that can make that interpretation.
Senator Joyal: Do you feel that all the areas of biometrics that we are talking about are spelled out in sufficiently general terms to allow the bill to be effective years down the road, with all the development that we can expect in relation to that technology?
Mr. McMahon: I think so. I have not looked at the bill with that perspective. Again, I would only caution against becoming too technical in a bill because, as soon as you put in a technical solution, you are likely to be outdated within months — six months to a year.
The Chair: I want to explain that it is not from lack of interest that I keep moving people along. It is just that we do face time constraints and everybody wants to get a chance to put questions to you, Mr. McMahon. That is our difficulty.
Senator Nolin: My question is more of a curiosity because you are here representing the Information Technology Association of Canada. I am sure among your membership, you may have the answer.
Most of us travel and hotel rooms open with a card. We have been told to watch out for those cards, that they may contain information that could be used against us. Is that true, and how does it work? I cherish that card. I keep it in my drawer in my office just to ensure nobody will see it. What is in there? Is my credit card number on it? What is on that card that I should protect?
Mr. McMahon: What is the card you are referring to?
Senator Nolin: The card that opens your hotel door. Are you familiar with that technology? Is it just a signal that opens the door?
Mr. McMahon: It is a difficult question to answer because there are so many different card technologies involved.
Senator Nolin: That is why I do not know the answer.
Mr. McMahon: Very simply, certain cards will contain more information on you than others. It is really up to the discretion of the people building and using the cards as to what to put on. There are several basic cards. I put them in two or three categories: one is a card with a magnetic strip that you can put anything you want on; another has some sort of chip technology that encrypts the information and allows a more secure exchange of information.
More and more, we are moving to cards of interest, like bank cards and credit cards, using chip technology, which has now placed the work factor for prosecuting and attacking those cards into an area where it is more difficult to deal with those than it is to do things other ways. With just a plain card with no chip, the challenge is whether it is worthwhile for any particular threat agent to skim those cards in the presence of other means of making money in the time available. The problem criminals have now is an embarrassment of riches.
Senator Nolin: Should I keep storing those cards and not giving them back to the hotel clerk?
Senator Campbell: That is only with keys.
Senator Nolin: Try to find one that uses a key.
Mr. McMahon: I do not know without looking at the specific information they stored on the card.
Senator Nolin: My other question refers to the exchange of information. Within your association, I see an important group of corporations. Do you exchange data? At Bell Canada, do you have a list of information that you are asked to share with others in your association? Do you have a list of names and addresses of people who are breaching the use of Bell Canada services, and are you asked to share that information with other members of your association?
Mr. McMahon: The simple answer is that we do not share any subscriber information with anyone without legal authority. Even if we wanted to, the quantity of information of malicious activity occurring in cyberspace in Canada is so massive that they would not have an Internet pipe big enough or computers large enough to store it. We do typically share summarized reporting regarding the trends of the modus operandi, latest trade craft, the types of things you would see on a Symantec report, taking a vast amount of information and boiling it down to an executive summary of the general themes.
Specific information as to who is doing what to whom is the sort of thing we would discuss with law enforcement, and even then we are both of us moving together in this environment where we have a lot of information but it is just not practical or correct to hand it all over. Now it is mostly exchanged verbally or in reports.
Senator Nolin: Yesterday we asked the Department of Justice whether there was an intent to create a data bank to be shared by the law enforcement organizations across the country, and the answer is no, but I was wondering whether technology could help on that. Obviously not. What you are sharing amongst your membership is trends and techniques used to breach your systems.
Mr. McMahon: Yes. The challenge we have is that the pace and magnitude of the things going on are so great that the analysis must occur within those communities that have access to that primary data. If you are in a financial environment looking at the financial fraud metric, you see that those activities are happening very fast, and it is the same in the telecommunications environment. If you can imagine, these are very large pipes and very large systems. There is no easy way of boiling that down and summarizing it in real time for people. It takes many people and a fair bit of time to massage it and produce a report and provide that information, which we do regularly.
Senator Nolin: I understand that Bill S-4 will help you in doing your job.
Mr. McMahon: It certainly does not hurt.
Senator Dickson: I would like to preface my question or my remarks with two statements: one, I am a victim of credit card fraud, which I can explain quickly; and two, my daughter works at Bell Canada. I should declare my interest right off. I should have done that first.
The background is that all of a sudden I get a credit card statement, and there I am debited $8,700. What do I do? I go to the bank, rather upset, and explain that I am down $8,700. That is quite a party. I knew I did not incur that. The bank said that the first step was to go to the local detachment of the RCMP or the police. I will not comment on the local police, but the RCMP were very accessible and available, so I reported it there. I called the credit card company back and told them I filed the report, and luckily I got the credit on the card, so I was not responsible for the debt. The bank in turn found the branch through some mechanism in their system — it was a branch in Edmonton — and the identification of a person to whose account the money was transferred from my account.
I understand from the clerk of the committee that credit card companies and probably banks will be invited here, but from the associations that you deal with, there must be codes of practice where you cooperate with the banks and the credit card companies, as well in relation to online banking. Are there effective, technical mechanisms, or could there be better mechanisms in place there?
Mr. McMahon: Yes, there are, senator. The telecommunication companies and the banks work together very closely. They share a partner relationship as well as a client relationship. We tend to manage their networks. We also are implicated or involved in being victimized ourselves. Most of the attacks on the financial industry or their clients and most of those online attacks are perpetrated through the infrastructures that we manage, so we have shared interests, absolutely. We do meet. We do talk. We do exchange information, in some cases, real time.
In trying to track down things like identity fraud, there are two lines of investigation. One is to follow the money, and the other is to follow the communication. You have an IP address, an Internet protocol address or domain name associated with someone who is doing things on line. You may have a financial tracking of the information of where it goes. Those systems are not necessarily integrated. That interface is occurring almost face to face. There may be a time in the future where we can do online correlation to figure out where something has gone off the Internet and where that money trail is happening.
Right now, we are doing analysis. Banks do their analysis following fraud and money laundering, and we are doing analysis as to what people are doing bad things on the Internet, where the sources of evil are. The two are being put together at a higher level, an executive summary level, and in some cases, such as in the case of phishing, for instance, we share specific attack factors, such as this attack came from this person or this group.
Senator Dickson: Is there any way this bill could be improved regarding whether or not there is an obligation or an onus on the bank or on Bell Canada to initiate prosecutions, to go to the Mounties and lay a charge?
Mr. McMahon: This is a personal opinion because I am not a legal expert, and I am not speaking for Bell here but mostly for the association.
Nature is sort of taking its course where the critical infrastructures — for instance, communications, telecommunications and finance — recognize that there is a high degree of interdependency and risk associated between the businesses and those two infrastructures. Cooperation is naturally occurring as a result.
The biggest challenges, as I see them, between bringing law enforcement into that is not that we do not talk; we talk every day about the most sensitive issues and on the biggest cases. The challenge is how to get the information in the form it is collected into a form that police forces are accustomed to dealing with in cases. One is looking at bits and bytes travelling across the Internet at huge speeds, and then you are looking at case files. It requires people, processes, technologies and cultural changes to be developed in order to allow that exchange to happen.
Senator Campbell: Is there a concern on your part about obtaining information between peers in a manner that would allow you to take it to court? In other words, you are talking to peers; you are not talking in the context of laying a charge or a criminal offence. You are exchanging information dealing perhaps with crime on the Internet. Is there any concern on your part that that information can then be transferred into the legal system without any difficulties?
Mr. McMahon: The way a telecommunications infrastructure looks at malicious activity is all based upon IP addresses, domain names and technical speak such as that. The actual person at the other end that is perpetrating the crime is not always evident.
Even with respect to the way it is resolved, the help desk will be involved in helping resolve incidents of a malicious nature, and it tends to be based upon IP addresses and user accounts, things like that. It is not necessarily in a format that lends itself to easy prosecution or the way the RCMP would look at something, such as a crime took place and this is how we want to go about prosecuting. In many cases, it is easier to stop the attack than to figure out who is causing it. In many cases, if there is a massive attack coming from another country, you would block that attack rather than try to investigate who is behind it and why.
Senator Campbell: The only question I have is regarding going forward to try to stop these attacks. There was a phrase used in legal investigative circles many years ago, "I will show you mine and you show me yours," and it was not from a point of view of laying a charge so much as it was sharing information in order to continue on the investigation, and that information in fact would never form part of your charge. Is that the kind of situation you find yourself in?
I get the sense you are at a much higher level with just the IP addresses and domains, and your concern is more about stopping an attack coming through your network than it is about actual criminal charges or catching someone; your concern is more based on business.
Mr. McMahon: I think that is correct. If one of our subscribers or clients is behaving poorly, then there is a fairly easy way of dealing with it because we know who it is and we will be able to take that to the authorities, if not deal with it directly with the client.
The other issue refers to criminal intelligence, whether that is environmental scanning in developing a situation. A typical example would be a police force asking about what is happening in the criminal intelligence world with regards to cyber crime. Who are the bad guys? We need enough information so we can start an investigation because we do not know who to look for.
That is a great deal of discussion, as it would start, let us say, with publishing a white paper or publishing threat reports on a macro-scale, eventually getting down to the point where there is enough information that the RCMP can use it within an investigation, at which point there will be a cut-off. When you start asking for specific people's names and Canadians are involved, a warrant is sought and it enters into an investigative stage.
The first page of that stage would not be dealing with private information, but more dealing with means, motives, methods and perhaps identifying threat groups, locations and things like that.
The stuff in the middle is always a matter of discussion because that is where one must tread carefully in terms of satisfying the needs of law enforcement with developing a background for an investigation, the privacy needs of citizens and the neutrality in the middle. That is where a lot of the discussion happens between legal groups and operational groups.
Senator Bryden: I would like to follow up and ask one question. High-speed Internet connection can be accessed by land line, but it can also be accessed by satellite. Is one of those two modes more prone to attack? Is it easier to attack satellite mode than land line mode or vice versa?
Mr. McMahon: That is an excellent question. If you are trying to take over a computer, you want a computer that is nice and fast. You do not want to necessarily steal the identity, but you want to use it as a launching point for things like quick fraud, spam runs and things like that. If you get the person's identity in the meantime, that is a bonus, but you are looking at using the computer as a launching platform. You would therefore want bandwidth.
On the other hand, you have to be able to take over the machine. Some of the most un-patched machines are actually dial-up because it takes such a long time to download all the latest patches; they therefore tend to be un-patched machines.
On the one hand, we see a lot of dial-up connections that are infected, and that is balanced with high bandwidth connections and powerful machines that are infected but for two completely different reasons. As dial-up becomes less obvious, we will see a bump in high bandwidth solutions providing the biggest threat, with the most malicious traffic. The next bump will be the introduction of broadband, high-speed, 4G systems which appear on hand-held devices in order to operate at fast speeds. We suspect that will also add to some of the noise.
Senator Bryden: Could I get an answer to my question? Is it more risky for me to have a dial-up, which is what I have now because that is all I can get, than satellite feed into my house? Do you know?
Mr. McMahon: I do not know precisely. I would suggest that it probably would be very similar. We have only noticed the other observation about dial-up versus broadband connections. I have not made the assessment between satellite and DSL connections.
The Chair: I will ask senators and Mr. McMahon to be as concise as we can because we have more witnesses to hear from this interesting morning and we will soon bump up against a Senate sitting, at which point we must adjourn this meeting.
Senator Baker: Since we are on television and we have the author with us, I wanted to say that I think the book is called Cyber Crime. Is that the name of your book?
Mr. McMahon: Cyber Threat.
Senator Baker: It is an excellent book, written in layman's language. Everyone can understand it. It would make a great Christmas present for someone.
My question to you is this: You referenced in each question put to you by the senators the effect of the bill. Yes, in one case you said that it certainly will not do any harm, and so on. Of course, your point is well-taken that much of the crime occurs outside the borders of Canada. Have you given any thought or what would you say to the committee as far as there being a provision in this bill applying to prosecutions outside of the country that use identities that are obtained within the country? According to you, that involves the majority of identity theft with which we are dealing.
Mr. McMahon: That is an interesting question, senator. I have given a lot of thought to how to tackle the problem. I have not considered legislative instruments and legal instruments as being a huge part of that, mostly because my sphere of control and influence is mostly on the technological side as opposed to the legal side.
I can say only that I have been involved in conversations where my legal colleagues have been perplexed or upset about the lack of power they have to prosecute or even investigate cases abroad. In some cases, the solution has been that it is more pragmatic to stop the attacks and identify the attacks rather than to try to go after them after the fact. There are also many discussions about how one might go about carrying on those cases abroad.
Senator Wallace: I would like to come back to a point that Senator Joyal made earlier. It was a good point. With your technological background, I am sure it is one that would mean a lot to you. As we move forward to deal with this issue of identity theft, we should not limit ourselves to the technologies that we know today; we should leave it more open than that. That makes sense.
In my reading of Bill S-4 and, in particular, the definition of "identity information" and how that relates to identity theft, I do not believe that it is limited to any medium in which that information is stored or to any particular technology. I thought from your comment earlier that you would agree with that, but I wanted to confirm that. Is there anything in the bill that you feel limits the scope of technology in defining what would constitute identity information?
Mr. McMahon: I personally do not think so. My experience over the last couple of decades dealing with the legal community is that some lawyers would be very creative and find a way to prosecute within the bounds of the written law; others would interpret it differently and in a very risk-averse manner.
Senator Wallace: We will follow your opinion, I think.
Senator Milne: You have described to us that crime is really moving from identity theft and credit card or debit card threat increasingly to methods over the Internet of stealing $1 from one million accounts instead of large amounts from a few accounts. I simply cannot see how either the police or you will ever be able to track this kind of crime. The people or the companies who have the money stolen from their accounts will not even realize. A $10 amount here or there happens; people can forget how much they have.
The bill addresses a type of crime that will be decreasing rather than increasing. I cannot see that those million people who have had $10 stolen from them will ever complain or even realize it. I am beginning to realize what will be the effect of this bill.
Mr. McMahon: That is a very insightful observation. I think that what it does tell is that the traditional way of finding one victim — that is, someone sitting at home that has their bank account raided — will shift towards, in a typical case, going after and identifying an organization within Canada. For example, there is a celebrated case in Montreal where none of the victims were aware that they were victims, but, through other investigative means, the police were able to identify that a group had stolen tens of thousands and millions of credit card information and were using it.
This bill would allow them to prosecute that case. The challenge, from what I have heard articulated to me, is that the police have difficulty informing all those victims and then bringing them all to court to testify. It would be much easier if they could bring the people they are intending to prosecute to court and ask them to explain why they had a million credit card numbers sitting on their computer.
The target of the crime will not be based on a victim complaining but, rather, on some very active, pro-active policing, I think.
Senator Milne: A previous incarnation of this committee heard from the online gambling people that IP providers, service providers and telephone companies were really just facilitators. They were not talking to the police. However, we are now hearing from you that you are talking to the police all the time. I am beginning to wonder exactly what the situation is.
Mr. McMahon: It varies between police forces and between various telecommunications companies. When you are looking at tier one carriers and main national police forces, there is good cooperation. If you are looking at a tier three provider and a local police force, I cannot speak to how good their relations are.
The Chair: It gets more and more interesting, but our time has run out, Mr. McMahon. We thank you very much. This has been extremely useful, as Senator Baker observed, all in language that we could understand, which is very helpful.
We are now pleased to welcome, from the Samuelson-Glushko Canadian Internet Policy & Public Interest Clinic, Mr. David Fewer, Acting Director; and Mr. Tamir Israel, articling student.
I believe you know how we operate. We ask you to make an opening statement and then we will go to questions.
David Fewer, Acting Director, Samuelson-Glushko Canadian Internet Policy & Public Interest Clinic: Thank you for the opportunity to bring us here to speak about a serious problem that is directly affecting an increasing number of Canadians. It is indirectly affecting us all through the costs that are passed on to consumers and through the preventative measures that we all now must take.
Our clinic is a technology clinic at the law faculty at the University of Ottawa. Our mandate is to speak on behalf of the public interest at the intersection of law and technology. You can understand why we are here today.
We have done a great deal of work in this area in the past. We have been part of a multi-institution research project on identity theft that is now completed but was funded by the Ontario Research Network for Electronic Commerce, which is a private-public partnership that includes four major Canadian banks. Over the course of the last four years, we have been researching legal and policy initiatives in this area. Colleagues at four other Ontario universities have also been examining issues involved in the definition and measurement of identity theft, as well as approaches to technological solutions to ID theft.
On our website, at cippic.ca, we have published a series of working papers on various aspects of ID theft. These include an introduction and backgrounder, a working paper on techniques, a working paper on legislative approaches to identity theft, an overview of case law on identity theft, policy approaches to identity theft and enforcement of identity theft laws.
We have also published a white paper on security breach notifications, which we would say is one measure that the Canadian government could be taking steps on that would help address identity theft issues quite apart from what we are here today to speak about.
We have also posted a web page on identity theft that includes all these documents and more, in addition to frequently asked questions and resources for the public. Later this year, we will issue a final white paper that tries to pull together all of this work with specific recommendations for law reform and for policy reform.
We are pleased to address you today on the topic of Bill S-4. Our comments will touch on three topics: first, Bill S-4's proposed changes to the Criminal Code; second, some proposed changes to the Criminal Code that are not in Bill S-4 but would go a long way, we think, towards helping to address identity theft issues; and, finally, wider proposals to address identity theft.
I saw from the grilling that you gave my friend Mr. McMahon this morning that you have a lot of questions on this topic. I propose that I will abbreviate the comments that I was going to give and get right to it.
Our position on Bill S-4 is that we like it. This is good. Bill S-4 addresses wrongful activities and fills gaps in the current law with respect to preparatory acts involved in identity theft — thumbs up. It will also provide law enforcement authorities with much better legislative tools with which to catch and convict identity thieves. Again, thumbs up. We are particularly pleased with the amendment providing for victim restitution.
What is not in the bill? I do not want the Canadian government to pass this bill, this law, and think, "Okay. We are done with identity theft. We have done what we can do." This is just the beginning. This bill goes a long way in saying that these acts are wrongful. They are contrary to the Criminal Code and we have measures in place for law enforcement to address them, but much more could be done, even within the Criminal Code.
We would like to see amendments to the Criminal Code to provide for victims to have the right to obtain a police report. This will go a long way towards helping victims follow up with law enforcement agencies and do away with an impediment to the fast action that is required for victims to repair damage and prevent further damage. That is one of the interesting things about identity theft. It is the crime that keeps giving or taking, again and again.
Second, we would like to see the Criminal Code amended to provide for the right of a victim to obtain a court order indicating factual innocence. Again, this goes to the point that victims of identity crime have to go back again and again to creditors, to banks, and to other institutions that they are dealing with saying, "No, that was not me. I am a victim of this crime the same way that you are." A court order declaring innocence would go a long way towards helping victims address those issues.
Finally, we would like to see stronger sentencing guidelines developed for offences involving identity fraud. Our observation has been, particularly earlier in the evolution of this crime, that penalties were relatively low. The attraction for organized crime in particular to regard these sorts of penalties as the cost of doing business is just unacceptable. We would like to see guidelines on sentencing that show that this is in fact a harmful crime and that those convicted should be sentenced to significant penalties.
Finally, with respect to extra criminal measures, we really want to emphasize that the Criminal Code is capable of addressing only a small part of the identity theft problem. If we are to attack the problem of identity theft effectively, we need to do much more than just establish crimes for which police can charge offenders. First and foremost, we think there is a need for better data. We have a difficult time in Canada getting an understanding of the scope of the problem, the quantum of harm, and the length of harm associated with identity theft. We think we can do much more in gathering that data.
The primary means to do so, in my view, would be the establishment of a federal-provincial-territorial task force on addressing identity crime issues. This approach was adopted in other jurisdictions and has resulted, in my view, in a much more comprehensive and coherent policy approach to dealing with identity theft. Canada should follow those approaches. We have done so before in other contexts, particularly with respect to the anti-spam task force a few years ago that has now resulted in Bill C-27 before the House of Commons, which addresses not only spam but also other privacy-related online threats, such as spyware.
Second is resources. My guess is that this committee has heard or will be hearing from law enforcement who will tell you that having the resources, both the technological expertise and the financial resources, to address identity theft issues is an impediment to the resolution.
Third is addressing sources. This is a huge issue. If it were not so easy to get consumer information to commit identity theft, it would not be such a problem for consumers. This means, to a certain extent, that consumers must be more aware of what they can do to limit identity theft, but it also means addressing the institutions and organizations that hold consumer data. We could do a lot more in the area of security breach. What kind of obligations are on institutions to safeguard all of our personal data? What kind of obligations do they have to disclose to consumers when a breach occurs? To whom should that disclosure occur? We can do a great deal in this area.
Fourth is mitigation. I have touched upon this a bit with respect to the scope for mitigation provisions within the Criminal Code, but I think we can do more as well. Consumers should be given rights empowering them to mitigate damages when they find themselves victimized or at risk of being victimized. For example, we should have the right to be informed of a security breach issue. Right now, we are not.
I was interviewed by the CBC just a few days ago and found out that credit card companies do not tell consumers where the source of a breach has occurred, if there has been a breach at a business they deal with, and this is because credit card companies are in an inherent conflict of interest. They have a double-sided business. Consumers are the customers, but the businesses consumers deal with are also their customers, and the credit card industry does not have an interest in disclosing which of its customers has a compromised security breach area. We can do more.
The final point is an identity theft victim assistance bureau. If you have ever met or spoken to someone who has been a victim of identity theft, you know it is a very difficult process to remediate. We could do an awful lot to help victims in this area, and I do not think we are doing anywhere near enough.
Those are my initial comments. I would welcome questions on any of those things, and, obviously, of course, on Bill S-4 as well.
The Chair: Thank you very much indeed.
Senator Wallace: I compliment you on the detailed work that you have done, the comprehensive review that you have given this topic and the studies that are online. Certainly we will be looking at those.
I was interested to hear you say that the work that you have done has involved the banks. Of course, the banks are greatly concerned and are really at the front line of identity theft. As Senator Dickson pointed out earlier, being a victim of credit card fraud puts you in direct contact with your banks. They hear the complaints and deal with the financial reality of it. I am curious about the response that you have heard directly from the banks in regards to Bill S-4. I have had discussions with them, and I wonder how you find their reaction to this bill and the level of support they have for this bill.
Mr. Fewer: I have not heard any opposition to the bill from the banks, not directly, though I do have to confess that I personally have not discussed this issue with the banks, this legislation or Bill C-27 before it, or even Bill C-299, the impersonation bill that preceded this one as well.
Tamir Israel, Articling student, Samuelson-Glushko Canadian Internet Policy & Public Interest Clinic: I do not think we consulted with the banks on this.
Mr. Fewer: I do not have a great answer for you on that.
I should introduce Tamir Israel, CIPPIC staff. He has done a great deal of work in the area of confidential information and personal information and has an interest in identity theft.
Senator Wallace: Thank you. With many of the recommendations that you have made and included in your presentation and the analysis you have done, have you had a detailed analysis of other jurisdictions? Have you looked at how they have dealt with the issue, and does that form part of the basis of the opinion you shared with us this morning?
Mr. Fewer: Absolutely. We have done quite a bit of comparative legal research. We are a bit behind the curve in addressing this legislatively. If you look down to the United States in particular, which is a jurisdiction we deal with a great deal and with which we have significant cross-border issues, you see that they are ahead of us in centralizing responses to identity theft issues. The Free Trade Commission, FTC, is kind of the one-stop-shop in the United States for addressing identity theft issues. Also, within states, California in particular has been very progressive in legislating responses to identity theft. We have done a fair amount of work looking at those approaches and comparing them to what we have here in Canada. Bill S-4 goes quite a bit of the way towards adapting many of the approaches in the California law in particular.
Senator Wallace: With many of your recommendations and getting a structure in place and protection in place for citizens, would some of those mechanisms more properly be found outside of the Criminal Code? Has that been your experience in looking at other jurisdictions and how they have dealt with this and having a centralized data repository for some of these issues? Is it fair to say that these should not necessarily all be dealt with within the Criminal Code?
Mr. Fewer: That is absolutely true.
Senator Wallace: Has that been the experience you have seen in other jurisdictions?
Mr. Fewer: Absolutely.
Senator Wallace: Thank you very much. I appreciate that.
Senator Baker: We just heard from a witness prior to you gentlemen who said that the majority of identity theft crime of Canadians actually takes place offshore in other nations. Therefore, if we are passing legislation and it means something, then of course we have to at some point address that problem.
Before I continue, are you the same David Fewer who took the Privacy Commissioner to Federal Court and won on this issue?
Mr. Fewer: Yes.
Senator Baker: Oh, excellent. We passed the PIPEDA law. Within the law, the jurisdiction of PIPEDA was Canada. You took PIPEDA to the Federal Court, section 18.1 of the rules, as a judicial review, and you won. According to my recollection of the judgment, it was only last year or the year before that.
Mr. Fewer: It was not long ago.
Senator Baker: As a result, they now have to investigate this crime in the United States. Could you share with the committee the scheme that you concocted with somebody else to actually initiate this? You went on the Internet and fed somebody's name to an agency that promised to tell you everything you needed to know about this Canadian citizen, their criminal record, their psychological profile and everything, all their personal information. Could you explain to the committee what you did in order to change the law of Canada relating to PIPEDA?
Mr. Fewer: I would first say that perhaps the honourable senator is overstating the impact of the decision and the argument.
Senator Baker: You would not overstate it.
Senator Campbell: Senator Baker never overstates.
Mr. Fewer: We had a concern in that case that the Privacy Commissioner was effectively fettering herself and effectively restricting the scope of her jurisdiction under the act. It is not that PIPEDA protects Canada; it is that PIPEDA protects Canadians. We urged the commissioner and the court to take a view that the law should protect Canadians in those circumstances where there is a violation of the act in the presence of real and substantial connections to Canada.
In this case, it was basically an information broker who offered a service. I cannot remember the exact name of it, but it was the Canadian information service and had a little Canada flag there as well. It was advertising and saying that if you want to find information out about a Canadian, come to this service and it will give it to you.
Senator Baker: In a foreign nation.
Mr. Fewer: This organization was in the United States, though plainly it had to have agents or conduct investigations in Canada, so there were some connections to Canada. It is difficult to say you are going to investigate a Canadian's telephone records if you are not actually going to in some way engage with a Canadian telephone company. There had to be some connections to Canada, unless the company was just a fraudster, just taking your money and making things up, which, with respect to the psychological reports, may well have been the case.
Senator Baker: They were not right on your psychological report?
Mr. Fewer: I unfortunately did not get one of myself. My former colleague, the former director of the clinic, assures me that her psychological profile was off. I hope it was. Let us put it that way.
Those were the circumstances of the case. It does make it difficult for the Privacy Commissioner to investigate foreign crimes, but this happens all the time in the criminal context and in civil contexts and in other regulatory contexts. We have ample agreements with the United States to basically cooperate with one another on these kinds of investigations. In that particular case, it was not a difficult matter. The FTC had jurisdiction to look into the very same kinds of issues that we were asking the Privacy Commissioner to investigate, and that is what subsequently happened after we got the court decision that said yes, the Privacy Commissioner had jurisdiction. The Privacy Commissioner and the FTC basically cooperated in their investigation. We understand that the FTC will be issuing a finding shortly, and we anticipate it to be something that most Canadian consumers will be happy with.
Senator Baker: We congratulate you on your success in extending the jurisdiction of the Privacy Commissioner of Canada to the collection of identity theft material in the United States and in a foreign jurisdiction. It was a marvellous case.
In this particular bill, you praised the question of damages. That is, when the sentence is being given, an award shall be given, as I understand the wording, relating to damages suffered because of the identity theft. In your submission, you say that collecting damages is a costly venture. Under PIPEDA and our Privacy Act, directly in the act, an application to the Federal Court for damages is allowed.
Now we have in the legislation, together with another piece of legislation under PIPEDA, two routes to go for compensation, and the cost involved with going to the Federal Court. However, do you still think that what is in this legislation takes precedence over what is already on the books?
Mr. Fewer: This is better than what PIPEDA has to offer, absolutely.
Senator Milne: When I was first appointed to the Senate in another committee at another time, we heard evidence from one of these information collectors in the United States that they could, if you wanted, provide for a fee the name and address of every single left-handed fly fisher in the United States. That is how much information they have collected about every single person. It is absolutely incredible. I congratulate you.
Senator Campbell: Mr. Fewer, you should know that it is rare that the Svengali of case law in this committee, Senator Baker, genuflects, but I did see a slight motion on his part, so you should be quite honoured by that.
My simple question has to do with the police report. If you are involved in an investigation and you make a police report, you will get a case number from the police. If you ever need to refer to that for whatever reason, it would simply be a matter of giving them the case number and that could be confirmed.
Why is it so important to get the police report? Regarding the difficulties involved in a police report because of the Privacy Act, you will get a police report but it will be black except for the words "a" and "the." Everything else will be blacked out except, perhaps, your name. Why would the case number alone not be sufficient?
Mr. Fewer: In our more detailed comments, we think that the police report will help streamline the process by which victims will be able to remove fraudulent activity from their various records — financial, criminal, medical, and so forth. That streamlined process would also assist consumer reporting agencies, businesses, collection agencies and others who need to deal with the consequences of identity fraud.
The report is more than just a number. To a certain extent, the report is an authenticated, trustworthy document, something that businesses can rely upon and use to make better decisions about how to respond to remediation requests.
Senator Campbell: It will not tell you anything. If you have seen a police report after you have asked for one, it will not tell you anything. At the end of the day, it will just be a blacked out document with your name, date, address and phone number. That is what I am saying.
I understand why you would want something that says, "I am innocent; my name is clean." However, I do not see how the police report would do that, nor do I see that that is the responsibility of the police. You could be waiting years for that final police report to be concluded. I understand the need for that. If you are in a situation where each time you use your credit card, someone says, "Oh, sorry," and you have to then phone and say, "No, it was not me," I do not think the police report will get that for you.
You did a great job on the rest of it.
Senator Joyal: Mr. Fewer, I believe we have a phenomenon that we have not addressed specifically. It is the following: Companies have been building information on individuals through recoupment of all kinds of sources, and then they sell that information. We will have more of that because it is becoming a marketing tool. If you want to sell blue-rimmed glasses, a company will tell you to which customer you should offer blue-rimmed glasses on the basis of the information that they have compiled in data banks.
There is a free market of information. It is a free business. Anyone can compile information about anybody and sell it. At the same time, we have not defined the responsibility of those companies to ensure that they do not break into that information and use it for creating or stealing identities.
If we want to show the public that we are aware of what is going on, we have to be aware that this is the reality now. You have studied it better than any of us here around the table.
We are concerned about addressing the specific case of somebody who steals a passport and pretends to be the other person. That is the easy thing, and I believe there are now a small number of cases. That is not where the problem lies in terms of volume.
There is more volume in breaking into a computer where all kinds of data are stored, or in being connected to eBay and being able to hack the credit cards of people who buy on eBay. Any one of us knows stories like that. My assistant who buys on eBay has told me his credit card has been used fraudulently three times.
Those are the kinds of problems we have. It is not enough just to tell companies that they have to be prudent and they have to work with the police. There must be a new responsibility there.
As much as this bill has objectives to which all of us ascribe, I have the perception that we will remain short of what will come and develop in the years to come.
I am supportive of the bill, as you are, and as some other witnesses have been. However, as you know, it is very difficult to have legislation passed in Parliament and have it adjusted later on. In this legislation, especially, there is no obligation on Parliament to review it after a while to ensure that it still meets the objectives. Therefore, we should be concerned with trying to deal with the problem that is emerging through the way the system develops.
You alluded to it in your brief when you mentioned the data protection law and so forth. As you said quite clearly, this problem is not addressed in the legislation.
Mr. Fewer: I would agree with everything that you have said. This legislation is good for what it does. It should not even pretend to be a comprehensive attempt to address identity theft issues. The security breach side, when an organization that collects and uses personal information then does not use appropriate safeguards or does use safeguards or uses inadequate safeguards or has breached through no fault of its own, is a problem. That harm has been known for some time. I would take the government to task a little bit for not having introduced data-breach legislation at this point. I understand the issues are a little difficult, but the problem has been identified and we need to move forward to address it.
Senator Joyal: It seems to me that this is a key issue with the way the technology is evolving. The worst of the scenarios is that those data banks are stored somewhere other than in Canada. It is so easy for the information to travel around the world. If I were an ill-intentioned person, I would never establish my working base in a country where there is legislation; I would go to countries where the legislation is more lax. If you say the United States has better legislation, I would go somewhere else. I will not name any countries. I do not want to offend anyone.
We know, for instance, that today the information centres for many Canadian companies are located in Asia and around the world. It is easy for someone who wants to break into those data banks to do it, especially if they operate from countries where the legal system and the police are more lax than ours.
It is not as if the guy we are trying to find is across the street or in the neighbouring town. The people we sometimes want to find are located thousands of kilometres away. It seems to me that we should be concerned about reflecting that reality, and we know that it will be emerging and developing in the future.
I am not sure that this bill, as much as it is good, is just the preliminary of what should be our comprehensive approach to fighting Internet crime, generally speaking, which is linked to what we want to achieve because most of that stolen information is stolen through the Internet. The largest number of cases comes through the Internet.
Mr. Fewer: That point goes back to a point raised earlier about the limitations of criminal law for addressing all of these aspects. Spyware, spam, phishing and pharming are all exotic names for new Internet crimes. All of these behaviours have international components to them. To a certain extent, the international community is doing a reasonable job of coordinating on some of these issues. However, much more could be done. I would agree that a final solution to these problems requires international cooperation, public-private partnerships and both criminal and regulatory responses.
Senator Joyal: On page 3 of your brief you mention that clause 11 of the bill provides for restitution to victims of identity theft, and you make two recommendations after having commented that the benefits of the restitution for victims are minimal in clause 11. You recommended in your conclusion, in the fourth bullet on page 8, two additional provisions to the Criminal Code: "Adding provisions within the Criminal Code granting victims of identity crimes a right to a local police report and a right to a judicial order of innocence."
Since you are a jurist, could you explain more about how you would phrase that in the Criminal Code?
Mr. Fewer: My quick response is to look at California again. My suggestion for both the police report and for the court order comes from California legislation that consumer advocates have found to be helpful. I do not have a copy of the legislation in front of me. Do you have it, Mr. Israel?
The Chair: If you could even give us the name of the relevant act we can probably find it on the Internet and I will ask our researchers to do that.
Senator Joyal: Not in a data bank.
The Chair: No; nor with any of our names attached.
Mr. Fewer: I do not have it on hand immediately, but I will undertake to provide it to the clerk following this and she can forward it to the members.
The Chair: That would be appreciated.
Senator Joyal: On the other issue of the crime of breaking into a data bank, could you provide us with comparative legislation that you might have at hand so that we could reflect upon the need to have a similar provision or comparable provision in the code, considering that this is one of the key elements of crimes related to identity theft and other related crimes?
You advocate the creation of a national identity theft victim resource and assistance bureau. Do you see that as a national institution? Could you explain in larger terms what you mean by that?
Mr. Fewer: The issue is that identity theft is a crime that keeps victimizing the victim over and over — every time you go to get a new credit card or you apply for a loan for your house, or if you are just doing nothing and you find out that, again, your documents have been used to commit some further fraud. The question is how we can help victims in this space. It turns out it is incredibly difficult for victims to remediate, to clear their name, to put a stop to continuing frauds. You have to go from institution to institution. At each institution you may have to educate anew because you are dealing with someone at the help desk who has never had to deal with an identity theft issue before. That person does not understand. He or she suspects that you are a fraudster and again you are victimized.
Our view is that this crime is becoming common enough and is harmful enough to justify putting some public resources towards helping victims clear their names and prevent further frauds from occurring. It makes sense to do it nationally because so many of our institutions are national. It makes sense as well not to have to duplicate resources. Even for institutions that are not national the issues are still the same. Regardless of where your bank is or where your credit card is issued from, the issues will arise in the same way, and it would be very helpful to consumers if they had a resource that could basically take them by the hand and take them through the process of remediating and clearing their name and clearing the fraud.
Senator Joyal: How do you see that office or registry being financed? Do you see that through contributions from credit card companies or banks or financial institutions that provide or will collect that information?
Mr. Fewer: To be frank, I would like to see the institution arise. As to how it is funded, I am very flexible. It could very well be funded through organizations that would benefit from that institution; banks, credit card companies, mortgage lenders, those kinds of institutions.
It may be the kind of thing that we characterize as an investment. Such an institution certainly could have the mandate of remediation, but it could also have the mandate of consumer education, helping consumers understand how to prevent such crimes from arising in the first place. It could also help organizations with security breach issues, helping them understand how they could prevent such crimes from happening in the first place.
The Chair: On a supplementary, are you familiar with a federal-provincial body, which does exist, called the Consumer Measures Committee?
Mr. Fewer: I am.
The Chair: What you are talking about, at least part of it, sounds a lot like what I understand to be their mandate, including doing research and analysis and developing consumer education initiatives.
Mr. Fewer: My understanding of the CMC is that it does not have a desk. There is no place I can go to and say, "I am a consumer and I have a problem." It is not a complaints organization or a consumer-assistance organization. It operates at a higher level. It is an excellent organization. As a consumer advocate, I would love to see its mandate expanded and its reach lengthened. That may be an appropriate venue for this kind of initiative.
There are other appropriate venues as well. This is not far off from what the Privacy Commissioner does. The Competition Bureau similarly takes complaints from the consumer, although they do not often have a consumer-assistance mandate. The Canadian Radio-television and Telecommunications Commission, CRTC, to a certain extent also takes complaints. Through the CRTC, we now have the do-not-call registry, which is a much more consumer-facing issue. The CRTC also oversees the implementation of the telecommunications complaints ombudsperson, which is another consumer-facing bureau. All of these institutions have some problems. None is quite the institution we have in mind for this.
Senator Joyal: As I was listening to the witnesses, it occurred to me there is a principle that inasmuch as data banks develop, someone holds them as they continually grow. At some point in time, the responsibility of that person must be called into action because the risk is bigger as a result of the amount of data involved. There must be a signal somewhere that you can do this, but you must take additional measures and initiatives to be sure that the banks are protected. In addition, you share the responsibility if there is a break-in at some point in time and you must be part of the compensation scheme.
I see more the system as a whole than trying to pinch one element or pinch another element, running after amending sections of the code each time a new problem arises. It seems to me that we have to have an approach that is comprehensive in how reality operates today.
Mr. Fewer: I would agree. I would not want you to leave this meeting thinking that our position is that the consumer should be absolved of all responsibility. This is true in almost every area of harmful Internet behaviour that we look at, such as spam, spyware, phishing or pharming. Consumers must take responsibility for their actions.
To a certain extent, however, we must be reasonable in that call. Consumers need to be informed of the risks associated with what they are doing. We think that most businesses have incentives not to be as forthright or upright as they could be in disclosing the risks associated with entering into transactions with them. I say that for two reasons. First, it might scare some consumers off from doing business. Second, on the back side, if businesses do something wrong, what harm is there? In other words, if they breach their obligations often and disclose to consumers about the nature of the information they collect, how they use it and to whom they disclose it, what is the penalty?
You have seen in our brief, and we have articulated consistently before other legislative committees, the need for better enforcement of our privacy laws against organizations that collect, use and disclose personal information. We think if there were better enforcement on the back side, there would be better consumer information on the front side, which would lead to a reduction of harms.
The Chair: Senator Joyal put at least two of the questions that were troubling me, so I thank him for that.
There is one further question I would like to ask. You are concerned about the need for people to be notified when there has been a security breach or when their identity has been stolen in whole or in part. You suggest that be done in federal privacy laws. The bill before us affects the Criminal Code, and I take it that you do not think that requirements for notification of security breaches belong in the Criminal Code.
Mr. Fewer: No.
The Chair: Why not?
Mr. Fewer: No, I do not believe they do because the kind of behaviour we are talking about here, the kind of fault we are talking about is regulatory or civil; it does not belong in the Criminal Code. We have a fairly comprehensive code to address commercial dealings with personal information of Canadians, and that is under PIPEDA.
The security breach issue strikes me as a gaping hole in what is otherwise a comprehensive regulatory approach to personal information, so it is best addressed there.
The Chair: This came up last night in our hearings, and I was puzzled as to why it might not perhaps, in addition, be addressed in the Criminal Code because of the immense damage that can be suffered by someone who is unaware that their identity has been stolen.
Therefore, if someone, your bank or some institution, knows that that identity has been stolen and that the person is at risk of great damage, failure to notify — I do not want to use the word "criminal" because that is technical and it pre-judges the answer — but it is such an immensely offensive and damaging act that I wonder where the dividing line would be to say this is or is not criminal.
Mr. Fewer: That is an interesting approach. Keep in mind we are talking about commercial behaviour, commercial entities engaging in applying business judgments to their dealings with personal information. We usually reserve criminal law for those most extreme violations of the public trust, especially in the commercial setting, such as the Enrons and the deliberate polluters, these kinds of things.
Where it is a case of negligence, I query whether that rises to the level that we want to be putting our public criminal resources towards it. Thankfully, I do not think we have had to deal with issues of commercial entities going beyond negligence so that they are deliberately putting consumers in jeopardy. If organizations are involved to that degree of malfeasance with respect to personal information, usually they are up to other things that are no good.
The Chair: You can get them some other way?
Mr. Fewer: We can catch them under fraud, counterfeiting or some other bad behaviour, yes.
The Chair: Thank you very much. Thank you to both our witnesses. You have been very helpful and very interesting. We will bear in mind your various representations as we go forward.
Our next meeting will be on Wednesday, May 27, in this room at 4 p.m. or when the Senate rises.
(The committee adjourned.)