Skip to Content
 

Proceedings of the Standing Senate Committee on
Legal and Constitutional Affairs

Issue 9 - Evidence for May 27, 2009


OTTAWA, Wednesday, May 27, 2009

The Standing Committee on Legal and Constitutional Affairs met this day, at 4:16 p.m., to study Bill S-4, an act to amend the Criminal Code (identity theft and related misconduct).

Senator Joan Fraser (Chair) is in the chair.

[Translation]

The Chair: Honourable senators, welcome to the Standing Senate Committee on Legal and Constitutional Affairs. We continue our study of Bill S-4, An Act to amend the Criminal Code (identity theft and related misconduct).

It is a very interesting subject; this bill has been introduced in the Senate by the government, which it is not necessary the case with all bills. Most are presented before the House of Commons and come here later on. In this case, the bill was presented in the Senate.

[English]

As we continue our study of this most interesting bill, we are delighted to have with us as witnesses Mr. Gord Jamieson, Head of Payment System Risk at Visa; Ms. Vanessa Giuliani, Fraud Specialist, Consulting Solutions at Equifax; and Mr. Rick Rennie, Vice-President of Customer Security and Risk Services at MasterCard.

Thank you for waiting while our start was delayed for a few minutes. We are grateful to you for your patience and for being with us today. You have agreed among yourselves that Ms. Giuliani will be the first speaker followed by Mr. Jamieson and Mr. Rennie.

Ms. Giuliani, you have the floor.

Vanessa Giuliani, Fraud Specialist, Consulting Solutions, Equifax: Thank you and good afternoon. I am the senior fraud consultant at Equifax Canada.

I would like to start by thanking the committee for the opportunity to speak in support of Bill S-4. I would also like to congratulate the government for taking such a positive step to help stem the growth of identity-related crimes in Canada. Canadians benefit from coordinated strategies that involve government, law enforcement, industry and consumers. Bill S-4 is an excellent example of that.

Identity-related crimes have increased steadily since about 1998 with the increased use of electronic delivery channels and networks. The theft of personal information needs to occur to set up and prepare before an identity- related crime can be perpetrated. Bill S-4 is welcome legislation to help stem the flow of stolen information by making it illegal to possess it before the information has been used to commit that crime.

We, at Equifax Canada, have noticed a substantial increase in the amount of personal information stolen from a variety of sources such as rogue employees and other unauthorized access. We know this through joint investigations conducted with the police and finance service agencies.

The industry has taken a number of steps to mitigate the effects of this crime when it comes to prevention. However, the electronic transfer of personal information is critical when processing financial transactions in Canada. Only so many steps can be taken by the industry. Indeed, thousands of personal credit reports are electronically transmitted every day, which are acquired, secured and used lawfully.

There have been cases where rogue employees or foot soldiers will take credit reports from their place of employment and, much like a narcotics trafficker, sell them to organized criminal groups. In many of those joint investigations, police services report that stolen personal information is frequently found in traffic stops and other lawful searches. There is little to no legitimate reason for anyone to possess piles of credit reports, financial information or other identity-related documentation. With Bill S-4, the person in possession of this information will have to answer for that.

I would like to provide a little more information on identity fraud statistics and trends in Canada. Since 1998, Equifax Canada has been documenting the exponential growth of identity-related crimes. Between 1998 and 2003, Canada experienced a 500 per cent growth in identity theft reports where applications were submitted and damage incurred to a legitimate Canadian consumer. From 2004 to 2005, the growth rate levelled; but in 2008, the numbers climbed back up to the 2003 high, and fictitious identity crimes started to blossom.

Fictitious identity crime occurs when personal information is stolen and components of that information are used to create a non-existent person. The perpetrator does this by taking personal information, such as the Social Insurance Number of someone who is deceased or perhaps not yet part of the credit-granting system, and builds a non-existent identity. The perpetrator then monitors the progress of this fake identity by pulling credit reports and conducting hundreds of thousands of dollars in financial transactions before abandoning the fake identity of the person they created.

Of further note is the fact that we commonly see tens or even hundreds of fictitious identities being operated by the same person or group at the same time. Without question, regular or more traditional identity fraud, as well as fictitious identity creation, is on the rise and hundreds of billions of dollars are being siphoned by organized criminal groups each year.

I would like to pause for a moment and provide you with a recent example of a case involving fictitious identity fraud to try to help underscore the sophistication of this type of crime. This case is from about two years ago, and it was a joint investigation between Equifax, several members of the financial services community and the Metropolitan Toronto Police Fraud Squad.

Police from the Toronto Fraud Squad were tailing a vehicle that they believed to be participating in a different type of crime. Unfortunately, they lost the trail of that vehicle and then thought they had found the vehicle again. As it turned out, they had found a completely random vehicle that fit the exact description of the one they were trailing and realized that afterwards. By that time, they had uncovered, quite by accident, 15 credit reports sitting in the back seat. Those 15 credit reports were then given to Equifax to start a full investigation, and what we found was that three rogue employees from three reputable organizations had built 500 fictitious identities.

I brought ten examples of those fictitious identities with me today. To give you a sense of how lucrative this type of offence is, the average financial gain from each identity is approximately $250,000. If you multiply that by the 500 identities that these three people had created, that is over $125 million from a single case.

Bill S-4 is an opportunity for legislators to truly stem the increase in identity-related crimes and all of its modern manifestations. When law enforcement has the right to recover stolen information and prosecute the persons in possession, it will deter others with access to personal information from participating in this type of crime. Where penalties are in place for trafficking in stolen information, perpetrators are more likely to be influenced by the consequences and rethink their foot soldier role in the crime.

Thieves are stealing and building fictitious identities as we speak, and this problem will not go away without a confluence of legislation, law enforcement and solutions from organizations like Equifax. With that in mind, we are very encouraged to see Canadian legislators moving forward with this bill and we offer our full support. The financial services and credit industry continue to do our part by responding to victims of identity-related crimes and investing millions of dollars each year in trying to detect identity-related crimes as quickly as possible.

Identity crimes have grown to a level that affects all Canadians either directly or indirectly. Unlike 10 years ago, I am hard-pressed to find a person today who has not had a debit or credit card copied, worked with an employee who was terminated for dishonest behaviour or had applications submitted using their identity.

Combating identity-related crimes is a battle that transcends politics, and on behalf of Equifax Canada, I commend you for helping to address the growing problem of identity-related crimes in Canada.

The Chair: Before we go on, you said you had brought with you ten, I think it was, cases. If you could give those documents to the clerk, we will have them circulated to the committee members.

Gord Jamieson, Head of Payment System Risk, Visa: Good afternoon. I am senior business leader in Visa's Payment System Risk Group. On behalf of Visa Canada, I am pleased to participate in the Senate of Canada's review of Bill S-4. Visa Canada supports the government's proposed legislation because, at its core, it is the criminalization of identity theft that will provide greater protection through the Canadian Criminal Code to all Canadians.

Identity theft is broader than and different from payment card fraud. We emphasize this distinction to ensure that the law targets those activities that are most likely related to that offence. We believe that Bill S-4, subject to our technical comments, does have the right focus.

Before I speak to our specific comments, I would like to clarify Visa's role within the payment system and in insuring the security of electronic payments.

Visa operates the world's largest retail electronic payments network, providing processing services and payment product platforms. This includes consumer credit, debit, prepaid and commercial payments, which are offered under the Visa, Visa Electron, Interlink and PLUS brands.

Security is a priority for Visa. We have made significant investments to protect the payment system and cardholder information. Visa cardholders can be confident when they use their Visa card to shop in person or online because of the fraud prevention and security features that exist on the card as well as on the payment system itself.

In Canada, these include: Zero liability, which means that consumers do not pay for transactions they did not make; the Verified by Visa service, which, through the use of a personal password, gives consumers added protection when they shop online with participating merchants; neural networks that monitor Visa card transactions 24/7, looking for unusual purchase situations; Chip cards, which are virtually impossible to copy to another card and help protect cardholders and retailers from lost, stolen or counterfeit card fraud; the three-digit code, which is also referred to as CVV2, is used by merchants to ensure that the purchaser is using a genuine card; and lastly, the Account Information Security Program, commonly referred to as AIS, which is a standards-based compliance validation and education program designed to help protect data at all points in the Visa payments system. To achieve compliance under AIS, merchants and service providers must adhere to the Payment Card Industry Data Security Standards, which is also known as PCI-DSS.

Protecting consumer confidence and delivering on our brand promise of convenient, secure, reliable electronic payments are important priorities for Visa. While consumers are protected against fraudulent charges on Visa cards with zero liability, we understand that the impact of identity fraud can extend beyond Visa payments. At the very least, victims experience the inconvenience and the stress of completing police reports, requesting replacement cards and working with reporting agencies.

Beyond ensuring consumers benefit from zero liability on Visa cards, we also help coordinate responses with our card issuers and gather critical information when an event occurs. On the prevention side, Visa develops compliance programs and standards aimed at squeezing fraud out of the payment system. We also provide consumer information on our website, work with law enforcement, and through the Competition Bureau's Fraud Prevention Forum, help educate cardholders about steps they can take to help protect themselves.

Visa proposes the following technical amendments related to payment card fraud. As noted earlier, identity theft differs from credit card fraud. Credit card fraud involves the exposure of account information leading to fraudulent charges. In the case of identity theft, thieves may obtain a range of information that can include a person's name, address, social insurance number, bank account information or place of work, and use this information to effectively steal an identity.

We believe that these amendments, outlined in detail in our written submission, strengthen Bill S-4 and ensure it is able to capture present and future activities.

In clause 4, proposed subsection 342(3) uses the phrase "including a personal identification number." This language is too limiting and should be replaced with "including identity information." We believe it is important that the legislation capture not only current technologies, but also be broad enough in scope to capture future technologies.

The reference to "credit card data" in the same proposed subsection should be replaced with "payment card data." The purpose is to capture all current payment systems, such as prepaid cards, charge cards, debit cards and credit cards, as well as emerging technologies, such as mobile and contactless products.

"Credit card" should be replaced by "payment card" in section 321 of the Criminal Code, as well. The Criminal Code should also be amended so that the definition of "payment card" means "debit, credit charge, prepaid cart, contactless, mobile device, plate or other device."

In clause 10, the reference to "credit card number" in proposed subsection 402.1 should be deleted. Visa believes that introducing those concepts in this provision is redundant, since proposed section 342 deals specifically with crimes related to credit cards. As well, "personal identification number" or PIN should be added in proposed sub section 402.1. In a related change, the definition of "identity information" should include a reference to personal identification number or PIN when our recommended change in clause 4 to proposed subsection 342(3) deleting the phrase "including personal identification number."

Finally, in proposed subsection 402.2(1), if the committee accepts our proposal to delete "credit card number" from proposed subsection 402.1, it follows that this section would apply only to identity information, not to credit cards.

Thank you for the opportunity to make this submission. I am happy to take questions later on.

The Chair: Thank you very much. Did all senators manage to catch those references?

Senator Joyal: We were trying to flip the pages.

The Chair: Often it helps us to have page numbers in the bill.

Mr. Jamieson: I am sorry.

Senator Joyal: We can come back to that.

The Chair: Fine. Those are interesting suggestions.

Rick Rennie, Vice-President, Customer Security and Risk Services, MasterCard: First I would like to acknowledge some overlap in the themes. I should point out that, while we are fierce sales competitors, we work closely and have a lot of common interests in combating fraud.

I am Vice-President, Customer Security and Risk Services at MasterCard Canada. Thank you for allowing me the opportunity to appear before you today to discuss Bill S-4 and its amendments to the Criminal Code provisions regarding identity theft and related misconducts.

Let me speak briefly to what MasterCard is and is not. MasterCard Worldwide advances global commerce as a franchiser, processor and adviser. We develop and market payment solution processes worldwide. We process approximately 21 billion transactions each year and provide industry leading analysis and consulting services to financial institution customers and merchants. Through our family of brands, including MasterCard, Maestro and Cirrus, MasterCard services consumers and businesses in more than 210 countries and territories.

MasterCard does not issue cards directly to consumers or set interest rates on cards. We do not make decisions regarding whom to issue cards to or what interest rates or fees to charge. Terms or conditions, including rewards programs, are made by our customer financial institutions, such as Bank of Montreal or President's Choice Financial to name two.

MasterCard applauds the government's decision to introduce legislation that criminalizes the activities which lead to identity theft and card fraud. As we know, these are often perpetrated by highly-organized and sophisticated criminals. Deterring this activity requires the active engagement of many players, including government, the payment industry, retailers, law enforcement, the courts and the public, of course.

At MasterCard, we know that despite our card issuing and acquiring customers' best interests, some consumers become victims of identity theft or payment card fraud. That is why fraud prevention and detection are an integral part of business operations for MasterCard and our customers, requiring multi-million-dollar investments each year in people and technology. I will speak briefly to some of these efforts later.

MasterCard has always stood with industry stakeholders in support of the government on this important issue. MasterCard strongly supports Bill S-4, just as we had endorsed its predecessor, Bill C-27. With the introduction of Bill S-4, we are confident the addition of measures to criminalize the collection and distribution of the personal information of private citizens will better serve to protect Canadians from the very personal and invasive crime of identity theft.

Card-specific provisions contained in the legislation will provide the justice system with the critical tools to target and neutralize the organized groups behind card fraud. While we fully support the spirit of the legislation, we would be remiss to not provide some comments on how Canadians might be better served by the legislation.

First, I would like to point out that the proposed legislation's definition of "identity information" under proposed subsection 402.1 appears to contemplate that a credit card number can be used alone to identify an individual, and this is not the case. A credit card number without another piece of identification, such as a name, cannot identify an individual and, consequently, cannot be used alone to commit identity theft, while a credit card number and expiry date alone could be used to commit fraud. MasterCard therefore believes it is important to distinguish between the terms "fraud" and "identity theft."

Second, MasterCard supports the bill's extension of the term "credit card data" in proposed subsection 342 (3) to include "personal identification number," though we recommend the term be expanded to "personal identification number or other authenticating information." This acknowledges emerging trends in payment card technology that can potentially deliver even stronger methods of authentication. Biometrics is one example.

Third, proposed subsection 342 (3) criminalizes the unauthorized use of credit card data. MasterCard recommends Bill S-4 take the opportunity to update the Criminal Code to reflect innovations in the payment card industry, and specifically that section 342 (3) be amended by adding the term "or other payment card data."

We recommend it be amended by adding the term "or other payment card data" after the term "credit card data." This will ensure the Criminal Code can encompass emerging technologies, for example, mobile payments or other handheld devices which will eventually contain payment applications.

I would like to take my last few moments to quickly highlight some of the policies and tools used by MasterCard and our customers to protect MasterCard cardholders and to safeguard financial and personal information. MasterCard has a comprehensive information security program to keep our networks secure and requires our financial institutions to adhere to related rules, including the Payment Card Industry Data Security Standards, or PCI.

Our zero-liability policy ensures that MasterCard cardholders are not responsible for fraudulent activity on their Canadian-issued consumer cards. Our chargeback policies afford additional consumer protection in instances where they do not receive goods or services purchased using their MasterCard card.

MasterCard and our financial institution customers employ very sophisticated financial transaction monitoring systems to detect fraud, often on a 24/7 basis. Cardholders are routinely alerted before they are even aware of fraud and the incidents are managed with minimal stress and inconvenience.

MasterCard SecureCode is a product that provides added security through the introduction of a password for online shopping at participating retailers.

Finally, MasterCard is a global leader in the implementation of chip and PIN technology, and our financial institution customers are well into the process of delivering chip and PIN cards and acceptance devices in Canada. Greater detail on these policies and tools is provided in our written submission, and I would be happy to expand upon that during the question and answer session.

Thank you again for the opportunity to address this important topic and the significant legislation you are pursuing.

Senator Milne: My first question is directed to Ms. Giuliani. We heard from a previous witness that modern identity theft is increasingly being used to steal smaller amounts from more accounts. One witness said that if you steal a dollar from a million accounts, no one will even notice that it is missing, let alone report it to the police. If they do report it to the police, the police will not spend a lot of time tracking down the theft of $1, just as they will not investigate a car crash that causes less than $1,000 of damage.

What is the solution to this? It is apparently increasing quite dramatically recently.

Ms. Giuliani: It largely depends on the type of fraud being referred to. There are some internally driven frauds where a little bit will be taken from many accounts, and that is extremely difficult to detect. More modern identity thieves are also trying to fly under the radar. However, the "fictitious identity" frauds that I referenced are still affecting multiple accounts with significant amounts being expended or taken down at once.

In terms of a general solution, the industry has been working collectively on a number of things over the years. I was not going to speak about some of our ideas on that, but since you asked, I will. Again, it is relative to the type of fraud. In some situations, having greater capability to verify the information submitted on the application would greatly help detect the fraud at the outset. In that way we will not be in the predicament of having to detect it in all of its modern forms. In other cases, organizations could step up internal monitoring tools as much as possible.

Senator Milne: Do you see this kind of fraud increasing and the frauds in larger amounts decreasing?

Ms. Giuliani: There has been some movement, but not nearly to the point of being so small that it would go without notice. Using hypothetical numbers, if the average loss to an identity theft was $75,000 at one time, it may be $25,000 now, but it is still substantial enough to warrant our attention.

That is for the theft of another's person's identity or submitting applications in someone else's name. Fictitious identity fraud numbers are through the roof.

Senator Milne: That is interesting. That is what we have been hearing.

Do you gentlemen agree with each other's suggested amendments for improvements to this bill?

Mr. Jamieson: They are nearly identical. We are competitors, but we are fairly consistent in our approaches to identity theft.

Within the credit card industry, we report on a number of different fraud types. The ones specifically related to identity theft are clearly false applications, and those could be either true names or fictitious names. The second kind is what we call account takeover. That is where someone has another's personal information, calls a financial institution and asks for a second card for their daughter, for example, and provides an address for delivery of the card. That is someone taking over another's account. They would have to have personal information and know enough about that individual to take over the account.

Those two categories represent about 5 per cent of total fraud losses.

Senator Joyal: What is the amount of the losses?

Mr. Jamieson: The CBA acts as an independent broker for the industry to gather our information. I will not share mine with MasterCard and American Express, and vice versa. As a total for Visa, MasterCard and AmEx, for the 12 months of 2008 there were $407 million in losses from all types of fraud. Taking out false applications and account takeovers, which represents about 5 per cent, that works out to about $20 million.

Senator Baker: I do not think that completely answers the question. It is fine to say $400 million or $20 million, but of what total amount? What would be the percentage of loss?

Mr. Jamieson: That is the loss.

Senator Baker: Yes, but what percentage of total transactions would that be?

Mr. Jamieson: That is about one tenth of 1 per cent.

Senator Milne: I am interested in what you said, Mr. Jamieson, about the three-digit code, which is referred to as a CVV2, that is used by merchants. Canadians have three-digit codes on their Visa cards. Quite often outlets in the United States require a four-digit code and you cannot use your Visa card there.

Mr. Jamieson: There is some confusion. The three-digit code on the back is traditionally used for card-not-present transactions. Internet transactions are a perfect example of when that code would be requested. You need something beyond the account number and the expiry date; you need this additional information.

In the U.S., sometimes at gas pumps, for example, they will ask for your postal code. In the U.S., it is a numeric postal code known as a zip code while ours is alpha-numeric, and that causes problems. It is not compatible in the U.S., so they would have to go into a kiosk to complete your transaction.

Senator Milne: They ask for a four-digit code in some places. It is not the PIN number, because it is not printed on the card.

Mr. Jamieson: Some consumers confuse that three-digit code with their PIN number, which is not the case. CVV2 value and equivalent security features of other brands are on the back and are only three digits. They are meant for card-not-present transactions. Some merchants are starting to use them in card-present environments. One large electronic retailer in Canada uses them in the card-present environment to deter counterfeit, and it has been very effective.

Senator Milne: I find it disturbing that with a card with a chip in it my signature is no longer required.

Mr. Jamieson: You are authenticating with a PIN.

Senator Milne: Someone else can use that card and do the same thing.

Mr. Jamieson: They have to know your PIN, though.

The Chair: We keep reading horror stories about how people can read your fingers on a keyboard to figure out what your PIN is.

Senator Baker: You have suggested specific amendments to the legislation. This is a good time to make those suggestions because the bill is being introduced here, and it will go to the House of Commons later, if it passes here in the Senate.

If I read your specific suggestions correctly, and I listened carefully to what you said, were to more or less stretch out the coverage of the particular sections you referenced so that it would not be particularized but rather generalized, and the definitions would change so they could encompass more than the bill presently anticipates.

We heard from the Department of Justice the other day on this bill. We raised a concern about one section being too particularized. I would like your opinion on the explanation given to us. It was that for fear of Charter challenges they had to restrict the definitions in some cases.

Do you have any thoughts on that? Mr. Jamieson, you are a former RCMP officer.

Mr. Jamieson: Yes, I am.

Senator Baker: You should have some opinion.

Mr. Jamieson: I do have opinions. My only point here is that the reason we wanted it stretched somewhat is because we are introducing these technologies today. To introduce a bill that is limited to current technologies that you all are aware of does not seem appropriate. We are testing mobile transactions on your cellphone, using your cellphone to wave in front of a terminal right now. It is out right now; we are testing it.

We have contactless cards that could be a fob, which is not necessarily the plastic that you are used to seeing. That is why it is important that you address it now and include it in that, or you are writing legislation that may be outdated when it comes out.

The Chair: In connection with what should be covered by payment cards, Mr. Jamieson, you said the definition should be amended to mean any debit, credit, charge or prepaid card, contactless mobile device, plate or other device. I betray my technological ignorance. What do you mean by "contactless"? Is that wireless? Also, what do you mean by "plate"?

Mr. Jamieson: Plate is part of the definition within the code now, so we kept that same terminology. It could be something you are taking an imprint of. Our cards have embossing on them today, so you take an imprint of something and it is like a plate.

"Contactless" is the technology that is coming out. We have contactless chip cards, for example.

The Chair: You just wave them.

Mr. Jamieson: You just wave them. Mr. Rennie may have one here.

Senator Joyal: What the witnesses are saying is exactly what we raised at our last meeting; I know the sponsor of the bill was listening at that time. We want to be sure with this bill that we are not behind the technology, that we are at least at par with the technology and even able to try to cover future developments so that the bill will not be obsolete the day it is passed and gets Royal Assent. I wonder if the Department of Justice is in the room to ensure that they will be able to react to the proposed amendments, which express the concern that we have already stated around this table — that the new method of payments, which are totally beyond our imagination now, will change completely from the plastic card that we all have in our back pockets. The telephone and other electronic devices will be the method for paying and transferring money and doing whatever business transactions will be available for any customer.

Since those are very specific proposed amendments, it is important that we get the reaction of the Department of Justice and the sponsor of the bill to ensure that what we do is not working in the context of 19th century technology, but the technology that will be in place at the end of this century. Can we ensure that?

The Chair: We can, indeed. In connection with these or any other proposals for amendment that are made to us, we will be sure to contact the department for its response to those proposals.

Senator Baker: I discovered during questioning that Mr. Jamieson is a former RCMP investigator. I have seen his name in case law, where he investigated this very subject with machinery that was used for forging cards and successfully brought to a conclusion some very serious matters. That is not what I wanted to ask him about, although it is fascinating in and of itself.

Mr. Jamieson, in various sections that you wish to expand upon, the bill gives authorization for investigations concerning forgery instruments, possession of forged documents, credit card data, identity documents and identity fraud. It gives authorization under a section of the Criminal Code which is called "Invasion of Privacy."

You are aware of the typical authorization you get to tap people's telephones and interfere with persons on reasonable grounds under investigation. Do you think the bill is going a bit too far in adding so many sections under forgery and fraud to that section of the code — specifically section 183, which authorizes the tapping of telephones and all other communication devices?

Mr. Jamieson: I have applied for wiretaps in my days with the RCMP, and they were specifically directed at credit card-related offences. I gave comments to my predecessors when they were developing legislative changes in the mid- 1990s around section 342 of the code. I think we have sufficient legislation around credit cards for law enforcement to do its job. It did apply to wiretapping; it did allow us to apply and be granted wiretapping for those types of investigations we were investigating.

That is why I am saying that for some of the aspects here, specifically credit cards — not identity theft, we must draw that distinction — there is sufficient legislation in place specific to credit cards. Identity theft is a different aspect, and I think there needs to be that requirement there.

Senator Baker: Changed to incorporate what you have pointed out that should be amended?

Mr. Jamieson: Yes.

Senator Angus: Mr. Rennie, you listed all these different trademarks — MasterCard, Maestro, Cirrus — but you did not mention Mosaic and we see that name around a lot. What is the story there?

Mr. Rennie: Mosaic is a specific product from one of our financial institutions.

Senator Angus: From the Bank of Montreal. Would they have the intellectual property rights to that name?

Mr. Rennie: It is a trademark name that they have. MasterCard, Cirrus and Maestro are brands we license to our clients around the world.

Senator Angus: You have been having quite a bit of experience with Senate committees lately. How is it going?

Mr. Jamieson: Not myself.

Mr. Rennie: It is well above our pay scale.

Senator Angus: Some of us senators sit on certain committees, others sit on other committees and some, like Senator Dickson, sit on all relevant committees.

In terms of the draft legislation we are reviewing here for identity theft — and you all seem to favour it — if I understand the thrust of it, it will reduce some of the costs you incur to chase down the bad people for fraud and so forth. Would this compensate for some of the increased costs?

Mr. Rennie: Can I speak to that one?

Senator Milne raised an important point that is worth highlighting again, which is that card fraud in particular is run by very sophisticated groups. On the question about do you go after someone committing a $500 or $1,000 crime, there are not the resources to justify doing that.

Through the efforts particularly of our issuing financial institutions, all of those sophisticated detection methods I talked about — perhaps many of you have gotten phone calls from your financial institution questioning transactions that you may have processed — we find we are very effective at detecting fraud. That $400 million figure that Mr. Jamieson mentioned, I promise you, would be triple, quadruple or quintuple if not for those efforts. That is an important point to mention.

Regarding your question about the impact of this bill, it will undoubtedly support it. Law enforcement already had a lot of the tools necessary as Mr. Jamieson indicated.

We work closely with law enforcement on a regular basis. Our interest — that is, the industry and issuers in particular — is in bundling cases that have dozens or hundreds of these $1,000 or $2,000 losses so they can go after the organized groups behind it. That is one of the things that we strongly support from a prevention standpoint.

Also from a prevention standpoint, we are confident that chip and PIN technology will have a substantial impact. However, it is expensive to implement and it will take a long time to do.

Senator Angus: What is the biggest expense of that? Is it the machine?

Mr. Rennie: It is a combination. Issuers have to replace all of their plastics with those with chips embedded in them. Merchants have to upgrade devices to handle a chip transaction and networks have to be able to pass more sophisticated, enhanced data.

Senator Angus: I had an experience last weekend in Northern Ireland. I had the card with the chip and they had the machine, but it was not convenient to have me and the merchant together at the same time. I gave them the credit card and when it came time to get it back, I said I would put in my PIN. They told me, "No, we do not need to do that. We have everything we need. Thank you very much."

Mr. Jamieson: The case of whiskey is yours.

Senator Angus: What is the story? Does that happen in a place where you are trusted such as a private club? That surprised me.

Mr. Jamieson: It surprises me too. Without a cardholder verification method, which traditionally in the magnetic stripe world is a signature, as we go to chip technology, it is the PIN. That is how you are authenticating that you are the cardholder.

Senator Angus: It was a private club and they knew who I was in this case. Does that enable them to take the data from the card without the PIN?

Mr. Jamieson: Yes, they take the risk. Since you have a relationship with them, they are taking your card number and will process it. It would probably be done offline through paper processing by taking an imprint. They take the risk in that scenario.

Senator Chaput: I had the same experience at the airport in Toronto. They did not ask for my PIN, did not need it and the transaction went through.

Mr. Jamieson: Did they ask for a signature?

Senator Chaput: No.

Mr. Jamieson: We have some low-value transaction programs in place for less than $25.

Senator Chaput: It was over $25. It was a $200 purchase.

Senator Angus: You were buying my birthday present?

Senator Chaput: Buying myself a birthday present.

Mr. Jamieson: The point is that if the merchants do not follow the proper card acceptance procedures, if they choose to do that and process the transaction, then they take the risk if something goes wrong.

Senator Chaput: Is there a risk for me?

Mr. Jamieson: It is not your risk. It is the merchant's risk.

Mr. Rennie: It is important to point out that millions of transactions a day are being processed and there will always be exceptions. People will not follow proper acceptance procedures. However, they do to a great extent.

While we are in this transition period, it is more challenging because much more front-line training is required. People have to get used to it. The roll-out is uneven. That contributes to the challenges sometimes. We are confident that it will do exactly what we expect it to do.

Senator Angus: I wanted to address the issue of insider people who could take personal information to which they legally have access and use it for illegitimate purposes. Do you feel this bill goes far enough?

Ms. Giuliani, I would think your organization would be one of those types of organizations that would have that access. I would like to ask you many questions on another occasion. It goes to identity credit prejudice of individuals. Does the bill go far enough?

I do not care who answers this.

Mr. Jamieson: I believe it does.

Senator Angus: Fine. Thank you.

Senator Joyal: I will follow up on the last answer to Senator Angus. It goes far enough provided that we include what they have proposed as amendments to the bill.

Senator Angus: Is this the one you were talking about earlier that I missed at the last meeting?

Senator Joyal: I am not saying more than what I just said.

It is important that the amendments you propose cover the emerging payment forms that will not use the plastic credit card itself. The experimental telephone payment that you are testing will mean that at a point in time, we will not even have a plastic card with us. We will have our telephone number and pay with cellphones. The data will not be transmitted by the chip in the card, but by the chip in the telephone.

Mr. Rennie, you are proposing that we add after "credit card data," "or other payment card data." It seems to me that it would not cover that kind of future payment because you are talking about a card. Would it not be better to say "or other form of electronic payment"?

Mr. Rennie: "Or other payment data" might be another way to phrase it. You are absolutely right. We already process hundreds of thousands of those contactless transactions. As Mr. Jamieson mentioned, there are trials under way around the world currently — including in Canada — for mobile telephone transactions as well.

Senator Joyal: I have no objection to keeping "credit card data" because it is the usual form of payment today. However, very soon we will pay with cellular phones and we will not need a plastic card with a PIN or whatever information is on that card.

If we are to amend the bill and add "or other payment card data," we should have "or other payment data."

Mr. Rennie: Yes.

Senator Joyal: That seems to be more in sync with what you are telling us today if we want to achieve the objective of having a bill that would be useful down the road.

Mr. Rennie: That is valid.

Senator Joyal: Proposed subsection 56.1(3), on the first page of Bill S-4, contained the definition of identity document:

For the purposes of this section, "identity document" means a Social Insurance Number card, a driver's licence, a health insurance card, a birth certificate, a passport as defined in subsection 57(5), a document that simplifies the process of entry into Canada, a certificate of citizenship, a document indicating immigration status in Canada or a certificate of Indian status, issued or purported to be issued by a department or agency of the federal government or of a provincial government, or any similar document issued or purported to be issued by a foreign government.

Does it cover all the identity documents that you and your business feel are contemplated to check the identity of someone in your opinion?

Mr. Rennie: MasterCard does not actually capture personal information. We are capturing card data that we transmit along our networks. Our issuers absolutely are capturing personal information. They tend to be financial institutions. I do not know if you had the CBA speak, but they would probably be better positioned to talk about their particular practices.

Ms. Giuliani: We have some direct consumer activities where we take identification. Yes, that is encompassing enough. The only thing it does not include would be the direct payment card — debit or credit — which would be covered elsewhere. Other than that, that is comprehensive enough.

Senator Joyal: That is the point, though. What I have in mind is, when someone is holding a card that is normally confirmed by identity, you take that card as the identification document. That is not covered by this. In other words, if you fabricate a false identity document through that card, that would not be covered by that.

That is why I posed the question to the Department of Justice witnesses. The answer was that there is a Charter problem. It seems to me, however, that, since a credit card is in fact related to identity documents that are checked somewhere, if you make a false card, that false card becomes, in a way, an identity document.

Mr. Rennie: Are there not other types of cards that could fall within that category, such as a membership card or a student card? There is a whole range of cards that are used in some places as identification.

Senator Joyal: Yes, but it is the identification card to get credit or pay, in that context.

Ms. Giuliani: Some of those ancillary cards like student and library cards, they would be far down the line in the suite of identification. There would always need to be a government issuer with signature, photo or both. We have really moved away from the municipal cards or community cards. This is fairly comprehensive.

I am sorry; I have not thought about it in this vein. However, the only thing would be if a credit card was produced as one of the identification cards, would it otherwise be covered if it was counterfeit?

The Chair: As an example, senators are given cards to get into the building. They have numbers, our photographs and are issued, goodness knows, by an arm of the Government of Canada; namely, the Senate of Canada.

Senator Milne: They also have a chip in them.

Ms. Giuliani: We do not see them often in the industry.

The Chair: Would this section, from your point of view, be better or worse if, instead of applying only to the list of documents, it also had a catch-all: Any other government-issued identity?

Ms. Giuliani: I thought it did here. The last part, after Indian status: "...or issued or purported to be issued by any department or agency of the federal government or provincial government."

The Chair: Maybe we need to have this clarified by the officials. However, as I read it, that section says, in essence: "Any of the above documents that have been issued or purported to be issued by a department or agency."

Therefore, it is a limiting list. From your point of view, would it be better to have a slightly broader catch-all? I take the point about government documents being what you really care about, and that is useful. However, should we not say in that case "any government identification"?

Ms. Giuliani: In the same vein as contemplating future technologies, there may be future government documentation, sure.

Senator Joyal: It is right on the point. That is what I tried to get from witnesses; to understand the implication of that definition of "identity document," because it is a leading definition for everything that follows from there on.

Mr. Jamieson, in your proposal and amendments, if you want to go back to that document, in the middle of the page, you refer to clause 4 of the bill relating to proposed subsection 342 (3). In your third bullet you state the definition of payment card should be amended in the code to mean "any debit, credit charge or prepaid card, contactless, mobile device, plate or other device." In which section of the Criminal Code do you propose that definition?

Mr. Jamieson: In the early part of the 300s there, there is a definition of "payment card." I cannot remember. It has been a while since I quoted it.

The Chair: Section 321, I am informed.

Senator Joyal: In your opinion, would that be wide enough to cover the new methods of payment that you are presently testing that might soon become the usual form of payment for everyone?

Mr. Jamieson: Yes, I believe so. Mr. Rennie, do you agree?

Mr. Rennie: I am not sure I can provide an opinion on that at this moment.

Senator Joyal: The other question is also for Mr. Jamieson. Your next group of points in the document relates to proposed subsection 402.1. The second bullet reads:

This section should include "personal identification number" or PIN. As stated, we recommend that subsection 342(3) be amended to delete the phrase "including a personal identification number," as it is too limiting and should be replaced with "including identity information."

Mr. Jamieson: Right.

Senator Joyal: Are there any Charter implications in that proposal?

Mr. Jamieson: I am not a lawyer.

Senator Campbell: Or an RCMP officer.

Mr. Jamieson: The idea was that when we saw "personal identification number" earlier in proposed subsection 342(3), we felt the description should include "identification information." Then, within the definition of "identification information," PIN should be put in there because that is a form of identification that we are using as we go to chip technology.

Mr. Rennie: We agree. You can go back to our text, as well where we used the phrase "personal identification number or other authenticating information."

Senator Joyal: That seems to be the way to try to circumscribe the scope of what is to be covered so we do not find ourselves in a challenge on the basis of the Charter.

Mr. Jamieson: Mr. Rennie has mentioned "other identification information" would cover anything now or possibly others introduced in the future.

Senator Wallace: I will address this to Mr. Rennie and Mr. Jamieson. It is somewhat along the lines of what Senator Joyal was speaking of. Both of you seem to be making the same recommendation in regard to proposed subsection 342(3) included in Bill S-4. Rather than limit proposed subsection 342(3) to only "personal identification number," you are suggesting, as Senator Joyal mentioned, it would include the reference to "or other authenticating information." I understand the logic of trying to create flexibility and breadth to that.

However, on the other hand, I think whatever is added must be identifiable; we have to know what that information is. Otherwise, it is vague and lawyers will deal with that and it can create problems in trying to enforce the section.

With that in mind, I believe I know what a "personal identification number" is. I can picture that. What is "or other authenticating information"?

Mr. Rennie: In my remarks, the example I gave was biometrics. There is a wide range of biometric potentials. Whether they have commercial application or not is another matter because, regardless of what you employ for authentication, a PIN falls into the category of "something you know." Biometrics typically falls into the category of "something you have or are." The "something you know" could be a PIN or a password or something like that. I think that is covered off.

It is the other area. Again, quite frankly, we do not know exactly where that will go. If you are to put that into the market, you have to put it out there on a universal basis so it is accepted everywhere. Regarding the earlier question about Ireland, if you have biometrics and only 5 per cent of the merchants accept biometrics, it does not do you any good.

Ms. Giuliani: If you look at what it is getting you, perhaps there could be some type of definition there. It is for the purpose of gaining access to an authorized instrument, currency or network. It is for the purpose of access. You are right; we know what there is today; we cannot know what is to come, but it is for the purpose of getting through the gate.

Mr. Rennie: For the purpose of unauthorized access.

Ms. Giuliani: It is the merchants' or institutions' form of identifying or authorizing access.

Senator Wallace: In the industry you obviously have a sense of what it is, but the breadth of it is currently unknown. I am looking at it objectively, aside from the industry, at lawyers and those trying to enforce these sections. It is obviously serious. If someone is in possession of or trafficking in what would be referred to as "or other authenticating information," it is significant. Because I am not in the industry, I do not get the sense of the boundaries of it. If someone is in possession of whatever that is, they could have a serious problem, so I think there is a need to define things clearly.

On one hand, I agree that we need a breadth so that we do not box ourselves in so continuing changes in technology and industry do not mean we have to continually amend the Code. As a lawyer, however, I do not have a certainty of what that is, and it is a significant concept.

Ms. Giuliani: Some examples may assist with context. They would be lists of passwords or secret words that would gain you access through telephone authentication, the PINs you use with your cards, and online passwords and codes. It is anything that gets you through.

The Chair: Senators, these are such interesting and important witnesses that we are taking more time than usual with them, but we are now well into overtime and we have other witnesses waiting.

Senator Wallace: This question should be relatively easy, I think. Identity theft is a serious problem in our society, as we all recognize. Bill S-4 is a serious attempt to address it.

From your perspective, is there an urgency that parliamentarians and legislators get on with enacting this bill with the consideration of the amendments you have proposed?

Ms. Giuliani: Absolutely. As I specified in my remarks, the deterrent factor is missing right now. It seems too easy to recruit people in relatively modest positions who have tremendous access to information. No one is thinking twice about carrying big piles of information because it is difficult to connect it to something. The urgency is certainly there, primarily for the deterrent value.

Senator Wallace: Mr. Rennie and Mr. Jamieson, do you agree with that?

Mr. Rennie: I agree.

Mr. Jamieson: I agree too.

Senator Campbell: My cop antenna goes up when I hear that the losses are $470 million a year. Ms. Giuliani says that she has 500 that are averaging $250,000 a pop, which is $115 million. It seems to me that the fraud we traditionally think of is penny ante compared to fictitious identity fraud.

How will the chip, cordless technology, the telephone, et cetera, stop me from putting together a fictitious identity? How will you find that out? Fraud has been going on forever, and we have some pretty good investigation techniques for that. You gave the example of ordering a credit card for a daughter. One could shoot those orders off in all directions. How do you catch up with that?

Mr. Rennie: Using the card industry as an example, fraud has been with cards since the beginning. Sophisticated practices have been put in place to detect the problem quickly and to deal with it. The losses might be $400 million, but they would be dramatically higher without those procedures in place.

I do not think that these measures will have a substantial impact in that arena. It is more about pure identity theft and it falls into the category of what types of controls need to be put in place in that industry around authentication.

Senator Campbell: Can we differentiate between identity theft and fictitious identity? How do we go between those two with the technology or the changes that you want here? How does it even make a difference, except that we have to broaden the terminology to cover the technology that is being added?

Ms. Giuliani: When reading the bill, we thought about it from both vantage points, from stealing an entire identity and doing a straight impersonation, and from taking components of someone's identity, and we found that it is covered in so many places. The one that jumps out at me is "falsely represents themselves." That would be covered whether it was a real person or a nonexistent person.

Am I missing something?

Senator Campbell: My question is, how does this new technology stop people from putting up a fictitious identity?

Mr. Jamieson: If you are talking about chip and PIN technology, it does not.

Mr. Rennie: It is not intended to, either.

Mr. Jamieson: No. It is intended to secure the point-of-sale transaction at the time of transaction with the higher- level security and the higher level of cardholder verification.

The process of applying for a card is still managed by our client member banks. They screen applications and go through the credit bureaus as a method of further identifying individuals.

The Chair: Since we are running up against the clock, I will ask the remaining senators to put questions and ask the witnesses to respond to them in writing, if that is agreeable to all.

Senator Dickson: You replied to Senator Wallace that there is urgency in this bill going forward. My question relates to similar legislation in the United States. Have you studied existing legislation there? Are there significant differences between what we are now proposing and what is now in existence in the United States? Technology is moving so fast that it is difficult, as Senator Wallace said, to draft legislation that keeps up.

Mr. Rennie: We have not done any comparative research. However, the rate of card fraud, which is all we can speak to in Canada, is considerably higher in Canada than in the United States. I am not sure whether legislation is the reason for that or if there are other causes.

Senator Dickson: Are the sanctions proposed in this legislation satisfactory, or would you like them to be more onerous?

Mr. Rennie: I think the sanctions are satisfactory. As I said earlier, the problem is organized criminals. If you are really going to address the problem with the legislation in hand, you have to go after the organized criminals behind it.

With all respect to the United States, the U.S. Secret Service is intimately involved in counterfeit fraud. They are very successful and they are aggressive in their prosecutions. That could be part of the reason for the difference.

Senator Dickson: While I agree with the amendments you are proposing, would it be more beneficial to the industry to get this bill through the House of Commons and the Senate as quickly as possible? In other words, you could come back in two years to make the changes. Technology moves along.

Senator Angus: Rather than have the amendments now?

Senator Dickson: Yes, rather than have the amendments now.

The Chair: We are the court of first instance.

Senator Joyal: It is an S bill. The bill was introduced in the Senate. It has not passed in the other place.

The Chair: There is no delay.

Senator Joyal: We can send it back and forth; there is no delay here.

Senator Angus: The sponsor is here now anyway. They were just protecting the sponsor.

The Chair: I think we interrupted the witnesses who may have wished to respond to the question.

Mr. Jamieson: What is challenging in the U.S., is that you see a lot of bills that come in at the state level and then at the federal level. It is confusing to try to follow the law on what they are doing about identity theft in the U.S., because there are so many different bills being introduced at different levels of government.

To Mr. Rennie's point, the fraud situation is still there in the U.S., and globally as well. I believe that specifically this bill will have a huge impact on identity theft-related crimes.

The sentencing is appropriate, but that is what is listed in the Criminal Code. Whether that is what is handed out, dispensed, is the challenge you get. The sentence, even for credit card-related offences, tends not to be a sufficient deterrent in Canada. Depending on where the individual is being tried and the impact on the community in the area, a sentence could be conditional, it could be six months or two years. That is the challenge we have.

Senator Campbell: It is the same with any crime.

Mr. Jamieson: Yes, it is.

Senator Dickson: I am really impressed by the substance of the amendments that you propose. Since the government lawyers probably should have consulted you before they drafted the bill, it would be helpful if you came forward in writing to us with instructions to draughters so they have a better comprehension of what should have been in the bill. It would have been less embarrassing today.

The Chair: We will be asking them to respond in writing, so perhaps we could add that to the list.

For a second round, we have Senator Milne, Senator Angus and Senator Joyal. I will ask them to put their questions, which we will ask you to respond to in writing.

Senator Milne: My question is really a concern. Mr. Jamieson, you talked about chip cards, which are virtually impossible to copy. However, there is technology out there that can read them from a distance, I am informed.

I was reading an article just the other day where the U.S. border service now can read all the information that the banks have embedded in the chip on your particular card, plus the PIN numbers, and they know this before you drive up to the border. I am concerned about how secure these are.

The Chair: If you could respond to that in writing, please. It is fascinating but we really are short of time.

Senator Angus: My question has to do with the practice that has grown up to give more business not only to the merchants, your clients, but to the card companies, of giving out your number of your card. On television, you see these things, dial 1-800 and you get this fancy new product; just phone in and give your credit card number and it will be delivered tomorrow. I have always felt this was a dangerous thing. I do not give mine and I am unpopular at home for being like that because I have made it a rule. I would like to know the general parameters around that. Is it risky and does the bill help to prevent theft of your data by being what I call careless with your number?

Senator Joyal: With that new method of payment, which will be by phone, in my opinion the risk of fraud will be multiplied. Contrary to the credit card that you must have on you, the phone can be operated from outside.

Mr. Rennie: Not that far away — it must be that close to the reader.

Senator Milne: Yes, but you do not always have it on you.

Senator Joyal: Did you evaluate the additional risk of fraud with that new method that is being developed now, which would make the payment easier? How much does the ease of payment multiply the risk; and if so, what are the measures that can be taken to prevent that risk from happening?

The Chair: I know you are all yearning to answer and we are all yearning to put more questions, too; but I will quite ruthless and stick to what I said, which was to ask you to answer these questions in writing.

You can tell how very interesting, informative and helpful we have found your testimony. We thank you so much for being here. It has been most useful for us all.

Mr. Jamieson: Can we get a transcript of the questions so we know exactly what we are answering?

The Chair: We will put them to you by tomorrow morning, in one way or another.

Mr. Jamieson: Thank you very much.

The Chair: We are now very pleased to welcome, from the Royal Canadian Mounted Police, Chief Superintendent Stephen White, Director General, Financial Crime; and Stephen Foster, Director, Commercial Crime Branch, which means, I suppose, that you are very expert in the issue before us. Have you decided which of you will speak first?

Chief Superintendent Stephen White, Director General, Financial Crime, Royal Canadian Mounted Police: Thank you very much, Madam Chair, honourable members of the committee, for inviting us to be part of today's hearing with this opportunity to present the RCMP's perspective on the current state of identity theft and fraud in Canada.

Before computers and the widespread use of the Internet and other associated technology, stealing and using another person's identity was a relatively difficult crime to commit. Criminals had to invest considerable time and effort in the process and the risks were high. To assume someone's identity, a thief had to break into a house or steal a purse or wallet. Today's technologically-adept thieves can do just as much damage in the time it takes to swipe your bank card through the reader at a cash register.

The same technology that has made our lives more convenient by allowing us to shop from home and operate in a virtually cash-free marketplace has also given rise to countless new criminal opportunities for identity thieves. They can now steal your personal information from the comfort of their home offices half the world away taking advantage of everyday transactions that require people to share personal information for identification purposes.

[Translation]

The techniques used by identity thieves range from the primitive to the highly sophisticated. They steal your mail and go through your household garbage looking for bank and credit card statements. More technologically advanced thieves hack into computer databases and tamper with card readers in retail location. Parallel to the evolving nature of technology, criminal techniques are involving at a pace that's just as rapid.

[English]

Today, the methods adopted by criminals to commit economic crime are increasingly sophisticated. There are strong indications that organized crime is more involved in financial crimes across multiple jurisdictions which further increases the complexity and challenges of criminal investigations.

The growing impact of identity theft and fraud is deeply troubling. In an April 2009 report, the United Nations Office on Drugs and Crime stated that identity-related crime is linked to other activities involving organized crime, terrorism, corruption and money laundering. A 2008 EKOS survey found that nine out of ten Canadians were somewhat concerned that they could be victimized by identity theft and fraud. The survey also indicated that Canadians ranked economic crimes, fraud and identity theft as their number one concern, more troubling than terrorism, organized crime and gang violence.

That is why we have to view economic crime as being every bit as serious as many other types of criminal activity. While it is true that identity theft and fraud, for example, are less physically dangerous than many other types of criminal activities, their social damage can be very severe and can undermine the trust that people have in their society.

The cost to a person who has had his or her identity stolen can be enormous: Financial loss and the investment of hundreds of hours try to re-establish identity and good credit all take their toll.

[Translation]

A recent study by McMaster University estimated that, in 2008, 1,700,000 Canadians identity theft victims spent 20 million hours and 150 million dollars clearing their names.

[English]

Of course, individuals are not the only victims. Stolen identities are also used to commit frauds involving government services, benefits and official documents. Financial institutions and retailers, the foundations of our economy, suffer growing losses every year.

Evidence indicates that identity fraud is not just committed by enterprising individuals. Organized criminal groups are also applying their considerable resources to this expanding field of opportunities.

Quantifying the damage is extremely difficult. Many instances of this type of fraud go unreported so definitive statistics are hard to come by. PhoneBusters, the Canadian anti-fraud call centre jointly operated by the RCMP, the Ontario Provincial Police and the Competition Bureau of Canada, can only maintain statistics on the complaints they receive. In other words, the more than 11,000 complaints received by the call centre in 2008 reflect only a small percentage of the problem.

[Translation]

In March 2009, the Canadian Council of Better Business Bureaus indicated that identity theft was the faster growing type of fraud in North America, with the cost of consumers, banks, credit card firms and retailers estimated to be in the billions of dollars each year.

[English]

Raising public awareness about protecting personal information is currently the best tool we have for preventing identity fraud. Along with members working in RCMP detachments across the country, members in our financial crime units make numerous presentations to educate the public on this issue. Whether these presentations are made to businesses, government agencies or community groups, the messages are the same: Protect your personal information; shred unwanted personal documents; be wary of suspicious emails.

Prevention is still the best cure, but prevention can only do so much. Currently the Criminal Code does not contain specific offences pertaining to identity theft. Most Criminal Code offences related to property crimes were enacted before computers and the Internet were even invented. While the Criminal Code addresses most fraudulent uses of personal information by identity thieves, it does not address the unauthorized collection, possession and trafficking of personal information for the purpose of future criminal activity.

The RCMP is in favour of legislation that will criminalize identity theft and fraud-related activity. Bill S-4 will close legislative gaps that currently allow criminals to collect, possess and traffic in personal identification information and documents.

Why be reactive when we can be proactive? We must constantly examine our environment to identify new tools that can greatly assist in investigating white-collar crime. Legislative amendments aimed at closing the identity theft gap would help the RCMP and other law enforcement agencies protect not only individual Canadians but also the integrity of our economy. We welcome laws that will move us closer to this goal.

Madam Chair, honourable members of the committee, that concludes my prepared remarks, and we would now be happy to answer any questions you may have.

Senator Wallace: Thank you for the presentation, Superintendent White. We have heard thoughts on this from a number of different witnesses. Some have looked at the bill from a technical point of view, but you deal with it on the front line. You are dealing with the results of identity theft and identity fraud. The public looks to you to protect us as best you can, and you need the tools to do the job.

As you pointed out towards the conclusion of your presentation, you say that legislation aimed at closing the identity theft gap would help the RCMP and other law enforcement agencies, not only to protect individual Canadians but also the integrity of our economy. That would undoubtedly be true.

Is that what Bill S-4 will do? Is it an example of that? Is it the type of legislative amendment that you are looking for and feel will better protect consumers in this country?

Mr. White: Yes, definitely. One of the big gaps we see now with identity theft and identity fraud is the front end of the whole identity fraud process, and that is the actual collection, possession and potential trafficking of the personal information. Right now, for follow-up fraudulent activities, quite a number of offences currently in the Criminal Code can address the actual fraudulent activity conducted with the personal information. It is the front end that has a significant gap, and this legislation can definitely provide us with the tools that we need from a law enforcement perspective to address that front end.

Senator Wallace: I take it from your comments that you feel Bill S-4 is a tool that law enforcement needs now, there is a sense of urgency to it and that it should not be put off for another day?

Mr. White: Definitely. From our perspective, this is a piece of legislation and a tool we would like to have immediately.

Senator Wallace: Thank you.

Senator Milne: Gentlemen, you were present during the last presentation, so you heard the suggested amendments to this bill. Do you agree with these amendments? Perhaps it might help if you had a copy of them and could read them. I think they are more specifically laid out in the Visa presentation.

The Chair: Since they are a little technical, if the witnesses do not feel comfortable responding right away, perhaps we might give them copies and ask them to respond in writing.

Mr. White: Today is the first time we heard of those amendments.

Senator Milne: You probably do need to analyze them a bit, but I would certainly hope you can respond in writing quickly.

My other question would be similar to that I asked of Ms. Giuliani. We have had witnesses before this committee who spoke of the fact that modern identity theft is moving from small numbers of people who stole large amounts of money through identity theft or credit card theft to much larger numbers of people who are just stealing a few dollars, anywhere from $1 from people's bank accounts to $100. Quite often, people would not even realize that money had gone. They would think they did not add in the interest this month or whatever. These are usually unreported and, if they are reported, they are too small for the police to bother with, because you have to husband your resources as well. Do you see this trend?

Mr. White: I am not sure if there is a trend. I think it has been consistent over the years that people who are defrauded of a small amount of money will not come forward and report it. One of the challenges we currently have in terms of trying to identify a good national picture of identity theft and identity fraud here in Canada is that the statistics we have are only those complaints that are actually reported. Our estimate is that a very small number of complaints of identity theft or identity fraud activities are actually reported, and a recent study by McMaster University definitely reinforces that.

The whole issue of identity theft and identity fraud has changed from the past, coming from more traditional methods. A lot of activity now is migrating to the Internet, the cyberworld, so more tools and techniques are available to a broader percentage of the population. Committing identity theft and identity fraud is easier today with technology, so just by progression, you will have more people involved in that type of activity for the very reason that it is a significant way to make money.

Senator Milne: They can do it from home.

Mr. White: They can do it from home, and it could be profitable.

Senator Milne: Have you found that? Does the RCMP have any statistics on that?

Stephen Foster, Director, Commercial Crime Branch, Royal Canadian Mounted Police: We would not have specific statistics on how the identity theft would have occurred. There is a broad range of activities by which your identity could be stolen, and we do not have statistics related to the break-out of how it occurred.

Senator Joyal: My first question is in relation to the force's capacity as a crime investigation unit in relation to identity theft. My question is simple: Do you have the personnel capacity to investigate the dramatically increased number of crimes related to identity theft, as we have heard from the previous witnesses, following the adoption of this bill? In other words, it is good to adopt legislation, but if we stay with the same resource capacity, we will not meet the target we would like to achieve, which is to fight this kind of crime.

Mr. White: That is a very good question. In terms of our ability to investigate new offences that would be brought into play with this new legislation, like every other type of criminal activity that occurs, we will never have enough resources to investigate it all. Our approach has been to try to get the best information and intelligence collection nationally so we can identify the biggest organizations operating in this domain and, in terms of prioritizing, going after what we consider to be the biggest threats.

This piece of legislation may give us a jump start, because right now, without identity theft as a criminal offence, we have to wait until the fraud is actually committed and then do a fraud investigation, which may take more resources to conduct. The new offences proposed in the legislation will enable us to move forward with a criminal offence prior to the fraud even being committed, and that would be the possession of the personal information. In many ways, it will assist us from a resourcing perspective. Instead of having to do a lengthy identity fraud investigation, it will potentially give us a tool so that we can be at the front door and identify people involved in this activity before they get involved in the second level, which is the actual fraudulent activity.

Senator Joyal: In other words, you will be more efficient in fighting crime with the personnel resources you have rather than trying to simply add personnel to the forces to meet the same results?

Mr. White: Primarily. You have heard the statistics on the volume of identity theft and identity fraud out there, and we will never be able to investigate all instances. As with any other criminal investigation or domain of criminal activity, we would try to get the best and most complete information and intelligence that we can nationally and identify the biggest groups, organizations or threats, and that is where we would prioritize our investigations.

Senator Joyal: You referred in your presentation to the United Nations Office on Drugs and Crime report. Do you not see a need to be able to fight the tentacles of that kind of crime that might be organized outside of the borders of Canada? The technology, as you know, is now worldwide. Do you not feel that there should be better cooperation through a treaty with, for instance, the United States and some of the European countries which share some similar objectives and priorities with Canada, to help you to pin the author of that kind of fraud? Most of them are systemic. It is not just the person who steals someone's purse or wallet and goes to the shop and uses the card. That is small fry in comparison to the organized crime that sets up an operation and locates it in a country where they could operate through the Internet and so on. In other words, do you need an international instrument to be more effective in fighting the origins of the biggest ones?

Mr. White: Definitely, it is extremely important, because with technology, a lot of the activity that is targeting Canadians is taking place outside of Canada, and that will probably only increase with other advances in technology. The critical point here is that we have strong international cooperation with other countries in terms of law enforcement and from a judicial standpoint as well. We are involved in a number of initiatives and working groups. For example, we have very good cooperation and exchange of information with the Americans in this domain.

There are always ways to improve. I am not sure if treaties would be the answer. We would need further consideration. International sharing of information and intelligence between law enforcement agencies is critical for us to be able to go after the larger international organizations operating from within Canada or across multiple countries at the same time.

Mr. Foster: Many of the investigations of this nature are already international. We are communicating with other law enforcement agencies where necessary. We can take action under the existing legislation and the Mutual Legal Assistance Treaty. We are in close contact with the FBI and the legal attaché's office here in Ottawa. There is regular cooperation in this domain to the extent that we will draw witnesses internationally or have peace officers testify internationally if necessary.

Senator Joyal: You have the internal capacity in terms of mastering the technology, to be able to trace back and follow up on the investigation, which does not stop at the border. As you said, the largest number of identity theft crimes perpetrated and fraudulent activities related to that start outside of Canada. You have to be as efficient abroad as in Canada in order to identify the origin of the crimes.

Mr. White: Yes, definitely. As Mr. Foster mentioned, one of our major tools is the Mutual Legal Assistance Treaty that Canada is a signatory to along with many other countries. It is one of our primary tools for sharing of evidence in criminal proceedings between countries. The RCMP has a network of international liaison officers for day-to-day sharing of information and intelligence with other countries. We are now established in 25 or 26 countries. They are our front-line, everyday gateway to facilitating investigative activity from an investigation in Canada out into a foreign jurisdiction. They basically establish the networks and cooperation we need with foreign law enforcement to pursue our Canadian investigations. That works very effectively.

Senator Milne: I have a supplementary question.

You spoke about international cooperation. How well are police forces within Canada sharing information currently? Is it still a work-in-progress?

Mr. White: It is always a work-in-progress. The best way to answer that is that many different police forces probably receive complaints locally, whether from a small town in British Columbia or the Toronto police. The challenge is trying to get all of that information and intelligence into one centre. That is what is required for us to get a good understanding and national perspective of identity theft and fraud. We need to get that into a central hub or collection area because it is difficult to get the whole picture if we just have pockets of information and intelligence across the country.

Senator Joyal mentioned earlier identifying the international linkages. It is as important to identify the national linkages because many groups are stealing identities and payment cards in one province and moving the whole operation to another province to use them.

It is critical and it is something we are constantly working on. There is good cooperation amongst law enforcement agencies. We are currently looking at getting tools together that can bring all the information and intelligence into one hub to give us the complete intelligence picture.

Senator Angus: Senator Milne started questioning you on something in the paragraph near the bottom of page 3 of your written submission. You are basically saying much of this is going on and only the tip of the iceberg comes to your attention through complaints. You mentioned three sources. I was confused why the Competition Bureau is there and how it fits with the OPP and the RCMP.

However, I assume reporting is less than 10 per cent. That is only an educated guess.

Mr. Foster: Are you asking as a multiplier that we see the tip of the iceberg with 10 per cent?

Senator Angus: Yes.

I got into a discussion with the officials when the bill was first brought to us about my car having been broken into. Many of us have had the same experience. I lost all kinds of documentation including the types listed in the bill and also tax returns and other documentation that you do not like to have flying around. The general response seemed to be that this material is sent out of the country quickly and into the hands of central or sophisticated organizations that operate businesses stealing identities.

I made my complaint to the local Montreal police. They told me they average hundreds of such break-ins of cars per night. I do not think you probably ever heard about my car.

Let us say it is 10 per cent of the thefts that take place in Canada. It might be a much greater number because the thefts not reported are being perpetrated by the same people who perpetrated the ones that are reported. Is that a reasonable conclusion?

Mr. White: One of the best recent surveys on identity theft in Canada in terms of completeness is that from the School of Business at McMaster University in July 2008. One of their findings was that few cases of identity theft were reported to police. It was only 13 per cent according to their survey. That is probably the most recent survey we have. It is a low number that is reported.

Senator Angus: Would you think that the people who perpetrated that 13 per cent are the same people who perpetrated most of the other 87 per cent? In other words, is it a small number of perpetrators, if it is from big organized crime?

Mr. White: I do not think our statistics would demonstrate that. Our perception is that it is much broader.

Senator Angus: There are many people involved.

Mr. White: Many people and organizations are involved. It is not limited to a small, select group of organizations.

Senator Angus: Everyone has raised the issue of resources and the ability to enforce. You have your limitations and my colleague who is no longer here was a policeman himself. He says he has never heard of any law enforcement agency that said they have enough money to do their job.

It is well known in Canada. We did a study of insider trading and while-collar crime in the securities markets. An organization was created between the RCMP and IMETs. The year we studied it, in 2007, it had 93 files open and not one prosecution. That highlighted a need.

We have limited resources. There is recognition that there is a huge problem. I gather you people had input with the government drafters in terms of what is included in this bill and you are relatively comfortable that, in terms of the law as a deterrent, it is adequate. It is a "step one," right?

Mr. White: It is definitely a "step one" and it is a huge deterrent for that front-end activity, which is the actual theft of the personal information.

Senator Angus: Then, the next step would be allocation of more manpower and money, et cetera. It is so widespread. It is one thing to have the law. Am I right? Am I leading you to the correct answer?

Mr. White: I think you are asking if we need more resources.

Senator Angus: I understand you do. It is great to have the law, and I think we need it. There are a series of bills coming through the committee that are trying to create greater deterrence and to show that society is becoming a little fed up with all of this criminal activity. However, I am troubled, obviously, as I think my colleagues are, that it is all well and good to have the laws on the books but, if we cannot enforce them, what are we doing?

Since we have the privilege of having you here — this is not right on the point of the bill — but do you have any suggestions or other things that could be done, other than just money?

Mr. White: Again, in terms of enforcing the legislation, the way we look at as it giving us one extra tool. When we do hit the street, before, where we had to go out and wait for someone with that personal information to actually use it for criminal or fraudulent activity, which occurs in most cases, now we do not have to do that. Now, if we do identify that individual with the personal information and it is evident that the individual in possession — whether it is documents or debit or credit cards — will use it for a criminal or fraudulent activity, now there will be another tool and another offence we can use at the outset. That is the key for us.

Senator Angus: How would that work? Would that enable you to hold them and ask who they are reporting to? Would it be that sort of thing? In other words, would it enhance the investigation?

Mr. White: Definitely. That would be part of it. Whenever anyone is arrested and charged with a criminal offence, talking to us is voluntary. At an early stage of this identity theft and fraud process, with a new tool and offence, we are able to arrest and charge an individual at the outset.

Whether we are able to glean any additional information or intelligence from them with regard to whether they are part of a larger organization is no different than any other investigation. If we arrest a drug trafficker, for example, sometimes we would get information of a larger organization. Sometimes we will not. We are not saying we will go out and do a lot more investigations, but it will give us what I think is a rich tool to identify this activity at the front end. That is the great benefit for us.

Senator Chaput: Senator Angus just asked the questions that I was to ask and I have the answers to those questions. Thank you.

The Chair: You used your time well, Senator Angus.

Senator Baker: In other words, the witnesses are saying that, when you create a new offence under Canadian legislation — primarily under the Criminal Code — then, of course, all the tools of the Criminal Code come into play and you can do your investigations. However, without there being an offence, you cannot conduct the investigations or be suspicious or have reasonable grounds.

I am looking for a suggestion from you — and I do not know if you will proffer one — as to what can be done to improve the legislation before us, given the fact that this is not an ordinary offence, as we know the word "ordinary" pertaining to an activity that takes place within the jurisdiction of Canada. We have heard from witnesses who have told us that the biggest organizers of this crime are outside our boundaries.

Therefore, the logical question is: Is there something missing from the bill that you can think of that perhaps you could use, because the provincial jurisdictions will obviously come to you to investigate something that is outside the jurisdiction of Canada. Is there something that could be incorporated into this bill to assist you in the investigation of these new offences that we are creating?

Mr. White: I cannot think of anything that comes to light right now.

Mr. Foster: We would not necessarily investigate crimes that are wholly outside of Canada. There would have to be a connection back to Canada that would interest us and be of a significant level so that we would actually prioritize it with the resources that we have and say, "This needs investigation, and it is international in nature."

If it was already being investigated by another agency, we would also assist in that type of investigation. However, the extent to which this legislation actually targets and makes an offence outside of Canada, et cetera — is something like that your question?

Senator Baker: No, it is not my question. My question is quite simple: You cannot lay a charge if the offence does not take place within the jurisdiction of the territory in which the charge is being laid.

If you are laying a charge in Canada and you have new offences under this act, is there anything that can be put into this bill to assist you? Tomorrow, we are hearing from the Privacy Commissioner and she will tell us that she is investigating cases outside the jurisdiction of Canada because the offences the fraud being perpetrated is on a person who lives in Canada. The fraudulent activity, however, is being organized outside of Canada.

She will then call upon you, if she finds a criminal offence has been committed.

The Chair: Is this hypothetical or do you happen to know what she will say?

Senator Baker: I imagine it, looking at the case law from PIPEDA. I am looking for something from the witnesses, if they care to proffer it. If they do not, I understand. However, is there something here we are missing?

Senator Joyal: This might help the witnesses. Let us make a parallel with terrorism. A terrorist activity might start outside of Canada, but it might have an impact in Canada, through all kinds of means of communication. There is a parallel to be made between a criminal activity contemplated in this bill, which you stated properly is mostly being managed outside Canada, and terrorism activity with origins outside Canada.

If you want to be as effective in fighting this crime as we pretend to be on terrorism, in my opinion you must have similar legal means to fight that crime as much as you have for terrorism.

Senator Baker: Does anything immediately come to mind?

Mr. White: The dialogue we are moving towards is: The actual offence is committed by individuals outside of Canada. It is all done over the Internet, for example, by an individual, say, in South America. He has stolen the information and is sitting in South America, over the Internet. Now he has your information.

To commit a fraud, it would have to be committed somehow in Canada. If he is going after your bank account, or getting into your credit card account, that would be activity related to Canada. In that case, there would be criminal activity occurring here in Canada. The identity theft part would have been conducted outside of Canada because he is in a foreign jurisdiction now.

Similar to other criminal activities that we would investigate, we could potentially lay a charge here in Canada against that individual. The challenge would be getting him back to Canada to prosecute him. We could do so if Canada has an extradition treaty with the other country.

It is not much different from other criminal activities that we investigate. An individual involved in a conspiracy to import narcotics into Canada may be based in another country, but the importation occurs in Canada, so criminal activity occurs here. We can investigate and lay a charge against that individual. Whether we can get him back to Canada to prosecute him is another thing.

Senator Dickson: You made reference earlier to cooperating with 20 agencies or police forces around the world. I assume the reason for that is that some of these gangs are located in those jurisdictions. Is the law in those jurisdictions similar to this bill? Is it stricter? How does this bill rate against their laws? You want to get the big criminals first, I assume, and you must have some idea of who the gangs are.

Mr. White: Definitely. It would depend on the country. I am not in a position to speak about what the legislation is in many countries where we have liaison officers. If there is similar legislation in those countries, it is possible that we could pass evidence on to those countries that would enable them to charge an individual who committed the crime in their country. That is if there is local legislation that would enable the foreign authorities to lay a charge in that country. That is also a possibility, and the exchange of evidence in criminal matters could be facilitated through the Mutual Legal Assistance Treaty.

Some possibilities exist, but it would depend on the circumstances of individual cases. It would be hard to say generically. We would need a broader addition to this legislation.

Senator Baker: I asked the question because you used the example of the Controlled Drugs and Substances Act throughout your presentation. As you are aware, we passed that law, and prior to that, the Narcotics Act, which contained special provisions that are beyond search warrants for which you are being given authorization here, 487 warrants and 492.2 warrants. They are beyond that, that is, they are warrants in which for example you do not have to identify the time in which the warrants will be exercised, it could be 24 hours a day, and so on. These are special provisions to fight drug offences. There are no special provisions here. You are simply being added to sections of the Criminal Code that give you all the standard tools that are used in investigating other crimes.

I was wondering whether you felt that in this case, as we have done with controlled drugs and substances, special provisions should be instituted to fight identity theft.

Mr. Foster: This legislation targets that gap that exists, as opposed to the CBSA and Narcotic Control Act. The special provisions and special tools in those cases are intended to fill gaps related to that activity. This legislation targets the preparatory acts that precede a fraud but relate to the collection and trafficking in personal identification information. In that sense, this is a special tool for us, because it does not currently exist. We are filling that gap.

The Chair: We thank you both so very much. It is very important for us to have heard from the RCMP, since you will be charged with using this legislative measure once it becomes law.

(The committee adjourned.)