LCJC - Standing Committee

Legal and Constitutional Affairs

 

Proceedings of the Standing Senate Committee on
Legal and Constitutional Affairs

Issue 9 - Evidence for May 28, 2009


OTTAWA, Thursday, May 28, 2009

The Standing Senate Committee on Legal and Constitutional Affairs met this day at 10:47 a.m. to study Bill S-4, an Act to amend the Criminal Code (identity theft and related misconduct).

Senator Joan Fraser (Chair) in the chair.

[Translation]

The Chair: Honourable senators, welcome to the Standing Senate Committee on Legal and Constitutional Affairs. We will continue with our study of Bill S-4, an Act to amend the Criminal Code (identity theft and related misconduct).

We have very interesting witnesses this morning. We are pleased to welcome Ms. Jennifer Stoddart, the Privacy Commissioner, and Ms. Lisa Campbell, Acting General Counsel, who is with her today.

[English]

We are happy to have them with us in the study of identity theft and related misconduct, which has turned out to be an enormously complex and fascinating topic.

Ms. Stoddart, I believe you have an opening statement, so I will ask you to give us that, and then we will ask you questions.

Jennifer Stoddart, Privacy Commissioner, Office of the Privacy Commissioner of Canada: Thank you very much. It is a pleasure to be here with you. We have been following these hearings, and I am personally extremely heartened by the interest you take in this topic. It is hugely important to a variety of Canadians. I hope there will be swift action on this important bill, which amends the Criminal Code.

We are pleased to see that the government is taking this action on the growing problem of identity theft. Polling conducted by my office this year reveals that 1 in 6 Canadians have experienced some form of identity theft. Over 90 per cent of Canadians are concerned about the issue of identity theft.

"Identity theft" is, as you know by now, a broad term that is often used to describe a wide range of behaviour. It can include credit card fraud. It often refers to pretexting, which is pretending to be someone authorized to obtain information in order to get it. There are also the more sophisticated techniques such as skimming, which involves stealing personal information from the magnetic strip on debit and credit cards through the use of small electronic devices.

Another method of identity theft is "phishing" or "vishing," which uses emails and phone calls from what appear to be trustworthy organizations, such as banks, to lure people into providing account and other personal information. "Pharming" is another variation, in which a counterfeit website is set up using the correct address of a genuine website in order to entice people to give up personal information.

[Translation]

As technology evolves, identity thieves are constantly developing new techniques to obtain personal information. There are even online operators and underground networks that specialize in the sale of stolen personal information. Thus, identity theft can range from the stealing of credit card information to the wholesale misappropriation of an identity.

Once obtained, personal information can be used to open bank accounts, obtain loans or credit cards, obtain personal employment or transfer property in the victim's name. Stolen or copied personal documents can also be used to obtain government benefits or government-issued documentation.

In 2007, my office investigated the massive computer data breach at TJX/Winners, which affected millions of credit card holders worldwide. We found that the company had failed to adequately secure the personal information that it held, making it possible for thieves to hack into wireless networks and access the data.

[English]

Victims of identity theft may suffer significant financial loss as well as damaged reputation or credit ratings. They may lose time, incur expenses and experience severe stress associated with restoring reputations and recovering financial and other losses incurred. In addition, significant costs to government and the private sector are experienced when identity is misappropriated.

The lessons of the past few years teach us that stronger privacy protections are needed if privacy is to have any meaning at all in the face of contemporary challenges. Criminal gangs, such as the one behind the TJX heist, and commercial organizations, such as in the Abika.com case, which is Lawson v. Accusearch Inc., which you have heard discussed in previous hearings, have both come to the same conclusion that there is now a lucrative and booming global market for personal information. Many of our own audits and investigations bear this out. From government officials being impersonated on social network sites to company insiders misusing corporate data for their own ends, it is an issue that knows no borders, no neat distinctions between public and private organizations, and it is happening everywhere. Such an issue calls for global action.

[Translation]

When we appeared before the House Standing Committee on Access to Information, Privacy and Ethics in May 2007 on the issue of identity theft, we urged the government to adopt a broad-based strategy that would include public education, stronger regulation of data handling practices, civil remedies and finally criminal sanctions for the worst cases.

In our view, the government's identity theft legislation is a step in the right direction; however it should form part of a broader-based strategy to address identity theft and identity fraud.

The recent introduction of anti-spam legislation is also an important contribution. At the moment, Canada is one of the only major developed countries without anti-spam legislation. The Electronic Commerce Protection Act addresses many of the shortcomings of the current Canadian legal framework, by providing severe penalties, and broadly defining unsolicited commercial electronic messages to include text-message spam.

It also has targeted provisions against phishing and spyware, and a right of action against spammers, as well as greater government cooperation. Significantly, it would also create a national coordinating body, and a Spam Reporting Centre. Many of these provisions are consistent with the recommendations that the National Task Force on Spam made four years ago.

[English]

I would like to see a similar effort on ID theft. Too much fine work is being done to have the task at hand muted by lack of coordination. We have the PhoneBusters anti-fraud call centre operated by the RCMP, the Competition Bureau and the Ontario Provincial Police. We have excellent resources on identity theft on the SafeCanada.ca website set up by Public Safety Canada. There is the federal-provincial-territorial Consumer Measures Committee working group on ID theft. We now need police regulators, public and private sector, federal and provincial officials to sit at the same table to focus all this expertise for Canadians' benefit.

When Bill C-27, the predecessor identity theft bill to Bill S-4, was introduced, my office sought an opinion on the effect of the proposed legislation from Professor David M. Paciocco, a respected author and expert in criminal law. His advice is available on our website. We shared this opinion with the federal government at the time together with our concern that while sanctions are required for the most serious instances of identity theft and fraud, many of the problems associated with these phenomena could be better addressed through regulatory measures and modernized privacy legislation.

In our recommendations for reform of the Privacy Act, we have asked for stronger regulation, including better security safeguards and broader grounds to take matters before the courts. In the review of our private sector legislation, the Personal Information Protection and Electronic Documents Act, PIPEDA, we have similarly recommended changes that would allow us to better regulate personal information handling practices, including the authority to cooperate with other enforcement authorities around the world and mandatory breach notification. These measures would empower Canadians to prevent identity theft and motivate companies and government organizations to properly safeguard personal information under their control.

Professor Paciocco agrees that conduct such as pretexting is better addressed through regulation than the criminal law. As he observes, regulatory regimes are often more efficient and, therefore, more enforceable than criminal offences. Regulatory legislation can be drafted to address the problem in a more aggressive way than criminal regulation could. Thus pretexting and other activities that are often the precursors to identity theft may be better addressed through targeted infractions and the stronger regulations that my office has been calling for.

Thank you for inviting me to speak on this extremely important issue. Our general counsel and I would be happy to answer questions.

Senator Wallace: Thank you for your presentation. As you say, and we have heard it from others that have presented before us, identification theft is a serious problem in our society, and we all recognize it is time that each of us as parliamentarians took action to address it.

As you point out, there are different aspects to it, some of which can be dealt with through Criminal Code amendments, which is what this bill proposes. Other elements of it can be dealt with better through the regulatory process, through the Privacy Act, PIPEDA and the recently presented anti-spam legislation. I think you will agree there is not necessarily one avenue that we can proceed down to solve all of the issues that are involved with this problem.

At this point, we are dealing with amendments to the Criminal Code. We are dealing with the sanctions that the government believes are required to address the issue.

Do you agree generally or specifically with this approach? Do you believe that the Criminal Code sanctions that are included in this bill are appropriate and are more than first steps, in that they are positive and progressive steps leading us to the other actions that you have suggested might be necessary?

Ms. Stoddart: Thank you for the question. Yes, I am happy to make it clear that we are pleased with this bill and happy that it has been introduced in the way it has. We hope for a speedy passage.

In terms of a criminal law approach, clearly that is one necessary part of an anti-identity theft strategy. You need to have the Criminal Code. We are not saying that it is not a good or necessary step.

We have no suggestions as to this particular piece of legislation. We are happy with what we see here, and we would encourage you to go on and study the broader phenomenon and see how other pieces of legislation and other government coordinating mechanisms could possibly complement this piece of legislation.

Senator Wallace: I think it is evident from your comments, but I believe all of us around this table feel a sense of urgency. The public are vulnerable to identification theft. The consequences can be grave for those impacted by it. All of us feel a sense of urgency to respond to that reality. Would you agree that it is important that, in considering this bill, we appreciate the sense of urgency and move it forward without delay?

Ms. Stoddart: Absolutely. I have been raising this issue almost since I became Privacy Commissioner because it was clear from our own work that the misuse and the fraudulent, wilful misuse of personal information was becoming a huge problem. I do not know if you remember back, but very early on, I was the victim of some pretexting in a very spectacular way to make a point about the weaknesses of controls. This was controls in a private sector organization, so I could hardly have missed this. Then we had a few high-profile cases involving misuse of personal information from organizations in the United States. Almost every day, in some part of our work at the Office of the Privacy Commissioner, whether it be in the public sector or the private sector, we are coming across incidents of deliberate misuse of personal information of some type or another.

Senator Wallace: "Interesting" may not be the right word. We have experienced it within the limited numbers we have around this table.

Ms. Stoddart: It is terrifying misuse.

Senator Wallace: You have experienced that as well. Senator Angus, who is a member of this committee as well, spoke of the difficulties he ran into when someone came into possession of his credit card and other personal information and the problems he had. We see it happening in the experience around this table, and when you think of it in terms of our society, it is an epidemic we have to deal with. Thank you very much. I appreciate your comments.

Senator Baker: We are about to hear, in a few moments, from a group that says that if one wishes to see personal information that is in the possession of a business or their employer, that under the federal Personal Information Protection and Electronic Documents Act, that information shall be provided, which was what we thought when we passed PIPEDA. As I understand it, if any business refuses for any type of privilege to give the information to you in your investigation, they do not have to. Is that correct?

Ms. Stoddart: Are you referring to the issue of solicitor-client privilege?

Senator Baker: No, I am referring to any type of privilege, including solicitor-client privilege. We thought, when we passed the PIPEDA legislation, that it had the same teeth the Privacy Act had in that it gave you certain authority, which was not on par with a Superior Court or a Federal Court judge, although that is the way you are described, but certainly it gave you the power to be able to do what advocates are advising people to do when they seek their own personal information that is in the hands of an employer or a business.

You do not have the power to demand that information, receive it and adjudicate whether or not it should be subjected to a privilege. You do not have that authority. Am I correct, or am I wrong?

Ms. Stoddart: You are correct. This is a question of some debate, not only with our respondents but before the courts. This went up to the Supreme Court of Canada, because those who were there when PIPEDA was written and passed understood that it gave at least the same powers as in the Privacy Act. I will ask the general counsel to take over from here because the Supreme Court, in its wisdom, set forward a procedure for us to follow, and I understand this procedure is now being contested by respondent companies, so we are before the courts again.

Lisa Campbell, Acting General Counsel, Office of the Privacy Commissioner of Canada: You raise a very good point, which is that the act does give authority to our office to compel production of documents, of affidavit evidence or other evidence. That is in section 12 of PIPEDA. It is court-like powers. We do have that authority. In the Blood Tribe case that went to the Supreme Court of Canada, we tried to exercise that authority. In that case, the respondent contested, saying that the documents in question were subject to solicitor-client privilege and should not be seen by us. The matter went to court, and the court determined essentially that that is a matter that should be looked at by the courts.

The middle road that we have implemented and think is working — although one respondent organization does not agree with us, and we are in court with them on that issue — is that we simply ask for ancillary proof showing that matters or evidence are subject to solicitor-client privilege. We will say, "Give us an affidavit that shows us that you prepared this in the course of litigation. We do not need to see the documents themselves, but give us something to substantiate your claim that it is subject to privilege." To be fair, most respondent organizations are happy with that. They do provide us affidavit evidence. We can cross-examine on that, and we can test it. In most cases, that seems to be working. One respondent organization has taken us to court, but we are dealing with that matter before the courts. Does that answer your question, in part?

Senator Baker: It answers it quite adequately. In other words, when dealing with people's private information and the investigation of that, you do not have the power under PIPEDA that you do under the Privacy Act.

Ms. Campbell: We do have the power. We can compel production of evidence. Every time we have had to use that section, we have never had to take the matter to court. It has always worked. The rare times that we have had to say that we will issue an order compelling someone to produce, most organizations produce that information. The solicitor-client issue is a special one that went to court.

Senator Baker: In other words, just to conclude on that, because that was not the question I wanted to ask you, the Supreme Court of Canada has interpreted our PIPEDA legislation as you not having, as a commissioner, the power of a court judge.

Ms. Stoddart: Right. Not completely, in some areas.

Senator Baker: You do not have that power. If I wish to obtain information from my employer, as suggested by the parties who are about to appear before us, yes, go to the commissioner, but understand that the commissioner is not a court of law, and, although an investigative body in statute, it does not have the power of a judge to receive the information if there is an objection to it and make a determination as to whether or not it is, in fact, what the business claims it is.

The Federal Court recently — and this came up in a previous meeting — has determined, against your argument, that you had jurisdiction. I am quoting from the determination of Justice Harrington of the Federal Court a short while ago in Lawson v. Accusearch Inc. They took people's private information in the United States and they did up an identity-theft organization. You claimed that you did not have the power to investigate that U.S. company, but the Federal Court said that, yes, you do, under your legislation. The conclusion in paragraph 51 reads:

In conclusion, PIPEDA gives the Privacy Commissioner jurisdiction to investigate complaints relating to the transborder flow of personal information.

I would like your comments on that. It is certainly fitting given the legislation before us and whether we are required to amend the legislation before us or PIPEDA, which you requested a few moments ago, to verify this Federal Court decision.

Ms. Stoddart: I was overjoyed with the result in the Abika.com decision because it was a very long and difficult discussion for us to see if PIPEDA — very new at that time — applied in that particular situation, which was a cross-border personal information situation. We had thought, in all good faith, and with the help of people who were part of the drafting of PIPEDA that unfortunately it was not. Therefore, I was very pleased, when faced with the reality of the international flow of personal information, that the Federal Court said, yes.

The problem that we evoked at the time of how in practice do you do it was not solved by a decision of the Federal Court. This is what has led my office to work on international cooperation and collaboration among regulatory agencies. It is very hard for me to go out and investigate a U.S. resident before the U.S. courts, et cetera. It is far easier to go to the Federal Trade Commission, which I did, and ask if they can help with the case by offering to get the information for us. In fact, they did. We have recently concluded the investigation in that case. It has gone out to the parties involved.

The Federal Trade Commission, FTC, has a relationship with the Competition Bureau on aspects of this. We would like to develop a mutually enforcing relationship where we would go after "baddies" of the other jurisdiction that are operating on the other side of the border to prey on citizens and thus escape the issues. I think that is one of the problems in "do not call" and so on. We have to work across national boundaries in a way that reflects the flow of criminally-used information.

You referred to Accusearch Inc.; we also have another case, and this case is the FTC against Accusearch Inc. in which the FTC won in the first instance. It has been pleaded before the United States Court of Appeals for the Fifth Circuit. We submitted an amicus curiae brief with the approval of the FTC telling the court how important it was to maintain the conviction of Accusearch Inc. and the international impact on Canadians of this type of illicit operation. The decision should be out soon. That is the end of the story.

Senator Baker: Therefore, you are saying that we do not need to amend or add anything in this legislation to affect what you wish to do.

Ms. Stoddart: I think this legislation is fine as it is. We are looking for, in PIPEDA particularly, the ability to cooperate more broadly on investigations with international organizations. A large part of that is addressed in the new anti-spam legislation.

Senator Milne: Ms. Stoddart, we should probably put on the record what you mean by "pretexting." A pretext to me is an excuse.

Ms. Stoddart: Yes. Did I talk about pretexting in my prepared remarks?

Senator Milne: You talk about such conduct as "pretexting," but you did not define it.

The Chair: On page 2, Ms. Stoddart did say, ". . . pretending to be someone authorized to obtain information in order to get it."

Senator Milne: We have phishing, vishing and pharming. You also talked about the fact that you can set up a fake website that has exactly the same address as an authentic one. I did not think that was possible.

Ms. Stoddart: Yes, it is. I am not quite sure how. Perhaps our general counsel is more conversant on the techniques.

Ms. Campbell: To answer the first question, pretexting is an old practice that has been around forever. It is pretending to be someone else so that you can get more information about them. The modern form of it is calling someone up as a legitimate business or individual pretending to be another individual in order to gain further information about them. The modern phenomenon of identity theft has many people involved in the flow of personal information, so many hands touch it. It is a lucrative trade in illicit personal information.

The creation of false websites is something that can happen very quickly. People will usually buy a domain name. It can be in existence for a couple of days. It usually gets found out quite quickly because people will report it to the legitimate website. However, quite a bit of fraud may have been committed in that intervening couple of days.

Senator Milne: Which one will you get if you go to that website? Is it a matter of chance, or is it that it usurps the other one?

Ms. Campbell: If you look when you first click onto a website, usually at the top of the page, you will see where you are being directed. Sometimes you will see the phrase "redirect." That can be an indicator that you are going to a different website.

For example, it is much the same as counterfeit money: It will often look like real money at a quick glance. However, people who know what currency looks like can look closely and see the false indications. It is the same with false websites.

Senator Milne: You have to watch closely what is going across the top of your screen.

The Chair: I have been told that sometimes when you receive these email messages, in the body of the message will be a return address that comes up in blue, at least on my computer. If you put your cursor over that — do not click on it — you will see that the actual address is not the same as the one in the body of the message.

Is that what we are talking about?

Ms. Campbell: You are right; that can tell you more information. You will see a window pop up that gives further information when you put your cursor over it without actually clicking. That can be another sign about the legitimacy of the website or lack thereof.

Senator Milne: In other words, beware when you are online.

Have you had a chance to look at the amendments suggested to us last evening by the Visa and MasterCard representatives? They came up with specific amendments to change some of the words from "credit card" to broaden it and to cover what might be future developments to make this legislation more proactive.

Ms. Stoddart: It seems, fortunately, that my staff did that.

Ms. Campbell: What they talked about yesterday is somewhat reflected in the proposed legislation, which has two parts. One is identity documents that we carry to prove our identity and the other is identity information, which is where the future is going. I think what you heard yesterday is their concern that the law is too narrow and will not capture future developments.

The future is really passwords and identifying numbers usually paired with a biometric, some type of physical identifier. It is the most reliable method of identity. That is the matter to which they were referring.

Our position is that to the extent that personal information is involved, we would want a law that can protect it adequately.

Senator Milne: I will not say "agree" because you have not seen them, but you tend to agree with what they are suggesting?

Ms. Stoddart: Yes, this sounds like a realistic and reasonable amendment. The industry that is at the forefront of fighting these crimes, they are the people who are there along with the hackers and inside rogues before the police come in. If they are making this suggestion, it is probably from bitter experience, and I would support it.

Senator Milne: That is good to know. I was reading the other day about the system the Americans are applying at the border. You can now drive up to the border and by the time you arrive at the border returning into Canada, they apparently have read your credit card, they know your PIN number, and they know when you entered the United States. If they have this type of capability, I am concerned about how quickly the criminal element will also have this type of capability. You just walk past a spot in the street, and they pick up every bit of information that they need to know about you. Have you any concerns about this?

Ms. Stoddart: We have had huge concerns about this for many years now. This has to do with the commercial and government deployment of something called radio frequency identity devices, RFIDs. They basically broadcast waves that are linked to a computer chip or transmit waves bearing information. There are huge security and confidentiality issues, depending on what type of information they are broadcasting about you, where it is going and who is picking it up. The whole issue of the use of RFIDs to track commercial theft, which we know is a huge problem, leads to the possibility that is spoken about in a realistic way now by industry. Items that you buy, for example, at a pharmacy would all have RFIDs in them because we want to prevent shoplifting. The RFID could also serve at the scanning machine.

Senator Milne: It follows you as you walk down the street.

Ms. Stoddart: You walk down the street, and someone knows that you just bought three bottles of shampoo and two packages of shoe laces or other products that perhaps you might have more reticence about people knowing you just bought. These are not far-fetched scenarios. Yes, RFIDs have useful purposes, but how do you turn them off?

With the electronic driver's licence, one of the things being talked about is the possibility of an on-off switch. As you approach customs, you switch your electronic driver's licence on, and then you switch it off. This has not been taken up by government so far.

In the francophone media in particular, there have been reports about the inadequacy of what is called the Faraday sleeve, which is a cover put over the electronic driver's licence that buffers the emission of the waves, and how it can easily slip off or be worn through.

Senator Milne: We may need to carry these and have all our credit cards with their chips inside a Faraday sleeve.

Ms. Stoddart: Yes, zipped up and locked, from what I hear about it.

Senator Milne: Including, perhaps, our telephones.

Ms. Stoddart: Yes.

The Chair: It is really a terrifying prospect, is it not?

Senator Joyal: Welcome, Ms. Stoddart.

On page 2 of your presentation, the fourth paragraph, you say, "Another method of identity theft is phishing or vishing, which uses emails and phone calls from what appear to be trustworthy organizations, such as banks, to lure people into providing account and other personal information."

Let me give an example. Someone phones me and introduces themselves as being a consumer company doing a survey about consumption related to, let us say, bio-food. They ask all manner of questions related to that, and then they move into personal information. What interests them is, of course, my personal information. I have been lured into giving personal information that might be used to construct the identity of someone who does not exist.

My concern is that, to me, this is criminal intent transformed into an activity, an initiative. Proposed new section 56.1(1) of the bill states, "Every person commits an offence who, without lawful excuse, procures to be made . . ." As you know, the Criminal Code must be interpreted strictly in its terms, and any activities that "seek to get" are not covered by "procures to be made."

[Translation]

The bill states:

Every person commits an offence who, without lawful excuse, procures to be made, possesses, transfers, sells or offers for sale an identity document that relates or purports to relate, in whole or in part, to another person.

[English]

The activity I just described is not covered by that because the activity is that I seek to get information to be able to either usurp or to create another identity. It seems to me that it is criminal to do that. The intent of the person who impersonates a legitimate company or corporation is to do something criminal. The intent is criminal. The bill, as labelled, does not cover that. You yourself identified that activity as being something that is happening. We know it is happening, especially for the seniors who are more vulnerable and generally act in good faith and provide all the information. In fact, they are the victims of a criminal act.

Should we not be concerned that the bill cover that type of criminal activity and make it a criminal offence if we want to deter people from entering into that activity?

Ms. Stoddart: Yes, you have raised one of the technical issues of this bill, namely that it does not cover mere pretexting per se. The reason for that leads us into some of the intricacies of criminal law. I will ask my general counsel, who has practiced criminal law for several years, to tell us why pure pretexting is not there — but we nevertheless support the bill. She can describe the challenges of trying to criminalize that.

Senator Joyal: Do not misread me. I am not saying that I am against the bill. However, since we are studying the proposal, we should ensure that it targets what we feel are wrongful activities. I am not against what is there; I am saying that maybe we should add to what is in the bill.

Ms. Stoddart: In fact, you and I think alike. For more than a year now, we have been raising this with the Department of Justice Canada. We would ideally like it to go back, but the answers we get are serious answers. Perhaps our general counsel can explain the position of the Department of Justice and why it does not want to include this.

Ms. Campbell: As the commissioner mentioned, when Bill C-27, the predecessor bill, first came out, we commissioned a legal opinion from Professor Paciocco on the issue of pretexting, which is just what you are describing — someone is pretending to be someone else or using a bit of information to get more information — because that is where it all starts. How do you get at that? In Canada, most offences are not Criminal Code offences. Most of them are regulatory offences, and for a good reason: They get at the softer crime or the starter crime. You can enforce them on a strict liability standard.

In other words, you do not need to get into intent and issues of constitutionality and proving people's rights. They are much easier to prove and much quicker. They often can be enforced by administrative bodies, such as the Office of the Privacy Commissioner, and they stop crime where it starts. They can be very effective. Professor Paciocco agreed with our position, which is that many of the problems with misuse of personal information should be dealt with by regulation and not by using the heavy hand of criminal law.

The criminal law in this bill deals with the very worst cases where you can prove there is an identity theft lab or a ring, many people are involved, and it is a sophisticated criminal operation. Short of that, we know there is a lot of illicit trade in personal information in the province of Quebec; for example, 200 organizations specialize in only that. Their primary clients are creditors and lawyers, but all they do is obtain personal information and sell it.

Senator Joyal: When I read proposed new section 56.1(1) that states:

Every person commits an offence who, without lawful excuse, procures to be made, possesses, transfers, sells or offers for sale an identity document that relates or purports to relate, in whole or in part, to another person.

Let us think for a second that we have added the following words "seeks to obtain" before "procures to be made." In other words, the gesture of seeking to obtain would be included in that. I agree with you that a regulatory offence might be easier to change because regulation is easier to make than criminal law. On the other hand, if we want to address, as you propose in your conclusion, the whole of the reality of identity theft and wrongful impersonation, that is the beginning of the criminal offence; it is seeking to obtain that information.

Ms. Stoddart: As I remember, these are exactly some of the discussions we had with representatives of the Department of Justice. I agree with you that that type of act should be sanctioned, but we were told that both constitutional and Charter problems exist in trying to criminalize behaviour that takes so many different shapes and where criminal intent would be so hard to prove, as I understand it. That is why it is left out of the bill.

Because we see that behaviour in our work, and that is why we say that if something cannot be corrected usefully by the criminal justice system perhaps it is not appropriate to put it there, maybe it is appropriate to put it somewhere else. As soon as you talk about the criminal system, you have the presumption of innocence and all the Charter rights, the criminal procedure, which can be lengthy, and so on. Sometimes it is more effective law enforcement to put things into laws that are, perhaps, simpler to administer and do not bring in the whole panoply of the necessary protections that we have in criminal law and just slap big fines on a certain type of behaviour.

That is my understanding of why it is not here. That is why I hesitate to say to you that, yes, this should be put here; I believe there are good reasons why it was not put there. However, I am saying to you that I would urge you to go on and suggest that this behaviour be sanctioned somewhere else.

Senator Wallace: Ms. Stoddart, I am directing this question to you, but it relates to what my fellow senator raised. Perhaps I should be talking to him.

On the suggestion that Senator Joyal has made, that words be added to proposed new section 56.1(1) that would include "seeks to obtain" or "seeks to procure," perhaps broadening that out would give additional protection. I think the situation described is one to be concerned about; there is no question about it.

When I look at proposed new section 56.1(1), though, it deals specifically with identity documents, and identity documents are quite limited when you look at the definition in proposed new section 56.1(3). My sense is the concern the senator is describing is far broader than simply being limited to identity documents.

Senator Joyal: At least it would be always signalling that this is criminally wrong.

Senator Wallace: That could be, and not to nitpick as to where that thought should be implemented, but I do see an issue with it being part of proposed new section 56.1(1). It relates more to identity information than identity documents, perhaps. Do you have any comments?

Ms. Stoddart: Perhaps both, yes. I honestly cannot help you much more than what we have given. I think you need to speak to the legislative drafters and specialists of the Department of Justice on this.

Senator Wallace: This is more directed to Ms. Campbell. The issue of pretexting, is it not captured in the code in some way, shape or form now under the general fraud provisions? If someone falsely represents themselves to be someone else for the purpose of committing a criminal act, is that not fraud and already covered in the code?

Ms. Campbell: Yes, you are right. In fact, already about 40 Criminal Code offences are being used, although somewhat awkwardly, to prosecute people for identity theft.

The problem with identity theft, as you point out, is it is a broad term that can mean many different things. Mostly in Canada it means credit card fraud. It is actually a credit card offence that has happened, and there is a Criminal Code offence to deal with that, and people are prosecuted under that, but the lay term applied to that is identity theft. Serious penalties are applied.

I was doing some research in preparation for today, and often sentences are imposed of federal terms, so two years plus, depending on the amount of money involved and whether it is a criminal ring. Some of the code provisions do work for things such as credit card fraud, but they do not get at the broader range or the criminal ring aspect of it.

Senator Wallace: However, they could cover generally the type of situation that Senator Joyal has described, namely, someone calling you up and trying to extract that information from you. To me, that seems to be fraudulent.

Ms. Campbell: They do not. That is where this legislation would try to cover the gap.

The existing Criminal Code offences were largely put into place when we were talking about property, not intangible things such as a credit card or a number or personal information. They are mostly applicable when the crime has happened. Pretexting is everything before and leading up to the crime, which is where we say that we need stronger regulations and reform to the Privacy Act.

The Chair: I am asking for your best guess on this, and I suspect you will ask Ms. Campbell to respond to it, but, off the top of my head, the question that Senator Joyal was addressing with his proposal on "seeks to obtain," would a slightly narrower wording meet the objections of the Department of Justice? The section now talks about "procures to be made, possesses, transfers, sells or offers for sale." If we added to that "purchases or offers to purchase," those being specific acts that you can prove were done or not done, such as selling or offering for sale, do you think that would get us where we think maybe it would be a good idea to go?

Ms. Campbell: I think that may target trafficking, which they were trying to deal with in proposed new subsection 368(1).

If we look at many of the other Criminal Code offence provisions, there are many other sets of provisions similar to this where we have a possession offence, a use offence and a trafficking offence. It is the type of scheme that we see often for things such as cars and controlled substances. They have mirrored it, and I think they are trying to get at illicit trade in proposed new subsection 368(1).

The Chair: However, proposed new subsection 368(1), again, says "transfers, sells or offers to sell it." It does not talk about purchasing or offering to purchase it.

Ms. Campbell: Again, as the commissioner indicated, much of what we heard back in discussions with the Department of Justice — and they are right, I think — is that, with criminal law, a fine balance must be struck. If too much innocent behaviour or non-criminal behaviour is captured, then there is a risk that the law will be found unconstitutional. In fact, Professor Paciocco expressed some of those concerns in the advice he gave us. He had concerns about the predecessor Bill C-27.

The Chair: It is the fence, not the fence's customer. Senator Baker has a supplementary.

Senator Baker: Just as a matter of interest, the normal expression is "buy, sell, trade or barter."

I am interested in whether the Department of Justice put forward the argument that the included offence of attempt would be covered under the Interpretation Act. Did they suggest to you that that is one of them?

Ms. Campbell: No. In fact, that was a big discussion that we had. Their thought was that it could not be included simply because it could capture so much innocent behaviour; for example, a family member pretending to be someone else in order to set up a surprise party. That was the primary concern with this legislation; we have been calling for identity theft legislation for some time. The primary reticence has been around the fact that there is so much innocent behaviour, plain lying, that could be captured by this, that you would not want to criminalize.

Senator Nolin: The criminal innocent in clause 24(1) would deal with that. Of course, we would find out in court, but I hope that the law enforcement people would reasonably consider an excuse in a situation such as the one that you just discussed. Clause 24(1) would still apply.

Ms. Campbell: You are quite right, except that by that point the person would have been charged, fingerprinted, brought to court, et cetera.

Senator Nolin: That is why I was talking about the law enforcement officers' discretion. I would hope they would use their brains not to charge someone if the excuse seems to be innocuous and without criminal intent.

Ms. Campbell: Exactly.

Senator Nolin: Otherwise, where are we going?

Ms. Campbell: Exactly. It is still better, though, not to put criminal laws on the books that are overbroad, if you can help it.

[Translation]

Senator Rivest: I understand that generally speaking, the commission does indeed agree with the bill. It is certainly a step in the right direction. A suite of measures are required, as you pointed out.

One of the aspects that concerns me is public awareness. I find that there are many individual initiatives that are undertaken, either by government organizations or businesses. But there is not really a systematic awareness campaign to inform the public of the dangers of identity theft. People get rid of their computers and other equipment, such as cell phones, for example. Is the commission concerned by this aspect of the issue?

Ms. Stoddart: Thank you for that question: An ounce of prevention is worth a pound of cure. We are once again alerting the population to these dangers, as we have over the years. We have some materials posted on our website. We now have a website to warn young people about the dangers of the Internet and the proper use of personal information. But there are still too many Canadians who do not take this seriously and too many Canadian businesses do not take the issue of managing their clients' personal information seriously enough.

This is one reason why we would like authorities to work together. This is one of the reasons why we would like there to be a mandatory reporting system under the Personal Information Protection and Electronic Data Act (PIPEDA) for breaches of personal information or leaks of personal information to our office. In the amended Privacy Act, which governs the actions of the federal government, it states that departments and agencies should also be obliged to disclose any information leaks, because there is leaking of information within government. The public is rarely aware of this. This helps focus the attention of senior public servants on the importance of these measures.

[English]

Senator Dickson: Madam Commissioner and counsel, I refer to page 4, the last two paragraphs of your presentation.

Could you share with the committee the legal opinion that you received from Professor Paciocco?

Ms. Campbell: Yes, we can. It is on our website, and we will also provide the committee with copies.

The Chair: To shorten the time, I will ask the clerk to print it out and convey it to all senators.

Senator Dickson: In the last paragraph on page 4, where do you stand in the process to get the changes in either the regulations, the Privacy Act or PIPEDA? Where is that moving? I am asking in order to close the loop here. We are looking at the criminal side and you are making very good points here.

Ms. Stoddart: Thank you. The reform of the Privacy Act is a subject dear to my heart. It is moving very slowly. The House of Commons Standing Committee on Access to Information, Privacy and Ethics has just completed its study of the reform of the Privacy Act, particularly the 12 recommendations, the so-called quick fixes — you can bog down, so we went to the essentials. I appeared before them on Main Estimates Monday and then they went into an in camera discussion to discuss a draft report, which I guess will be tabled before the House of Commons fairly soon.

The minister has said that he is waiting to see this report before moving on reform of the Privacy Act.

As for PIPEDA, these are amendments that have been identified for several years now. Certainly, I am happy with some of the changes to PIPEDA that have been attached to the anti-spam legislation — the ones I referred to in answering Senator Baker's questions — which give me more discretion in complaint treatment and allow me particularly to cooperate fully with international organizations, whether they be in the United States or in France because there is much foreign shopping in terms of using personal information. The thinking is maybe we will go to this jurisdiction and maybe they cannot get at us. We have to be able to cooperate, and the law technically did not allow me to cooperate using people's personal information. You have to share the personal information in order for them to investigate, for example, in France, for you.

Senator Dickson: The suggestions that were made by MasterCard for amendments in whatever sections there were, are there any other sections of this bill or anything that you would like to see added to this particular bill that we are considering?

Ms. Stoddart: No, we have not identified any.

The Chair: Senator Baker has a question, but before I go to him I have one myself, arising out of the earlier discussion about these devices that can read information that you have in your wallet.

Does this bill address the possession of equipment that can be used to do that, the possession for illicit purposes of such equipment?

Ms. Stoddart: I think there is a part that deals with the equipment.

The Chair: Proposed new subsection 342.01(1) only talks about copying credit card data. Would it be helpful to have that say "equipment adapted or intended for use in the copying of credit card data or other personal information"?

That area of the Criminal Code is all about credit cards. However, in terms of perhaps broadening this bill, that might be the place to do it, if we thought it was advisable to do that.

Ms. Stoddart: Spontaneously, I would say, yes, but perhaps we could look at that a bit more. I do not see, at first blush, any technical issues to broadening the type of information that would be captured, unlike some of the other aspects of the bill that we have talked about. We can get back to you on that.

The Chair: I would appreciate that.

Senator Baker: We all read your various adjudications that are made from time to time. They are carried by Quicklaw and WestlaweCARSWELL and all the reporting agencies. I do not know if you are aware of that, but it is a regular thing.

In the judgments, you sometimes address remedy. In other words, someone's personal information has been taken by, say, a bank employee or an employee of a credit card agency who has established a fake ID. Many cases involve those sorts of things. The bank under your adjudication then makes a remedy, an offer of financial restitution, for the stolen identity that took place within the business.

In this bill, there is a remedy section as well. Do you have any comment about any conflict that could arise or anything that comes to mind since, in your authority under your adjudications, remedies are discussed? You even passed judgment on whether they appear to be adequate. I have noticed that in your judgments. Would there be a conflict with this bill in that the judge, then hearing the criminal charge laid against the employee, has the authority under the bill to also give restitution?

Ms. Stoddart: Yes. First, I have a very important correction, with great respect. I do not adjudicate; I come to conclusions that have no, strictly speaking, legal weight. I am an ombudsman of a particular type. These are conclusions, but they are conclusions that have a great persuasive force.

Therefore, when we close a case and do not take it to Federal Court it is because we have suggested there be a remedy. We have looked at the damages suffered by the person and suggested to the respondent that according to criteria of jurisprudence that this person be made whole for the damage. Usually this is what happens, which is why we take very few cases to Federal Court, a handful a year, and most of them are settled. I do not see, in terms of my role, any conflict with the application of the criminal law.

Senator Mitchell: I have really appreciated and found this interesting. You will realize the truth of what I am about to say in about 30 seconds, and that is that I have never sat on this committee before and I am just filling in for someone. When I ask this question that will be evident.

When someone encounters the difficulty of their identification being stolen, would they go directly to the police or to you or to the institution that was being misconstrued as being the institution, for example, that they are dealing with?

Given the complication of sorting this out, which you have alluded to earlier — and it is now an urban myth except it is not a myth, it is certainly widespread, about the difficulty of dealing with this — is there some sort of assistance that people can find to help them work through these problems? Is there an agency of government or governments, and if not, should there be?

Ms. Stoddart: Who they go to I think depends on the facts of the case. If you get your whole wallet deliberately stolen from a hotel room or your purse snatched violently from your shoulder, as often happens, you will probably go to the police. If someone is misusing your credit card, you will probably go to the credit card company. If you have a problem and you think that an organization is systematically misusing your personal information and this is causing you problems, you may lay a complaint with my office, so it depends.

Certainly the police have said to us that they cannot deal with the number of complaints of identity theft, and we do not have the tools. They are very pleased that they will have better tools now.

What organizations deal with this? The biggest and best known one is PhoneBusters, but they seem to be the OPP, the RCMP and the Competition Bureau, so I do not even know how you say "PhoneBusters" in French. I do not know how it functions elsewhere across Canada. Again, this is why we need group action so that we have maybe one federal government website with links to all the provinces, because much of this is provincial prosecutorial authority, where people, if they have these problems, could go and be directed rapidly to the right organization that could help them.

Senator Mitchell: Are you aware of any initiative in that regard now?

Ms. Stoddart: No, I am not.

Senator Mitchell: Are you recommending this?

Ms. Stoddart: We recommend this, yes.

The Chair: An American agency called the Internet Crime Complaint Centre is a partnership between the Federal Bureau of Investigation, the National White Collar Crime Center and the Bureau of Justice Assistance, apparently, which is, I gather, a sort of a one-stop shop for the victims of cybercrime at least to start, to lay a complaint and get shunted in the right direction and so on. Is that a model we should look at in Canada?

Ms. Stoddart: Absolutely. All identity theft is not cybercrime, but yes. If, as a society, we really want to beat this, I believe we have to make a concerted effort, cooperate with each other at all levels and make it easier for the public to push back, and, therefore, make it more difficult for these rings to operate because now it is very easy.

The Chair: Thank you very much. As usual, it is most interesting and most helpful. Thank you both very much indeed.

Our next witnesses are from the Interac Association, Caroline Hubberstey, Director, Public and Government Affairs; and from the Consumer Measures Committee, Michael Jenkin, Federal Co-chair. I suspect you will help us a great deal in some of the things we have been discussing with the Privacy Commissioner.

Welcome. Thank you both very much for appearing. Mr. Jenkin, the floor is yours.

Michael Jenkin, Federal Co-chair, Consumer Measures Committee: I have some brief remarks. We have passed around a collection of documents including my remarks in both languages and examples of the public materials we have produced on identity theft over the course of our work in the last few years.

Honourable senators, thank you for providing the opportunity for the Consumer Measures Committee to discuss the issue of identity theft with you. The Consumer Measures Committee, CMC, is a forum of federal, provincial and territorial officials responsible for consumer affairs. As the Director General of the Office of Consumer Affairs in Industry Canada, I am the federal co-chair. There is a provincial co-chair from Manitoba as well. That person is a lead official in their government on consumer protection.

The CMC is a body created under the Agreement on Internal Trade introduced in 1995. We deal with Chapter 8 under the agreement, which is to effectively harmonize federal and provincial consumer protection legislation and regulation. That is primarily why we are in business.

We have been working on a large number of issues over the years since that time. It is one of the more active committees under the Agreement on Internal Trade. We have been working on the issue of identity theft in one form or another since 2003.

Our work has two sides. First is public information. We have produced common public information documents that all governments can use to deliver common messages to consumers about the issue of identity theft. We have produced various documents — a few of them are in your package — that provide information to consumers on the character of identity theft and what they can do about it. The other half of our work is dealing with policy issues as they impact on governments involved in consumer protection that are members of the committee.

One thing about the committee itself in that regard is that member governments on the committee come from somewhat different administrative perspectives. Some of them that deal with consumer protection work under the aegis of a ministry of government services, in some cases the ministry of justice, in one case the Department of Finance and so forth. You are dealing with a federal-provincial group that all deal in some way or another with consumer issues. However, they all have slightly different authorities, powers and perspectives because of their administrative experience dealing with the issues.

Nonetheless, we have developed a lot of common work in this area. In terms of consumer information, we have developed an identity theft kit for consumers that can be found on the CMC website at www.cmcweb.ca. We also make all of the information we have available through the joint federal-provincial and NGO website called www.consumerinformation.ca. It brings together a wide range of consumer information for citizens across the country.

The ID theft kit includes information to help consumers reduce the risk of identity theft, assess whether they have become a victim and advise them on what to do if they suspect they are a victim. We also have a one-page checklist that we have produced to summarize the key information involved in those three areas as a companion piece to the kit. That has proven to be very popular. We have given out thousands of copies for public information purposes to organizations such as law enforcement agencies, consumer protection groups, NGOs, et cetera that are interested in providing information to their clients about identity theft.

In addition, we have also developed some specialized information products, which are also in your kit. These are for youth and for low literacy communities. The idea is to standardize the messaging and to increase our ability to distribute information in an effective way as governments working together. These information pieces are available online in the places mentioned earlier.

To support policy research and analysis with respect to ID theft, we carried out a public consultation in 2005. That carried over into 2006 with stakeholder follow-up discussions. We posed 10 questions on possible measures to improve consumer protection in this area. Much of that consultation considered issues beyond the scope of what you are looking at here. However, they raised matters related to businesses, financial institutions, consumer reporting agencies and others. We also discussed how those groups handle or should handle consumers' personal information in a way that would reduce the risk of identity theft and how to help consumers when they become victims.

I will refrain from going into the details of that consultation because they are not all germane to the topic at hand. However, during the course of those consultations, we received a number of comments and views that supported improving criminal measures applicable to identity theft. We passed this information some time ago to the Department of Justice for their work on identity theft. We do not claim any credit for bringing the current legislation forward, but I think they found that information useful.

Identity theft is obviously an issue that cuts across many borders, groups, agencies and so forth that are acting in both the public and private interest.

That is my short introductory presentation, and I would be pleased to answer any questions you have.

The Chair: Thank you. Before we hit you with questions, we will ask Ms. Hubberstey to give her presentation.

Caroline Hubberstey, Director, Public and Government Affairs, Interac Association: Thank you for inviting us here today to offer our insight into the proposed revisions to the Criminal Code included in Bill S-4. The Interac Association is pleased that the government is making amendments to the Criminal Code to tighten the framework for combating identity theft.

Interac is Canada's leading payment brand connecting Canadians to their money at any time from almost anywhere in Canada. At ABMs, at the store and online, Interac has become a part of everyday life and has been making Canadians' lives simpler for nearly 25 years. Last year, Interac Association members processed more than 4 billion transactions positioning Canadians among the world's most active debit card users. Furthermore, our research shows that Interac is Canadians' preferred method of payment ranking well ahead of both cash and credit cards.

While Canadians enjoy the benefits of one of the safest and most efficient payment systems in the world, fraud is unfortunately a reality. As one of Canada's leading payment networks, you can appreciate why fraud is a concern to us, to our members and to our business. Almost non-existent just a few years ago, the problem of debit card fraud, also known as skimming, has grown. Skimming involves the theft of a cardholder's magnetic stripe data and their personal identification number, PIN, subsequently used to create counterfeit debit card frauds and to conduct fraudulent transactions.

In 2003 — that was the first year the Interac Association collected information on debit card fraud — $44 million was reimbursed to 27,000 victims of debit card fraud. This reached over $106 million in 2007. However, last year saw a stem in the growth. We actually saw a decrease. The volume decreased to $104 million. This is largely attributed to the collaborative work being carried out by the Interac Association, financial institutions, law enforcement and many other industry partners.

Although we have seen a decrease, debit card fraud continues to be a problem and one we are fighting vigilantly. While victims of fraud are protected by the Canadian Code of Practice for Consumer Debit Card Services and are reimbursed for their financial losses, this is not a victimless crime. Put yourself in their shoes. A criminal has invaded your bank account and your personal savings. Think about the emotional strain that cardholder faces, the embarrassment and the impact of a lack of funds while the investigation is underway.

Moreover, think about where the proceeds of debit card fraud are going. Our law enforcement partners tell us that the proceeds are often used to fund more serious crimes.

The Interac Association and our members are greatly concerned about debit card fraud. We are working every day to tackle this problem. Together with our members, we lead a multilayer strategy to combat the problem and to protect Canadians. Our members use sophisticated monitoring systems and detection mechanisms that often prevent incidents. We educate and equip law enforcement with the tools and expertise needed to identify, investigate and catch criminals. We also teach consumers and merchants about prevention techniques they can use.

We are also taking a large technological step forward as an industry. Interac is leading the rollout of the chip on debit cards in Canada. The migration to chip cards over the next few years will make card skimming and counterfeiting extremely difficult. While the transition to chip requires a significant investment by our organization and all of the parties involved, it is an investment that will provide long-term security for electronic payments in this country.

Although the best efforts are being made across the industry to fight fraud, assistance is needed at the legislative level. We can make it hard for fraudsters to operate in this country. We can work with our law enforcement partners to catch fraudsters and to investigate incidents, but without clear and effective legislation fraudsters will not be convicted.

We have been an active supporter throughout the development of this legislation, and we are very pleased that Bill S-4 is before Parliament. We are very eager to see the Criminal Code modernized to ensure that electronic crimes, such as debit card fraud and identity theft, are effectively built into the legislative framework.

While payment cards have long been addressed in the code, Bill S-4 will modernize these provisions to explicitly incorporate cardholder PINs and equipment that fraudsters use to capture PIN data. The bill will also broaden the code to address existing and emerging forms of electronic commerce.

As we move forward, the Internet will play an increasing role in the new forms of payments, so these new provisions are of paramount importance. Making identity theft a crime and defining identity information to include such items as electronic signatures, digital signatures, user names and passwords brings the legislation up to date. Furthermore, we are pleased that the bill will tackle fraudsters throughout their various layers of activities.

Let me explain: Today's criminals are sophisticated and organized. The criminal conducting the fraudulent transaction is not the only delinquent in this crime. The crime involves those who build and sell the devices or software used to capture the personal data, those who use the devices to steal customers' identities and the middle men who buy and sell this information. Bringing the possession and trafficking of information into the Criminal Code is a necessary step.

While we are very supportive of this bill, we would be remiss if we did not take this opportunity to raise a strong and closely related concern. Police forces across this country are protecting Canadians by partnering with the payment industry and working hard to apprehend suspects. Unfortunately, criminals convicted of debit card fraud offences under existing laws typically receive sentences that range from time served to a few months in jail, which is usually a cost that the perpetrators are willing to absorb as their legal activities are far more lucrative.

With this in mind, we believe the bill would be stronger if it included provisions for minimum sentencing for these crimes. This would help to ensure that the consequences for committing these crimes provide a substantial deterrent to would-be criminals and would get convicted fraudsters off the street.

I will conclude by saying that the Interac Association is pleased to see the assistance at the legislative level, and we are confident that this new legislation will provide a sound framework to protect Canadians; we encourage speedy passage.

The Chair: Thank you both very much indeed.

Senator Wallace: Thank you for those presentations; they were excellent.

One point your presentations bring home, Mr. Jenkin in particular, is to help consumers, how to help them when they become victims, which obviously is critically important. I am reminded that the bill is directed toward minimizing the numbers of people who do become victims. It is to catch it in that preparatory stage before the actual fraud is committed. That is obviously something we are all working toward.

Ms. Hubberstey, you suggested in your presentation that perhaps the bill would be stronger if the phrase "minimum sentencing" was included. I am wondering if you have anything more specific that you would recommend. Do you have in mind particular provisions with particular minimums?

Ms. Hubberstey: As the bill indicates, it showcases maximum sentencing for certain offences. We are interested in the ability to add a minimum sentence. As I indicated in my opening comments, we are hearing and do see that when some criminals are caught committing debit card fraud — and I know of a number of big busts in the Toronto, Montreal and the Windsor corridor — if you catch them in November, by summer they are out and you are catching them in Vancouver. These are the types of situations we are addressing with it. Appropriate minimum sentences could be looked at, given other minimum sentences existing in other provisions.

Senator Wallace: It is obvious, from the comments both of you have made, that there indeed is a sense of urgency for this issue to be dealt with.

As the previous presentation made loud and clear, it does require a multi-faceted approach. There is the regulatory side and public education, but there is the Criminal Code element of it. I would say that the bill does not cover all of what may be required, but it is dealing with the Criminal Code element of it.

Would you agree that there is a sense of urgency, that we as parliamentarians move forward without delay to deal with the Criminal Code aspect of this problem?

Ms. Hubberstey: Without question. This is important. If you look at any criminal activity, the criminals are on one side and the rest of us are on the other. By "the rest of us," I mean industry, consumers, merchants and government. We all have a role to play. By taking this step, the government is playing a role, modernizing the code as is required.

As well, it is taking a step to look at these crimes and asking, in the continuum of criminal activity, where we want to put law. Do we want to wait for victims to be victimized or can measures be taken to stop having victims impacted? This bill was effective in moving that up and dealing with issues before we have significant victimization.

Senator Milne: I was very interested in your presentation, Ms. Hubberstey, because you say that you are leading in the role of chip technology in Canada. In several stores and hotels that I have been in recently, I no longer have to sign a Visa bill; I have to put in my PIN number. The methodology to read this chip technology is already out there.

We have heard also that U.S. Customs can read your chip as you drive up to the border crossing to return to Canada, and they get your PIN number as well. Since this technology is already out there, how long will it be before the criminal element gets a hold of it?

Ms. Hubberstey: I will start with our involvement in the rollout of chip technology on debit. This was a decision made in 2005 by Interac when we started looking at the fraud loss numbers, and were we going to make this investment on the debit side. That is when the decision was made.

In 2007 we worked with industry partners, such as credit card companies, on a chip trial in the Kitchener-Waterloo area to see what the acceptance would be from the merchant and consumer perspective. The technology behind the EMV chip — taken from the initial letters of Europay, MasterCard and Visa — is a global standard used by many countries around the world.

To your point, yes, we are seeing the rollout. You are starting to see terminals in merchant locations. Credit cards and debit cards are being issued with the chip. That started happening in the fall of last year, and Interac is leading the debit side of that equation.

The EMV standard and the chip card technology is the best form of security known today. That is a global standard. We are looking at trying to get global interoperability, so when we are using our cards in other parts of the world, that technology is there as well. It is the latest and greatest. It has not been broken. This is the best way to ensure that the safe system we have now — and we do have one of the safest debit card systems in the world — can be made even more secure. That is why we are moving to the technology. It is also the best standard we have available today.

Senator Milne: You have not answered my question. What is preventing criminals from either stealing the technology or the machines themselves that can read your chip?

Ms. Hubberstey: Criminals have been able to obtain devices, and that is why we encourage merchants to lock them down. That being said, duplicating the chip itself is extremely difficult. It is the same as having a mini computer right there in the card.

Senator Milne: As far as stealing your identity and being able to use it in other ways, a large amount of information is on that chip, and it depends on which bank issues it.

Ms. Hubberstey: The only information available on the chip on debit cards is the same information on a magnetic stripe, and that is the information that will allow for a transaction to happen. It does not contain your PIN. Only you know your PIN. If a fraudster obtains your chip card — your chip debit card or credit card — they would need the PIN as well. They cannot duplicate that chip information; that is why it is incredibly secure, unlike a magnetic stripe today where you have a skimmer. The skimmer will obtain the magnetic stripe information, and that information allows a payment to proceed. They use another device another way to capture the PIN. In combination, they then can create the duplicate card and create a fraudulent transaction.

With chip technology, the ability to duplicate that chip has not been accomplished yet. They might be able to get the PIN in a certain way, but they are not able to create the chip information to create a duplicate card to create a transaction. The benefit of the chip technology is the inability for it to be duplicated.

Senator Milne: That is interesting. I read an article that said that as you drive up to the border returning to Canada from the United States, the border guards know before you even drive into the booth just about everything about you including your birth date, PIN number and what date you went into the U.S. Is that article inaccurate?

Ms. Hubberstey: I am not familiar with the article and how it would read a chip on a debit card or a credit card.

The Chair: I think the distinction, and rightly so because that is what you do, is you are speaking of debit and credit cards; but the readers that will be used are being produced for broader purposes than that. The Privacy Commissioner did not seem to be concerned about that particular evolution of technology.

Ms. Hubberstey: That is why I am saying that the information on a chip on a debit card is no different than what is on the magnetic stripe today, which is the information to be able to process a payment.

Senator Milne: Except that it is minus the PIN.

Ms. Hubberstey: Right. Only you know your PIN, and that is the authenticating device.

Senator Milne: I am just looking at the material that you handed out, Mr. Jenkin. In this identity theft kit you handed out, "Watch Out!", you advise people to get a copy of their credit report once a year. You can do it by phoning Equifax at a 1-800 number. If I phone Equifax at their 1-800 number and claim to be my dear friend here, what will prevent Equifax from giving me the information?

Mr. Jenkin: They require you to provide additional information to verify you are who you say you are.

Senator Milne: That is still verbally over the phone. It could have been obtained from any source.

Mr. Jenkin: To be honest with you, I am not familiar with all the questions they ask individually, each agency, but they are responsible to ensure that they do not issue a credit report without adequately checking and verifying the identity of the individual concerned.

Ms. Hubberstey: I am not familiar with Equifax procedures.

Senator Joyal: Welcome. I would like to come back to your presentation, Ms. Hubberstey, especially when you mentioned that the victims of fraud are reimbursed for their financial losses.

Ms. Hubberstey: Correct.

Senator Joyal: Do you have a copy of the bill?

Ms. Hubberstey: I am familiar with the bill.

Senator Joyal: It contains a new provision, proposed new subsection 738(1)(d), that reads as follows:

(d) in the case of an offence under section 402.2 or 403, by paying to a person who, as a result of the offence, incurs expenses to re-establish their identity, including expenses to replace their identity documents and to correct their credit history and credit rating, an amount that is not more than the amount of those expenses . . . .

Are those expenses presently covered by the reimbursement for the financial losses that you mentioned in your statement?

Ms. Hubberstey: I think the bill covers a broader issue because identity theft can have significant financial impact. I do not know if anyone here has been involved in it, but I know, victims of identity theft broadly, if they get a hold of your driver's licence, social insurance number, it can have a significant impact. A significant amount of time is involved in putting your name back into your possession.

With respect to debit card fraud, these reimbursements happen under the Canadian Code of Practice for Consumer Debit Card Services within a 10-day period, maximum. It is often the case that consumers are reimbursed even before they know a fraudulent transaction has occurred. It is actually the financial institution calling you to say that they have noticed some activity; they have noticed something and have actually reimbursed you. Therefore, with a debit card fraud, you would not have those longer-term financial expenses.

Senator Joyal: Will that provision change some of your responsibility in relation to consumers and pass it on to the author of the fraud?

Ms. Hubberstey: Financial institutions do the reimbursement, so the card owners' financial institution would reimburse them for the funds. I do not know how this would impact that particular situation given the fact that these reimbursements happen extremely quickly. Part of the Canadian Code of Practice for Consumer Debit Card Services mandate is if you are a victim of fraud, you are reimbursed within a 10-day period.

Senator Joyal: I am trying to legally follow up on it. Let us take the example of an insurance company that covers your risk. If the risk happens, the insurance company gives you the indemnity, but you have to transfer your right to recover from the author of the damage to the insurance company that then decides to go after the author of the negligence or the damages that have been inflicted upon you.

I am trying to understand legally how this section impacts on those who would be reimbursed by their financial institution, banks, MasterCard or whatever else, and the responsibility that is now put on the author of the crime to pay back the cost to the victims.

Ms. Hubberstey: As I said with debit card fraud, I do not see the provision being there. We can take a look at that provision and see how it may impact more broadly and provide the committee with a response.

Senator Joyal: I think that is an important issue. This is a new law and an expansion of the Criminal Code principle, which is to cover the damages. I think it is important for us. The main objective of identity theft is money, related to a point. It would definitely impact the institutions, be they banks, other financial institutions or other institutions, that would now have a way to pressure to get the compensation from the author of the crime rather than just disbursing the money themselves.

Ms. Hubberstey: We can undertake to look at that. I believe the Canadian Bankers Association is coming before the committee as well. It might be a question you would like to pose to them.

Senator Joyal: Yesterday, we had a representative from Visa and MasterCard. I do not know if you were aware that they were here.

Ms. Hubberstey: I did not hear their testimony.

Senator Joyal: My question might be moot. They propose to amend some sections of the bill to ensure that the bill would encompass more capacity to cover the new emerging technology. Sooner or later, we will have the capacity to pay with a telephone instead of having a debit card that your system manages. You will probably have to adapt to that also.

They suggested to us that we amend the bill to ensure that the bill be labelled more broadly in some of its sections. That does not change the objective of the bill; it widens it and makes it more efficient for years to come. Are you aware of the suggestion they made to us in that regard?

Ms. Hubberstey: I wish to add an important point to that. The bill modernizes the Criminal Code to a place where we are today in terms of technology. We have seen in the past that the Criminal Code has not been modernized efficiently and as needed to deal with emerging technologies. We do not necessarily know where technology will go and how that will be adapted to various services.

It is important that the Criminal Code be revisited on a regular basis. For example, I think it still contains the provision in section 371 where you cannot send a telegram in a false name. The last telegram in Canada was sent on January 27, 2006. There is nothing in there on email, and email has been around for not that long but long enough. The Criminal Code had not dealt with that.

This bill does modernize it, but where technology goes next is an important point; it cannot remain static or rest until another issue emerges, and then it takes time to deal with it and put in a new provision.

It will have to deal with new and emerging technologies. Whether it does so now or in the very near future, it will.

Senator Joyal: If I can quote from the Visa brief from yesterday, they suggested an amendment to proposed subsection 342(3). I am quoting from their brief, which states:

In clause 4, proposed subsection 342(3) uses the phrase "including a personal identification number." This language is too limiting and should be replaced with "including identity information." We believe it is important that the legislation capture not only current technologies, but also be broad enough in scope to capture future technologies.

Many of us around this table have been here for a while, and we know how difficult it is to amend the Criminal Code. This is the second try for this legislation. It was previously incarnated under Bill C-27. We want this bill to be adopted quickly, but amending the Criminal Code is a long process. We are more concerned about ensuring that what we are doing will cover, to a point, future technologies than just saying that in two years' time we will revisit this bill because the telephone payment system will be the most popular system, and it will not be covered enough by the bill. Essentially, that is our preoccupation at this stage.

Ms. Hubberstey: You have moved a lot in proposed new section 402.1 to address things such as digital signatures and passwords, so that has been the case. To modernize it further, to look at emerging technologies and emerging methods of payment would be things that the committee may wish to consider.

Senator Joyal: You have no specific suggestion to make in relation to this bill as far as the Interac Association is concerned?

Ms. Hubberstey: That is correct.

Senator Joyal: What new technologies are you considering at the Interac Association at this point in time, if you are not revealing industry secrets?

Ms. Hubberstey: We are always looking at where the marketplace is going and where you, as a payment provider, can participate as well. There are other areas that we would like to pursue.

Not wanting to get into telling my competitors at Visa and MasterCard where we would like to go, I will refrain from saying too much.

Senator Joyal: Both of them appeared jointly yesterday, and they seemed to agree on the overall objective of covering emerging technologies.

Ms. Hubberstey: We do as well.

Senator Joyal: You do not have any opposition in principle to the suggestions they made?

Ms. Hubberstey: No.

Senator Joyal: We will ensure that you get a copy of the briefs from Visa and MasterCard yesterday, and if you have any objections as to what has been proposed by them, perhaps you can inform the committee accordingly. That would help us conclude on the proposal that Visa and MasterCard have put forward to us.

Ms. Hubberstey: We will look at their specific proposals and provide the committee with a response.

The Chair: We would be happy to receive that response sooner rather than later. That would be greatly appreciated.

Ms. Hubberstey: Yes, of course.

Senator Milne: One thing Visa and MasterCard suggested yesterday was changing the words "credit card data" to "payment card data." Would you agree with that one?

Ms. Hubberstey: "Debit card" currently fits under the "credit card" definition.

Senator Milne: I am talking about "payment card" data.

Ms. Hubberstey: "Payment card" would cover both, yes.

Senator Joyal: That was one of the suggestions they made. We ask you to look into the other ones as well.

Ms. Hubberstey: I am more than happy to look into them and provide the committee with our recommendations in short order.

The Chair: Thank you very much indeed.

Senator Dickson: My question relates to your brief, Ms. Hubberstey, in relation to sentencing. You were saying that there should be certain minimum sentences imposed.

The members of the committee would be interested in hearing your view as to which sections should have minimum sentences. I am a firm believer that credit card fraud, et cetera, is so prevalent that there should be minimum sentences imposed. With all the technical information we have received over the last few days, I am sure that many judges would not even be aware of how technology is moving so quickly, what the quantum of the losses are and the frustration that is encountered by those people who suffer from credit card fraud or identity theft.

You might not want to answer this now, but you might wish to give some consideration to providing us some suggestions in writing as to minimum sentences, which would definitely be a strong deterrent.

Ms. Hubberstey: Wherever there is a sentencing provision for a maximum, there should be a corresponding minimum. We could look at it from our perspective, but it might be something that should be looked at in terms of other like crimes where minimums are imposed and what would be an appropriate minimum.

Senator Dickson: I am sure that Senator Wallace will follow up on that.

Senator Milne: We do not all agree with minimum sentences.

Senator Mitchell: There is a great deal of controversy about minimum sentences, and it is not immediately obvious that they get everyone that we think they should nor that they actually work.

Earlier, you mentioned an example of a case of someone who was caught in the Windsor corridor in December and then caught again in Vancouver. Was that a lyrical example, or do you actually have specific cases?

Ms. Hubberstey: That was a specific example.

Senator Mitchell: Do you have a number of those?

Ms. Hubberstey: We can work with our law enforcement partners, obtain examples and provide them to the committee.

Senator Mitchell: Yes, it would be interesting to see how they got out and why that happened.

Ms. Hubberstey: Sure.

Senator Joyal: Mr. Jenkin, since you protect the consumer generally, you would certainly have an interest in knowing that the criminals are in prison. Have you ever considered in your group the issue of the length of a sentence and the way the court generally treats offenders?

Mr. Jenkin: No, we did not. As I mentioned in my remarks, the only point that we found in the course of our consultations was that there seemed to be considerable support for broadening criminal definitions and getting back at — as the bill does — these instances where people are in possession of information for trafficking in identity theft. The concern was that the criminal provisions needed to be more preventive in character in that regard.

I do not think we received any submissions with respect to increasing the penalties or in terms of lengthening the sentences or minimum sentences or anything similar to that.

Senator Joyal: I think you were in the room this morning when we raised with the Privacy Commissioner the overall criminal activity that exists in seeking to obtain information or luring people to provide information in the context of any legitimate informing initiative. I provided an example of someone who phoned citizens and introduced themselves as a company doing an investigation on bio-food. At some point in the questionnaire, they ask for personal data from people, at which point they will either sell it or try to use it for a wrongful purpose.

In your discussion with the various groups that are part of your association, has that aspect of fraudulent activity been raised with you as one of the activities that should be repressed or condemned and recognized as a criminal activity?

Mr. Jenkin: In the course of the consultations we conducted, but also in general in our understanding of consumer protection issues in the area of identity theft, the degree of inventiveness is amazing in terms of the type of fraudulent activities that go on here. The Internet, and electronic means of communication more generally, has opened up a whole new territory to portray yourself as an authoritative person and get information.

I would not say that, in itself, fraud was the only primary issue of concern. It is more that the character of the technology today and the inventive capacity of criminal fraudsters seem to make it very difficult to keep up to date with the latest frauds. Every week there appears to be a new trick.

One of the big challenges we face in consumer protection is to keep up and tell people about the various types of potential risks that they may face in these areas. The trick of the message is to try to capture these things as generically as possible so people can realize if something looks suspicious. Our constant challenge is to ensure that people understand that what seems to be something legitimate may not be and to ask the right questions.

Fraud was raised, but I do not think it was a real focus in and of itself. More generally, the concern was that the technology is opening up broad new avenues for people to do fraudulent things and obtain information fraudulently from individuals.

The Chair: This question is beyond the purview of this bill, but it is one that has come up several times in our work. The Privacy Commissioner raised it this morning, but other witnesses before her have also raised the question of the desirability of a central coordinating body.

I asked one of these witnesses whether your body could do the job, Mr. Jenkin. They abounded in praise for your body, but said, "No." Even you and your wonderful committee could not do what they were talking about.

I am looking at Ms. Stoddart's proposal. She said:

We now need police regulators, public and private sector, federal and provincial officials to sit at the same table to focus all this expertise —

— which she had previously praised —

— for Canadians' benefit.

Do you think that is a desirable development?

Mr. Jenkin: We have not had formal discussions, as the Consumer Measures Committee, about a particular proposal in this regard. However, we have done work ourselves, and we have managed to construct a consensus among a number of jurisdictions who come from slightly different perspectives although they are all concerned with consumer legislation, and action has been taken in common on this, particularly on the public information side.

I certainly think there would be willingness from the groups that I am working with to participate in an exercise such as this. I think the point that Ms. Stoddart made in her comments was that this is a very complex phenomenon that needs participation from quite a wide variety of players — those concerned with public information and consumer protection, through to those concerned with enforcement and so on.

The point that she made is an important one. You need to look at a collaborative body that draws in quite a spectrum of people. I am certain that the group I work with would seriously consider helping out in that regard, given our track record.

Ms. Hubberstey: Without question, we have learned that working cooperatively, sharing information, sharing our best practices has been an effective way to combat the debit card fraud that we are experiencing. It is a collaborative effort and, with more people at the table, it certainly helps the effort.

Senator Dickson: My question is related, but not directly. It involves your website. Do you have the most proficient website? I imagine there are certain key words that you use to go to a particular site. How does yours rank? Are you in the middle or at the top? If I go to the Web and type in "identity fraud," do you pop up first?

Mr. Jenkin: It is difficult to predict that, to be honest.

Senator Dickson: I understand that systems can be put in place to do that.

Mr. Jenkin: Yes. On www.consumerinformation.ca, which has most of the information that the CMC site does, we tried to optimize it so that happens. We do not have good data on how frequently it would pop up at the top of the list. That is often difficult to predict, but we do take measures to try to ensure that happens.

Senator Dickson: Let us assume that this bill will go through, which it will. Do you have any strategy in mind to use your website to inform the public of the new criminal process that is in place?

Mr. Jenkin: We will certainly update the information that we have there, and ask our partners to do so, too, to reflect this information.

The Chair: Thank you both very much indeed. It was very helpful and instructive. We are grateful to you for the time and trouble you have taken to help us on our way.

Colleagues, that concludes this meeting. Our next meeting will be on Wednesday next in this room at 4 p.m. or when the Senate rises. At that time, we shall be hearing from the Criminal Lawyers' Association, the Canadian Bar Association and the Canadian Bankers Association. That will be another informative session.

(The committee adjourned.)

