EVIDENCE

[Recorded by Electronic Apparatus]

.1115

Tuesday, December 9, 1996

[English]

The Chair: The Standing Committee on Human Rights and the Status of Persons with Disabilities shall be convened. Welcome to our witnesses, who I shall call upon in a moment to introduce themselves individually.

This is the third in a series of meetings on the whole question of privacy rights as human rights, the extent to which those rights are being impinged upon by the new technologies, and how broad the perception and the reality are between our right to privacy as individuals and the right of the state to know more about it than we would care perhaps for it to know.

I think it's important for us to recognize that privacy is such an enormous and wide-ranging field that we decided to examine and perhaps look at the siege areas in a very defined way. We're looking at three basic types of intrusive activities, which include the whole question of physical surveillance, the question of biological surveillance, and the personal identification practices, which we will be examining today.

We looked at the first two issues last week with very well-informed experts in the field. We're really taking a closer look at the different types of technology that impinge on those particular areas of video surveillance and genetic testing.

The issue we're going to talk about today is the third type of invasive activity, and that is personal identification. Some of us know that as smart cards or swipe cards or ID cards, but I think we'll learn much more about it as we listen to each and every one of you.

.1120

[Translation]

I am sure that we have much to learn from our witnesses. I would now like the members of the committee to introduce themselves.

Mr. Bernier (Mégantic - Compton - Stanstead): Maurice Bernier. I am Vice-Chairman of the committee, member of the Official Opposition and member for Mégantic - Compton - Stanstead, in the Eastern Townships.

[English]

Mr. Allmand (Notre-Dame-de-Grâce): I'm Warren Allmand from Montreal.

Mr. Regan (Halifax West): I'm Geoff Regan from Halifax West.

[Translation]

The Chair: And the Reform Party members?

[English]

Mrs. Hayes (Port Moody - Coquitlam): Thank you, Madam Chair. I'm Sharon Hayes, Reform Party, Port Moody - Coquitlam, British Columbia.

[Translation]

The Chair: Yes, Mr. Allmand.

[English]

Mr. Allmand: Madam Chairman, this will be a very short intervention. Following our meeting with Margaret Somerville last Thursday, I had the opportunity to meet her at McGill on Friday. She gave me an article she had not seen when she appeared before us and wanted me to bring it to the attention of the committee. It's an article from The Lancet, the very renowned medical journal in the United States. The article is from November 2, 1996, and the title is "Gene Warfare Unless We Keep Our Guard Up". The purport of the article is that they are now developing genetic agents they can put in biological weapons that will kill only certain races or religions, and so on, as a group.

The Chair: What?

Mr. Allmand: This is not a crackpot magazine; as Margaret Somerville said, this is one of the most renowned medical journals. In other words, according to this article they are developing weapons with genetic information that, if put in water supplies, would not kill everybody but would just kill people with certain genetic traits.

I'd like the clerk to take this, photocopy it and distribute it to all members. This is what Ms Somerville had asked.

The Chair: Thank you.

Mr. Allmand: Yes. They say it hasn't been developed yet, but there's a high possibility of developing it.

The Chair: I think that would fall under chemical and biological warfare concerns or whether Orwellian theories have now reached reality.

Mr. Allmand: She's afraid of the use of genetic testing - the information. We've talked about the American armed forces now DNA-testing everybody and other types of genetic testing being used for purposes other than what they were meant to be used for. I'll leave it at that. I would like to have it distributed.

The Chair: We'd like some informed consent around those issues. They're really quite scary. In fact, ladies and gentlemen who are here as our witnesses, I can tell you this committee has been very perturbed by the information we've received.

I guess we all came from the cops and robbers and Dick Tracy era of thinking, and it really hasn't evolved much beyond that. When we find out you can see who we are and your video camera, through video surveillance, can penetrate brick walls -

In fact, Sharon, you might be interested to know that your deputy leader was sitting there watching the people walk by. The witnesses were also looking at these people. The concern was, could they hear and could they see? There is a control that came out of a study the Honourable Warren Allmand did, that you can video as long as there's no sound. That question went around the table and the issue was that they could be almost 300 metres or more away from here. They have video cameras that can find out how many of you are in the room, where you're sitting, and also hear what you had to say, some of which would be quite illegal. She was horrified. Your caucus meets in here and our finance committee meets in here.

So we thought that was kind of scary, ladies and gentlemen as our witnesses. That was one of the things that was brought to our attention, among many. There's the whole question of being able to digitize the face of someone and then search a crowd so you could do things without even having a search warrant. There's a whole bunch of stuff that really didn't please us.

Now, you're going to tell us about how you can invade our personal privacy and how you can know how I'm made up. Then you can put it on a little card. At least I think that's something you're going to tell us.

Perhaps we can start with Rita Reynolds from the Municipality of Metro Toronto, who I believe is in charge of the corporate access and privacy office. Would you please just describe who you are and what you do? We're going to go through the four witnesses, and then we'll have your testimony please.

.1125

Ms Rita Reynolds (Manager, Corporate Access and Privacy Office, the Municipality of Metropolitan Toronto): Good morning. My name is Rita Reynolds and since 1990 I've had corporate responsibility for access and privacy legislation in the Municipality of Metropolitan Toronto.

The metro government is the sixth-largest government in Canada and we serve a population of about 2.2 million people and provide a range of services from water, sewer and transportation to social assistance benefits and child care.

The Chair: Thank you very much. Stuart MacPherson please.

Mr. Stuart MacPherson (Manager, Program Development Division, Travellers Directorate, Customs Border Services Branch, Revenue Canada): I am a manager with the program development division in the travellers directorate of Revenue Canada Customs and Border Services.

The Chair: Boy, you came at the right moment. We've been talking about you - go ahead.

Mr. MacPherson: In that regard I have some responsibility for the implementation and the administration of the CANPASS program, specifically the CANPASS airport program, which I'll be speaking about later today.

The Chair: Thank you very much.

[Translation]

Micheline McNicoll.

Ms Micheline McNicoll (Lawyer and representative of the Bureau du protecteur du citoyen du Québec): Good morning.

The Chair: Welcome.

Ms McNicoll: I represent the Bureau du protecteur du citoyen du Québec, the Quebec ombudsman's office.

Our role is to hear complaints about public administration and requests to intervene on behalf of citizens. The ombudsman is not the main organization concerned with the protection of privacy in Quebec, but we do have privacy concerns because of the Charter of Human Rights and Freedoms.

The Chair: Thank you.

[English]

George Tomko.

Mr. George Tomko (President, Mytec Technologies Inc.): I am one of the co-founders of Mytec Technologies in Toronto and I'm currently chairman and chief scientific officer. Our company develops biometrics to protect the privacy of individuals. I will be speaking about biometrics and the implications on privacy.

The Chair: Good. Are you going to tell us how you're going to put up walls so everybody should know who we are?

Mr. Tomko: How not to put up walls.

The Chair: How not to put up walls - oh, marvellous.

Unfortunately, Steven Baker from the Advanced Card Technology Association, l'Association canadienne de la technologie des cartes, is not able to be with us, as there has been a death in the family.

I wonder if we could start, Madam Reynolds, with you. The procedure will be each of you will have five to ten minutes maximum. Then we will be happy to ask you questions. Please go ahead.

[Translation]

Mr. Bernier: Are we going to hear all the witnesses?

The Chair: How would you like to proceed? The way we did last time?

Mr. Bernier: That is what we did last time. I think that we could interact more if we have heard everyone.

The Chair: I thought I would ask them to each do a presentation and then we could put questions. Do you agree?

Mr. Bernier: Yes, fine.

The Chair: Very well.

[English]

Please go ahead.

Ms Reynolds: Merci.

Madam Chair, I speak to the issues of privacy and technology from the practical perspective of protecting privacy in the delivery of a broad range of government programs and services. It is my responsibility to balance competing privacy and program interests in the use of biometric identification and electronic surveillance.

While the principle of privacy is clear, its application is context-driven and case-specific. To illustrate I will outline a program, now in the late stages of development, that will use biometric technology in the provision of welfare benefits. I will also briefly comment on electronic surveillance.

The welfare system rests on two tests - identification and need. Traditional forms of identification are all inferential. The individual holding the documentation is presumed to be the rightful owner. There is no positive link between an individual and his or her own personal information.

Stolen or forged identification documents can open public vaults to tax-free cash, and in the absence of a means of positively identifying an individual, there is a strong incentive for unscrupulous individuals or organizations to create multiple identities and receive multiple benefits.

.1130

Our goal, therefore, was to implement an identification process that ensured an individual could be enrolled only once. Biometric technology is a solution, but it is a double-edged sword, with the potential of both invading and protecting privacy. Protecting privacy is central to maintaining public trust. Therefore, I look to privacy legislation to create a framework within which the benefits of this technology can be realized without unnecessarily invading privacy.

The new identification process was to be implemented as part of a larger accounting and cash disbursement system that would use automated teller machines. The requirements for privacy, security and confidentiality were built in as part of the request for proposal for the system.

For government institutions, the collection of personal information must be limited to that necessary to deliver a mandated service. The selection of identification requirement is therefore dependent on the goal. In this case, the goal was to determine whether or not an individual was already enrolled. A sufficiently accurate biometric will allow that question to be answered in virtual anonymity. Two of the most commonly suggested means of doing this are finger patterns and digital photographs.

Finger patterns are unique, but retaining an actual copy or print is not necessary. Encryption technology allows the finger pattern to be converted to algorithmic code, and an algorithmic code is therefore all that is necessary to determine if an individual is already in the system.

As to the use of a photograph, photographs disclose sensitive information about an individual such as approximate age, gender, race, etc., and these facts are not relevant to the provision of benefits. In a welfare application, a photograph does not answer the primary identification question of whether the individual is already in the system.

Some respondents to our RFP proposed the use of a photograph and a metro logo on a disbursement card. Such a card would reveal that an individual was in receipt of welfare benefits - an unjustified invasion of privacy. Neither a photograph nor a logo is necessary to interact with a banking machine, and both were eliminated as an unnecessary intrusion on personal privacy.

The storage of biometric identifiers with other information about an individual creates a highly sensitive database of personal information. A caseworker needs access to only an individual's case information but does not have any need for the biometric information. Storage of the biometric information in a separate database was therefore made mandatory. Separation of databases is perhaps the ultimate field level restriction.

Metro is now in the final stages of selecting an identification system. We have followed an intensive process over several years of clearly defining the minimum requirements of an identification system and thoroughly reviewing the technological options in order to understand their implications. The system metro finally chooses will meet our goal while maintaining the privacy and dignity of our clients.

Finally, I'd like to address the issue of electronic surveillance. Metro Toronto has a series of video cameras to monitor traffic on its expressways and to direct emergency vehicles, as required. Prior to a recent protest march on Queen's Park, the police requested we turn control of the traffic cameras over to them, and it was not the first time. The purpose was to monitor the parade for reasons of public safety. The cameras would be zoomed to capture individuals' faces and the information would be used to identify individuals in the event of any disruption.

The public had no expectation that these traffic cameras would be used by police to conduct surveillance. When metro council made the decision to implement a traffic monitoring system, the public debate did not include any discussion about police usage of cameras. To have turned over control to the police, absent of warrant, would have constituted an unjustified invasion of privacy and in my view would have seriously damaged the public trust.

.1135

The resolution was that our staff would control the cameras at all times from a high-level viewing position. Staff would zoom the cameras as needed to determine the emergency service required and then return to high-level viewing. In circumstances where information about identifiable individuals was collected that may have been relevant to a law enforcement proceeding, the tape could be subpoenaed.

In other words, it's not an unjustified invasion of privacy to collect information in response to a true emergency. It is, however, an invasion of privacy to collect information about individuals in case they do something wrong.

There must be a presumption of good faith, public debate about these matters and a totally open decision-making process.

Those are my comments.

The Chair: What is your reaction to the information Mr. Allmand read to us?

Ms Reynolds: The whole issue of DNA testing is extremely fraught with privacy implications, right from targeting certain groups to determining which people will get health insurance and which people will not. It is a very serious matter.

The Chair: Thank you very much. I really shouldn't have asked the question, but I was very tempted with your zoom camera and the identification and all this business of whether it is real or not.

Stuart MacPherson please.

Mr. MacPherson: Thank you, Madam Chair. I'd like to thank the committee for the opportunity to appear today to provide information on Revenue Canada's CANPASS airport program, which is presently operating as a pilot test at the Vancouver International Airport. Perhaps I may begin by explaining why we decided to begin the project in the first place.

The officers of Revenue Canada's customs border services are responsible for interviewing every traveller arriving in Canada, to apply our customs and immigration laws. To carry out this function, officers must determine which travellers have a legitimate purpose to enter this country and which do not. In addition, some of the legitimate travellers are persons who may require additional documentation before being allowed into Canada.

In the fiscal year 1994-95, over 103 million travellers entered Canada by all modes of travel. Of that number, almost 13.5 million travellers entered by air, which represented a 5% increase over the previous year. While this in itself represented a service challenge to Revenue Canada, there were a number of other factors that came into play.

In February 1995 the governments of Canada and the United States signed the open skies agreement, which is having an effect by allowing airlines to gain easier access to new routes and additional flights between Canada and the United States. The implementation of this agreement is expected to increase the number of flights and passengers requiring customs and immigration clearance at some airports by as much as 40%.

In order to maintain an appropriate level of service in a time of limited resources, it's necessary to implement new and innovative means of expediting the clearance of the lower-risk traveller. This allows the inspection personnel to concentrate their efforts on those segments of the population potentially representing a real risk to Canadian society. It was in this context that a decision was taken to implement a pilot test of an alternative way for travellers to comply with customs and immigration requirements.

One of the concerns faced in developing the pilot program was to find a way to facilitate the entry of low-risk travellers while maintaining the level of protection expected by our stakeholders. It was decided to pilot-test a procedure that had previously had great success on the land border south of Vancouver.

The intention was to take the process we had used at the land border and attempt to modify it to apply to airline travellers. Technological advances in the areas of card-based technology and biometrics made it possible to try innovative methods in a program that we called the CANPASS airport program.

The Chair: Is this a CANPASS card that I'm holding?

Mr. MacPherson: What you're holding is the card stock we use for the CANPASS card for the pilot program.

The Chair: Would you issue this to me if I were judged worthy and not a problem?

Mr. MacPherson: The persons who wish to join the program make application. Using the information on the application, we determine whether they are low risk, in that they have no record of criminal behaviour and no customs or immigration infractions. We would then issue that card to that individual.

.1140

The Chair: Okay. I think my colleagues will ask you questions about how you get the information, how much people know about me, and whether I can find out what you know about me.

Mr. Godfrey (Don Valley West): We know lots about you.

The Chair: Yes, I'm afraid that may well be the case. Please go ahead.

Mr. MacPherson: As both Revenue Canada and Citizenship and Immigration Canada are responsible for the management of people seeking to enter the country, these two departments began discussion on the implementation of the project. Once it was decided to use advanced card technology, it was obvious we should explore linkages with other projects under development between the two departments.

At this time we also began discussions with the Canadian passport office, which had just received permission from the Treasury Board to explore the development of a wallet-sized passport card. In granting permission to explore the development of the passport card, Treasury Board ministers were quite clear they expected the passport office, Citizenship and Immigration Canada and Revenue Canada to cooperate on any program to ensure that the Canadian government would issue only one card for use in the travel sector.

The three departments agreed that a partnership to develop and implement the CANPASS airport project would be the best way to investigate the use of card technology in the travel sector, while following the direction of the Treasury Board.

The CANPASS airport program allows low-risk, frequent travellers to enter Canada through a special line, while meeting the necessary legal requirements. This is a voluntary program offered as a service to facilitate passage through customs and immigration. The program is modelled on the CANPASS highway program currently operating south of Vancouver.

The Chair: Is that the INSPASS?

Mr. MacPherson: The INSPASS is operated by the American agencies. The program we operate on the land border is also called CANPASS. It was originally started as a pilot program known as PACE, for the Peace Arch Customs Entry program.

The INSPASS is very similar to the CANPASS airport program. It's offered by the U.S. Immigration and Naturalization Service at three airports, one of which is U.S. pre-clearance at Pearson Terminal 3 in Toronto.

CANPASS airport is open to Canadian citizens and permanent residents who have no record of criminal activities and no illegal customs or immigration activities. The program is also available to U.S. citizens and permanent residents who have no record of criminal activities, illegal customs or immigration activities and who meet the usual immigration entry requirements.

Travellers who wish to participate must apply for a permit to use the system and must pay an annual fee for participation. All applicants undergo rigorous background security checks by the customs and immigration authorities.

Applicants who wish to import goods when using the special lane must also supply a valid credit card against which duties and taxes are charged through a special self-declaration system. Travellers who do not wish to provide the credit card information may use the program when they are not importing goods, and use the normal processes when they do have goods with them.

Approved participants enter the country through an automated kiosk that is activated by a card that incorporates a personal identifier such as a fingerprint or hand geometry. This ensures that the person using the card is the rightful holder of the card.

Customs and immigration officers monitor the kiosk and carry out random compliance checks on travellers. Those who do not comply will lose their privilege and will be subject to appropriate penalties.

Our long-term goal is to work with the U.S. immigration authorities to amalgamate the CANPASS airport program with their INSPASS to provide a seamless border movement between the two countries.

The reason we chose to use a biometric identifier is related to the fact that the traveller will be using the card at an unstaffed kiosk. For that reason, we felt it was important to ensure that the person using the card was indeed the person to whom the card was issued.

The three agencies cooperating on the project decided to capture and use two biometrics. One is the person's fingerprint template. The other is hand geometry. While the project is testing the fingerprint as the primary biometrics identifier, the use of hand geometry was included to allow for compatibility with the American INSPASS system, which also expedites the clearance of low-risk travellers.

We decided to test the use of a fingerprint to learn about different biometrics in an operational environment. Our colleagues at USINS were using hand geometry and we therefore had access to the information on the success of that biometric. Testing fingerprints therefore offered a chance to consider another option for this type of system.

At the time of the traveller's enrolment, we capture the traveller's hand geometry and a fingerprint template of two fingers, preferably one from each hand. When a pre-approved person approaches the kiosk he or she inserts the CANPASS card. The kiosk will identify the biometrics file stored on the card and will ask the person to place his or her finger on a fingerprint reading device. The kiosk will then attempt to match the live scan with the biometric stored on the card. If the match is successful, the system will then compare the biometrics stored on the card with those stored in the system database to ensure the integrity of the card has not been compromised. In this manner the pilot system can be satisfied that the card is a valid CANPASS card and the person using the card is a properly authorized person.

.1145

The kiosk will then ask whether the traveller has goods that exceed his personal exemptions, request appropriate action, and issue a receipt to the traveller. The traveller takes the receipt and proceeds directly to the exit, bypassing the normal interview. At the exit the traveller gives the receipt to an officer and is free to proceed from the facility or is referred for a random verification. In this regard, the rate of referral on CANPASS travellers is very similar to the rate of referral on travellers using the normal stream.

The kiosk also has the capacity to code the receipt for an examination if the department becomes aware that a previously approved traveller may no longer qualify for the program, for example because of a customs infraction at another customs office.

We're continuing to learn from the pilot test, and it's still too early to indicate what changes could be brought to an operational system. What we have learned, though, is that the use of a fingerprint as a personal identifier is workable in this situation and it appears to be quite acceptable to those travellers who are interested in joining the program.

The card itself is designed to meet ICAO standards. The International Civil Aviation Organisation prescribes standards for international travel documents. The CANPASS airport card in itself is not recognized as a replacement for a passport. Therefore the traveller is obliged to carry any required official documentation with them to identify himself or herself.

The card shows the photograph and signature of the card holder, as well as the person's name, sex, nationality, and date of birth. The face of the card is completed with the document identification number and the expiry date. The back of the card contains the optical field into which all of the data is encoded.

This technology is similar to the CD-ROMs you buy for music. It can store up to three megabytes of data.

At the bottom of the card is a machine-readable zone for data stored in a format known as OCRD, which is similar to the special coding on many passports. This particular use of technology also allows for future compatibility with the American INSPASS program.

At present the cards are being used only for accessing the CANPASS kiosk. However, the decision to use an optical card was taken to allow for the possibility of future incorporation of the requirements of the other participating agencies, the passport office and Citizenship and Immigration Canada.

From analysis of the data storage requirements of the three agencies it was determined that optical technology would best meet our needs and it was therefore chosen for the pilot test. The data currently being stored in the optical portion of the card are only related to the CANPASS program and all data are stored in an encrypted form. The agencies have agreed, however, that when the other projects are ready to be implemented, using this common technology, the data on the card will be stored in a fashion such that those data elements which are common to all program requirements, such as the person's name and address, will be stored in an area that is encrypted with a shared key, such that all agencies would have access to that particular portion of the data.

The Chair: The name and address?

Mr. MacPherson: The name and address, basic tombstone information. But any information that is specific to a particular program, such as information needed only for the CANPASS program, in this case the fingerprint biometric, would be stored in an area encrypted with a key that only Revenue Canada would have access to. In that way agencies would have access only to the data they require.

The Chair: To save a lot of us a lot of information, could you please describe what you call "tombstone data" or bases.

Mr. MacPherson: We would take a look at things such as those pieces of data that would be common to all of the agencies, such as the person's last name, first name, their address, telephone number, date of birth, citizenship.

The Chair: Their health card number, their SIN number, anything of that nature -

Mr. MacPherson: We don't request health card or social insurance number -

The Chair: Do you ask for it on the form?

Mr. MacPherson: No, we do not.

The Chair: So that's all you would call "tombstone data"?

Mr. MacPherson: In taking a quick look at the application form -

The Chair: It's quite important for this committee.

Mr. MacPherson: I can understand that.

The Chair: Whether you're handicapped, you're disabled, you're hard of hearing, you're in a wheelchair, none of that is asked?

Mr. MacPherson: No, it's not.

The Chair: Thank you. Please continue.

Mr. MacPherson: The CANPASS airport program is continuing as a pilot at Vancouver International Airport during this fiscal year. At present we have more than 1,800 travellers enrolled in the program and the kiosk has been used more than 4,000 times. At this time we're continuing the evaluation of the pilot program and we expect to learn how to adjust the program to better serve our clients' needs.

.1150

In addition, we're continuing discussions with our colleagues in the United States Immigration and Naturalization Service to find ways to join the CANPASS airport program with their INSPASS program to further improve service to clients.

I'd like to thank you very much for this opportunity to share this information.

The Chair: Thank you. You may well be asked about the right of looking back at retroactive information on the kinds of forms you fill out for customs, and then the right to go and review that information. It's something we've been talking about, particularly in the cases of those people who are on welfare or unemployment insurance.

I believe the next person up will be

[Translation]

Ms Micheline McNicoll, please.

Ms McNicoll: Thank you, Madam Chair.

Good morning, ladies and gentlemen.

I would first like to say a few words about the ombudsman's office. We receive complaints from people from all over Quebec regarding government ministries and organizations. We deal with the legality of decisions as well as the fairness and reasonableness of public administration actions. Our concerns are also how accessible government services are as a whole, how transparent the administration is and how accountable civil servants are.

The protection of privacy in Quebec is written in the Charter of Human Rights and Freedoms, among other places in section 5 that says that every individual has a right to respect for their privacy, but we would also include section 4 that refers to the dignity of the individual. It is mainly in this capacity that the ombudsman is interested and involved in the privacy debate.

As you are also aware - because the federal privacy commissioner mentioned this in his last report - in Quebec we have two laws to protect confidential information. We have a law on access to documents and the protection of confidential information in the public sector, and we also have a law that protects confidential information in private businesses. This law has been in effect since 1994 and it was passed at the same time as the Civil Code was reviewed. It seemed to be important at the time to include standards regarding the protection of privacy, particularly with respect to personal information.

The Chair: Excuse me, Ms McNicoll. We had the pleasure of hearing Mr. Paul-André Comeau. He was in Brussels at the time.

Ms McNicoll: Yes.

The Chair: Do the changes to the Civil Code involve sections 4 and 5?

Ms McNicoll: Well, the Charter of Rights and Freedoms is not the Civil Code.

The Chair: I see.

Ms McNicoll: The Charter of Rights and Freedoms is an independent legislative text which dates back to 1975. The Civil Code was reviewed in Quebec and we took that opportunity to include more specific standards regarding the respect for privacy.

The Chair: Thank you for that explanation.

Ms McNicoll: Does that answer your question?

The Chair: Yes.

Ms McNicoll: In Quebec we currently have several projects regarding cards. We also play cards a lot. First, our chief electoral officer would like all voters to have an identity card, which would make his work infinitely easier and would also ensure that the right people are voting at elections. That is rather basic.

There is another project that comes regularly back on the table every five or six years, and involves a national identity card for all citizens residing in Quebec. This debate has been going on for 20 years. There were members at that time who were considering such a bill. At the time, the bill never even reached first reading. It died on the order paper.

Government services, but also the private sector, constantly have new needs in terms of identification. What we've observed is that we have cards that are not identity cards, but are being used to identify individuals.

.1155

For example, driver's licences are often asked for and, in Quebec, our health insurance card - which has the advantage of always containing an up-to-date address and now also has a photograph - is also requested. The social insurance card is also frequently used.

There is currently a debate in Quebec about the necessity of an identity card and, of course - we haven't been able to escape this either - of a multipurpose card which is somewhat like the dream card that would include all our identification needs and all possible situations, including eligibility for programs and services. So we are also reflecting on the implications of these cards.

The multipurpose card, among others, is closely linked to the development and spread of the information highway, the highway that carries information.

This is an extremely emotional debate, but it is also a very practical, pragmatic and economical debate. The concern of the ombudsman is not to decide whether yes or no we should have an identity card in Quebec, whether yes or no we should have a voter's card or the card of our dreams, the multipurpose card, but rather to ensure that the citizens primarily concerned, that is to say all of us, participate in the debate on these issues.

The ombudsman's attitude towards citizens is not paternalistic. We treat them as grown adults capable of understanding the social, economic, national and international implications and capable of participating in an enlightened debate on these issues.

The ombudsman's perspective is rather a very general perspective on what the needs are and what we feel is the best way to deal with these issues in a civilized and democratic society where all individuals are equal and intelligent enough and capable of participating in these debates.

Of course, we were called upon to give our opinion on various projects and I will give you a brief summary of what we said.

All cards are communication media, whether that be communication with the government or with the private sector. Their common purpose is to identify and allow eligibility. They're there to simplify our lives and to promote and encourage efficient administration. The dream that we perceive everywhere is total integration, that is, one card that would do everything and that would provide all necessary information under all circumstances. Men and women would only have one card and we would all be happy.

Now let us speak about the disadvantages. Obviously these cards make life easier; that goes without saying. I'm perhaps being somewhat humorous about this, but it is true. The potential disadvantage of using a card or communication medium such as this one is that this medium engenders structures; that is, systems need to be developed to use it, whether that be a scanner or information highway and, slowly, this becomes obligatory.

With the technology currently available, these cards also become linked to databanks. These databanks are part of a network and they speak to each other - they communicate with each other. The reservation that we often have is that yes, this technology is interesting and we do want more of it but it does not eliminate all our problems. It does not eliminate delays and errors and when an error has been made, it is often multiplied over and over again.

The problems that exist now are real. There has been a proliferation of cards and they have been used in ways that were not originally intended. Health insurance cards are used to rent a video. I do not think that that is an ideal situation.

.1200

Technology provides many possibilities. However, one of the questions we need to ask is this: what are our real needs? How are we going to choose? What is going to help us make the right choice? You cannot make the right choice if you are not aware of the real needs.

Second, one has to be as familiar as possible with our society's values, values that we want to protect as much as we can, such as equality, non-discrimination, equity and universal access.

Of course, there is also the issue of cost, but that is another area.

Now, who is going to choose? That is a question that we are greatly concerned with. Will it be lobbies, civil servants, members of government, or what would appear to be a melting pot of everything? I say what would appear to be a melting pot because in fact, there is always one force that dominates the others; this is often called the market forces. If we do not want to leave it up to market forces, the law of the strongest, then we need public debate. That is what the ombudsman is advocating in Quebec. That is the only true democratic solution.

However, in order to have a public debate, we need ways of assessing technology. Today, this committee is hearing people who have specific experience in specific areas and this is very useful. Thus, as ombudsmen, we have to remain critical. Obviously, if I want to sell something, I'm going to present its best side. Even if I undertake an analysis, I will always be subjective as a person, which is absolutely normal.

What is clearly lacking is an organization, like the one in the United States, to assess technologies from a social and economic viewpoint. These assessments should not be restricted to judging one aspect of an issue. We need truly in-depth analyses that allow us to envisage a future shaped by one technological choice over another.

I was listening to Mr. MacPherson from Revenue Canada and Ms Reynolds. Of course we have a thousand questions to put because what we are seeing is the situation that you have presented. But what is the potential? What developments do you think will occur? Nobody has done that analysis.

In Quebec, we have an Access to Information Commission which you have already met with and which is doing very good work. They have published a document on identity cards. It is on the Internet. Anyone can consult it and I tabled it with the clerk. Once again this is good but it has to go further.

That is what I wanted to say about disadvantages.

As far as smart cards go, in general one can say that they completely hide the decision-making process and content. It is all very well to have a small card and it is all very well for it to be smart, but I am no more the smarter because of it; I do not know more just because I carry this card with me.

Thus, the disadvantage of smart cards is their non-transparency.

The first thing to be said about biometric cards is that they send out a rather heavy cultural image. I can only note that good law-abiding citizens, who go through customs more easily, are not hurt by their use. However, once they are used to identify people on social assistance, then their use is immediately associated with a negative, a pejorative connotation.

Therefore, from a cultural perspective, the first thing we have to think about - if we're thinking of using the biometric card - is the image that it projects. But we realize that it is a permanent method of identification, much more than a photograph is. However, it requires the use of various scanning instruments. Therefore, the owners cannot do much with it. They cannot use it in some situations. Therefore, it is not a universal solution.

.1205

The Chair: [Inaudible - Editor]

Ms McNicoll: Not necessarily; it could be discriminatory.

The Chair: It is supposed to cost $50.

Ms McNicoll: In this case, yes.

As far as the identity card as such, I will not repeat what I already said; an identity card, if there must be one, should first of all improve the current situation and meet real identification needs.

The principles that we should base our decisions on are first, the transparency of the institutions issuing the cards, of the process, the content and uses; second, shared control with the individual, shared decision-making on the content, its conservation and use; the education of people using the identification data; and finally, integration of services.

Personally, I am not fatalistic. I think that we can develop rules that will lead to an environment for all citizens that respects the rights and freedoms while meeting the needs of our collective lives.

Thank you.

The Chair: Thank you, Ms McNicoll.

[English]

Mr. George Tomko, please.

Mr. Tomko: Thank you, Madam Chairman.

We have an economic issue in our society now: fraud is becoming big business. Identity-based fraud, in fact, is increasingly a major source of losses for corporations and governments. If we're going to grow this electronic society or this digital economy, we require security of access - more specifically, to control fraud in the areas of electronic commerce, finance and benefit disbursements.

As we all know, biometrics are being considered the answer to solving these access problems. The reason for this is quite simple: it's the missing link. A biometric such as your fingerprint, as we've discussed, or your hand geometry, or your facial image, or the iris surrounding your pupil, are the only things that will unquestionably tie you to your chosen public identity. A personal identification number won't do that. A card won't do that, be it a dumb or a smart card. They cannot unquestionably prove that you are you.

A biometric, which gives a person the ability to positively identify him or herself, is a double-edged sword, as Rita mentioned, because the ability to positively identify oneself can serve both to enhance and to infringe upon one's privacy. It all depends on how the technology is used.

I'm going to discuss the threat to privacy posed by traditional biometric technologies. Then I'll discuss a new Canadian development called biometric encryption, which is a privacy-enhancing technology that significantly dulls that edge of the sword that infringes on privacy.

To stop fraud, for example in the area of government disbursement of benefits such as welfare or health care, we could place the fingerprints of all the people receiving government benefits in a central database, and then compare the fingerprints of all new applicants against this database. That would certainly reduce fraud in the form of double-dipping - going in with multiple identities. It's secure, but it infringes on the privacy of the individual, and this is why.

Let's say I go to a nightclub and leave my latent fingerprints on a wine glass. A crime is committed later that night, and my latent prints are picked up and matched to the health care database, which identifies me. A little later I get a knock at my door by the police, wanting to ask me questions about my stay at that particular nightclub. This is a clear infringement of my privacy.

Now, one can say that the health care database will be off-limits to the police by virtue of legislation. That may be the case with the current government, but how can we ensure it will be the case with the next government, or the government after that? Nor does it address the issue of unauthorized access to a health care type of database. The temptation for secondary uses of such a database beyond its original intent will be very great, especially if crime and terrorism increase in our society.

There are digital biometric technologies that do not require that the actual fingerprint pattern be stored. They convert the fingerprint pattern to a number - a unique number, though. In most cases that number can't be reconverted back to the original fingerprint pattern. So what would be stored in the central database with these modern technologies is a set of numbers, which in a one-to-one fashion represent the fingerprint pattern of the individual.

.1210

The Chair: Are you talking about digitizing the information?

Mr. Tomko: Yes, digitizing the information and then using an algorithmic code to come up with a unique number.

The Chair: But then you can reconvert it back and identify?

Mr. Tomko: Well, in many of these codes you can't get back to the pattern. But that's not the issue.

The Chair: Okay.

Mr. Tomko: The issue is, using again our example above, that if the police obtain access to a similar finger scanner, and place my latent fingerprints through the system, they will generate my same unique number. They have to, otherwise the system doesn't work. You're really no further ahead, because you have just replaced the unique identifier of a fingerprint pattern with that of a unique fingerprint number.

That pattern or number is a unique surrogate of my real identity, and that's the privacy problem - transforming someone's identity into a unique and communicable surrogate such as a fingerprint pattern or number - because furthermore, that unique biometric number that ties a person to their identity can be used to link or associate a great deal of information with the individual.

Traditional identifiable biometrics facilitate surveillance, and - the new buzzword - "dataveillance", which we're all hearing about. I believe these are real concerns, and represent a serious flaw that must be acknowledged.

Let me just describe biometric encryption. Again, the problem with traditional biometrics is it links the individual to a unique number that is absolutely them, much more so than a social insurance number, even. Biometric encryption uses the finger pattern only to disguise a number that has no connection to the finger pattern whatsoever. So the health care database could choose a number such as this and use your finger pattern to disguise it so that it was unreadable. That number can have its disguise removed only by the finger that did the original disguising.

The Chair: The term is encryption, is it?

Mr. Tomko: You can use the terms coding, scrambling, encryption. Basically what it does is just disguise the number so it's unreadable without your finger pattern taking the disguise off. That number could, for example, be your personal identification number for accessing your bank machine, or you could disguise an encryption key that you store on your hard disk to encrypt messages over the Internet. It really doesn't matter what kind of number it is. The actual finger pattern does not have to be stored anywhere during the process. It stays on your finger, where it should. Only the disguised number is stored, and it can't be decoded without your live finger pattern.

Let's go back to our health care scenario. I would no longer have to leave my fingerprints in a database, or present my fingerprints to a finger scanner to generate a unique number. With biometric encryption, my finger pattern is used to disguise a number that has no connection to my identity. Therefore my latent fingerprint picked up at a nightclub would be useless to the police. The latent fingerprint itself could not generate that health care number, since it has no connection to my finger pattern whatsoever. So there is definitely not a hint of me in a unique number - it is not tied to me.

However - and this is where the security comes in - should I attempt to apply for a government benefit under a pseudonym or alias, my live finger pattern would be matched to the set of stored disguised numbers in the database. If I had previously enrolled and disguised a number, that number would be decoded, and this number could point to my personal information, which could then be used to assess whether I was trying to actually defraud the system.

The important point, from a privacy perspective, is that only through the presentation of my live finger pattern, which acts as my consent, can my personal information be accessed. The system preserves the privacy of the individual through tight and specific controls, and it reduces fraud in the process. That's the best of both worlds, and what we're trying to achieve.

.1215

Biometric encryption, as I mentioned, is a privacy-enhancing technology that places the individual in complete control of the information in his or her database, and the individual now has the freedom to choose when to positively identify himself or herself. I believe a society that has the means to provide for positive identification and has the wisdom to allow individuals the freedom to choose in using this privacy method enhances the privacy of the individual and of the civilized society in general. I believe this technology provides a technological basis for informational self-determination, but as you probably realize, it requires a paradigm shift, a change in the way we think, because we now have up to ten encryption keys residing at the ends of our fingers, there to protect our privacy.

From a legislation point of view, I think the important point is that it should lead the technology. We should not look at the existing technology and say this is what we have, therefore build legislation around that. Necessity is the mother of invention in the free marketplace. If legislation says this is what we need to protect our privacy, then let's have the faith in the free marketplace and we will develop the technological solutions to do both, protect privacy and enhance security.

Thank you very much.

The Chair: I thank you very much.

Mr. Bernier.

[Translation]

Mr. Bernier: Madam Chair, I have several questions to ask. I'm going to start with the most specific, the most technical.

Mr. MacPherson, when you were describing the CANPASS program, you mentioned that the applicants will have to provide a certain amount of information in order to benefit from the program. I would like you to tell us what that information is again. You mentioned name and social insurance number. Is there other information that has to be provided by applicants? Can you obtain that information yourself? You said that you need to ensure that that person is an honest citizen and does not have a criminal record. How do you ensure that the user of the CANPASS program is an honest citizen, has never defrauded the government and does not have a criminal record? I would like you to explain that to me.

There was also mention of CANPASS and INSPASS, the American and Canadian systems. There's therefore an exchange of information. How far do these exchanges go? In other words, once the Americans or we, the Canadians, have information on American citizens or Canadian citizens, how far can those exchanges go? What can be done with that information? In other words, what is the danger that personal information about Canadian citizens will be in the hands of all kinds of organizations or individuals in another country, in this case, the United States?

I'll first let you answer those two questions and then I will ask you some others. I have several questions to put to Ms McNicoll.

[English]

Mr. MacPherson: At the time a person wishes to enroll in the CANPASS program, they'll complete an application form - and I'll leave a copy with the clerk.

The information we request specifically is the person's name, date of birth, gender, street address, name of employer, occupation, telephone numbers for both home and business, and their citizenship. If they are not a Canadian citizen but are living in Canada, we request their permanent residence status and the date of landing. If they are a permanent resident of the United States but not a U.S. citizen, we ask them to declare that they are a U.S. resident alien.

.1220

The specific question we ask to determine their risk from a criminality or a customs and immigration violation standpoint is if they have ever been found in violation of the Canadian Customs Act, the Canadian Immigration Act, or if they have ever been convicted of a criminal or narcotics offence for which they have not been pardoned, and if yes, please provide details.

For non-residents, we ask what the purpose of their travel to Canada is, and if it is other than pleasure, to please explain and provide the complete destination address and telephone number in Canada to which they will be going.

On the back of the form we ask for a certification. There is information provided here that some of the information on this application form, with the exception of credit card information, is shared with Citizenship and Immigration Canada, the passport office of Foreign Affairs and International Trade Canada, and Statistics Canada, for the purpose of complying with customs and immigration requirements for people entering Canada.

There is also an area for those persons, as I had said earlier, who wish to import goods by using the special process, to provide us with a valid credit card number.

[Translation]

Mr. Bernier: If I understand correctly, you take the applicants at their word. If someone says they have never had a problem with a department, you take that for granted and you do not check that information.

[English]

Mr. MacPherson: No, sir. On receipt of this information our officials will check the Canadian Police Information Centre (CPIC) system to see if there is any record of a criminal violation for the person identified on the form.

We also check the customs and immigration databases that are available to us, to see if there is a customs or immigration violation recorded against this individual. If we find no record of violation on this individual, then we accept that this is an honest, low-risk traveller, and we will allow them to enrol in the program.

[Translation]

Mr. Bernier: Is the person told about the information that you have obtained about them? If, for example, you learned that a person has a criminal record for customs fraud 10, 15 or 20 years ago and if, because of that, you refuse their application, do you tell them why they have been turned down? In other words, will they know why their application was turned down so that they can check whether or not the information is correct?

[English]

Mr. MacPherson: I'm trying to remember the exact details of the letter of refusal. Whether we actually enunciate the details at that point or whether we just advise the person of the way they can obtain the information, I'm not certain.

We operate fully within the Access to Information and Privacy Acts. This information we would keep on a person would be available, of course, through that sort of request.

[Translation]

Mr. Bernier: I come back to my question on the exchange of information. Can the information that you have obtained about the person who defrauded customs a few years before end up in the hands of our American partners?

[English]

Mr. MacPherson: At the present time we are only starting the examination of joining the CANPASS program with the INSPASS program. One of the main issues we have to deal with is the issue of exchange of information and what is an appropriate amount of information we should exchange.

The programs are not joined at present. We have only begun the discussions of that, and we have yet to determine how to deal with the information requirements of each agency. We recognize that this is a very sensitive situation. One of the issues that both the governments of Canada and the United States are very conscious of is that we would not want to open all of our data banks to the other agencies.

The information that is given to us is protected by law. As such, what we would have to determine is a way in which the information that would be required by the agencies could be provided by the traveller wishing to join the combined program in such a way that the person knows that the data they've given is now available to the other agencies.

[Translation]

Mr. Bernier: You just said that you were not sure whether the letter of refusal indicated why enrolment in the CANPASS program was refused. Could you provide us with a copy of the form letter of refusal, so that we see exactly what information the applicant has given?

.1225

[English]

Mr. MacPherson: Certainly. I'll make arrangements to have that forwarded.

[Translation]

Mr. Bernier: Do I have any time left, Madam Chair?

The Chair: Not much. Just a minute and a half.

Mr. Bernier: No, that isn't much. I'll let my colleagues have the floor, and come back with other questions for Ms McNicoll.

The Chair: Great. Who will start the round on the government's side?

[English]

Mr. Allmand.

Mr. Allmand: I want to follow up on the same questions. You could be in violation of the Immigration Act for health reasons or financial reasons. As a matter of fact, there's a medical test and there are financial viability criteria in the Immigration Act. When a person answers the questions and you verify whether he was answering or not, you have to check to see whether the person has HIV, hepatitis. Various diseases put you in violation. You cannot be admitted in certain circumstances.

It's the same thing with certain categories of immigration. For entrepreneurial or business-type applicants, they need to know your financial worth under certain categories, so they're checking these things out.

Mr. MacPherson: When we receive an application, if we have reason to believe the individual may not be fully compliant or may not fully qualify within the requirements of the Immigration Act, we reserve the right to have that individual examined by an immigration officer, the same as we would in the normal process of processing travellers.

Mr. Allmand: All right. I want to move on to another question.

This is a general one for - Oh, first I want to ask Mr. Tomko a question with respect to biometric encryption, the protection of privacy, and the implications of that. Correct me if I'm wrong, but from what you tell me, there are still risks despite the use of these numbers that do not link directly to the fingerprint. For example, my fingerprints are found on a glass in a restaurant where a murder has taken place. The police use it, but they just get the number rather than Warren Allmand's name. Yet I suppose they could always go to the agency that links the number to my name to get it. They can't get it right away, they can't get it as easily, but if I understand it correctly, they could still get it and find out who I am. It would just be with a little more difficulty.

Mr. Tomko: Mr. Allmand, technologically, I would say nothing is impossible. However, I -

Mr. Allmand: A good detective.

The Chair: I would be very concerned with the proper answer to your question. I mean, they have to get that information.

Mr. Tomko: That's right. With that caveat that nothing is impossible technologically, given enough time and money, the issue here is that if my latent fingerprints were picked up, it would be inordinately difficult to determine my identity because of the fact that the system that does biometric encryption is an optical computing system. You can't shove digital information into an optical system. You need what is termed analogue information. You need three-dimensional prints and all this kind of stuff, which you don't pick up with a latent print.

So it's very similar to encryption technology. Yes, you can break a key, but you might have to spend 400 years doing all the permutations. That's the issue.

Mr. Allmand: Couldn't they get back to the people who keep the link and get it without breaking it down another way? In other words, the police -

A voice: They can't get the number.

Mr. Tomko: They can't get the number because it's just a random number that your finger pattern - Basically, in the example that I use, if I want to disguise this number, what the computer basically does is it takes this piece of paper, rips it up into myriads of pieces, and then falls down. The location of each piece of paper -

Mr. Allmand: This is on television. You're being videoed.

Mr. Tomko: - is the function of the print of my pattern. As a result, you can't get back at it.

The Chair: Can it do that?

Mr. Allmand: Okay, I'll move to -

Mr. Tomko: May I have my paper back, please?

Mr. Allmand: Push a button, you'll get another copy.

This is also to you, Mr. Tomko, but maybe the others have - I have more fear of this type of biometric information being used not so much by government - there are checks and balances if we were doing something here and there are debates with committee hearings - but by private sector groups such as journalists, credit agencies and private detectives.

.1230

You see journalists in Europe using all kinds of things to spy on Princess Di. I gave the example before this committee a few weeks ago that about seven or eight years ago I went to get some credit and they had something on my file, which was being distributed around, that was totally wrong. I had paid that off a long time ago, but it was still somehow a black mark in my system.

Could private detectives, journalists - especially with yellow newspapers - and credit agencies use this biometric information and put it in their files? Even a legitimate organization, such as the government, because everything is outsourced now, could say "What about Mr. Brown", or "What about Mrs. Jones?" The private detective agency, the credit agency or even the journalists and investigative reporters would have all this kind of junk on you. It would get into the system. So despite the checks and balances we have in governments - whether it's Toronto, the federal government or the Quebec government - these people could range free and use anything they wanted.

Could they do that or not? I'm just wondering.

Mr. Tomko: On the issue you are presenting there, Mr. Allmand - the privacy perspective - the way to protect that is to take your databases and de-identify them. If you have a database with your credit information and your health information or any sensitive information, we would take your name from your information, separate it and use your finger pattern to code a pointer that points from your name to your sensitive information, so only your finger pattern could remove the disguise from that pointer and therefore gain access to that information.

By using that, you would be in control of your own information. Proper technology will allow this kind of thing to be done, and that's the direction we have to take with privacy. We have to start to de-identify databases, because otherwise the fears you have will be realized.

Mr. Allmand: People will not be able to get jobs. People will be refused credit -

Mr. Tomko: That's correct.

Mr. Allmand: - if the information is wrong.

We had a woman here from the cystic fibrosis foundation. She pointed out how the disease is genetically passed on from the parent, but not to the same degree. Somebody might lead a very healthy life even though that person has the genes of cystic fibrosis, but he or she could be turned down for insurance - could be refused on all kinds of things.

That's a very good recommendation. Thank you, Madam Chair.

The Chair: Thank you, Mr. Allmand.

Has that technology been perfected by you?

Mr. Tomko: It's like a parent bragging about his son. I'm not here to promote my company, but yes.

The Chair: So you have protective walls.

Sharon, please.

Mrs. Hayes: Thank you, Madam Chair.

This is very interesting. I have a couple of questions and then I'll do a lot of listening.

First, you mentioned the CANPASS system is being used in the United States in a similar fashion. What is the fee for joining this for someone who's interested in it? I don't know if that's been mentioned. What other jurisdictions have it besides the United States and Canada?

On the rate of tests for compliance, how often are random tests performed, and what have been the results on that? Is it being taken advantage of in any way, or has it actually been shown to work?

On the protection of information that is part of that, you mentioned you may go forward and have the different departments use encrypted sections of the information, so they only get to refer to different parts. What is your sense of that actually being secure? I know certainly within the Internet, when any anti-viral software comes along there's a virus that beats it within the week, I think. It just seems to be that way. Technology breeds just a quicker type of technology to undo it. Do you see this test case as moving towards a mandatory program similar to that for all immigration and customs entry?

.1235

Mr. MacPherson: With respect to the fee issue, for the pilot test that we're operating right now we charge an annual fee of $50 for membership in the CANPASS program. The CANPASS program is only available in Canada from the Canadian government. That is our program. U.S. Immigration runs a similar system called INSPASS. To the best of my knowledge, we are the only two countries in the world at this time who have operational systems using this sort of technology to facilitate border crossing. However, we do participate in an informal group that meets occasionally to discuss standards and discuss processes. I know there are a number of European countries that are considering similar programs. To the best of my knowledge, however, no other countries other than Canada and the United States have actually implemented a program for this type of border crossing.

Insofar as the rate of referral for compliance checking is concerned, we use a rate that is the same within the CANPASS program as the one that we use in our normal lanes. What we've discovered over time is that the rate of compliance with our general customs and immigration crossing is actually quite high. What we have is a way to randomly refer travellers just to ensure that we are maintaining the same high rate, and occasionally we'll do special checks to satisfy our system. To the best of our ability, we have yet to discover that anyone is taking advantage of this program to avoid compliance with either customs or immigration requirements.

Although I don't have details, I know there has been at least one person who was caught cheating. It was a member in this program. That person actually had chosen to use the normal process to try to cheat, and in catching him we discovered he was a CANPASS member. We revoked the person's membership because he now had an infraction and no longer qualified for the program.

Mrs. Hayes: Is it sort of that one in a thousand are checked? You said it goes through a machine, so there aren't actually any personnel there. How would somebody be pulled aside in that line, for instance, or does that happen at all?

Mr. MacPherson: In terms of the way the kiosk works, the receipt that is issued to the traveller has a coded number placed on it. That coded number has a significance to the officer who stamps the exit from the customs facility. This is a similar process to what we use in the normal environment, where the officer will write a code on the card. As for how the coded number works, each day we change the significant number within that code, and a certain number in that code tells the officer at the exit that this person requires further verification before being allowed to leave the facility.

The code could be something that says simply that the traveller has declared that he or she is importing a bag of apples from Europe and therefore requires further processing from the agriculture department before being allowed to proceed. Or the code could mean that the officer has suspicions that the person was not completely truthful. We've used the same system in the kiosk: it puts in a special number. The kiosk will automatically generate the code that stands for a random referral.

Mrs. Hayes: Do you see this as moving towards a mandatory system?

Mr. MacPherson: We are not considering the movement of this into a mandatory system. The program has been designed completely as a voluntary program intended to provide an alternate way for people to comply with customs and immigration requirements to facilitate their movement across the border. Because of the fact that this is more extensive than the normal processing that we would do on a traveller arriving at the airport, it is expensive for the department to do these background checks. That's the reason for the cost-recovery fee, the $50 fee. It is to recover some of those costs.

If we were to make this mandatory, it would basically force us into charging people to enter Canada. I don't think that would be acceptable to anyone, so for that reason I do not see us taking the CANPASS program and making it mandatory. This will not become our core service. I believe this will always be an alternative service.

.1240

Mrs. Hayes: Something that hasn't really been discussed this morning is liability regarding the somehow unauthorized privacy invasion of whoever. As opposed to my colleague, I am concerned with not only private abuse but government abuse of privacy information; both are certainly at issue.

Maybe I could actually ask you about this, Mr. Tomko, because I was very interested in your presentation. It seems that you want to ensure that privacy won't be invaded by using another step in the process, by creating a protection there. Even then, as you've said, given time and effort, perhaps there could be an invasion of that link, maybe with a fingerprint. If it were included, the encoding could be brought back to a two-dimensional encode, which then could go back to a photograph of a fingerprint, for instance, whatever might happen, so that the actual link could be established.

How would you suggest that liability of the sharing of information or the improper use of information be addressed, through legislation or whatever?

Mr. Tomko: The Canadian Standards Association has published a code for privacy, which is based on the OECD guidelines. I think they're an excellent basis to start from, in terms of how we address legislation in terms of both the private and the public sector.

One of the things I think you alluded to was whether any privacy technology could be defeated. The obvious answer is of course it can, because privacy has a pyramid just like security. Each step up the pyramid is going to be more and more difficult, but if you spend enough time and resources, you're going to crack it. But I don't think that's the issue. I think technology is constantly going to evolve, and in society the half-life of technology is so short it doesn't matter any more.

I think the real issue is what kind of public policy we would put in place to gently get - I don't want to use the word coerce - private enterprise to use privacy enhancing technologies and the proper policies to ensure that some of the stuff Mr. Allmand was concerned about doesn't happen, in terms of genetic information, medical information, etc.

Mrs. Hayes: So you're saying the government should move towards coercing -

Mr. Tomko: No, I would never say government should coerce. My mother would turn over in her grave.

The Chair: Would you just finish this thought, please, so we can move on to the next witness?

Mr. Tomko: Yes. I would not say the government should coerce. I would say that through legislation we can provide guidelines in order to use privacy-enhancing technology.

The Chair: Thank you very much.

Mr. Godfrey.

Mr. Godfrey: I guess I have a couple of questions, which are really more of a technical nature.

The first issue is that of one card versus many. I just went through my wallet and was appalled to discover that I have 32 cards of various sorts. Some of them are book clubs, some of them are video clubs. Let's take some of the more common ones: my Ontario health card, my driver's licence, and my credit card.

Obviously it would reduce pocket wear if I could boil down these cards. But from a protection point of view, am I better off having separate cards to make sure that things don't get matched up, which I don't particularly want? Is the technology now such that, as I understood from Mr. MacPherson, there are segregated bits of the card which only certain folks can use? So in fact you achieve the same effect on one card, which is in a way as secure as if I had two cards. Or is there always the danger that a bad guy could do something to me? I guess that's my first question.

.1245

Mr. MacPherson: I would have to first qualify this by stating that I am far from an expert on card technology and I would not want to speak to a broad range of technologies. But within the choices we made for the Canadian government card issued for the travel sector, we took a look at a number of different media, a number of different technologies that were possible for cards: magnetic stripe; IC, the integrated chip - various technologies. The reason we chose to go with the technology we did, which is this optical media, is that it did provide us with the capacity, the size, to store the data that the agencies anticipated they would require in order to carry out their mandates, while allowing us to segregate the data in such ways that we would be able to meet the privacy requirements we wished to bring to the card.

I'm not sure whether anyone else would have further information.

The Chair: Perhaps you might ask our two other witnesses, particularly Rita Reynolds, who has been looking at all these things. I'm sorry, I know as parliamentary secretary you were pulled out of the room to go and settle something in another room so you may have missed this, but they've tried and looked at -

Mr. Godfrey: No, I was here for that. I guess the issue is does it matter from a technological point of view, two and one, so to speak?

Ms Reynolds: I think really the issue is what kinds of protections you can put on each of those cards.

Mr. Godfrey: Right.

Ms Reynolds: It is certainly possible to encrypt information on one card and to separate it into essentially separate databases, so that if you're dealing with a health issue the institution you're dealing with would have access only to that portion of the information. Ideally it also would be linked to a biometric so that it would require both the card and the individual to activate the information.

Mr. Godfrey: Let me understand this encryption business, because I think it's exciting but also challenging, as my colleague discovered. Putting it into analogous language, is it the equivalent of my taking my bank card and going in and picking my own PIN number? So what I do is present the card and my mitt, and I say, okay, this is the equivalent of my PIN number, so only I control the PIN number and therefore there's that match and it's done. Is that basically it?

Mr. Tomko: Yes. There's one step in between. It's as if you choose a PIN number, and then that PIN number is used to scramble the information.

Mr. Godfrey: Okay.

Mr. Tomko: So the information on your card is always disguised so that if you lose it or it's stolen, it cannot be read by anyone without your authorization, which is your finger pattern.

Mr. Godfrey: But I actually go through a PIN-number-like selection process. Someone's not looking over my shoulder or someone's not checking it out.

Mr. Tomko: It can be both ways. You can choose your own PIN number in the ATM example, or in the example that you want a card to be your own private, portable database, then the system would choose a strong encryption key that your finger pattern would disguise. That encryption key would scramble the information on that card, so now in effect your finger pattern is the key to the information on that card. That's technologically possible now.

Mr. Godfrey: I see.

By the way, for purposes of explanation, is a photo in and of itself - even primitively, just by looking at it and asking if that is me, which I hope it isn't - biometric information? Is a photo by itself, without all the encryption and computers and so on, primitive biometric information?

Ms Reynolds: Yes.

Mr. Godfrey: Okay.

My final question is do any of the three of you see a problem with this? Is there something you would critique or raise a red flag or a caution sign on, on this particular technology?

Ms Reynolds: On the encryption?

Mr. Godfrey: Yes.

Ms Reynolds: No. The encryption is perhaps the only reason governments can consider going down this road of using biometric information. The weaknesses in our identification system are fairly clear to everyone, but it would be better to leave them the way they are without encryption technology because with databases being created it does create the potential to have an enormous invasion of privacy, and encryption is perhaps one of the most exciting things to come along in privacy protection in the last ten years.

[Translation]

The Chair: Is there anything you'd like to add, Ms McNicoll?

Ms McNicoll: Yes, there is. Generally speaking, we could say that the belief that one card can contain all information is a myth. In any case, proliferation of cards is not the biggest curse we've had to deal with.

.1250

Now practically speaking, there is an old adage that says we should put all our eggs in one basket. If you have one single smart card that contains all the data about your own life, your identity and everything else, that's a lot of eggs in the basket. And a very big stroke of luck for whoever finds the card.

The Chair: Except if the fingerprints don't match.

Ms McNicoll: That may be true, but who knows. There are geniuses everywhere - there are as many geniuses around to circumvent the systems as there were to devise them.

The more delicate aspect of the multi-purpose card is the superposition of different functions. Having a great deal of information in a single database might be considered acceptable. But that's not where the real risk lies. The real risk lies in the proliferation of functions and uses, including delivery of services, monitoring, control, verification, statistics and everything else. When people have many cards, like 15 or even 35, they tend to leave some at home when they go out. The next time they go out, they leave different ones at home. So we'd have to see what the most rational approach to assessing this would be. I should say that I myself, as a citizen, don't consider the single smart card such a great thing.

The Chair: I have one short question for you, Ms McNicoll, and then we'll come back to you, Maurice.

[English]

I want to bring to your attention that the federal privacy commissioner,

[Translation]

In his 1993-1994 annual report, Mr. Phillips explained why he was opposed to the introduction of a national multi-purpose identity card. He said:

[English]

I think we have discussed before that you can have a perfect society and you can have perfect control, but that's not exactly the democracy we've all been dreaming about. So I wonder if in response to the questions placed by Mr. Godfrey - Listen, you were the chairman of the cultural committee. You know perfectly well that we've now gone from analogue to digitized! But I think Mr. Bernier, Mr. Allmand and Mr. Godfrey have indicated really serious concern in this regard. I wonder if you want to add anything.

Geoff, you had a question related to this issue.

Mr. Regan: Thank you, Madam Chair.

First of all, I want to congratulate you today as a visitor to the committee. I'm delighted to see that you're working on this very important issue.

My questions are related to two points. I'm curious to know how, what kind of wide use, or to what extent the CANPASS cards are being used. What number of Canadians are using those cards at this stage? That's the first question for Mr. MacPherson and for Mr. Tomko.

Secondly, what are the dangers of hackers getting into a system so that when you go to use your fingerprints there has been interference in the system and there are problems?

[Translation]

The Chair: Do you want to put your question, Maurice?

Mr. Bernier: No, I'll let him answer first, because my question is about something else.

The Chair: Please go ahead.

[English]

Mr. MacPherson: With respect to the number of people who have CANPASS cards at the present time, we have enrolled 1,800 people.

.1255

Mr. Tomko: With respect to hackers - and I presume you're talking about hackers at a distance - there is no way they can physically get into the optical computing portion now. But after the number has its disguise removed it's in digital form and they could access that. You just have to use good security practices in encryption mechanisms to guard against that.

The Chair: Mr. Bélanger - excuse me, Mr. Bernier.

[Translation]

Mr. Bernier: Please don't change my name, Madam Chair, or I'll have to pull out my cards.

I don't know how much time we have left. The meeting was scheduled to go until about 1:00 p.m. Could we extend this a little?

The Chair: We can add a few minutes.

Mr. Bernier: My question is to Ms McNicoll, but any of the other witnesses can comment if they wish. If you'll allow, I'll start with a short promotional message - it's a little jingoistic, but it's interesting.

The December 1996 issue of l'Actualité contained an interview with the ombudsman, in which the ombudsman dealt with the very issues we have been discussing for some time now. He raised a very interesting point of view, which Ms McNicoll explained and elaborated on in her introduction, the need for public debate.

I think that Ms McNicoll knows exactly what our committee is trying to achieve. Before engendering the need for more statutes and more regulations, the committee would like to know how our fellow citizens in Quebec and Canada feel about all these new technologies, and what impact they could have on their lives.

There are some fundamental debates that need to be held. I'll link my question to an example raised during Mr. Tomko's introduction. Mr. Tomko said that we needed biometric identification systems to avoid fraud. Now let me come back to the interview with the ombudsman in l'Actualité: the interviewer reminded the ombudsman of a statement he had made a number of years before. He had said that the government - or at least society in general - had the ongoing impression that one half of society was always trying to put one over on the other half. That attitude is good grounds for instituting all kinds of measures to protect against this.

And it really is a fundamental issue. Take the Department of Revenue: the ombudsman quite rightly pointed out that income tax returns were processed on the fundamental principle that citizens were acting in good faith. We do not presume they are attempting to defraud the government; we presume they are acting in good faith.

The ombudsman added something I will read to you, because I think we should all hear it. Here it is:

But threats to privacy were not really generated by information technology. What is at stake here, is the welfare State. If I want to benefit from the wide variety of services offered by the State, I have to renounce some aspects of my privacy. I am going to be asked for my address, my name, my social insurance number and many other data the government needs to protect against abuse. I end up in the position of debtor to the State, if you will: I have rights, but before I can exercise them, I have to provide the information needed for these programs to be applied.

Earlier on, you were talking about the issues we will have to raise, including the issue of who decides which measures - including the new cards - will be applied. You mentioned decisions being made by the government, the private sector, or some kind of amorphous agency.

I would like to conclude on this very important point: I would like you to tell us who will watch out for us, who will make sure that our privacy is not invaded, even for all kinds of good reasons.

.1300

The Chair: Can I have a supplementary to Mr. Bernier's questions? You said that the general public could take knowledgeable part in the debate.

I would like to share that view. But everything we have learned around this table in the past six or seven meetings has astounded us completely. We have been amazed by the facts we have learned and by the speed with which changes happen and affect our daily lives. Could you take that into account in answering Mr. Bernier?

Ms McNicoll: Well, this is the sixty-four thousand dollar question. Investment would be needed - human investment would be needed before we can begin. And as to who makes the decision - well, in my mind, fundamental issues involving the introduction of technologies that could undermine freedom or interfere with our rights and freedoms, fundamental issues with huge economic implications for the future - since any infrastructures implemented to support these technologies mean a long-term commitment - should not be decided by a handful of experts who are acting for our own good.

The general public should be informed, and that's not a pipe dream. Some 15 years ago, a survey showed that concerns about privacy ranked 33rd among other concerns in Canada. In 1992 or 1993, a survey carried out by Equifax Canada Inc. showed that privacy concerns now ranked 3rd or 4th. This means that people are having to give out a great deal of information and are much more aware of the privacy issue.

Obviously, when dealing with complex technologies, people need social evaluation mechanisms that provide information for them, both at the local and national level.

In my view, what we need to do is inform our citizens properly, and that is difficult to achieve. You have had experience of that. Without requiring everyone to become an expert, institutions, government representatives and private spokespersons must give people a chance to express their views on these technologies.

There are people who have talked to us about certain technologies. A synthesis of all these diverse elements could be very useful - some aspects of the issue could be demystified, while others could be shown in a more positive light.

One thing is clear: we really don't have independent - genuinely independent - organizations with the scientific and human resources required to provide such information and to do proper assessment of the economic impact of changes made when government takes certain measures, like cutting services.

The Auditor General of Quebec recently made a very disturbing statement: it seems that some existing practices are in kind of an economic vacuum - we have no idea whether they are cost effective. Yet, at the same time, people are putting forward ideas for miracle, cure-all technologies without telling us their real costs. We applaud the technology because in general it tends to improve our quality of life. Opening hours have been extended. We can do our banking at automatic teller machines. We can do all kinds of things. There's no question that our lives can be simplified, but what is the price we have to pay?

And what is the greatest threat against which we must warn our fellow citizens? It is the belief that anything we are offered to make our lives easier is necessarily a good thing. We have to think twice before jumping in. I don't mind having 15 cards, if I can maintain some control. Having only one card might make my life easier, but am I not paying a very high price for that?

The Chair: The real issue is consent, knowledge -

Ms McNicoll: That's right.

The Chair: - and the right to say yes or no, to refuse.

Ms McNicoll: I'm sorry, I don't quite understand. Oh, I see, citizens should have the right to say yes or no.

The Chair: Exactly.

.1305

Ms McNicoll: But they have to know what they are saying yes or no to.

The Chair: That's exactly what I mean.

Ms McNicoll: Well, I might say yes to a beautiful present, but what price do I have to pay for it?

The Chair: It's like when you don't read the fine print.

Mr. Bernier: Madam Chair, if you would allow, I have a short comment before letting my colleagues have the floor. A few years ago, there was a Quebec comedian who said that the Department of Revenue's motto was: "We want your property, and we're going to get it". We should bear that motto in mind when we let others take over our lives.

Ms McNicoll: We should not underestimate every person's ability to understand what the real stakes are if they are properly and openly explained.

[English]

The Chair: Mrs. Hayes, please.

Mrs. Hayes: My concerns are much the same as those of my colleague who was just asking the question. I thought we heard an instructive example, and maybe I could just get a comment from Ms Reynolds about it.

With respect to your example of the surveillance camera and the municipality or whatever deciding not to pass it on to the enforcement agencies, are you comfortable with that? This is an example of who makes the decision about what level the information would be carried to.

Ms Reynolds: I can only repeat a comment one of my staff made to me after the discussions were held. What concerned that person was that all that really stood between electronic surveillance being conducted or not was me saying "No way."

The problem is that privacy legislation is a very good framework, but it is essentially a codification of social values. Legislation is not the social values themselves. So it's up to individuals to actually apply those principles and to stand behind them. The strengthening of privacy laws and a strengthening of the authority of the information and privacy commissioners in Canada would be very helpful.

Currently in Ontario, the privacy commissioner can issue orders on access. They cannot issue orders related to privacy. There are very few penalties for invasion of privacy. I think the biggest one is public embarrassment, and that is simply not enough. If there were some real statutory penalties for invasion of privacy, particularly with electronic surveillance - There is always someone who will say there is an argument in some obscure law about why we can do this under this circumstance today.

I think we need clarity in the Criminal Code, particularly related to electronic surveillance, as to what is or is not permitted. The position I took was simply that if they did not have a warrant we would retain control of the cameras. Of course the protest went off beautifully and there were no incidents.

You have to realize that the police have a very heavy responsibility for safety. And if anything goes wrong, we're the first to say to them, "Why weren't you there?" Unless we're going to have a police officer on every corner we have to recognize that it is a competing interest and they will want to try to get as much information to protect public safety as they can, but, on the other side, that's dependent on having equally strong protections in law from that kind of intervention.

The Chair: I think it's one of the reasons why this committee, which is the human rights committee - And today is a very special day in the history of this committee because today is International Human Rights Day. It is actually the day on which you celebrate the declaration on human rights, which a Canadian was very involved in writing.

The question you can place before yourselves, given the nature of the exchanges today, is just how far are we stretching what would be considered privacy rights 25 years ago and what would be considered privacy rights worthy of protection today? Do you change the criteria of fundamental human rights based on social prerogatives, social imperatives and economic imperatives? At what point do they come into balance with each other?

.1310

Mr. Godfrey: It's also a good day because the Ontario health minister resigned yesterday on a privacy issue because one of his assistants went into the records and started to talk to journalists.

The Chair: Really?

Mr. Godfrey: It's on the front page of The Globe and Mail.

The Chair: If everyone is quite satisfied - I know we've gone beyond our time line, but for me the bottom line of consent and of knowledge becomes very vital before one moves into this field.

I thank you very much for being with us.

[Translation]

Thank you very much. You have broadened our horizons. I hope we come to some useful conclusions. Thank you for your very valuable input.

[English]

We are adjourned until Thursday morning.
