Canadian identity, just in time for the Olympics…

Molson sure know how to define Canadian-ness… (at least for the 18 to 34 crowd!)

Courtesy RBsTweets

Mike

Identity Theft? Identity Fraud? Busted either way…

The criminal code has recently been revised to include new identity-related offences — this courtesy of the most excellent Slaw.ca.

What first caught my eye were two solid definitions:

  • identity theft (new Code section 402.2(1)): knowingly obtaining or possessing “another person’s identity information in circumstances giving rise to a reasonable inference that the information is intended to be used to commit an indictable offence . . .”
  • identity fraud (revised Code section 403) : fraudulently personating another person for various improper purposes.
  • I like the clear distinction offered by these.  Theft is possession of another person’s identity information, fraud is doing bad things with that identity information.

    Perhaps these definitions will assist the press to more carefully describe crimes related to identity; I notice that they tend to call everything identity theft.

    I checked with the American author and thinker Jim Harper on these definitions, as the definitions in his book, Identity Crisis, are a bit different.  Jim was kind enough to respond:

    It’s probably a compromise with the popularity of the phrase “identity theft” that it appears at all, but I think it’s very helpful to refer to these crimes accurately, and these definitions do that well. Ordinary people will look at the law and understand better what it means, what it’s supposed to do, and what they can do to protect themselves.

    Also of interest are the examples of identity information that section 402.1 provides:

    • name
    • address
    • date of birth
    • written, electronic or digital signature
    • SIN, health insurance or driver’s license number
    • credit or debit card number
    • number of an account at a financial institution
    • passport number
    • user code
    • password
    • fingerprint or voice print
    • retina or iris image
    • DNA profile

    The new legislation recognizes that some of these items on their own represent uniquely identifying information (e.g. SIN) while others (e.g. address) would need to be combined with other attributes to arrive at a unique person.

    There’s more — if you are interested, check out the legislative summary.

    Mike

    Sun presents on Identity

    I had the chance to attend Sun’s presentation titled Effective IT Begins Here: Identity Management – Pathway to Enterprise Agility in Vancouver last week.  The presenters were Michelle Dennedy and Mark Dixon from Sun.

    Organized by IT World Canada, the breakfast session was a good chance to hear an update on how business is driving identity management.  Too often the delivery of technology is the focus in this field, so Michelle and Mark’s emphasis on business needs, strategies and privacy issues was refreshing.

    The next session is in Toronto on Tuesday November 17th.  Contact Junnel Reyes for details.

    Mike

    Canadian Identity Assertion

    <saml:AttributeStatement>
         <saml:Attribute Name="isAmerican">
              <saml:AttributeValue>                   
              false
              </saml:AttributeValue>
         </saml:Attribute>
    </saml:AttributeStatement>

    Canada’s top court enforces license photos

    Do our driver's licenses need photos?

    Do our driver's licenses need photos?

    This past week the Supreme Court of Canada dismissed an application to rehear an appeal related to mandatory photos on driver’s licenses.  The legal proceedings with the Alberta provincial government had been dragging on for some years before this final decision was rendered.

    The legal issue was raised by Hutterite colonies in southern Alberta because they felt it was a violation the second commandment, “thou shalt not make unto thee any graven image.”  Hutterites feel that photographs of any kind violate this religious principle.

    The issue is a real one as Hutterites must drive in order to conduct farm business, and they must be able to get to market to sell their produce and wares.

    So, clearly, this group of people have a classic dilemma: they can’t drive without a license, and they can’t get a license without violating their strongly held beliefs.

    What is interesting in all this is that the photograph on a license is simply a biometric that is easily read by humans without requiring special readers. (The ‘readers’ are our own eyes and brains.)  It is therefore easy for policemen to compare the photo with the subject in front of them.  The strength of this biometric combined with other information written on the license (height, weight, etc.) make it a rather classic identity document.

    And with this document, the subject can attain a high level of assurance: Pan-Canadian Level 2 at a minimum, and with appropriate corroboration, Level 3.  Of course, passports offer similar if not greater benefits due to their relatively higher quality.

    What is NOT true, however, is that picture ID is the only way for individuals to attain the high levels of identity assurance required for conducting high-value interactions and transactions.  Technically, a photo on a driver’s license is not the only way to prove one’s identity to a suspicious policeman.  A few years ago I worked on a web-based, identity proofing project that did not require picture ID.  The registrant provided a number of strong shared secrets, followed by an approval step carried out by a trusted third party who knew the individual (i.e. could provide corroboration).  The resulting electronic credential was supported by a strong password and an RSA SecurID fob.

    While this example is not directly related to the case of presenting identity to a law enforcement officer, we need to be careful about assuming that picture ID is mandatory for these types of identity assurance activities.  I was encouraged to hear that the Minister of Service Alberta, Heather Klimchuk, was willing to work with the Hutterite colonists to find creative solutions to the problem. One idea was to provide these people with a special pouch that hid the image until an officer needed to confirm the identity of the holder.

    I would like to think that there are emerging technologies that can be considered as well.  For example, based on tenders and other public records, the Solicitor General in Alberta is looking to implementing iris scanning technology, and it seems probable that police forces could be equipped with iris scanners at some point in the future.  Another option would be encoding the facial image in a 3D bar code or chip on the license, and deploying readers to support these technologies.  Perhaps one of  these options would be acceptable to Hutterites?

    There are certainly privacy issues to be considered, and solution costs have to be reasonable, but it is this type of idea generation that will be needed to properly address this issue. While most of us may not be able to relate to the Hutterite’s specific objection, this minority population has every right to their religious beliefs and practices.  Our Canadian values of inclusion and respect for diversity require that we work to support these fundamental rights.

    Mike

    I am Canadiam

    Identity and Access Management in Canada is different.

    American identity issues are complicated by their obsession with national security.  British data and privacy laws are decidedly different than ours.  Identity and Access Management (IAM) implementations vary greatly from country to country.

    We need a ‘conversation’ about IAM in Canada.  Canadiam is that conversation.

    This blog has been established to discuss a range of issues, cross-link to resources, promote solutions and share IAM project information.

    Some ideas for what could could appear on these pages:

    • An ‘IAM Alert’ page where we provide a profile of new Canadian IAM implementations, and updates on existing ones.
    • A section with a collection of identity assurance stories, perhaps something like ‘How I got my drivers license in Whitehorse’ .
    • Any and all news as it relates to emerging technologies such as OpenID, Info Cards, new strong authentication solutions, new products and services, etc. — especially as they relate to life in Canada.

    Really, anything in the IAM field goes — the only catch is that there needs to be a Canadian spin to the info.

    How can this happen? With your help and support.

    We are recruiting Canadian (and ex-pat) IAM professionals as blog writers and other contributors to Canadiam.  Anyone want to run a Facebook group? Do a logo? Customize a WordPress theme? Take over the new LinkedIn Group? Have an idea for a Flickr collection perhaps a photo-stream of amusing identity signage? Want to create a mash-up using video of Paul Henderson’s winning goal, our national anthem and Dick Hardt Identity 2.0 sound bites?

    If so, please add a comment with your interest and contact info (I’ll moderate the posts so this info won’t be displayed).

    So why bother with all this? Well, it is simply because we ARE different.  Compared to the US, we have a very different systems of government, finance and health, different attitudes about privacy and different ‘sensitivities’ — yet almost all of our information on identity management originates from the US.  Understanding and discussing Canadian issues on a blog like this will help us to better understand how identity management can best be delivered in Canada.

    With all that out of the way, I give you Joe Canadiam, uh, Canadian…

    Mike Waddingham
    October, 2009

    Follow

    Get every new post delivered to your Inbox.