Daily Archives: Jan 15, 2015

DIACC Recommendations: Province of Ontario’s Electronic Signature Regulation

DIACC Comments and Recommendations: Proposed Changes to Province of Ontario’s Electronic Signature Regulation December 2014


Background on Digital ID and Authentication Council of Canada….

The Digital Identification and Authentication Council of Canada (DIACC) is the non-profit coalition of public and private sector leaders committed to developing Canada’s system for digital identification and authentication to enable Canadians’ full and secure participation in the global digital economy.

We are committed to unlocking economic opportunities for Canadian consumers and businesses by providing the framework to develop a robust, secure, scalable and privacy-enhancing digital identification and authentication ecosystem that will decrease costs for everyone while improving service delivery and driving GDP growth.

DIACC’s members and advisors include leaders from both the federal and provincial levels of government as well as representatives from small and large businesses, charities, and privacy commissioners.

We operate transparently and participation is open to all Canadians. Our current membership includes all of Canada’s major financial institutions and credit unions, telecommunications companies, departments within the Canadian Federal, Provincial and Municipal governments, and technology providers.

Comments:

The Digital ID and Authentication Council of Canada appreciates the opportunity to contribute to the process of reviewing the proposed changes to the Province of Ontario’s Regulations regarding e-Signatures for Agreements of Purchase and Sale of Land.

Our membership consists of a broad cross section of stakeholders (including Canada’s largest financial institutions, telecommunications companies, departments within the Canadian Federal, Provincial and Municipal governments, and technology providers). We were founded specifically to create an environment for strong implementation of digital ID and authentication experiences and to stimulate Canada’s digital economy.

From our members, the DIACC has collected a panel of experts to review the proposed Government of Ontario regulation changes, and the panel agrees that at first glance the current proposals represent an improvement over the current regulations.

The DIACC does caution that changes to the regulatory environment will impact many sectors, and if not written and applied correctly, new regulations can bring about unintended consequences and create significant challenges in the long term.

The decision to use one type of signature over another must be assessed against many factors including, but not limited to:

  • Risk tolerance
  • Potential for fraud
  • Accepted practice
  • Cost

Secure Electronic Signatures

Pursuant to the Canada Evidence Act, the Personal Information Protection and Electronic Documents Act (PIPEDA) and the Secure Electronic Signature Regulations, a Secure Electronic Signature is defined as being:

  • Unique to the person
  • Under the sole control of the person
  • Used to identify the person
  • Linked with the electronic document in such a way that it can be used to determine if the document has been changed since the signature was attached
  • Uses Public Key Infrastructure (PKI) technology

This is a very prescriptive method and, although it provides additional assurance, it may create unnecessary technical barriers and costs.

Electronic Signatures

  • They encompass close to everything else: user name and password, PIN code, scanned signature, signature with stylus pen, name typed at bottom of e-mail, scanned signature saved as jpg etc.

When discussing a need to alter or amend the regulation, one must consider the original intent. The intent of having a signature on agreements of purchase and sale of land in Ontario is to:

  • Ensure the identity of the parties entering into an agreement
  • Ensure both parties understand and agree to the transaction
  • Ensure neither party can claim “ignorance of” or deny intention of transaction
  • Ensure there is a public record of the transaction
  • Ensure that the signed document has not been altered or modified once a signature has been applied.

As mentioned, the decision to use one type of signature over another must consider a number of important factors, notwithstanding the nature of program and its costs alone.

Proposed Province of Ontario Regulatory Changes

Draft Regulation

  1. For the purpose of subsection 11(4) of the Act, the following class of documents is prescribed: agreements of purchase and sale of land in Ontario.
  2. A legal requirement that a document of the prescribed class be signed is satisfied by an electronic signature only if the method of signature used:

a.   Is reliable for the purpose of identifying the person who signs;

b.   Ensures that the electronic signature is permanent and cannot be removed from the signed document; and

c.   Is accessible so as to be usable for subsequent reference by any person who is entitled to have access to the document or who is authorized to require its production.

Should Ontario adopt a regulation to support the reliability of electronic signatures on agreements of purchase and sale of land, and if so, is the text above an appropriate regulation?

The DIACC recommends altering Section 2 of the proposed regulations to read:

A legal requirement that a document of the prescribed class be signed is satisfied by an electronic signature only if the method of signature used:

a.   Is reliable for the purpose of identifying the person who signs an electronic document using an electronic signature;

b.   Ensures that the electronic signature is under the sole control of the person when signing the electronic document;

c.   The electronic signature can be linked with the electronic document in such a way that it can be used to determine if the electronic document has not been changed since the signature was attached; and

d.   Meets security requirements as prescribed by applicable agreements, legislation or regulation.

DIACC Brief: Minister of Finance Advisory Board

DIACC Brief for Minister of Finance Advisory Board November 2014 Regarding Proposed Regulatory Changes to Allow for Recognition of Digital Identity


Canada’s economic future depends on developing a secure and convenient system for digitally validating an individual’s identity using reliable sources, while placing the individual in control of what personal and/or private information is shared.

Canadians are enthusiastically adopting digital technologies and services to improve the way they work and enhance their lifestyle. The rapid adoption of mobile devices, mobile apps and cloud-based services has the unprecedented capability of transforming entire industry sectors.

With the shift to digital services, many of the traditional methods of how we prove who we are are now being viewed as obsolete, as irritants, or as barriers to innovation. As our society transitions to the digital world, in-person and paper-based processes, once the preferred method of service delivery, are now being replaced by digital alternatives.

This trend toward digital alternatives is transforming how we present ourselves in-person and online. Canadian documents used for the purposes of identification and eligibility are being modernized: from the Canadian e-passport to provincially-issued smart services cards, such as the BC Services Card. These modernized documents, while preserving the traditional in-person and document-based presentation methods, represent the next step toward digital alternatives. Through embedded electronic capabilities, these documents provide secure ways to electronically authenticate documents that can be used to identify customers subject to PCMLTFA regulations. In conjunction, electronic methods enabled through the use of these documents, as well as broader transformation to digital identification sources, can provide electronic alternatives that enable a fully digital service delivery capability that is equally secure, trustworthy, and legally binding.

The significant advantages these modernized documents and capabilities have over traditional identity documents (e.g. driver’s licence, birth certificate, etc.) include:

  • More robust authentication techniques where the document can be electronically authenticated by means of a secure reader. This is key to combating document and identity fraud
  • The elimination of expensive and error-prone paper-based evidence collection processes (e.g. photocopying a document and placing in a physical file)
  • Ability to integrate multiple reliable sources of information to provide a more robust validation of the individual based on preponderance of information vs 1-2 methods that exist today

Application of digital identity across Canada can enhance accuracy of information, improve operational efficiencies across the public and private sectors and increase convenience and access for Canadians, including:

  • Enabling secure conduct of high-value business transactions, such as opening a banking account, purchasing a cell phone or signing legal agreements
  • Enabling transactions that involve sensitive personal information, such as viewing medical records or renewing a prescription
  • Facilitating simple every day transactions such as signing a child’s waiver form for hockey camp or a class field trip

Regulatory Analysis

Modernized identity documents and capabilities can be used to enhance and ultimately replace existing procedures where an individual is required to be physically present:

  • Electronic authentication of document security features and identity information versus the more difficult (and less reliable) visual authentication and manual transcription by a sufficiently-trained clerk or officer
  • Electronic collection and validation of identity information, reducing data entry errors and ensuring up-to-date identity information about the individual
  • Use of additional methods to ensure that the individual is the legitimate owner (e.g. use of a PIN)
  • Preserving privacy by collecting only the information that is required to meet regulatory requirements. For example, a photocopy of a driver’s licence contains personal information that is not required to open a bank account

Regulatory Recommendations

To build a Digital Identification and Authentication (DIA) regime to underpin a modernized payments system, enable fully digital transactions, and protect Canadians’ privacy, Government must lead the charge. We propose that an additional method be added to Schedule 7 of the regulations that will allow for the option of a fully electronic (i.e., digital) method to ascertain identity that is sufficient in strength to meet the non-face-to-face identification requirements. We propose that this additional method be called “Electronic Confirmation of Identity”, as described below.

Electronic Confirmation of Identity

This method of ascertaining a person’s identity consists of two parts: i) electronically confirming the accuracy of a person’s identity information using an accredited authoritative source, and ii) ensuring the identity information being confirmed relates to the person making the claim (i.e. not to another person).

These two parts, as described in the proposed method above, relate to two key objectives that must be met when ascertaining identity:

  • Objective 1: Accuracy of identity information. Identity information about an individual must be accurate, complete and up-to-date. Accuracy ensures that the identity information represents what is true about the individual and the individual truly exists (i.e. not a fictional or ‘synthetic’ identity). Confirming the accuracy of information is also referred to as Identity Validation.
  • Objective 2: Linkage of identity information to the individual. Identity information, once confirmed as accurate, must relate to the individual making the claim. Linkage ensures that identity information is not being fraudulently used by another individual. Ensuring the linkage of information is also referred to as Identity Verification.

Together, when these objectives are met, they can provide a level of assurance that an individual is actually who they say they are.

Identity Validation is the confirmation of the accuracy of identity information as established by an authoritative source. Identity validation ensures that identity information regarding an individual is accurate.

Identity Verification is confirmation that identity information relates to the individual making the claim. Identity verification may employ a variety of techniques to ensure that an individual is claiming his/her own identity information (and not that of another individual). Techniques include asking for shared secrets that only the individual knows, requesting the presentation of a trusted credential (electronic or physical) that has been (or will be) authenticated, etc.

AN INDIVIDUAL, OR AN AUTHORIZED AGENT ON BEHALF OF THE INDIVIDUAL, SHOULD BE DIRECTLY INVOLVED IN AN IDENTITY VERIFICATION TRANSACTION.

The flow diagram illustrates the simplest identity validation scenario involving an individual as a client, a relying party as a service provider to the client, and an authoritative party providing the identity validation service.

To maintain simplicity, this flow diagram assumes the following:

  • All interactions conducted within a secure context, including a secure connection and/or authentication using a trusted anonymous credential.
  • Privacy and consent notices are displayed when appropriate.
  • Relying party and authoritative party have the necessary authorities to collect and use information.

About the DIACC

The Digital Identification and Authentication Council of Canada (DIACC) is the non-profit coalition of public and private sector leaders who are developing Canada’s system for digital identification and authentication to enable Canadians’ full and secure participation in the global digital economy.

DIACC’s members and advisors include leaders from both the federal and provincial levels of government as well as representatives from small and large businesses, charities, and privacy commissioners.

We are committed to unlocking economic opportunities for Canadian consumers and businesses by providing the framework to develop a robust, secure, scalable and privacy-enhancing digital identification and authentication ecosystem that will decrease costs for everyone while improving service delivery and driving GDP growth.

We operate transparently and participation is open to all Canadians. Our current membership includes:

  • 2Keys
  • BlackBerry
  • BMO Bank of Montreal
  • Canada Post
  • Capco
  • Central 1 Credit Union
  • CIBC
  • Desjardins Group
  • Equifax
  • Equitable Bank
  • Government of Canada, Public Works and Government Services Canada
  • Interac
  • Notarius
  • Online Business Systems
  • PlaceSpeak
  • Province of British Columbia
  • Province of New Brunswick
  • Province of Ontario
  • PwC
  • Rogers
  • Royal Bank of Canada
  • Scotiabank
  • SecureKey Technologies
  • Sierra Systems
  • TD Bank
  • TELUS
  • Thirdstream
  • Thoughtwire
  • Ticoon
  • TransUnion
  • Trulioo

DIACC Recommendations: AML Regulations

DIACC Comments and Recommendations: Proposed Changes to AML Regulations for Minister of Finance Advisory Board 2014


Background on Digital ID and Authentication Council of Canada….

The Digital Identification and Authentication Council of Canada (DIACC) is the non-profit coalition of public and private sector leaders committed to developing Canada’s system for digital identification and authentication to enable Canadians’ full and secure participation in the global digital economy.

We are committed to unlocking economic opportunities for Canadian consumers and businesses by providing the framework to develop a robust, secure, scalable and privacy-enhancing digital identification and authentication ecosystem that will decrease costs for everyone while improving service delivery and driving GDP growth.

DIACC’s members and advisors include leaders from both the federal and provincial levels of government as well as representatives from small and large businesses, charities, and privacy commissioners.

We operate transparently and participation is open to all Canadians. Our current membership includes all of Canada’s major financial institutions and credit unions, telecommunications companies, departments within the Canadian Federal, Provincial and Municipal governments, and technology providers.

Comments:

The Digital ID and Authentication Council of Canada appreciates the opportunity to contribute to the process of reviewing the proposed changes to the Department of Finance/FINTRAC AML regulations.

Our membership consists of a broad cross section of stakeholders (including Canada’s largest financial institutions, telecommunications companies, departments within the Canadian Federal, Provincial and Municipal governments, and technology providers). We were founded specifically to create an environment for strong implementation of digital ID and authentication experiences and to stimulate Canada’s digital economy.

From our members, the DIACC has collected a panel of experts to review the proposed Department of Finance/FINTRAC regulation changes in the short time provided, and the panel agrees that at first glance the current proposals represent an improvement over the current regulations.

The DIACC does caution that changes to the regulatory environment will impact many sectors and the consultation process to-date could benefit from engaging a wider set of stakeholders. If not written and applied correctly, new regulations can bring about unintended consequences and create significant challenges in the long term.

The DIACC would appreciate clarity regarding the outcomes intended by the Department of Finance and FINTRAC, as well as an opportunity to more fully consult with our membership.

With the understanding that more time is required to fully consider the impact of these proposed changes, the DIACC provides the following comments and recommendations for your consideration.

Proposed Department of Finance/FINTRAC Regulatory Changes

  1. Single Method

To ascertain the identity of an individual and confirm their personal information, it is proposed to allow Reporting Entities to use any one of the following methods:

a)   A government-issued photo ID, if the person is physically present. This could include a driver’s licence, provincial health card (where permitted by the province), passport, permanent resident card, Secure Certificate of Indian Status, other government-issued photo identity cards or a valid foreign equivalent of any of these documents that contain an issue date and an expiry date;

DIACC Comments

Consider the requirement / ability to validate a Government-issued ID when the individual is not physically present. There are several highly reliable methods and sources that can validate the ID (including ensuring that the ID is not forged) and even conduct facial recognition electronically, if desired. Our proposed revisions are highlighted below:

A government-issued photo ID and comparison to the individual being identified. if the person is physically present. This could include a driver’s licence, provincial health card (where permitted by the province), passport, permanent resident card, Secure Certificate of Indian Status, other government-issued photo identity cards or a valid foreign equivalent of any of these documents that contain an issue date and an expiry.  The identification can be conducted in person, or through a reliable method that is able to validate authenticity of the ID and compare to the individual being identified.

b)   Confirmation by a government or public body that is authorized in Canada to verify the identity of individuals, which may be done electronically. Provincial identity management systems are continuously being updated to reflect new technologies and pressures. In anticipation of future developments, this method would capture potential services that provinces may choose to provide to businesses with respect to confirming the identity of individuals (i.e., clients) in an online environment. It is our understanding that these services are not currently offered by provinces;

DIACC Comments

 Consider expanding to all government jurisdictions. Proposed revisions highlighted below:

 Confirmation by a government or public body that is authorized in Canada to verify the identity of individuals, which may be done electronically. Federal, Provincial, Territorial and Municipal identity management systems are continuously being updated to reflect new technologies and pressures. In anticipation of future developments, this method would capture potential services that provinces Federal, Provincial, Territorial and Municipal jurisdictions and may choose to provide to businesses with respect to confirming the identity of individuals (i.e., clients) in an online environment. It is our understanding that these services are not currently offered by provinces;

c)   A reliable Canadian credit file with at least three years of history;

d)   An independent and reliable identification product that is based on personal information in respect of the person and a Canadian credit history of the person of at least three years (e.g., relevant professional identity authentication services that use an individual’s credit information); or

  2. Dual Method

Alternatively, it is proposed that a Reporting Entity could also identify an individual by using any two methods listed below using different sources of information.

DIACC Comments

Under Dual Methods there are several references to using other reliable sources. We suggest removing the comment that the source has to be in Canada. With growth in international companies, the limitation of the company being based in Canada is restrictive. We would also need to consider how to verify New to Canada individuals, where a significant portion of the data may be in a different jurisdiction and would provide value when combined with the Canadian data.

a)   Verifying the name, address and, where available, other identifying information of the individual on the basis of a document or electronic data from a reliable and independent source in Canada. This could include government-issued ID that does not have a photo;

DIACC Comments

Consider removing limitations only allowing reliable sources in Canada. Proposed revisions highlighted below:

 Verifying the name, address and, where available, other identifying information of the individual on the basis of a document or electronic data from a reliable and independent source in Canada. This could include government-issued ID that does not have a photo;

b)   Verifying the name, date of birth and, where available, other identifying information of the client on the basis of a document or electronic data from a reliable and independent source in Canada;

 DIACC Comments

Consider removing limitations only allowing reliable sources in Canada. Proposed revisions highlighted below:

Verifying the name, date of birth and, where available, other identifying information of the client on the basis of a document or electronic data from a reliable and independent source in Canada;

c)   Verifying that the person has a deposit or credit card account in their name with a Canadian financial entity which was the subject of CDD measures specified in the Regulations (e.g., by using the cleared cheque method, viewing an original paper or electronic bank or credit card statement, or by performing an electronic transaction that would allow the individual’s name to be verified).