Jan 15, 2015 in Papers & Projects by DIACC

DIACC Brief: Minister of Finance Advisory Board

DIACC Brief for Minister of Finance Advisory Board November 2014 Regarding Proposed Regulatory Changes to Allow for Recognition of Digital Identity

Canada’s economic future depends on developing a secure and convenient system for digitally validating an individual’s identity using reliable sources, while placing the individual in control of what personal and/or private information is shared.

Canadians are enthusiastically adopting digital technologies and services to improve the way they work and enhance their lifestyle. The rapid adoption of mobile devices, mobile apps and cloud-based services have the unprecedented capability of transforming entire industry sectors.

With the shift to digital services, many of the traditional methods of how we prove who we are now being viewed as obsolete, as irritants, or as barriers to innovation. As our society transitions to the digital world, in-person and paper-based processes, once the preferred method of service delivery, are now being replaced by digital alternatives.

This trend toward digital alternatives, is transforming how we present ourselves in-person and online. Canadian documents used for the purposes of identification and eligibility are being modernized: from the Canadian e-passport to provincially-issued smart services cards, such as the BC Services Card. These modernized documents, while preserving the traditional in-person and document-based presentation methods, represent the next step toward digital alternatives. Through embedded electronic capabilities, these documents provide secure ways to electronically authenticate documents that can be used to identify customers subject to PCMLTFA regulations. In conjunction, electronic methods enabled through the use of these documents as well as broader transformation to digital identification sources can provide electronic alternatives that enable a fully digital service delivery capability that is equally secure, trustworthy, and legally binding.

The significant advantages these modernized documents and capabilities have over traditional identity documents (e.g. driver’s licence, birth certificate, etc.) include:

  • More robust authentication techniques where the document can be electronically authenticated by means of a secure reader. This is key to combating document and identity fraud
  • The elimination of expensive and error-prone paper-based evidence collection processes (e.g. photocopying a document and placing in a physical file)
  • Ability to integrate multiple reliable sources of information to provide a more robust validation of the individual based on preponderance of information vs 1-2 methods that exist today

Application of digital identity across Canada can enhance accuracy of information, improve operational efficiencies across the public and private sectors and increase convenience and access for Canadians, including:

  • Enabling secure conduct of high-value business transactions, such as opening a banking account, purchasing a cell phone or signing legal agreements
  • Enabling transactions that involve sensitive personal information, such as viewing medical records or renewing a prescription
  • Facilitating simple every day transactions such as signing a child’s waiver form for hockey camp or a class field trip

Regulatory Analysis

Modernized identity documents and capabilities can be used to enhance and ultimately replace existing procedures where an individual is required to be physically present:

  • Electronic authentication of document security features and identity information versus the more difficult (and less reliable) visual authentication and manual transcription by a sufficiently-trained clerk or officer
  • Electronic collection and validation of identity information, reducing data entry errors and ensuring up-to-date identity information about the individual
  • Use of additional methods to ensure that the individual is the legitimate owner (e.g. use of a PIN)
  • Preserving privacy by collecting only the information that is required to meet regulatory requirements. For example, a photocopy of a driver’s licence contains personal information that is not required to open a bank account

Regulatory Recommendations

To build a Digital Identification and Authentication (DIA) regime to underpin a modernized payments system, enable fully digital transactions, and protect Canadians’ privacy, Government must lead the charge. We propose that an additional method be added to the Schedule 7 of the regulations that will allow for the option of a fully electronic (i.e., digital) method to ascertain identity that is sufficient in strength to meet the non-face-to-face identification requirements. We propose that this additional method be called “Electronic Confirmation of Identity”, as described below.

Electronic Confirmation of Identity

This method of ascertaining a person’s identity consists of two parts: i) electronically confirming the accuracy of person’s identity information using an accredited authoritative source, and, ii) ensuring the identity information being confirmed relates to the person making the claim (i.e. not to another person).

These two parts, as described in the proposed method above relate to two key objectives that must be met when ascertaining identity:

  • Objective 1: Accuracy of identity information. Identity information about an individual must be accurate, complete and up-to-date. Accuracy ensures that the identity information represents what is true about the individual and the individual truly exists (i.e. not a fictional or ‘synthetic’ identity).       Confirming the accuracy of information is also referred to as Identity Validation.
  • Objective 2: Linkage of identity information to the individual. Identity information, once confirmed as accurate, must relate to the individual making the claim. Linkage ensures that identity information is not being fraudulently being used by another individual. Ensuring the linkage of information is also referred to as Identity Verification.

Together, when these objectives are met, they can provide a level of assurance that an individual is actually who they say they are.

Identity Validation is the confirmation of the accuracy of identity information as established by an authoritative source. Identity validation ensures that identity information regarding an individual is accurate. Identity Verification is confirmation that identity information relates to the individual making the claim. Identity verification may employ a variety of techniques to ensure that an individual is claiming his/her own identity information (and not that of another individual). Techniques include asking for shared secrets that only the individual knows, requesting the presentation of trusted credential (electronic or physical) that has been (or will be) authenticated, etc. AN INDIVIDUAL, OR AN AUTHORIZED AGENT ON BEHALF OF THE INDIVIDUAL, SHOULD BE DIRECTLY INVOLVED IN AN IDENTITY VERIFICATION TRANSACTION

The flow diagram illustrates the simplest identity validation scenario involving an individual as a client, a relying party as a service provider to the client, and an authoritative party providing the identity validation service.

To maintain simplicity, this flow diagram assumes the following:

  • All interactions conducted within a secure context, including a secure connection and/or authentication using a trusted anonymous credential.
  • Privacy and consent notices are displayed when appropriate.
  • Relying party and authoritative party have the necessary authorities to collect and use information.

About the DIACC

The Digital Identification and Authentication Council of Canada (DIACC) is the non-profit coalition of public and private sector leaders who are developing Canada’s system for digital identification and authentication to enable Canadians’ full and secure participation the global digital economy.

DIACC’s members and advisors include leaders from both the federal and provincial levels of government as well as representatives from small and large businesses, charities, and privacy commissioners.

We are committed to unlocking economic opportunities for Canadian consumers, and businesses by providing the framework to develop a robust, secure, scalable and privacy-enhancing digital identification and authentication ecosystem that will decrease costs for everyone while improving service delivery and driving GDP growth.

We operate transparently and participation is open to all Canadians. Our current membership includes:

BlackBerryNotariusSecureKey Technologies
BMO Bank of MontrealOnline Business SystemsSierra Systems
Canada PostPlaceSpeakTD Bank
CapcoProvince of British ColumbiaTELUS
Central 1 Credit UnionProvince of New BrunswickThirdstream
CIBCProvince of OntarioThoughtwire
Desjardins GroupPwCTicoon
Equitable BankRoyal Bank of CanadaTrulioo
Government of Canada, Public Works and Government Services Canada