The Security Paradox

Protecting Trust and Identity Through Smart Architecture

February 26, 2026

#PrivacyInPracticeCA

“Digital credentials can deliver real public value when trust is built in from the start. Independent Officers of the Legislature, like Privacy Commissioners, play a critical role in ensuring privacy, security, and data protection are embedded by design—not addressed after the fact. Keeping them meaningfully engaged is essential to protecting citizens’ rights as governments move toward high-value digital services.”


– CJ Ritchie, Executive Advisor,
Cybersecurity and Government and Public Sector Practice, EY Canada


Introduction: Security and Privacy Aligned

The best security architectures also protect privacy. This alignment is not coincidental. It reflects fundamental principles of information protection. Limiting data exposure reduces attack surfaces. Distributing data across systems prevents the concentration of targets. Encrypting data protects against both breaches and surveillance.

This alignment challenges a common misconception: that security and privacy are inherently in tension. In some contexts, surveillance-based security models do conflict with privacy. But well-designed security architectures support both goals. The choice between security and privacy is often a false choice.

Canadian provincial wallet implementations demonstrate this alignment. Strong encryption protects data while decentralized storage prevents the creation of centralized targets. Security and privacy reinforce each other when architecture is designed thoughtfully.

The 2022 FPT Joint Resolution called for robust security measures to protect against unauthorized access and misuse.[1] Canadian implementations show that meeting this requirement supports, rather than conflicts with, privacy goals. This is the security paradox. Measures often associated with privacy protection can also be the most effective security controls. When architecture limits unnecessary data exposure, both privacy and security improve.

This article examines security architecture in Canadian digital trust and identity: how provincial wallets balance protection with privacy, why centralized databases create compound risks, and how the private sector is innovating to achieve both security and privacy goals.

What Provincial Implementations Demonstrate

BC and Alberta have made architectural choices that serve both security and privacy objectives. These solutions help provincial residents access services at home and support secure access to federal services, including CRA resources. These choices offer lessons for the broader ecosystem.

Alberta’s Encryption Leadership

Alberta’s wallet uses advanced encryption to protect credentials at rest and in transit. Alberta’s documentation emphasizes that data remains private and accessible only to the user.[2] This encryption serves multiple purposes:

  • Confidentiality: Even if devices are lost or stolen, attackers cannot read encrypted data without the corresponding keys.
  • Integrity: Cryptographic techniques ensure that credentials cannot be modified without detection. Verifiers can confirm that credentials are authentic and unaltered.
  • User control: User-managed encryption keys ensure that only users can access their own credentials. This is not just a security feature. It is a privacy feature that prevents unauthorized access by system operators.

Alberta’s encryption implementation represents genuine technical leadership. The specific cryptographic choices, including the algorithms, key management approaches, and implementation details, reflect careful security engineering.

BC’s Distributed Architecture

BC Wallet stores credentials locally on user devices rather than in central databases. This architectural choice has profound security implications:

  • No centralized target: There is no central database for attackers to target. Compromising one user’s device affects only that user. It does not expose millions of records.
  • Distributed risk: Risk is distributed across millions of devices rather than concentrated in a single system. The expected harm from any single breach is drastically reduced.
  • Device‑to‑device capability: Credentials can be verified directly between trusted devices without a central service. This improves resilience while reducing reliance on and exposure to centralized infrastructure.

BC’s documentation notes that verifiers can confirm information without contacting the issuer.[3] BC’s privacy policy further specifies that when credential information is shared, the issuer is not informed.[4] This design choice serves both privacy (by preventing issuer tracking) and security (by reducing network dependencies and attack surfaces).

The Easy Target Problem: Why Centralized Databases Attract Attackers

Centralized databases of personal information are irresistible targets. The concentration of valuable data creates powerful incentives for attackers while making defence disproportionately difficult. This does not suggest that all centralized systems are inherently flawed, but concentrating identity data increases risk and raises the bar for safeguards.

Attack Economics

Attackers face costs: time, resources, risk of detection and prosecution. They seek targets where expected returns exceed expected costs. A centralized database containing millions of identity records offers substantial returns, justifying significant investment in attacks.

A distributed system with the same total data offers far less attractive returns. Compromising one user’s device yields one user’s data: the same attack effort returns only a tiny fraction of the value. This economic reality shapes attacker behaviour.

Defense Asymmetry

Defenders of centralized systems face a fundamental asymmetry: they must prevent all successful attacks, while attackers need only succeed once. This asymmetry worsens as the value of the centralized target increases, because higher-value targets attract more sophisticated and persistent attackers.

Distributed architectures partially address this asymmetry. Because each target is less valuable, attackers invest less in each attack. Defenders still face the succeed-always-vs-succeed-once asymmetry, but the stakes of each defensive engagement are lower.

Breach Statistics Tell the Story

The OPC’s 2024-2025 annual report noted that breach reports from federal institutions increased to 615 from 561 the previous year, while the number of individuals affected more than doubled to 309,865.[5]

These numbers are consistent with known risks of centralized systems. When a centralized system is breached, everyone in that system is affected. The doubling of affected individuals does not necessarily mean more breach events. It may indicate that larger, centralized systems were compromised.

Provincial wallet architectures address this pattern. A breach affecting one user does not affect 300,000. The architectural decision to distribute data across devices is a security decision as much as a privacy one.

Biometric Data: Special Considerations

Biometric data requires special attention in security architecture. Unlike passwords, biometric characteristics cannot be changed if compromised. A fingerprint template exposed in a breach remains exposed permanently.

Commissioner Dufresne’s Guidance

Commissioner Dufresne’s August 2025 biometrics guidance emphasized privacy-protective approaches from the outset.[6] The guidance recognizes that biometric systems pose unique risks that require tailored safeguards.

Key themes reflected in the guidance include:

  • Purpose limitation: Biometric data should be collected only for specific, legitimate purposes and not repurposed.
  • Data minimization: Only the biometric data necessary for the specific purpose should be collected and retained.
  • Security measures: Enhanced security measures appropriate to the sensitivity of biometric data are required.
  • Transparency: Individuals should understand how their biometric data is collected, used, and protected.

On-Device Processing

On-device biometric processing keeps biometric templates local, an approach increasingly adopted in the modern Canadian mobile and identity verification ecosystem. When biometric matching occurs entirely on a user’s device, the biometric template never leaves the device.

This architecture dramatically reduces the risk of biometric breaches. A server breach cannot expose biometric templates that the server never possessed. An attacker must compromise individual devices rather than central databases.

On-device processing also supports privacy. Service providers that never receive biometric data cannot misuse, share, or be compelled to disclose it. The security architecture enforces privacy constraints automatically.

Private Sector Security Innovation

Private sector organizations have made substantial investments in security architecture that also serves privacy goals.

Financial Institution Innovation

Financial institutions have developed sophisticated fraud detection systems that operate without centralizing identity data. Machine learning models can be trained and operated on distributed data using techniques such as federated learning, thereby maintaining fraud-detection capabilities without creating centralized identity repositories.

Banks have also pioneered secure enclave approaches that protect sensitive data even from their own systems. Hardware security modules and trusted execution environments create security boundaries that prevent even privileged insiders from accessing protected data.

These investments reflect both security requirements and customer expectations. Financial institutions that demonstrate strong security and privacy practices build trust that drives customer acquisition and retention.

Identity Verification Provider Innovation

Identity verification providers have implemented end-to-end encryption to protect verification data within their systems. Some providers have adopted ‘zero-knowledge’ architectures where they facilitate verification without ever having access to the underlying identity data.

Providers have also invested in liveness detection and anti-fraud capabilities that protect against synthetic and manipulated identities. These capabilities protect individual users and the broader ecosystem from identity fraud.

Technology Company Innovation

Technology companies have pioneered secure processing architectures that keep sensitive data protected throughout its lifecycle. Secure enclaves, homomorphic encryption, and secure multi-party computation enable processing on sensitive data without exposing it.

These techniques are moving from research to production. Secure enclaves are now available in consumer devices. Homomorphic encryption, once too slow for practical use, is becoming viable for specific applications. Companies operating in Canada, including DIACC members, are actively exploring how these emerging techniques can be applied within Canadian digital trust contexts.

The trajectory is clear: security technology is increasingly capable of protecting data not just from external attackers but from the systems that process it. This capability alignment makes privacy-preserving security architecture increasingly practical.

Balancing Security Logging with Privacy Minimization

Security often requires logging (recording) events for audit, investigation, and incident response purposes. But logging creates data that can itself become a privacy risk or an attack target.

The Security Value of Logs

Security logs serve legitimate purposes:

  • Incident detection: Anomalous patterns in logs can reveal attacks in progress.
  • Forensic investigation: After an incident, logs help understand what happened and how to prevent recurrence.
  • Compliance evidence: Logs demonstrate that security controls are operating as intended.
  • Accountability: Logs create records that support accountability for system access and actions.

The Privacy Risk of Logs

The same logs that serve security purposes create privacy risks:

  • Tracking capability: Logs that record user activity can enable tracking and surveillance.
  • Breach exposure: Logs containing personal information can be exposed during a breach.
  • Subpoena vulnerability: Logs may be subject to legal demands that expose information organizations would prefer not to disclose.
  • Function creep: Logs created for security purposes may be repurposed for other uses.

Achieving Balance

Organizations can balance security and privacy in logging through several approaches:

  • Purpose-limited logging: Log only what is necessary for specific security purposes.
  • Aggressive retention limits: Delete logs as soon as their security purpose is no longer needed.
  • Aggregation and anonymization: Use aggregate statistics rather than individual records where possible.
  • Access controls: Limit access to logs to those with legitimate security needs.
  • Encryption: Encrypt logs to protect against exposure in the event of a breach.
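The first four approaches above can be applied directly in a log pipeline. The following is an added example, not code from the original article or from any provincial wallet: it keeps only an allowlisted set of fields for one stated purpose (failed-login detection), replaces the user identifier with a keyed, day-scoped pseudonym so records can be counted without enabling long-term tracking, coarsens timestamps, expires records past a retention limit, and reports aggregate counts rather than raw records. The key, field names, sample events, and retention period are constructed for illustration; encryption of the stored logs is assumed to be handled at the storage layer.

```python
import hashlib
import hmac
from collections import Counter
from datetime import datetime, timedelta, timezone

# Purpose-limited logging: only the fields failed-login detection needs (constructed allowlist).
ALLOWED_FIELDS = {"ts", "event", "outcome"}

KEY = b"constructed-demo-key-rotate-in-production"  # constructed; keep real keys in a KMS/HSM
NOW = datetime(2026, 2, 26, 12, 0, tzinfo=timezone.utc)

# Constructed sample events as an application might emit them (direct identifiers included).
SAMPLE_EVENTS = [
    {"ts": NOW - timedelta(minutes=5), "user_id": "alice@example.ca", "ip": "203.0.113.7", "event": "login", "outcome": "fail"},
    {"ts": NOW - timedelta(minutes=4), "user_id": "alice@example.ca", "ip": "203.0.113.7", "event": "login", "outcome": "fail"},
    {"ts": NOW - timedelta(minutes=3), "user_id": "alice@example.ca", "ip": "203.0.113.7", "event": "login", "outcome": "success"},
    {"ts": NOW - timedelta(days=2), "user_id": "bob@example.ca", "ip": "198.51.100.9", "event": "login", "outcome": "fail"},
    {"ts": NOW - timedelta(days=40), "user_id": "bob@example.ca", "ip": "198.51.100.9", "event": "login", "outcome": "fail"},
]

def pseudonym(user_id: str, key: bytes, ts: datetime) -> str:
    """Keyed, day-scoped pseudonym: stable within one day (so repeated failures can be
    counted), unlinkable across days, and not reversible without the key."""
    day_key = hmac.new(key, ts.strftime("%Y-%m-%d").encode(), hashlib.sha256).digest()
    return hmac.new(day_key, user_id.encode(), hashlib.sha256).hexdigest()[:16]

def minimize(event: dict, key: bytes) -> dict:
    """Drop every field not on the allowlist (the IP address goes), replace the direct
    identifier with a pseudonym, and coarsen the timestamp to the hour."""
    ts = event["ts"]
    out = {k: v for k, v in event.items() if k in ALLOWED_FIELDS}
    out["ts"] = ts.replace(minute=0, second=0, microsecond=0)
    out["subject"] = pseudonym(event["user_id"], key, ts)
    return out

def expire(records: list, now: datetime, retention: timedelta) -> list:
    """Retention limit: keep only records younger than the retention window."""
    return [r for r in records if now - r["ts"] < retention]

def failed_logins_per_subject(records: list) -> Counter:
    """Aggregate view: failed-login counts per pseudonym, not the individual records."""
    return Counter(r["subject"] for r in records if r["event"] == "login" and r["outcome"] == "fail")

def process(events: list, key: bytes = KEY, now: datetime = NOW,
            retention: timedelta = timedelta(days=30)) -> tuple:
    records = expire([minimize(e, key) for e in events], now, retention)
    return records, failed_logins_per_subject(records)
```

Rotating the key (or deleting it at the end of the retention period) makes older pseudonyms permanently unlinkable to real users even if the stored logs are later exposed or demanded.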

DIACC’s Position and Commitments

DIACC recognizes that security and privacy are complementary when architecture is designed thoughtfully. Provincial implementations demonstrate this alignment; the private sector is extending it as well.

We believe the digital trust and identity ecosystem would benefit from breach response guidance tailored to the unique characteristics of identity data, and we look forward to working with stakeholders to advance this conversation.

DIACC will continue working with the Trust Framework Expert Committee to ensure that security and privacy are treated as complementary objectives within the Pan-Canadian Trust Framework. We encourage certified organizations to demonstrate how their security architectures support privacy outcomes alongside threat prevention.

We recognize that security is a shared responsibility across government and industry. Neither sector can secure digital trust and identity on its own. Government provides regulatory frameworks and public infrastructure security. Industry provides implementation and operational security. Collaboration is essential.

The Vision: Security That Serves Privacy

The goal is a digital trust and identity ecosystem where the security architecture reinforces privacy protection, the same design choices that prevent breaches also prevent surveillance, and users can trust that systems protect their information from all threats.

This vision is achievable. Provincial wallets demonstrate the architecture. Private sector innovation is extending it. What remains is broader adoption and sustained commitment.

Security and privacy professionals have sometimes been positioned as adversaries—security requiring data access, privacy requiring data restriction. This framing is false. The best security architectures minimize unnecessary data exposure and distribute data to prevent concentrated targets. Security and privacy professionals should be allies, working toward shared goals.

DIACC is committed to advancing this alliance. Canadians should not have to trade privacy for security. The architecture exists. The imperative now is adoption. 

The Privacy Scorecard

A practical tool for measuring digital identity services against the FPT privacy principles. Assess your organization’s implementation across architecture, policy, user experience, and ecosystem coverage. It is not a compliance checklist or legal advice. Use it to spark conversation, explore unfamiliar concepts, and identify areas worth digging into further.
