A Canadian digital ID could be politically ‘explosive,’ say experts
Ottawa is being cautioned by technology and privacy experts that introducing a digital identity platform could be politically “explosive” if not done right. The process could also highlight the feds’ affinity for outsourcing major IT projects to subcontractors, leaving the public service unpracticed in handling such tasks.
In his December 2021 mandate letter to then-Treasury Board president Mona Fortier, Prime Minister Justin Trudeau ordered her to work “towards a common and secure approach for a trusted digital identity platform” aimed at offering “seamless service delivery to Canadians.”
Anita Anand now holds that role, and new Citizens’ Services Minister Terry Beech has vowed to adopt a “digital first” approach to federal services.
Ottawa is in the “early stages” of consulting provinces and territories, industry players and privacy commissioner Philippe Dufresne about how a “completely voluntary” digital ID could boost federal service delivery, a spokesperson for Anand told Parliament Today. So far, the focus is on setting standards to ensure digital credentials are “safe, secure and interoperable.”
Dufresne confirmed the Treasury Board sent him a “preliminary overview of plans” for the ID in June. He said his office reminded officials that privacy impact assessments must be done for “any new or significantly amended program” that deals with personal information, and reviewed by Dufresne before implementation can begin.
Other privacy and technology experts say the feds must proceed with caution.
The Privacy Pro senior advisor John Wunderlich said there is an underlying and “ongoing tension” between privacy experts and “data geeks” in the public service.
While privacy experts may argue that personal information should be held by institutions operating “in silos that don’t talk to each other” in order to mitigate the risk of privacy breaches, data-focused officials may want to consolidate that info into a single database to lay out “every aspect of [someone’s] interactions with government” in order to improve service delivery.
But that goal doesn’t necessarily mean data storage needs to be centralized, says Pascale Chapdelaine, a University of Windsor privacy law professor. A better approach would involve “firewalls” between departments and agencies so they only have access to information that is needed to further their goals.
Ultimately, the success of a Canadian digital ID will rest on its implementation, according to Wunderlich.
“The technology is relatively well understood on how to do a digital ID,” Wunderlich said, pointing out that E.U. citizens already have the European Digital Identity. “I think the barriers are political in that the downside risk of people running with this and saying it is government overreach — whether or not it is — it’s potentially explosive if they do it wrong.”
There are already signs of opposition. At a rally in Penticton, B.C. last month, CPC Leader Pierre Poilievre vowed never to bring in any “mandatory digital ID” if elected PM — a nod to a since-debunked conspiracy theory suggesting Trudeau was requiring provinces to sign onto the regime to access billions in health-care cash. Earlier this year, Alberta Premier Danielle Smith and Saskatchewan Premier Scott Moe also vowed to fight any attempt by the feds to impose a digital ID.
However, there are other examples of public agencies using and collecting data in ways that have rightly raised concerns, says Katrina Ingram, CEO of Ethically Aligned AI.
In December 2021, the Public Health Agency of Canada confirmed it had collected and used location data to track the effectiveness of lockdown measures and better understand the relationship between travel and Covid’s spread.
Telus was contracted to provide “de-identified and aggregated data” to the agency, and while the federal privacy commissioner concluded PHAC “did not contravene the Privacy Act,” Ingram said those types of stories can raise people’s hackles.
Transparency and accountability about what the digital ID does and how the government uses it will be key to its success, but no matter how Ottawa ends up proceeding, the program will need a lot of “consultation and legitimacy in the eyes of the public” in order to succeed, she added.
Ingram sees the federal Privacy Act — which has not been significantly modernized since its introduction in 1983 — as a potential stumbling block for the successful design and rollout of a digital ID program. The outdated law is an issue also on Dufresne’s radar, although Innovation Minister François-Philippe Champagne’s last mandate letter did not contain instructions to meaningfully modernize the legislation.
Growing outsourcing pains
Ottawa’s effort to launch a digital ID could highlight other tensions within the public sector. Ron Babin, a Toronto Metropolitan University professor with expertise in IT governance, predicts the public service’s capacity is likely to come under scrutiny if the feds opt to create and implement the program in-house.
“For whatever reason, the Canadian government has not been well equipped at managing complex technology projects,” he said, pointing to the Phoenix payroll system fiasco and McKinsey & Co.’s plethora of public contracts. “They’re equally poorly equipped to manage others who do it on their behalf.”
There is no easy answer, Babin warns. Lack of public sector project capacity is rarely a “top of mind issue” for voters,” leaving politicians with little incentive to make timely improvements. But the issue is “one of those background things that if you don’t get it right,” the fallout could be severe and embarrassing for Ottawa.
For the digital ID, Babin says security is an area the feds should pay particular attention to, especially if personal data is kept in a central digital repository — “that’s exactly the place that hackers want to attack.”
“It’s better to do it right and do it well,” he said of the effort. “It doesn’t need to go fast, it just needs to be done.”