New Brunswick

StatsCan pilot project an 'outrageous' privacy overreach, says cybersecurity expert

A New Brunswick cybersecurity expert has serious concerns about a Statistics Canada pilot project that would collect personal banking and credit card information from 500,000 Canadians without their consent.

Statistics Canada pilot project would provide data on housing market, debt levels and gig economy

The chief statistician of Statistics Canada, Anil Arora, says financial transaction data being collected on Canadians for research purposes will not violate their privacy and will remain protected at all times. (Canadian Press file photo)

A New Brunswick cybersecurity expert has some serious concerns about a Statistics Canada pilot project that will see it collect personal financial information from half a million Canadians.

"What they're asking for is outrageous," said David Shipley, CEO of Beauceron Security Inc. in Fredericton.

Statistics Canada plans to collect account information from banks and credit card companies starting in January, including bill payments, cash withdrawals, credit card payments, money transfers and balances together with customer names.

"This is a dramatic overreach and it's so fundamentally wrong, the lack of consent here," Shipley said.

"Frankly, they're not resourced to handle this data. And they won't be able to protect it appropriately."

David Shipley, the CEO and co-founder of Beauceron Security Inc., says this pilot project represents a 'dramatic overreach' by Statistics Canada. (CBC)

Opposition MPs have also raised concerns about the initiative, calling it a breach of privacy.

Liberal government officials have said the data will be protected and that private details will be anonymized, once the government agency has them. They also said good data are the basis of good policy.

Statistics Canada has said three-quarters of all purchases are made online and it needs information about Canadians' spending habits, financial holdings and debts in order to provide data on the housing market, debt levels and the emergence of the gig economy.

An alternative way

Shipley said he understands why the information is desirable, but it would be better for the government to get anonymous, aggregate data directly from the banks.

The banks could send a message to their customers, he said, asking whether they would like to opt in to the program.

They have painted a massive target on their back.- David Shipley , cybersecurity  expert

"At least I know that when Statscan gets it, there's no way they can trace it to an individual," said Shipley.

"But if we're handing this data over to Statscan to then try to depersonalize and protect, I have huge trust issues there," he said, noting that it also jeopardizes the trust customers have in their bank.

The banks together spend about half a billion dollars a year on cybersecurity, said Shipley.

That's about equal to Statistics Canada's total planned spending for 2018-19, according to its corporate business plan.

Hackers ready to pounce

Shipley suggested hackers will be targeting the data now that this pilot project has been made public.

"They have painted a massive target on their back," he said.

"Every hacker on the planet who wants to go after Canadian financial information knows there's going to be a good half million of it transiting the banks, which are better secured, to a federal government department, which is not.

"They will not be able to withstand that."

Anil Arora, the head of Statistics Canada, says his organization is prepared to effectively protect the the financial transaction records of 500,000 Canadians. (CBC)

Canada's chief statistician Anil Arora said his agency has a long history of working with sensitive data and they have policies and practices in place to ensure this financial information is also protected.

Arora said Statistics Canada has worked closely with the Office of the Privacy Commissioner and incorporated its recommendations into the project design.

Shipley said it's more evidence that the federal Privacy Act needs an overhaul.

He also feels this is sending the wrong message to the private sector.

"What moral authority does our government have to combat the overreach and abuse of Canadians' personal information by the private sector when it's basically taking a full page from Facebook and Google?" Shipley said.

"This is our own government treating our data like it's theirs to take whenever they want."

Comments

To encourage thoughtful and respectful conversations, first and last names will appear with each submission to CBC/Radio-Canada's online communities (except in children and youth-oriented communities). Pseudonyms will no longer be permitted.

By submitting a comment, you accept that CBC has the right to reproduce and publish that comment in whole or in part, in any manner CBC chooses. Please note that CBC does not endorse the opinions expressed in comments. Comments on this story are moderated according to our Submission Guidelines. Comments are welcome while open. We reserve the right to close comments at any time.