Virtual passport app presents real data risk, experts warn
IBM Canada has won $1.5M contract to develop new platform for IRCC
Canadian privacy experts are concerned the federal government's plan to develop an online passport application process could put personal information at risk and open a new angle of attack for fraudsters.
IBM Canada has been awarded the $1.5-million contract to create software that would allow Canadians to apply for a passport using their smartphones, tablets or computers.
The new platform would also allow applicants to pay fees and upload their passport photos securely, according to a statement from Immigration, Refugees and Citizenship Canada (IRCC).
They will attempt to exploit the program very quickly, very intensely to obtain the most fraudulent passports they can in the least amount of time.- Benoît Dupont, l'Université de Montréal
But privacy and data protection experts worry that personal information may be stored on foreign servers, providing an appealing target to criminals.
Sébastien Gambs, a professor in the information technology department of l'Université de Québec à Montréal and Canada Research Chair on privacy and data protection, said there are real concerns about where the data will be stored, a detail neither the government nor IBM Canada has divulged, though the tender identifies Amazon Web Services (AWS), the cloud computing branch of the American online retail giant.
"Even when we do business with an American company that agrees to store data within Canada, under the [U.S.] CLOUD Act, data could eventually be transferred out of the country," Gambs said in French.
In a statement, AWS said its clients retain full ownership and control of their data, including who may access that information.
In a separate statement, IRCC said "the privacy of Canadians and the safety of their personal information will be an absolute priority."
Canadian passports highly valued
Benoît Dupont, a criminology professor at l'Université de Montréal and Canada Research Chair in cybersecurity, said the passport app will likely be a major target for fraudsters eager to get their hands on Canadian passports and the mobility that comes with them.
"That's very attractive for organized crime groups who specialize in human trafficking," Dupont said in French. "They will attempt to exploit the program very quickly, very intensely to obtain the most fraudulent passports they can in the least amount of time."
But Gambs said any virtual application will likely have extra steps built in to protect against hackers.
"As soon as we're doing things remotely, verifying somebody's identity becomes much more difficult," he said. "The government will definitely need to collect more personal information in order to verify an applicant's identity."
'Vicious cycle': PIPSC
The Professional Institute of the Public Services (PIPSC) said this tender should never have gone out to the private sector when it could have been developed in-house by public servants, as was done with the online tax portal.
"It's a vicious cycle. Instead of developing resources internally, we go externally," said Stéphane Aubry, vice-president of PIPSC. "Then we don't have the needed expertise internally, which unfortunately, over the years, fades and makes it so we need to contract out."
PIPSC said the project raises the spectre of the Phoenix pay system fiasco, which also involved IBM. IBM Canada will be required to train and support IRCC employees in running the new passport system, according to the tender documents.
In 2020, the government issued just 897,401 passports, compared to 2.6 million the year before. For the first four months of the pandemic, Service Canada was only providing critical passport services for urgent travel.
Nevertheless, the Canadian Anti-Fraud Centre received 1,806 reports of passport-related fraud last year.
With files from Radio-Canada's Estelle Côté-Sroka