CAN-ID Report
Total Page:16
File Type:pdf, Size:1020Kb
CAN ID? VISIONS FOR CANADAʼS IDENTITY POLICY Understanding Identity Policy and Policy Alternatives WRITTEN BY Krista Boa, Andrew Clement, Simon Davies, Gus Hosein Information Policy Research Program, Faculty of Information Studies, UofT in partnership with Policy Engagement Network, LSE Faculty of Information Studies University of Toronto PEN paper 1 Faculty of Information Studies, University of Toronto • Policy Engagement Network, The London School of Economics Summary Whether intended or not, Canada is approaching the point of no return on a national identity policy. There is nothing simple or trivial about developing national policies for managing the identities of millions of citizens. Such policies are highly complex socio-technical interventions into the functioning of a nation, requiring significant investments of time and resources, with the potential of reshaping the relationship between the individual and the state. They must be carefully designed and deployed so as to avoid or balance an array of costs, risks and challenges. There are few opportunities for 'second chances' for getting it right. This report maps, analyses and makes recommendations about the current identity policy landscape in Canada. Prepared by a team of independent researchers from the University of Toronto and the London School of Economics, with the support of a Contributions Program grant from the federal Office of the Privacy Commissioner of Canada, it draws upon experiences in other national jurisdictions as well as a review of selected cases of identity scheme development in Canada. To solicit further experiences, insights and feedback, the team also conducted two research workshops with government officials, academic, civil society organizations and private sectors firms who are active in the identity arena. We begin by enumerating the main policy dynamics surrounding national identity schemes. The most significant of these are the political risks they inevitably incur. We also show how considerations of the various driving forces, feasibility and effectiveness issues, high implementation costs, ownership tensions and civil liberty challenges further interact to complicate the policy development process. The turbulent experience in the UK with its ID Card legislation and current struggles with implementation of the worldʼs most ambitious national ID scheme provide abundant evidence for the fraught social, financial, political, and technical complexities of identity policy. We further illustrate these dynamics with the cautionary analysis of the current major identity development initiative in the U.S., REAL ID, which despite relatively swift passage into law is now facing of a host of problems that have emerged as its practical implications are considered more closely, and it may yet flounder. At the same time however, there are undoubtedly significant benefits that can be derived from the development of a sound national identity policy framework. The needs for reliable and convenient forms of identity assurance are already widespread throughout society, and growing with the spread of digitally networked mediations for many forms of everyday transactions. A policy framework that tackled the recurring issues of identity authentication based on a firm understanding of the practical contingencies as well as the social dimensions could be an economic boon to commerce and re- invigorate citizen-state relations. Experience in other jurisdictions, notably France, Sweden, Hong Kong and Malaysia, while not exemplary in all aspects of their recent identity initiatives, do offer Faculty of Information Studies, University of Toronto • Policy Engagement Network, The London School of Economics valuable positive lessons for the Canadian context. In particular, they suggest that Canada would do well to avoid developing a single, monolithic identity scheme based on the enterprise-wide models that have emerged in corporate environments, such as a single, multi-purpose ID card, but rather develop a more flexible framework allowing for ʻfederatedʼ ID schemes. This danger in taking an ʻall ID eggs in one basketʼ approach was strongly endorsed in the two multi- stakeholder research workshops we conducted in Vancouver and Ottawa. The discussions contributed insights into both the strategic challenges of a Canadian identity policy as well as the many practical issues it would face. There was a clear sense that Canada was not ready for a ʻbig bangʼ policy or another national ID card initiative. However, participants saw good prospects for making progress on the issues if based on clearly established objectives, a transparent development process, reinforced privacy protections and a ʻpullʼ rather than ʻpushʼ approach that effectively demonstrated to Canadians the value they would derive from improving identity infrastructures and practices. We also review a variety of identity programs, activities, actors and interests in Canada. As examples, we investigate current or recent identity initiatives in four provinces as well as several at the national level. In particular, we discuss in detail the major components of the current ʻSmart Borderʼ policy, as well as three identity related projects within the federal government. Unfortunately, we were not able to report on the pending development of the biometrically enabled e-Passport, now in development, because the Passport Office did not respond to our repeated enquiries about it. We further analysed the various policy drivers, legal requirements, and specific implementations. Based on the examples we studied, generally we can see that the main overt drivers are more efficient access to government services, immigration and border management, and credential management. Some schemes are even looking to increase user autonomy and control. Interestingly, terrorism prevention seems to be less of a driving concern, at least explicitly. Similarly, law enforcementʼs goals seem to playing a driving role at interdepartmental level and in some of the work at the border. This may because the public is becoming less responsive to simple appeals to ʻnational securityʼ. While privacy protection is many cases a prominently featured concern being taken into consideration, there are signs that this is more as lip-service, with the drive for other goals, such as efficiency and effective identity management, playing the greater role. In analysing these Canadian identity initiatives for recurring themes, we find there is an over-reliance on technological optimism, often revealing a naive understanding of the limitations of new technologies as well as the challenges involved in turning technological possibility into well functioning systems. Perceived international obligations also play an exaggerated role, in some cases amounting to ʻpolicy launderingʼ, illegitimately forestalling adequate discussion of their appropriate application in Canada under the pretext that we have no choice in the matter. Furthermore, we find a tendency to pursue a ʻone size fits allʼ approach that makes it harder to focus C a n I D ? 3 on the specific problems at hand and think innovatively about simpler, more effective local solutions. Finally, considering the broad and significant changes in identity policy and practice already underway, we were shocked and alarmed at how little consultation with stakeholders has taken place to date. This situation must be corrected as a matter of urgency. Public consultation and participating in policy making with respect to identity systems too often appears to be treated as threatening and to be avoided if at all possible. Rather it is essential, not only because it allows the public to express their positions in these important debates, but it also improves the quality of decision-making. Canadian policy-makers need to avoid making the same mistakes as other countries, some of which have attempted to implement widespread use of biometrics without first better understanding the effectiveness and constraints of these techniques. While we highlight many of the flaws and dangers in the current Canadian approaches to ID technology, policy and practice, we also explore the promising options that are worth pursing. We show how federated identity schemes in particular can accomplish legitimate identity policy goals while avoiding many of the pitfalls of the schemes underway. By drawing upon multiple credentialing agencies and a more fine-grained operationalization of identity assurance, federated identity allows for greater personal control by identity subjects as well as a more nuanced range of policy choices to accommodate the contending democratic, civil liberty and administrative requirements. When carefully considered, biometric can play a useful role in such approaches where high levels of identity assurance are necessary. Turning many of the critiques and challenges raised in this study into positive alternatives, the report offers a variety of concepts, precepts and principles to better guide the development of identity policy and systems in Canada. We enlarge the definition of identity currently being developed with the Government of Canada to incorporate client and citizen perspectives on everyday identity transactions. Instead of focussing exclusively on the narrow preoccupation of a government agency asking if it is ʻdealing with the right personʼ, we argue that from the point of view of the citizen, the crucial identity question is about personal status and entitlement. With this premise, we then articulate several