Statscan pilot project an 'outrageous' privacy overreach, says cybersecurity expert

A New Brunswick cybersecurity expert has some serious concerns about a Statistics Canada pilot project that will see it collect personal financial information from half a million Canadians.

"What they're asking for is outrageous," said David Shipley, CEO of Beauceron Security Inc. in Fredericton.

Statistics Canada plans to collect account information from banks and credit card companies starting in January, including bill payments, cash withdrawals, credit card payments, money transfers and balances together with customer names.

"This is a dramatic overreach and it's so fundamentally wrong, the lack of consent here," Shipley said.

"Frankly, they're not resourced to handle this data. And they won't be able to protect it appropriately."

Opposition MPs have also raised concerns about the initiative, calling it a breach of privacy.

Liberal government officials have said the data will be protected and that private details will be anonymized once the government agency has them. They also said good data are the basis of good policy.

Statistics Canada has said three-quarters of all purchases are made online and it needs information about Canadians' spending habits, financial holdings and debts in order to provide data on the housing market, debt levels and the emergence of the gig economy.

An alternative way

Shipley said he understands why the information is desirable, but it would be better for the government to get anonymous, aggregate data directly from the banks.

The banks could send a message to their customers, he said, asking whether they would like to opt in to the program.

"At least I know that when Statscan gets it, there's no way they can trace it to an individual," said Shipley.

"But if we're handing this data over to Statscan to then try to depersonalize and protect, I have huge trust issues there," he said, noting that it also jeopardizes the trust customers have in their bank.

The banks together spend about half a billion dollars a year on cybersecurity, said Shipley.

That's about equal to Statistics Canada's total planned spending for 2018-19, according to its corporate business plan.

Hackers ready to pounce

Shipley suggested hackers will be targeting the data now that this pilot project has been made public.

"They have painted a massive target on their back," he said.

"Every hacker on the planet who wants to go after Canadian financial information knows there's going to be a good half million of it transiting the banks, which are better secured, to a federal government department, which is not.

"They will not be able to withstand that."


Canada's chief statistician Anil Arora said his agency has a long history of working with sensitive data and they have policies and practices in place to ensure this financial information is also protected.

Arora said Statistics Canada has worked closely with the Office of the Privacy Commissioner and incorporated its recommendations into the project design.

Shipley said it's more evidence that the federal Privacy Act needs an overhaul.

He also feels this is sending the wrong message to the private sector.

"What moral authority does our government have to combat the overreach and abuse of Canadians' personal information by the private sector when it's basically taking a full page from Facebook and Google?" Shipley said.

"This is our own government treating our data like it's theirs to take whenever they want."