CRA gets flack for Netfile changes

Share this article:

The Canada Revenue Agency (CRA) has unnerved privacy experts with a change to its electronic tax-filing policy: It has removed several authentication requirements for electronic filers.

In the past, the CRA asked those filing via its NETFILE web-based tax-filing service for a personal code and PIN number. Last month, however, it said that taxpayers would only require a Social Insurance Number and a birth date to file online from now on.

"By reducing the effort they put into verifying a person's identity, they are making it easier for someone to make a fraudulent submission with my identity," said Brian Bourne, a security consultant and founder of the SecTor security conference in Toronto. "It's odd that while most of the industry is trying to increase identity validation through mechanisms like multifactor authentication, the CRA is going the opposite way."

The CRA said that it applied Treasury Board Secretariat guidelines on privacy impact assessments before implementing this change, but did not believe a privacy impact assessment was required, as it does not affect privacy or security of taxpayer information.

"It seems that they made the change and are trying to tell everyone that it's safe, but it doesn't seem to me that they did the privacy impact analysis that they should have done at the outset," said Kris Klein, a partner and expert in privacy law at nNovation LLP.

"The CRA takes the privacy and security of taxpayer information very seriously," the CRA said in its statement.


Share this article:

THE LATEST ISSUE

Features

Archive of SC Magazine Canada

SC Magazine Canada

THE LATEST ISSUE

Features

Archive of SC Magazine Canada

SC Magazine Canada

More in SC Canada

Health law needs reform, says provincial privacy watchdog

The Albertan Information and Privacy Commissioner has formally asked the government to amend the province's Health Information Act with mandatory breach reporting and notification measures.

Well.ca security not that well, letter reveals

Well.ca, an online store selling health and beauty products, exposed names, addresses and credit card details for some of its customers in December, it admitted last month.

Canada signs Wedge Networks to secure government data centers

The Canadian government has hired Wedge Networks, a provider of cloud-based security services, to secure its computing infrastructure.