CRA gets flack for Netfile changes

Share this article:

The Canada Revenue Agency (CRA) has unnerved privacy experts with a change to its electronic tax-filing policy: It has removed several authentication requirements for electronic filers.

In the past, the CRA asked those filing via its NETFILE web-based tax-filing service for a personal code and PIN number. Last month, however, it said that taxpayers would only require a Social Insurance Number and a birth date to file online from now on.

"By reducing the effort they put into verifying a person's identity, they are making it easier for someone to make a fraudulent submission with my identity," said Brian Bourne, a security consultant and founder of the SecTor security conference in Toronto. "It's odd that while most of the industry is trying to increase identity validation through mechanisms like multifactor authentication, the CRA is going the opposite way."

The CRA said that it applied Treasury Board Secretariat guidelines on privacy impact assessments before implementing this change, but did not believe a privacy impact assessment was required, as it does not affect privacy or security of taxpayer information.

"It seems that they made the change and are trying to tell everyone that it's safe, but it doesn't seem to me that they did the privacy impact analysis that they should have done at the outset," said Kris Klein, a partner and expert in privacy law at nNovation LLP.

"The CRA takes the privacy and security of taxpayer information very seriously," the CRA said in its statement.


Share this article:

THE LATEST ISSUE

Features

Archive of SC Magazine Canada

SC Magazine Canada

THE LATEST ISSUE

Features

Archive of SC Magazine Canada

SC Magazine Canada

More in SC Canada

Almost 40 percent of Canada's Justice Department duped by phishing

Almost one in four employees at Canada's Justice Department fell prey to internet phishing in an exercise last December.

Microsoft wavers on Canadian spam fears

Microsoft has reconsidered a move to cease security emails in Canada, following the introduction of an anti-spam law north of the border.

Underinvestment, poor communication plague Canadian cybersecurity

Canadian cybersecurity is languishing due to poor communication and disappointing security investments, according to research from the Ponemon Institute.