CRA gets flack for Netfile changes

Share this article:

The Canada Revenue Agency (CRA) has unnerved privacy experts with a change to its electronic tax-filing policy: It has removed several authentication requirements for electronic filers.

In the past, the CRA asked those filing via its NETFILE web-based tax-filing service for a personal code and PIN number. Last month, however, it said that taxpayers would only require a Social Insurance Number and a birth date to file online from now on.

"By reducing the effort they put into verifying a person's identity, they are making it easier for someone to make a fraudulent submission with my identity," said Brian Bourne, a security consultant and founder of the SecTor security conference in Toronto. "It's odd that while most of the industry is trying to increase identity validation through mechanisms like multifactor authentication, the CRA is going the opposite way."

The CRA said that it applied Treasury Board Secretariat guidelines on privacy impact assessments before implementing this change, but did not believe a privacy impact assessment was required, as it does not affect privacy or security of taxpayer information.

"It seems that they made the change and are trying to tell everyone that it's safe, but it doesn't seem to me that they did the privacy impact analysis that they should have done at the outset," said Kris Klein, a partner and expert in privacy law at nNovation LLP.

"The CRA takes the privacy and security of taxpayer information very seriously," the CRA said in its statement.


Share this article:
You must be a registered member of SC Magazine to post a comment.

THE LATEST ISSUE

Features

Archive of SC Magazine Canada

SC Magazine Canada

THE LATEST ISSUE

Features

Archive of SC Magazine Canada

SC Magazine Canada

More in SC Canada

CSEC mishandled private communications, says watchdog

Canada's foreign spy agency mishandled information on private communications that it had collected by mistake, according to the most recent report by a government watchdog.

National Research Council breached

Canada's National Research Council has written to partner companies informing them of a breach of its cybersecurity systems.

Canadian ISP used In $83,000 cryptocurrency heist

A Canadian ISP has been identified as the source of a cryptocurrency hack that stole $83,000 over four months.