The Canada Revenue Agency (CRA) has unnerved privacy experts with a change to its electronic tax-filing policy: It has removed several authentication requirements for electronic filers.
In the past, the CRA asked those filing via its NETFILE web-based tax-filing service for a personal code and PIN number. Last month, however, it said that taxpayers would only require a Social Insurance Number and a birth date to file online from now on.
"By reducing the effort they put into verifying a person's identity, they are making it easier for someone to make a fraudulent submission with my identity," said Brian Bourne, a security consultant and founder of the SecTor security conference in Toronto. "It's odd that while most of the industry is trying to increase identity validation through mechanisms like multifactor authentication, the CRA is going the opposite way."
The CRA said that it applied Treasury Board Secretariat guidelines on privacy impact assessments before implementing this change, but did not believe a privacy impact assessment was required, as it does not affect privacy or security of taxpayer information.
"It seems that they made the change and are trying to tell everyone that it's safe, but it doesn't seem to me that they did the privacy impact analysis that they should have done at the outset," said Kris Klein, a partner and expert in privacy law at nNovation LLP.
"The CRA takes the privacy and security of taxpayer information very seriously," the CRA said in its statement.