Anti-terror bill increases risk of tax leaks, experts say

The CRA can now share tax filings with 16 government agencies
Prajakta Dhopade, MoneySense

taxes story

This article first appeared at MoneySense.

Critics denounced the passing of the Anti-Terrorism Act in the House of Commons last week, saying the legislation will impede on Canadians’ freedom of expression and religion. With all the uproar, a key change in the Income Tax Act went largely unnoticed.

Under Bill C-51, the Canada Revenue Agency (CRA) has been given permission to share your income tax filings with 13 additional government agencies.
Experts say this could render your personal financial information less secure than it already is in today’s electronic age.

Until now, the CRA has only had permission to share this information with three other agencies (CSIS, RCMP and FINTRAC) and only under very specific conditions. That list has grown to 16 in total and now includes Canada Border Services, the Canadian Armed Forces and Citizenship and Immigration among others.

The more people that have access to taxpayer information under Bill C-51, the higher the risk of leaks, hacks and other foul play, according to Avner Levin, the director of Ryerson University’s Privacy Institute.

The change in legislation is “unprecedented,” he says. “It’s snooping and meddling of the worst kind.”

Anyone who has filed their taxes in recent years should recall the little box asking whether they’re willing to share their home address with Elections Canada. This small request for consent served as a reminder that, to date, the government has been respectful of taxpayers’ privacy. But amendments to the Income Tax Act under Bill C-51 changes all that. The CRA can now share not only your home address, but all of your financial information within the government, without any form of consent or a warrant.

All the CRA needs is to believe “there are reasonable grounds to suspect that the information would be relevant to an investigation of whether the activity of any person may constitute threats to the security of Canada.”

What’s more, the CRA can distribute these private details “on its own initiative,” possibly spurring what Levin calls a “wide-scale fishing expedition.”

The CRA has always been able to send your financial information to the Canadian Security Intelligence Service (CSIS) and the RCMP if it was considered blatantly suspicious or relevant to an ongoing investigation.

But the vague wording of the new bill is problematic, according to Levin. Just about anything in your tax return could be categorized as nefarious. If, for example, you donated to a religious charity that the government deems suspicious, you could be investigated without your knowledge.

Tamir Israel, a technology lawyer with the Canadian Internet Policy and Public Interest Clinic says that the standard for what constitutes as suspicious will be considerably lowered now that the bill has passed. This means that the CRA will not only be able to share more information with additional people, but likely more often as well, resulting in a “heightened risk of financial information being leaked,” according to Israel.

The ways in which this information exchange will happen is unclear, he adds. But he suspects there is a possibility that the CRA could dump relevant categories of information about Canadian individuals into a central pool that the CSIS or any of the other 15 agencies can sift through at will. This eliminates the gatekeeping abilities of the CRA, Israel said. No longer will they have the discretion to only share information they deem relevant.

This centralized database of sensitive financial details could be a prime target for hackers, he adds. The more the data is replicated, the less secure it is, leaving “a few more holes in the dam.”

The CRA is currently held to a high standard when it comes to protecting the privacy of the 27 million Canadians that file tax returns. But the agency is no stranger to hacks, leaks and compromised information.

An October 2013 audit by the then privacy commissioner states that between 2011 and 2012, more than 50 privacy breaches involved the inappropriate disclosure of taxpayer information. At a parliamentary hearing earlier this year, it was revealed that the CRA had experienced more data breaches in the past two years than all other government agencies combined in the past 10 years.

Last year’s widely publicized Heartbleed fiasco saw 900 social insurance numbers jeopardized. Then a few months later, several prominent Canadians’ detailed tax information was unintentionally released to CBC News.

Apart from the CRA, Israel warns that the other departments that will be able to access your information may not be held to the same privacy standards as the CRA or be equipped with strong enough cyber security.

Then there’s human error and the prying eyes of public servants to consider. The 2013 audit of the CRA stated that not enough measures were taken by the agency to prevent unauthorized individuals from viewing sensitive taxpayer details.

A spokesperson for the CRA said in an email that the protection of Canadians’ tax information is a priority for the agency. “Should the Bill be passed into law, the CRA will implement the necessary procedures and controls to ensure that sharing of taxpayer information under the new provisions meets all legal requirements. Information would only be shared as permitted by law.”

If you are uncomfortable with the heightened risk of your privacy being breached, there’s unfortunately not much you can do about it, other than stop filing your tax returns, which we don’t recommend.

To Levin, the heightened risk of privacy breaches is not as problematic as the bigger issue of government surveillance in general.

Technically, our information in the hands of the government is as safe as it is in banks, he says. The difference is that banks will compensate for any losses you may experience because of hackers or fraudsters. With the passing of Bill C-51, it’s the government that may be using your information against you.

“The major point is the system we’re creating now, in which our information is going to be used by the government and by all these agencies to build profiles on us, to conduct surveillance on us,” says Levin.

“And that to me is what’s more worrisome because that’s not why we’re giving the government our income tax information…I don’t consider that a democracy.”