One year ago, on October 24, 2022, privacy commissioners across Canada released a resolution regarding digital identity systems. It sets out the requirements that governments should respect in this area. In Quebec, the Commission for Access to Information, signatory of the joint resolution, specified, in a press release, that “the government must demonstrate transparency at all stages of the realization of the digital identity project by requesting the citizen participation through broad consultations, as certain provinces have done.
However, it is clear that the Quebec Digital Identifier Service (SQIN) project is currently developing without debate, and that in several respects, it does not meet the requirements of the resolution: possible use of biometrics, lack of transparency, absence of precise legal framework.
A memorandum submitted to the Council of Ministers on the SQIN in December 2021 provides certain information: the “business solution” aims to develop a government digital identity document that is authoritative among third parties (public or private). This identity would be supported by a digital wallet (mobile application) allowing you to store various identity cards and certificates. An “enhanced” identity verification through the potential use of biometrics, for example facial recognition, is planned (voluntary according to what the Minister of Cybersecurity and Digital Affairs indicated to the media). The system would have a registry with an identity verification process for all people residing in Quebec.
The government authentication service, stage 1 of the SQIN project, was implemented as part of the digital transformation of the Société de l’assurance automobile du Québec, with the questionable results that we know of. The digital portfolio, the last phase of the project, is planned for 2025.
The SQIN project raises many questions. The development of a reliable and secure digital identifier must first respect the right to privacy. The system should not allow surveillance, and no misuse of purposes should be possible, which implies the adoption of a robust and precise legal framework. Data security and privacy issues are crucial. In the event of an outage, hack or ransomware attack, there is a fear of government services being paralyzed.
And what will happen in the event of identity theft? The apprehensions are all the greater as the government struggles to recruit cybersecurity experts, which leads it to rely heavily on the private sector; hence an increase in costs and confidentiality risks. The use of US web giants, such as Google, Amazon and Microsoft, for data hosting adds to concerns, with the Clarifying Lawful Overseas Use of Data Act (Cloud Act) allowing US authorities to access hosted data (in cloud computing) by a US provider, regardless of where they are stored.
Furthermore, basing a government identifier system on the use, even voluntary, of biometrics would lead to the insidious trivialization of this very invasive technology. How, finally, can we guarantee that the digital identifier will not accentuate the digital divide among part of the population?
So many challenges which amply justify the holding of a public, democratic and informed debate on the issue, as called for by numerous experts and organizations, including the League of Rights and Freedoms. Trust is essential to the implementation of a digital identifier, and this relies on transparency and public consultation.