We really need to get rid of SIN numbers.
They should be cryptographically signed tokens you request for a single individual service, with a defined scope of access.
E.g. when you want to set up payroll tax at a new job, you go online or visit Service Canada, register a token, and share that with your employer.
When you’re authorizing H&R Block to do your taxes, you request a tax token for the current year.
When you’re opening a bank account you request a token and the bank verifies it.
When these leak they are easily reset, and when credit bureaus need access to your history for a hard check, they request a token with that permission.
This is kind of a pain but it means the office administrator can’t open a credit card in your name just because they have your info, and a leak at H&R Block gives a specific scope of investigation and resolution.
Your account can still be breached, but that has a clear resolution step (verify your identity with Service Ontario or Canada Post, invalidate tokens, file an investigation, and submit new tokens).
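A sketch of the scoped-token idea in the comment above, as an added example that is not part of the original thread or of any real government system. The function names, claim fields, scope strings and key are all assumptions, and an HMAC checked by the issuer stands in for a real digital signature so the code runs on the standard library alone.

```python
import base64, hashlib, hmac, json

ISSUER_KEY = b"constructed-demo-key"  # constructed; stands in for the issuer's signing key
REVOKED = set()                       # token ids the holder has invalidated

def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _tag(body):
    return _b64(hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).digest())

def issue(token_id, person, audience, scope, expires):
    """Mint a token bound to one person, one relying party and one scope."""
    claims = {"id": token_id, "sub": person, "aud": audience,
              "scope": scope, "exp": expires}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    return body + "." + _tag(body)

def verify(token, audience, scope, today):
    """Issuer-side check a relying party requests. Returns (ok, reason)."""
    try:
        body, tag = token.split(".")
        if not hmac.compare_digest(tag, _tag(body)):
            return False, "bad signature"
        claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    except (ValueError, TypeError):
        return False, "malformed"
    if claims["id"] in REVOKED:
        return False, "revoked"
    if today > claims["exp"]:          # ISO dates compare correctly as strings
        return False, "expired"
    if claims["aud"] != audience:
        return False, "wrong relying party"
    if claims["scope"] != scope:
        return False, "scope not granted"
    return True, "ok"

def revoke(token_id):
    REVOKED.add(token_id)

def demo():
    # Constructed sample: a payroll token handed to one employer.
    t = issue("tok-1", "person-123", "acme-payroll", "payroll-tax", "2025-12-31")
    results = [verify(t, "acme-payroll", "payroll-tax", "2025-06-01"),
               verify(t, "some-bank", "open-credit", "2025-06-01")]
    revoke("tok-1")                    # the employer's copy leaked
    results.append(verify(t, "acme-payroll", "payroll-tax", "2025-06-02"))
    return results

if __name__ == "__main__":
    print(demo())
```

The second check fails because the token names a different relying party, which is the property that stops a leaked payroll token from being used to open credit.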
This guy gets it. 100% agree.
Then second step: shared responsibility for theft, like if someone buys a car in your name you aren’t stuck with 100% of the problem because the dealership is 50% liable. Third step: Insurances need to be available for the residual risk but with 50-50 liability everyone will be on their best behaviour.
And as a condition to use their site the CRA makes you agree that you can’t hold them responsible for any misuse of your data they may allow. How conveeeeeenient.
People affected:
If you worked at B.C.'s Interior Health authority between 2003 and 2009 and believe you may be the victim of stolen identity or a hacked CRA account, please email, in confidence, [email protected] or text or call 416-526-4704. Click here to contact CBC News completely anonymously using SecureDrop.
Axe the Tax!
And get a weak, insecure, and underfunded CRA…