Opinion – Pretexting and Bill C-27

This page has been archived on the Web

Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.

Archived

This page has been archived on the Web.

When we appeared before the Standing Committee on Access to Information, Privacy and Ethics in May 2007 on the issue of identity theft, we urged the government to adopt a broad-based strategy that would include public education, stronger regulation of data handling practices, civil remedies and finally criminal sanctions for the worst cases. In our view, the government's identity theft legislation is a step in the right direction, however it should form part of a broader-based strategy to address identity theft and identity fraud. When Bill C-27 was introduced, our Office sought an opinion on the effect of the proposed legislation from Professor David M. Paccioco, a respected author and expert in criminal law. We shared this opinion with the federal government, together with our concern that while sanctions are required for the most serious instances of identity theft and fraud, many of the problems associated with these phenomena could be better addressed through regulatory measures and modernized privacy legislation. With the recent introduction of S-4 on the issue of identity theft, we believe that it is important to share Professor Paccioco's opinion more broadly.

David M. Paciocco

EXECUTIVE SUMMARY

I have been asked for my opinion on two questions relating to “pretexting,” the act of fraudulently securing private information. The first question is:

1. Does Bill C-27 capture activities known as pretexting?

The answer to this question is both “yes” and “no.” The reason for the mixed grade is simple. Bill C-27 is not about pretexting or even the protection of private information as an end in itself. It is about finding a way to discourage “identity theft” as a mode of committing already criminal and fraudulent conduct. In other words, the evil sought to be suppressed is not interference with privacy per se; the evil being addressed is fraud committed against property, immigration or the administration of justice. Private information is implicated by Bill C-27 because this proposed legislation is attempting to address the increasing extent to which private information is being used to assist in the commission of such crimes in our internet age. Those wishing to have effective legal controls over the act of pretexting in its own right will therefore find disappointment in Bill C-27.

Still, the two relevant provisions in Bill C-27, section 402.2 and section 403, will catch some cases of pretexting. More specifically section 402.2 will catch the most egregious examples; if passed this provision will criminalize pretexting that is undertaken under circumstances that give rise to a reasonable inference that the information will be used to commit a fraud-based indictable offence. Meanwhile, section 403, the “personation” offence, can be used to catch those cases of pretexting where in order to gain access to private information the accused passes himself off as the person whose information he is seeking to acquire.

The fact that Bill C-27 does not capture pretexting per se gives rise to the second question I have been asked to respond to. I have been asked

2. If [Bill C-27 does not capture activities known as pretexting], should the bill be amended to include offences related to pretexting or might this issue be better dealt with through civil remedies or regulation?

This question includes within it the three legal options there are for addressing the problem of pretexting, the criminal option, the regulatory option, and the civil option. It is my view that the regulatory option is to be preferred, provided that jurisdictional limits on federal power would not undercut the effectiveness of a regulatory statute.

Although there is nothing to prevent Parliament from choosing to use its criminal law power where the federal jurisdiction is secure, criminal law should be employed only as a last resort. It should be confined to social problems that are serious enough to warrant the imposition of the stigma, disqualifications and penalties associated with a criminal conviction and record. While pretexting is offensive both because it involves inherently dishonest behaviour and it invades reasonable expectations of privacy regarding biographical information, some cases are serious and others less so. Pretexting can be done for a range of purposes and in a variety of ways. Without question, pretexting to acquire identity information to be used to deceive others while committing a criminal offence is a significant wrong, worthy of criminal censure. This is what Bill C-27 will accomplish. The virtue of Bill C-27 is that it does so without also catching other less odious or even socially advantageous cases of pretexting, such as pretexting for law enforcement purposes, pretexting within institutions in aid of fraud prevention initiatives, pretexting by investigative journalists, or even pretexting to find dead-beat Dads. Between these two extremes - identity theft pretexting and these socially appealing cases of pretexting - sit other examples that are no doubt more controversial, things likes pretexting to conduct credit checks, or to assemble customer lists, or pretexting by social activists to expose corporate irresponsibility. Wherever the line gets drawn, the point is that pretexting is not the kind of activity that should necessarily be prohibited ab initio. Criminal law is not a fitting place to address pretexting in its own right.

Meanwhile, the civil law suit option is unattractive. Civil suits are intended to permit the recovery of loss by those aggrieved. They are not an effective tool for vindicating broader interests, such as discouraging invasions of privacy, even with the advent of the class action. Civil suits are an inefficient strategy for vindicating private rights where there has not been significant loss, and they are the preserve of the wealthy and the patient. They have their place, but not as instruments for the pursuit of sound public policy.

This leaves the regulatory offence or “infraction.” The attraction of using regulatory mechanisms is multi-faceted. Infractions are less closely scrutinized under the Charter, making it possible to craft the offences more aggressively. They are also more efficient to enforce as they are not as burdened by procedural safeguards. They can operate in a way that tailors the penalty to the seriousness of the activity without imposing the undeserved stigma and consequences of criminal conviction on the offender. And they provide a mechanism that would permit a regulatory agent to be proactive in seeking out and prosecuting more problematic cases of pretexting.

It is therefore my opinion that ideally, a regulatory approach is the preferred approach if there is a political consensus that pretexting is offensive enough to require legal intervention. I believe it is. Before embarking on a regulatory approach, careful consideration has to be given, however, to the jurisdictional limits on the federal law power.

A. The Assignment

I have been asked by the Office of the Privacy Commissioner to offer opinions on two questions relating to Federal Bill C-27 and the practice of pretexting. In particular, I have been asked:

1. Does Bill C-27 capture activities known as pretexting?
2. If not, should the bill be amended to include offences related to pretexting or might this issue be better dealt with through civil remedies or regulation?

The place to begin is by describing what I understand pretexting to entail.

B. The Problem Defined: What is Pretexting?

“Pretexting” has been defined by the United States Federal Trade Commission as “the practice [by someone else] of getting your personal information under false pretenses.”¹ In other words, pretexting is the fraudulent obtainment of personal data.

Pretexting can be carried on in a variety of ways. These include the use of false, fictitious or fraudulent statements to induce others, typically institutions, to part with personal information. Pretexting can also involve the use of forged, counterfeited, lost or stolen documents to get information. It can be accomplished by “phishing” through the use of emails from what appear to be trustworthy organizations to lure people into furnishing private information, or by “pharming,” the creation of false websites to entice people into parting with their personal data. If a broad enough idea of false pretences is employed, pretexting can even catch surreptitious acts of “skimming” which involve the secretive mechanical recording of personal information from magnetic strips on credit and debit cards.²

Not only do the means of pretexting vary widely, pretexting can be used for a range of purposes.

• it is commonly associated with the use of personal information of another to commit credit card theft (where credit is secured and used in the name of another) or bank fraud (where money is borrowed in the name of another or withdrawn from bank accounts or passed in the form of fraudulent cheques)
• it can be used for commercial advantage as a means of generating customer lists or permitting the generation of consumer credit reports³
• it is a common method of investigation used by government agents, private investigators, and institutions to do such things as:
  • locate and identify people;
  • link individuals to assets for creditor relief or the enforcement of support obligations;⁴ and
  • solving and preventing cases of fraud.⁵
• it can be used for testing security procedures⁶
• it can be used by investigative journalists⁷
• it can be used by consumer advocates or ecologists to secure information that would enable the exposure of controversial practices from corporations or other institutions

While the practice of pretexting is longstanding, it has taken on urgency because of the Internet and “the increasing availability of personal identifying information in the electronic marketplace.”⁸

C. The Coverage and Effect of Bill C-27 – does it catch pretexting?

I have been directed to clause 10 of Bill C-27 and asked whether the provisions included in that section catch pretexting. Clause 10 would create new Criminal Offences in s.402.2 and 402.3 relating to “Identity Theft.” These two offences can best be understood by noting the distinction between “identity theft” and “identify fraud” that has been adopted by the Federal Department of Justice of Canada. In its “Backgrounder” to Bill C-27 the Department of Justice notes:

“While the term ‘identity theft’ has no universal definition, it can refer to the preliminary steps of collecting, possessing, and trafficking in identity information for the purpose of eventual use in crimes such as personation, fraud or misuse of debit card or credit card data. Identity theft in this sense can be contrasted with “identity fraud,” i.e, the subsequent actual deceptive use of the identity information of another person in connection with various crimes. Identity theft therefore takes place in advance of and in preparation for identity fraud.”⁹

Section 402.2 addresses “identity theft” and operates at the stage where information is acquired. It therefore touches upon “pretexting.” Section 402.3, on the other hand, addresses “identity fraud” or actions that occur after identity information is acquired. The relevant offence to examine for this opinion is therefore section 402.2.

It is also worth examining section 403, the “personation offence.” Personation is already a crime. Bill C-27 proposes to amend it. Even prior to the proposed amendments, the offence of personation, by its terms, touches upon “pretexting.” It has never, to my knowledge, been used to prosecute a pure pretexting case, although it could be. It is therefore worth examining this offence as well as section 402.2.

I will begin with the new offence in section 402.2 since in the pretexting context it proves to be the more important of the two provisions.

1. The proposed “Identity Theft Provision – s.402.2

Section 402.2 provides:

402.2(1) Everyone commits an offence who knowingly obtains or possesses another person's identity information in circumstances giving rise to a reasonable inference that the information is intended to be used to commit an indictable offence that includes fraud, deceit or falsehood as an element of the offence.¹⁰

This section is not about “pretexting” per se. It is targeted at identity theft. It is therefore about the “unauthorized collection of information” but only when it is the first step in the ultimate criminal use of personal identity information. In other words, section 402.2 is about the act of collecting identity information in preparation for the commission of “more familiar and traditional crimes” where that information is meant to be used to deceive others.¹¹

The mission of section 402.2 makes it broader than a pure pretexting provision would be. More specifically, it catches more than just pretexting because section 402.2 includes acts of acquiring identity information that do not involve “false pretenses.” This provision could catch, for example, the use of spyware to misappropriate information surreptitiously,¹² or the straight-up theft of credit information or of mail, or even securing identity information by dumpster diving or rummaging through garbage.¹³ Indeed, section 402.2 can be triggered with publicly available information. The safeguard used to narrow section 402.2 so that it does not catch anyone who possesses identity information about others is to prosecute the acquisition or possession of identity information only if its acquisition or possession reasonably appears to be linked to a criminal purpose.

Even though section 402.2 goes beyond cases of pretexting, it does not catch all acts of pretexting. There are two limits on the section to prevent it from being a comprehensive anti-pretexting provision.

First, it does not extend to all personal information. Given its inspiration in identity theft it is limited to the protection of “identity information.” The phrase “identity information” is broadly defined but would not include non-identifying lifestyle information such as sexual preference, or family income, or criminal record or consumer shopping patterns.¹⁴

The second and key reason why section 402.2 does not catch all cases of pretexting has already been revealed; it is an offence under this provision to acquire identity information only “in circumstances giving rise to a reasonable inference that the information is intended to be used to commit an indictable offence that includes fraud, deceit or falsehood as an element of the offence.” While section 402.2 would therefore catch “pretexting” undertaken to secure identification information for “the purpose of eventual use in crimes such as personation, fraud or misuse of debit card or credit card data,”¹⁵ it would NOT catch pretexting that is done for simple commercial advantage such as for the composition of customer lists, or for performing credit checks or finding debtor assets. Nor would it catch pretexting as a general investigative technique. Investigative pretexting is excluded from the provision, whether that investigation is undertaken for praiseworthy purposes such as law enforcement, fraud detection or finding “dead-beat Dads,” or whether it is undertaken for less sympathetic or more “seedy” kinds of private investigation activities.

It can therefore be seen that section 402.2 is not really about the protection of privacy; it is, instead a provision that keys in on the collection of identity information as a means of preventing acts that have long been identified as criminal in Canada, including crimes against property,¹⁶ immigration offences,¹⁷ frauds on the administration of justice,¹⁸ and the crime of “personation.”¹⁹ While it was inspired by the increasing use of personal information as a mode of committing fraud-based crimes, it is not addressed at the harm of fraudulently collecting identity information per se; it is addressed at those who do so with a view to committing behaviour that is already criminal.

It has always been illegal to attempt to commit criminal offences, and lay persons can be forgiven for assuming that if someone pretexts in order to secure personal information to commit fraud-based offences they are attempting to commit a crime and could have been prosecuted without section 402.2. There are cases where this would be true, but the law of attempt turns on an uncomfortable and imprecise division between acts of “preparation” and acts of “perpetration.” The crime of attempt occurs only when preparation is done and perpetration begins. Would pretexting the information needed to commit the offence constitute a criminal attempt or a mere act of preparation? That is a matter on which reasonable people might disagree. Understood in this light, it is evident that the primary contribution section 402.2 makes is that it clearly permits arrests and prosecution before fraud-based crimes fully materialize but where identity information has been secured with that end in sight.²⁰ In other words, it is a provision that accelerates the point in time when actions aimed at ultimate fraud related crimes can be prosecuted. Since section 402.2 is a relatively narrow provision serving a limited purpose it will disappoint those who wish for an offence of criminal pretexting.

By defining clearly the relatively narrow function the provision has I do not want to create the false impression that section 402.2 is weak kneed. It is, in fact, an aggressive offence.

First, while it is confined to “identity information” its definition of “identity information” is sweeping. The definition includes “any information ? of a type that is commonly used alone or in combination with other information to identify or purport to identify an individual.”²¹ This is a phrase that captures information that is innocuous in isolation but useful when combined with other data. It also covers data as mundane as birth days and signatures while at the same time extending to information as sensitive as bank account numbers and SIN numbers.²²

The other thing that makes this provision “aggressive” is that in attempting to link its operation to cases of fraud, this section does not follow the customary pattern in similar criminal law provisions of requiring the Crown to prove that the acquisition or possession is actually “for a fraudulent purpose”²³ or that the act of acquisition or possession was undertaken “with intent to defraud.”²⁴ As indicated, on the face of section 402.2 the Crown can succeed where there are simply “circumstances giving rise to a reasonable inference that the information is intended to be used to commit an indictable offence that includes fraud, deceit or falsehood as an element.” To capture the significance of the difference between the customary approach and this approach one has to appreciate the relative “burdens of proof” that are at play.

Under the customary “for a fraudulent purpose” or “with intent to defraud” approach the Crown must actually prove why the accused acted as he did. This creates serious practical challenges. Why a person acts is only truly known by the actor. Courts that are called upon to identify the actual ultimate intent or purpose of the accused are therefore left to try to glean that intent or purpose from the context within which the relevant acts occurred. And where the accused has not yet completed his intended purpose there will be little context to work with. To some degree courts called upon to anticipate what the accused would have been done had he not been arrested or if the act had not otherwise been interrupted are left to infer, if not speculate. When it is appreciated that the Crown is obliged to prove all of the elements of a crime “beyond a reasonable doubt,” the challenges posed when an “ulterior mens rea” such as “a fraudulent purpose” or “fraudulent intent” are built into offences can easily be seen; absent clear and evident incriminating circumstances conviction will not be possible.

With section 402.2 the Government of Canada is trying to get around this difficulty by sparing the prosecutor from having to prove what the actual purpose or intent of the accused was. It will be enough if “circumstances giv[e] rise to a reasonable inference that the information is intended to be used to commit an indictable offence that includes fraud, deceit or falsehood as an element.” Normally a “reasonable inference” is considered to be a conclusion that a reasonable person could make. This is nowhere near the heavy burden that is imposed when a prosecutor is expected to prove the actual purpose or ultimate goal of the accused beyond a reasonable doubt.

For some, this aggressive approach will be attractive; it provides much more unremitting protection than more conventional criminal law provisions tend to do. On the other hand, I have serious doubt about whether section 402.2 can succeed a Charter challenge. Quite simply, it violates the presumption of innocence guaranteed by section 11(d) of the Charter since there will be cases where this provision would require the conviction of an individual in the face of a reasonable doubt about whether he really did intend to use the information obtained to commit an indictable fraud-based offence.²⁵ I think that in the desire to address identity theft effectively, the drafters of Bill C-27 have gone too far. If passed, section 402.2 could well end up being a short-term victory for those trying to battle identity theft.

In sum, even if it is constitutionally valid, which is doubtful, section 402.2 does not catch “pretexting” per se. If the offence is passed and does withstand the inevitable Charter challenge it will catch some forms of pretexting, but not all. This is because the offence is not really about the fraudulent acquisition of identification information; it is instead about the acquisition of identification information for use in already existing fraud-based crimes.

2. The “Personation” Offence – s.403

Bill C-27 will amend the offence of “personation” in section 403 of the Criminal Code of Canada. It will provide:

1. Every one commits an offence who fraudulently personates any person, living or dead,
   1. with intent to gain advantage for themself or another person
   2. with intent to obtain any property or an interest in any property
   3. with intent to cause disadvantage to the person being personated or another person; or
   4. with intent to avoid arrest or prosecution, or to obstruct, pervert or defeat the course of justice.
2. For the purposes of subsection (1), personating a person includes pretending to be that person or using that person's identity information – whether by itself or in combination with identity information – as if it pertains to the person using it.²⁶

On its face, section 403 applies only after the accused has enough personal information to personate another. This is because the central prohibited act is “personation” or pretending to be another who is or was living.²⁷ The offence does not occur, therefore, when the identity information of another is being, or has been, acquired. It occurs only when the accused uses the identity information he has acquired to pass himself off as another.²⁸ While section 403 offences can and typically will follow an act of identity theft,²⁹ section 403 is not about identity theft per se. Section 403 is about attempting to use the identity that has been stolen.

Still, it is possible for section 403 to catch some cases of pretexting. As Senior Legal Counsel for the Office of the Privacy Commissioner of Canada indicated in the email that solicited this opinion, “pretexting [often] occurs when an individual, armed with some information about a person, is able to obtain additional information about the person from an organization.”³⁰ If, while pretexting for further information, an accused uses some information about a person to personate that person in order to acquire that “other information,” there has been an act of personation. If that act is done for one of the illicit purposes adumbrated in section 403, the offence of personation will have occurred during the act of pretexting.

In truth, these “illicit purposes” will almost invariably be present when personation is employed in the act of pretexting. While most cases prosecuted under section 403 involve personation to secure property or an interest in property, “an advantage need not be economic, proprietary or monetary”³¹ to qualify under section 403. Subsections (a) and (c) are trigged if the personation is done to “gain an advantage” or “cause a disadvantage.” These concepts are interpreted aggressively. Any “better position, precedence, superiority or favourable circumstance” will qualify.³² Indeed, even personating a person to secure identification documents has been held to be included.³³ It is therefore difficult to imagine that there are many cases where an act of personation could occur as part of the pretexting process and where the full personation offence would not be committed. If the police and prosecutors are minded to, section 403 can therefore be used to prosecute criminally cases of pretexting where the accused is seeking personal information by pretending to be the person whose personal information is being sought. This is not because section 403 was created to criminalize pretexting; it is an accidental corollary of the way pretexting often works.

3. Summary

Section 402.2 is not about the protection of privacy, nor is it intended to criminalize pretexting. It would nonetheless catch those acts of pretexting that are undertaken under circumstances that give rise to a reasonable inference that the information will be used to commit a fraud-based indictable offence. This does not encompass all acts of pretexting but only those linked to what is generally regarded to be “identity theft.”

Things are much the same with section 403. The crime of “personation” it creates is not about identity theft, but would coincidentally catch those cases of pretexting where, in order to gain access to the private information, the accused passes himself off as the person whose information he is seeking to acquire.

D. Bill C-27 and the Criminal Law – Should it Catch Pretexting?

Pretexting is problematic for two reasons. First, it is a dishonest act. By definition, pretexting involves the use of false pretences. It is therefore offensive in some measure for that reason alone. There is no sugar coating it. Pretexting involves the employment of fraudulent techniques to secure private information.

And therein lays the second concern – it is private information that is being sought. Contemporary society prizes private information. Any doubt about that was removed with the Canadian Charter of Rights and Freedoms. While that legal instrument did more to reflect contemporary values than it did to change them it had the virtue of requiring courts and legal commentators to ask basic questions about fundamental values. Not surprisingly, in the same decade that privacy and access to information statutes were entering the legal scene, Charter jurisprudence was affirming that information can have value that goes far beyond the kind of commercial exchange worth that impelled the development of the law of intellectual property. Personal information is important enough to warrant constitutional protection simply as a matter of fundamental human rights. The Supreme Court of Canada commented in R. v. Dyment that:

“[T]here is privacy in relation to information. This ? is based on the notion of dignity and integrity of the individual?. ‘This notion of privacy derives from the assumption that all information about a person is in a fundamental way his own, for him to communicate or retain for himself as he sees fit.’ In modern society, especially, retention of information about oneself is extremely important. We may, for one reason or another, wish or be compelled to reveal such information, but situations abound where the reasonable expectations of the individual that information should remain confidential to the persons to whom, and restricted for the purposes for which it is divulged, must be protected.”³⁴

This “biographical core of personal information which individuals in a free and democratic society would wish to maintain and control” ? “would include information which tends to reveal intimate details of the lifestyle and personal choices of the individual.”³⁵ It also includes identity information. Indeed, in R. v. Harris the Ontario Court of Appeal recently held that a simple request by a police officer that a detained suspect identify himself constituted a “search” because it was an intrusion on a reasonable expectation of privacy that the individual would have in his own identity.³⁶

It is quite evident that pretexting, the act of dishonestly securing private information from individuals, is therefore offensive enough to invite legal control. Speaking generally and simply, there are three ways the law can respond to a perceived social problem like pretexting. It can use the criminal law, a body of rules employed with the intention of stigmatizing and punishing the behaviour because it is inherently wrong according to fundamental Canadian values.³⁷ Or the law can operate through non-criminal offences tending to carry lesser stigma and penalties than criminal law in order regulate the behaviour. Finally, it can leave matters to the civil courts where lawsuits can be brought not to punish but to allocate the loss caused by the behaviour or to restrain actors from causing losses before they occur through injunctive relief. To determine which of these options is preferable, it is important to consider the availability and implications of each of these choices.

The Nature of a Criminal Law Option

Technically there is nothing to prevent Parliament from making “prextexting” a criminal offence. This is because the criminal law power held by the Federal Government is so broad as to be functionally unconstrained. All that is required for a valid exercise of the criminal law power is that a law has “a valid criminal law purpose backed by a prohibition and a penalty.”³⁸ The last two of these three requirements – a prohibition and a penalty – are matters of form relating to how criminal offences are structured. In other words, these two requirements do nothing to restrict the scope of what can be made criminal. The only limit on the power to create crime is that it must be done for “a valid criminal law purpose.” This vague limit can be satisfied if the law is intended to address “public peace, order, security, health and morality” or to protect the vulnerable. A broad reading of public peace is embraced. It is evident from existing offences in the Criminal Code of Canada that valid criminal law purposes include addressing dishonest acts, and invasions of privacy. Pretexting would technically quality. And there is precedent for using criminal law to address it. The American Gramm-Leach-Bliley Act³⁹ makes pretexting a crime when it is directed at customer information held by the financial sector, without any proof that the information is ultimately going to be used fraudulently.

The fact that the criminal law is capable of being used to address pretexting does not answer whether it should be used to address pretexting. The starting point in answering this question is to appreciate that Criminal Law is society's last line of defence against harmful or injurious conduct, not its first. As the Law Reform Commission of Canada put it in the Report, Our Criminal Law, “criminal law must be an instrument of last resort.”

Before an act should count as a crime, three ? conditions must be fulfilled. First, it must cause harm to other people, to society or, in special cases to those needing protection from themselves. Second, it must cause harm that is serious both in nature and degree. And third, it must cause harm that is best dealt with through the mechanism of criminal law.⁴⁰

To understand the restrained approach endorsed by the Canada Law Reform Commission, consider what a criminal conviction does to the person convicted. First, a criminal conviction is the most powerful censure that a Government can impose on its citizens. Even leaving aside the sentence that may be imposed, it is a declaration that the citizen has acted in so reprehensible and anti-social a fashion that he deserves the stigma of being marked with a criminal record. A conviction is meant to be the ultimate expression of disapproval, which notionally should be reserved for the worst forms of conduct. Moreover, that criminal record matters. It disqualifies individuals from holding offices, including those as high flown as corporate directorships or as mundane as trusteeship of family trusts. It limits access to employment, impedes security clearances, restricts travel and exposes individuals to greater punishment if ever convicted of other offences. It is even seen to be a sign that the individual is not credible when testifying, as their criminal records can be used to discredit individuals when they are testifying.

As can be seen, whether the criminal law is an appropriate vehicle to use in a particular case is ultimately a question of policy and perspective. Responsible individuals can hold varying opinions about what constitutes harm, and when that harm is seriously wrong enough both in nature and degree to warrant treating offenders in the fashion just described.⁴¹ Even the question of whether a particular social problem is best dealt with through the mechanism of criminal law can be controversial. Offering an opinion on whether the criminal law should be used is therefore largely a matter of taste and it will ultimately reflect basic personal political philosophies, including on questions about the nature of liberty and the role of the state.

The Nature of a Regulatory Option

Not all offences are “criminal.” Most offences created in Canada are not. There are literally tens of thousands of “regulatory” offences, also known as “infractions” or “public welfare offences” or “quasi-criminal offences.”⁴² According to the legal model that has gained endorsement by the Supreme Court of Canada, regulatory offences tend to:

• deal with matters that are not inherently wrong according to basic Canadian values but which should be treated as illegal in the interests of the public welfare because the conduct can damage public or societal interests;
• deal with conduct that is not so reprehensible as to require the stigma of a criminal conviction or the serious forms of punishment used in criminal cases; and
• address conduct that need not or should not be prohibited entirely, but which should be regulated or controlled.⁴³

Given that regulatory offences tend to carry lesser penalties and stigma, the degree of protection afforded to accused persons can be lessened relative to those who are prosecuted criminally. For regulatory offences the norm is not to require proof of actual criminal intent; although regulatory offences can be defined to require proof of intent or identified purposes on the part of accused persons, most such offences impose strict liability. In other words, if the Crown proves the relevant act (such as securing the private information of another), the burden can be imposed on the accused to establish that he acted in a duly diligent or otherwise lawful manner.⁴⁴ Moreover, regulatory offences can be prosecuted without the same procedural protections required in more serious, criminal law cases.

In essence, regulatory offences make a much less profound statement of principal than criminal offences but they are administratively more efficient and better suited to conduct the seriousness of which varies.

The Nature of a Civil Option

I understand that there is a growing body of opinion that the law is coming to recognize a tort of breach of privacy. That being so the option of leaving pretexting to the civil arena is possible. It has to be understood, however, that a civil law suit is brought by a private individual or a corporate body for a wrong done to them. Typically, the plaintiff must prove damages, or the “wrong” is not actionable. In a civil law suit, there is no government agent appointed to enforce the relevant law. The aggrieved individual must initiate the action. Since civil actions are notoriously expensive, they tend to be brought only by individuals who have means, or as “class actions” typically initiated by enterprising lawyers interested in the large legal fees available. Civil suits often take years to settle and therefore require highly motivated individuals. Ultimately, unless it is a rare case for punitive damages, the outcome of the suit is not measured according to the how offensive the conduct was, but rather by how much it cost the plaintiff. In short, civil suits do not provide the best vehicle for the enforcement of public policy concerns, such as the disapproval of wide-scale practices such as pretexting.

The Preferred Option – Create a Regulatory Offence to Address Offensive Forms of Pretexting

It is my personal view that the preferred option for addressing pretexting is the creation of a regulatory offence. Pretexting is offensive enough that a compelling case can be made that it should not go unaddressed by the law. The question then is how should it be addressed?

The civil law suit option can be summarily dismissed. Pretexting often causes no tangible damage or loss and therefore there will often be little promise of reward for potential plaintiffs. Meanwhile, the costs of proceeding and the delays inherent in the process work as positive disincentives to enforcement. If the goal is to demonstrate that pretexting is offensive and to launch a frontal assault on the problem then relying on civil law suits alone is a poor strategy.

In my opinion, the option of criminalizing acts is also unappealing. There are three considerations that counsel restraint in using the criminal law option to make pretexting a criminal offence in its own right.

First, while the simple act of being duped into surrendering personal information is indeed inherently offensive, it is my view that not all cases of pretexting are serious enough to warrant criminality. I think there is a world of difference between having one's private information dishonestly secured as part of a credit check or by a consumer's rights advocate, and having one's private information secured by someone as a step towards identity fraud. Without question, identity fraud is deeply disturbing enough to require criminal intervention. It puts reputation, property and even access to public services at risk. Bill C-27 will serve this purpose while at the same time avoiding the criminalization of less offensive or worrisome cases of pretexting. In my view, Bill C-27 honours the principle of restraint by limiting its treatment of pretexting to cases where it can cause serious injury or harm rather than simple inconvenience or symbolic offence.⁴⁵

Second, criminal law works best where conduct is so offensive that it should be prohibited absolutely. This is not universally true of pretexting. Indeed, a case can be made that some kinds of pretexting should be permitted. Certainly pretexting by police investigators has social utility.⁴⁶ So, too, does pretexting to test security systems, or to identify fraud within institutions, or to locate dead-beat Dads. Arguably pretexting by investigative journalists has social value, as does pretexting done to expose legal violations or environmentally or socially irresponsible behaviour. I am not as sanguine about having my identity information accessed to compose customer lists or to check my credit history. Ultimately, though, regardless of where the lines should be drawn pretexting strikes me as conduct that should be regulated rather than prohibited ab initio.

Third, regulatory regimes are more efficient and therefore more enforceable. Moreover, regulatory legislation can be drafted to address the problem in a more aggressive way than criminal regulation could. Simple put, the regulation of pretexting through targeted infractions would likely prove to be more effective than criminalization would.

If the Privacy Commissioner wishes to make pretexting an offence in its own right, creating relevant offences under the Privacy Act⁴⁷or the Personal Information Protection and Electronic Documents Act⁴⁸ would, in my opinion, provide a better option than criminal prosecution. There are, of course, jurisdictional issues that require more careful canvass than I can give them here. Would federal regulatory offences be enforceable or would they trench on provincial jurisdiction? My instinct tells me that it would fit within the federal residuary power of peace, order and good government since pretexting, particularly using internet technology, “involves a subject matter that did not exist at the time of Confederation and is not of a merely local or private nature.” Alternatively, it “goes beyond local and provincial concerns and must, from its inherent nature, be the concern of the Dominion as a whole.”⁴⁹

Given that I have been afforded the privilege of having been asked for my own views, I am offering my opinion that Bill C-27 should not be amended to criminalize pretexting. Instead, further research should be undertaken to identify whether the non-criminal jurisdiction of the federal government would support the creation of a regulatory scheme. Should that prove so, and should there be the political will to do something about pretexting outside of the identity theft area, a regulatory regime could be proposed.

_____________________________

David M. Paciocco

 

¹ Federal Trade Commission: Protecting America's Consumers: Facts for Consumers, 4/21/2008. The Submission Presented to the Standing Committee on Access to Information, Privacy and Ethics on Identity Theft by the Privacy Commissioner of Canada defined “pretexting” as “a form of social engineering in which an individual, armed with some information about a person, is able to obtain additional information about the person from an organization.”

² In “Identity Theft: Consultation on Proposals to Amend the Criminal Code,” Consultation paper prepared by Criminal Law Policy Section, Department of Justice, Canada, June 2006 at 2 the Criminal Law Policy Section does not see it this way. They consider “skimming” to fall outside of “pretexting” because it does not involve obtaining information by false pretences, but instead, converting or taking information which was consensually shared for unauthorized purposes.

³ The Federal Trade Commission on “Obtaining Confidential Financial Information by Pretexting” before the Committee on Banking and Financial Services United States House of Representatives,” Washington D.C., July 28, 1998, at 2 of 10.

⁴ This use has been expressly exempted from the American Federal Gramm-Leach-Bliley Act, 15 USC, Subchapter II, Sec. 6821-6827Fraudulent Access to Information, s.6821(g).

⁵ This use has been expressly exempted from the American Federal Gramm-Leach-Bliley Act, 15 USC, Subchapter II, Sec. 6821-6827Fraudulent Access to Information, s.6821(e).

⁶ This use has been expressly exempted from the American Federal Gramm-Leach-Bliley Act, 15 USC, Subchapter II, Sec. 6821-6827Fraudulent Access to Information, s.6821(d).

⁷ “Identity Theft: Consultation on Proposals to Amend the Criminal Code,” Consultation paper prepared by Criminal Law Policy Section, Department of Justice, Canada, June 2006 at 2.

⁸ The Federal Trade Commission on “Obtaining Confidential Financial Information by Pretexting” before the Committee on Banking and Financial Services United States House of Representatives,” Washington D.C., July 28, 1998, at 2 of 10.

⁹ Department of Justice Canada “Identity Theft” Backgrounder, page 1 of 3. While most definitions of identity theft do as the Department of Justice's definition does by linking the acquisition of identification information to the intent to use that information use to commit fraud-based crime, wider definitions have been offered. Some definitions of identity theft are no linked to fraud-based crimes but include any misappropriation of information “to gain some advantage, usually financial, by deception.” Others treat the mere act of fraudulently securing identity information as identity theft; in other words, these definitions treat the relevant “wrong” as the use of fraud to get the identity information, whereas the Department of Justice definition treats the relevant wrong as the intent to use of identity information to commit some criminal fraud. A variety of definitions are offered in Appendix A of “Identity Theft: Introduction and Background,” CIPPIC Working Paper No.1 (ID Theft Series), March 2007, Ottawa: Canadian Internet Policy and Public Interest Clinic.

¹⁰ Like section 402.3, the offence in section 402.2 is accompanied by two definition provisions, a jurisdiction provision, and a punishment provision.

¹¹ “Identity Theft: Consultation on Proposals to Amend the Criminal Code,” Consultation paper prepared by Criminal Law Policy Section, Department of Justice, Canada, June 2006 at 7.

¹² “Identity Theft: Consultation on Proposals to Amend the Criminal Code,” Consultation paper prepared by Criminal Law Policy Section, Department of Justice, Canada, June 2006 at 7.

¹³ In this important sense, Bill C-27 is broader than proposed Private Members Bill C-299, An act to amend the Criminal Code (identification information obtained by fraud or false pretence) which was confined to pretexted information collected for use “to commit an offence under section 380 or 430.” (House of Commons, 2nd Sesstion, 39th Parliament, 56 Elizabeth II, 2007)

¹⁴ “Identity Theft: Consultation on Proposals to Amend the Criminal Code,” Consultation paper prepared by Criminal Law Policy Section, Department of Justice, Canada, June 2006 at 5.

¹⁵ Department of Justice Canada “Identity Theft” Backgrounder, page 1 of 3.

¹⁶ The indictable fraud related offences tabulated in an the non-exhaustive list in section 402.3(3) include section 342 (theft, forgery, etc of credit card), section 362 (false pretences or false statement, [which offence is limited to property or monetary instruments]); and section 366 and 368 (dealing with forgery [an offence broader than but typically implicating financial fraud]).

¹⁷ Section 402.3(3) includes in its list of fraud-based crimes, section 57 (forgery of or uttering a passport), and section 58 (fraudulent use of certificate of citizenship);

¹⁸ Section 402.3(3) also includes section 130 (impersonating a peace officer) and section 131 (perjury).

¹⁹ Section 403 is included in the section 402.3(3) list. See the discussion below.

²⁰ “Identity Theft: Consultation on Proposals to Amend the Criminal Code,” Consultation paper prepared by Criminal Law Policy Section, Department of Justice, Canada, June 2006 at 5.

²¹ Section 402.1.

²² It has to be appreciated that the only thing that makes it possible for section 402.2 to catch the acquisition of such a wide range of information is the limitation in the section that prosecution can only succeed if the information is gathered “in circumstances giving rise to a reasonable inference that the information is intended to be used to commit an indictable offence that includes fraud, deceit or falsehood as an element of the offence.”

²³ See, for example, section 340 (destroying documents of title); section 341 (fraudulent concealment); s.381 (using mails to defraud); section 389 (fraudulent disposal of goods)

²⁴ See, for example, section 336 (criminal breach of trust; section 361 (false pretenses); section 361 (false pretences); section 363 (obtaining execution of valuable security); section 366 (forgery); section 380(2) (affecting public market); section 382 (fraudulent stock manipulation); section 385 (fraudulent concealment of documents); section 386 (fraudulent registration on title); s.397 (falsification of books and documents); s.398 falsifying employment records; s.435 (arson for a fraudulent purpose).

²⁵ This is the test for a section 11(d) violation: R. v. Whyte [1988] 2 S.C.R. 3. A sophisticated argument in favour of the provision would urge that the element of the offence is that “circumstances giv[e] rise to a reasonable inference that the information was intended to be used to commit an indictable [fraud-based] offence” and that this element has to be proved beyond a reasonable doubt, consistently with the Whyte requirement. In my opinion, this is obfuscation. The section was clearly drafted to lower the burden of proof required for conviction from proof beyond a reasonable doubt of the essence of the offence, to a mere reasonable inference. Although section 11(d) violations are often saved by section 1 this one cannot be, as it does not allow the accused to rebut the reasonable inference. The current provision is not true to the ambition in the Department of Justice consultation paper of developing a narrowly tailored, rebuttable presumption to assist prosecutors: “Identity Theft: Consultation on Proposals to Amend the Criminal Code,” Consultation paper prepared by Criminal Law Policy Section, Department of Justice, Canada, June 2006 at 9.

²⁶ The underscored parts identify the changes to be found in Bill C-27. In truth, most of these amendments to section 403 are largely cosmetic. The first three are grammatical. While section 403(1)(d) looks like a change, it is a clarification given that if someone personates another to avoid arrest or prosecution or obstruct justice they would almost certainly have been caught by subsection 403(1)(a) even without the amendment; it is difficult to imagine how trying to avoid arrest or prosecution, or obstruct justice by personating another, would not be undertaken for the benefit of the accused or another. Not surprisingly, there are many pre-Bill C-27 cases where personation convictions followed attempts to avoid arrest by giving false names: See for example, R. v. Grafe [1987] O.J. No. 796 (Ont. C.A.), and R. v. Hall [1984] O.J. No. 42 (Ont. C.A.). Indeed, this could be the most common use of section 403. The only change of significance in Bill C-27 is subsection (2) which makes it plain that the offence can occur without the accused physically presenting himself as another; it is now clear that it is enough if documents are passed on to create this false impression.

²⁷ The offence does not extend to the use of fictitious names: R. v. Northrup (1982), 41 N.B.R. (2d) 610 (N.S.C.A.).

²⁸ The offence in R. v. Gooden [2007] O.J. No. 268 (Ont. S.C.J), for example, did not occur with the acquisition of the identification and credit cards of another. It occurred when credit card receipts were signed. See also R. v. Fraser [1985] B.C.J. No. 2330 (B.C.C.A), passing cheques triggered the offence, and R. v. Carew [1992] B.C.J. No. 995 (B.C.C.A.), using the SIN card of another to support fraudulent cheques.

²⁹ See, for example, R. v. Chahine (2006), 401 A.R. 6 (Alta. C.A.).

³⁰ Ms. Lisa Madelon Campbell, Senior Legal Counsel, Office of the Privacy Commissioner, Wednesday, April 02, 2008 email correspondence to David M. Paciocco.

³¹ R. v. Hetsberger [1979] O.J. No. 1818 (Ont. S.C. (A.D.)).

³² R. v. Hetsberger [1979] O.J. No. 1818 (Ont. S.C. (A.D.)).

³³ See R. v. Atkinson [2007] B.C.J. No. 1423 (B.C.Prov. Ct) where Atkinson used Cousin's Visa card and birth certificate to try to get further identification, a British Columbia Identity Card.

³⁴ R. v. Dyment [1988] 2 S.C.R. 417 at para 22.

³⁵ R. v. Plant [1993] 3 S.C.R. 281 at 293.

³⁶ R. v. Harris (2007), 49 C.R. (6th) 220 at 231-234 (Ont. C.A.).

³⁷ See R.. v. Wholesale Travel Group Inc. [1991] 3 S.C.R. 154 for a description of the theoretical differences between criminal and regulatory offences.

³⁸ R. v. Malmo-Levine 2003 SCC 74 at para. 74.

³⁹ 15 USC, Subchapter II, Sec. 6821-6827, Fraudulent Access to Financial Information.

⁴⁰ Law Reform Commission of Canada, Report: Our Criminal Law (Ottawa: Minister of Supply and Services, 1976) at 27-28. None of these conditions are universally respected in action, but they do provide a principled foundation for considering the role of criminal law.

⁴¹ The Supreme Court of Canada split badly on the role of the criminal law in addressing indecent conduct in R. v. Labaye (2005), 203 C.C.C. (3d) 170 (S.C.C.) because of different philosophical approaches to both indecent conduct and the role of criminal law.

⁴² In the United States some refer to them as civil penalties but this is a misleading term; the term “civil” should be confined to private law suits to avoid confusion.

⁴³ R. v .Wholesale Travel Group Inc. [1991] 3 S.C.R. 154.

⁴⁴ R. v. City of Sault Ste. Marie [1978] 2 S.C.R. 1299.

⁴⁵ To be clear, there is nothing restrained about the use of “reasonable inferences” as a substitute for proved intention. I am commenting here about restraint in identifying the kind of pretexting that should be included in the provision.

⁴⁶ Some cases could run afoul of section 8 of the Charter, but Charter applications can be brought in such cases; investigative pretexting by state agents can be controlled without making what can be valuable police work criminal ab initio.

⁴⁷ Privacy Acct, R.S. 1985, c. P-21.

⁴⁸ Personal Information Protection and Electronic Documents Act, S.C. 2000, c.5.

⁴⁹ Labbatt Breweries of Canada Ltd. v. Attorney General of Canada [1980] 1 S.C.R. 914 at 944-945.