[can.general] Borrowed records from Revenue Canada

jmlang@water.UUCP (11/19/86)

It is very scary that somebody can "borrow" a few million
records containing personal data about people.  Reading
the papers, it is quite obvious that it would be very
easy to use the type of information contained in those
Revenue files.  In a way, it is a bit reassuring that the
records were on micro-fiches, there is quite a lot more
damage that could be done with the same records in electronic
format.

Have you noticed how many forms you have to fill that contain
the S.I.N., even though there are only 3 or 4 official uses for
it : your employee record, your income tax form and ...?
With such a Universal number, invasion of privacy by computer
matching is a definite possibility. Yet, there is little
awareness about that. Another problem happens when you give
out information for one use, and it ends up being used for other
means : an obvious example is when I subscribe to a magazine and
get put on dozens of mailing lists without my authorization.

Anyway, knowing that government files, or for that matter any
files containing personal information, can and will fall in
unintended hands, I am not sure what the safeguards should
be to minimise any damage. Anybody out there have any idea?


-- 
Je'ro^me M. Lang	   ||				    jmlang@water.uucp
Dept of Applied Math       ||			  jmlang%water@waterloo.csnet
U of Waterloo		   ||  	 jmlang%water%waterloo.csnet@csnet-relay.arpa

henry@utzoo.UUCP (Henry Spencer) (11/19/86)

> Have you noticed how many forms you have to fill that contain
> the S.I.N., even though there are only 3 or 4 official uses for
> it : your employee record, your income tax form and ...?
> With such a Universal number, invasion of privacy by computer
> matching is a definite possibility...

It's surprising how many of those forms will be quietly accepted, with
no hassles, if you just "forget" to fill in the SIN.  I've been doing this
for years, and have never been challenged on it.  (Plan B, should I ever
be challenged on this, is "I don't have it with me".)

> ... an obvious example is when I subscribe to a magazine and
> get put on dozens of mailing lists without my authorization.

Most magazines will refrain from doing this if you so request.  The default
is "do it" rather than "don't do it" because (a) most people don't care (me,
I love throwing out junk mail -- it costs them money to print and mail,
and costs me nothing to discard) and (b) selling mailing lists gets them a
great deal of revenue, which is an attractive alternative to raising the
price of the magazine.
-- 
				Henry Spencer @ U of Toronto Zoology
				{allegra,ihnp4,decvax,pyramid}!utzoo!henry

ludemann@ubc-cs.UUCP (11/20/86)

In article <623@water.UUCP> jmlang@water.UUCP writes:
>It is very scary that somebody can "borrow" a few million
>records containing personal data about people.  ... 
>           ...  In a way, it is a bit reassuring that the
>records were on micro-fiches, there is quite a lot more
>damage that could be done with the same records in electronic
>format.

The other day I was given a demo of what a few thousand dollar
machine attached to a PC can do, inputting data directly from
paper.  It had better than 95% accuracy.  Someone could probably
do better than that from microfiche.

clewis@spectrix.UUCP (Chris Lewis) (11/20/86)

In article <623@water.UUCP> jmlang@water.UUCP writes:
>In a way, it is a bit reassuring that the
>records were on micro-fiches, there is quite a lot more
>damage that could be done with the same records in electronic
>format.

Actually, it is difficult to see what difference it would make.
As it stands (from what I've heard on the radio), these are the
possible exposures that the newspapers have thought of:

	1) mailing lists - *BIG* ones.  A nuisance certainly, but not
	   a big deal.

	2) Improper acquisition of passports - well, you're still
	   supposed to have "professional" references, so it shouldn't
	   be too bad.  Actually, the main thing you *have* to
	   have is a birth certificate.  A SIN without birth certificate
	   won't get you anywhere.

	3) Credit checks - theoretically, the credit agencies are
	   only supposed to divulge this information when the request
	   is accompanied by the signature of the person being checked.
	   Eg: you sign a form while getting a mortgage to allow the
	   bank to look at your credit rating.  Therefore, I believe
	   that a credit agency releasing information on the basis
	   of a phone call regardless of whether the caller had SIN
	   is improper anyways.  Besides, most credit records wouldn't
	   have SIN (though they will if it is in their sources).

	4) Various futzing around with banks (eg: creating accounts).
	   This is possible regardless of whether you have a SIN or not.
	   You don't need a SIN to open an account!  Banks go by signatures,
	   names and bank account numbers primarily.  SINs are there for issuing
	   T5's (I think that you don't have to supply a SIN for this purpose -
	   you can get the filled out form from the bank and send it yourself),
	   RRSP, CSBs etc - and half the time the accounts are not tied
	   together anyways (RRSP still hasn't noticed we've moved, but the
	   mortgage sure as hell has).  Any bank that allows somebody to
	   withdraw money from an account purely because of having a name
	   and SIN number is in big trouble.

	5) Computer matching: first of all you have to break into a 
	   computer that has SINs.  That ain't all that easy.  But still,
	   what is there?  Well:

			a) banks
			b) Stats Can (for tracking individual progress,
			   but only for long form, and probably divested
			   of all other ID stuff anyways.  Stats Can is
			   not a very worth-while thing to break into)
			c) employers.
			d) Credit agencies (sometimes)

		   From (a), (b) and (d) all you can find out of any particular
		   interest is how much you make - sort of like being in the
		   Civil Service. (c) isn't likely to be particularly 
		   interesting.  Most companies don't have their employee
		   data computerized anyways.
	    
	    [This may be an incomplete list - anybody have other examples
	    of big databases with SINs in them?]

	6) There are very few things that you *have* to supply a SIN number
	   for.  Almost entirely Taxation stuff.  If you want to protect
	   yourself - simply don't give it out except where required by law.
	   Most companies won't insist on it.  Unfortunately, though, we
	   don't have the protection that the Americans have - US law
	   states that no person can be denied a service (at least government -
	   eg: welfare etc) for refusing to divulge a SSN.  And, in fact, 
	   most of the big databases in the US key on names and addresses
	   and other "non-unique identifiers" because they cannot (by law) 
	   rely on everybody giving them the SSN.

From the point of view of computer matching, the SIN number is nice to have,
but hardly necessary.  A person's name and address is the only matching
data that most organizations have in common with any other organization.
For example, the Ontario Cancer Treatment and Research Foundation doesn't
bother with SINs or OHIP numbers - they match on age, name and address.
OHIP keys on OHIP #, last name and initials and sometimes age.  Until 
I moved out, we couldn't distinguish between OHIP stuff addressed to me 
or my father...  OHIP numbers are REALLY crummy IDs.  (The funniest thing
I ever saw was a retail store taking OHIP numbers as ID for taking a cheque.
Fat lot of good it would do them if it bounced)

I used to work in the Krever Commission (Royal Commission of Enquiry into
the Confidentiality of Health Records) as a computer consultant.  One of the
things that seemed pretty obvious from a review of literature and the 
investigation of various health databases (eg: OHIP, WCB, Corrections, VD
registry and a few non-health ones for comparison purposes) is that, 
frankly, a single identifier wouldn't make all that much difference.  
Because you don't need anything more than a name and address to do a 
match.  And, names and addresses are a hell of a lot easier to
get than your SIN.  Heck, just simply knowing *who* to target for a match
gives you enough to do the match.  Think about it - how many of your friends, 
associates, people you do business with have your SIN number?  Probably 
pretty darn few (except of course, for bank employees etc).  But all of 
them know your name, and most of them your address - if not, chances are that
it can be pulled out of the phone book anyhow.  And, there's a Real-Estate
book that contains just as much about you (sorted by street address) as 
the Revenue Canada data does - including unlisted phone numbers!  And you
can buy one (actually, rent, but who cares) for about $200.  That, frankly, 
is a far worse exposure than the Revenue Canada one.  And, nobody's noticed 
it! (I just wonder where the hell they get all the data from...)

The really sensitive databases (eg: OHIP, VD registry etc.) don't have
SIN numbers in them.  In fact, when we were investigating improper access
to OHIP data, the vast majority of the probes didn't even have OHIP numbers!
It was quite simple - several members of the Subrogation Dept. thought that
it was their duty to provide some data to insurance investigators which
didn't have the OHIP numbers of their "targets" - so the OHIP staff simply
looked it up in the OHIP fiche sets that were keyed by name.  In spite of
the fact that the OHIP "enabling" legislation strictly forbids ANYONE from
looking at OHIP data (other than the MRC).

Actually, (as awful as it is to say for a computer scientist) the main
defence we have against large-scale matching is that the raw databases
in these systems are such an awful kludged up mess and are so big that 
it simply ain't worth the trouble in most cases.  It's taken OCTRF years 
to be able to do the limited matching they do.  The most damaging and
likely problems are almost always due to disgruntled employees of some 
of these organizations (and have I got a lot of horror stories about 
that) divulging info.  All the computer security in the world doesn't 
make that big a difference here.  Nor does restricting use of unique IDs.
Physical security, bonding and employee background investigations (more
privacy invasion if you prefer) do make a difference.

If people are sufficiently interested in following this stuff much further, 
I could give a "pocket" summary of what we found.  You'd be surprised.
Chances are almost 100 percent that this is simply another disgruntled
employee trying to embarrass his employer, and in actuality isn't all 
that particularly dangerous.  On the other hand, "live" VD registry data, 
or in some cases OHIP *IS* dangerous.  People die (and I'm not speaking 
figuratively!) when mistakes are made in releasing "just" OHIP data.  
Revenue Canada data is merely a nuisance.
-- 
Chris Lewis
Spectrix Microsystems Inc,
UUCP: {utzoo|utcs|yetti|genat|seismo}!mnetor!spectrix!clewis
ARPA: mnetor!spectrix!clewis@seismo.css.gov
Phone: (416)-474-1955

manis@ubc-cs.UUCP (11/20/86)

In article <623@water.UUCP> jmlang@water.UUCP writes:

>... knowing that government files, or for that matter any
>files containing personal information, can and will fall in
>unintended hands, I am not sure what the safeguards should
>be to minimise any damage. Anybody out there have any idea?

According to an article in yesterday's Globe and Mail, the shoebox in
question lived in a storage room whose walls contained a posted injunction
to return the box or specific fiches when finished with them. Apparently,
Revenue Canada employees didn't have to do anything more than sign out
what they needed; there was no human supervision.

Although I generally don't believe in technofixes, this is one situation in
which a computer system would never have allowed this theft to occur. Can
you imagine any "secure" system which would let a user say "RETRIEVE ALL TO
PRINTER"? A good computer system would log each access to a file, rendering
blanket theft easily detectable ("Mr Bloggins, why did you access nine
thousand files today?").
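
Added example (not part of the original post): a sketch of the per-access
logging check described above, flagging any user whose distinct-record count
for a day exceeds a fixed ceiling or dwarfs what colleagues retrieved that day.
The log format, thresholds, record ids and every user name other than
"bloggins" are assumptions constructed for this illustration.

```python
from collections import defaultdict
from statistics import median


def parse(lines):
    """Yield (day, user, record_id) from 'YYYY-MM-DD user record_id' lines."""
    for n, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) != 3:
            # A malformed audit line is an error, not something to skip silently.
            raise ValueError(f"line {n}: expected 3 fields, got {len(fields)}")
        yield tuple(fields)


def distinct_per_user_day(lines):
    """Count distinct records per (day, user); re-reading one file counts once."""
    seen = defaultdict(set)
    for day, user, record in parse(lines):
        seen[(day, user)].add(record)
    return {key: len(records) for key, records in seen.items()}


def flag_bulk_access(lines, hard_limit=1000, peer_ratio=10, floor=50):
    """Return [(day, user, count, reasons)] for blanket-retrieval suspects.

    hard_limit: absolute ceiling on distinct records per user per day.
    peer_ratio: alert when a user reads this many times the median of the
                other users active that day (and at least `floor` records).
    All three thresholds are assumed values chosen for the sample data.
    """
    by_day = defaultdict(dict)
    for (day, user), count in distinct_per_user_day(lines).items():
        by_day[day][user] = count

    alerts = []
    for day in sorted(by_day):
        users = by_day[day]
        for user in sorted(users):
            count = users[user]
            peers = [c for u, c in users.items() if u != user]
            reasons = []
            if count > hard_limit:
                reasons.append("hard_limit")
            if peers and count >= floor and count >= peer_ratio * median(peers):
                reasons.append("peer_ratio")
            if reasons:
                alerts.append((day, user, count, tuple(reasons)))
    return alerts


def sample_log():
    """Constructed access log: three quiet days' worth of clerks plus outliers."""
    volumes = [
        ("1986-11-17", "bloggins", 14), ("1986-11-17", "adams", 11),
        ("1986-11-17", "chen", 16),
        ("1986-11-18", "adams", 12), ("1986-11-18", "chen", 9),
        ("1986-11-18", "bloggins", 9000),
        ("1986-11-19", "adams", 10), ("1986-11-19", "chen", 12),
        ("1986-11-19", "dupont", 300),
    ]
    lines = []
    for day, user, count in volumes:
        lines += [f"{day} {user} F{i:06d}" for i in range(count)]
    # Repeated reads of one record must not inflate the distinct count.
    lines += ["1986-11-18 adams F000003"] * 5
    return lines


if __name__ == "__main__":
    for day, user, count, reasons in flag_bulk_access(sample_log()):
        print(f"{day} {user}: {count} distinct records ({', '.join(reasons)})")
```

The peer comparison catches the 300-record day that stays under the fixed
ceiling; with no other user active that day, only the ceiling applies.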

wjjordan@watrose.UUCP (11/21/86)

In article <7329@utzoo.UUCP> henry@utzoo.UUCP (Henry Spencer) writes:
>> Have you noticed how many forms you have to fill that contain
>> the S.I.N., even though there are only 3 or 4 official uses for
>> it : your employee record, your income tax form and ...?
>> With such a Universal number, invasion of privacy by computer
>> matching is a definite possibility...
>
>It's surprising how many of those forms will be quietly accepted, with
>no hassles, if you just "forget" to fill in the SIN.  I've been doing this
>for years, and have never been challenged on it.  (Plan B, should I ever
>be challenged on this, is "I don't have it with me".)

Actually, unless it is for government purposes such as income tax or
UI, you are not obliged to provide, and the organisation is
not allowed to insist that you provide, your Social Insurance Number.
You may voluntarily give it to these other groups, and then they can use
this information (and anything else it gives them legal access to) as they
see fit.

Regarding Plan B:  The back of the SIN card says "Keep on your person."
Fortunately, it is still legal to go around without a SIN, and if you have one,
without the card.  ("Pull over!  SIN police!  Do you have your SIN card?"--hmm,
War Measures Act, anyone?)

Humorous SIN anecdote:  While in the registration line-up at HMCS Quadra
the petty officer at the desk asked the guy in front of me, "What's your SIN?"
The cadet responded, "Adultery."

-- 
It's the shampoo manufacturers that have defined the most expensive
endless loop:  "Lather, rinse, repeat."

	     W. Jim Jordan
CANADA POST: 365 Hazel St., Waterloo, Ont., N2L 3P3
USENET:      ...watmath!watrose!wjjordan

manis@ubc-cs.UUCP (11/21/86)

Chris Lewis remarks (in an extremely informative posting) that you don't
need a SIN to open a bank account. I'm afraid that this statement is
incorrect: the Tax Act requires that banks report interest on accounts (and
therefore a SIN is required). I'm not sure about the status of non-federally
chartered institutions such as some trust companies and all credit unions,
but, since the regulation is related to income reporting, I would assume it
applies here, too. (I know my credit union wanted my SIN when I joined.)

msb@dciem.UUCP (Mark Brader) (11/21/86)

> > (Plan B: ... "I don't have it with me.")
> Regarding Plan B:  The back of the SIN card says "Keep on your person."
> Fortunately, it is still legal to go around without a SIN, and if you have
> one, without the card.  ("Pull over! SIN police! Do you have your SIN card?"
> ...)

Well, that depends on how old it is.  The back of mine says: "Keep one
copy on your person and put the other in a safe place."  This means that
there are two places that someone could steal it from...
Mark Brader

ccplumb@watnot.UUCP (11/22/86)

In article <497@ubc-cs.UUCP> manis@ubc-cs.UUCP (Vincent Manis) writes:
>Chris Lewis remarks (in an extremely informative posting) that you don't
>need a SIN to open a bank account. I'm afraid that this statement is
>incorrect: the Tax Act requires that banks report interest on accounts (and
>therefore a SIN is required).

I think Chris Lewis is right...  I have a bank account (chequing, money-
machine card - all the goodies), but no SIN.

"I'm doing my bit for anarchy.  How about you? ;-)"

	-Colin Plumb (ccplumb@watnot.UUCP)

And the obligatory ZippyQuote:
We have DIFFERENT amounts of HAIR --

wagner@utcs.UUCP (11/23/86)

Chris Lewis alluded to a public registry of information about people,
including unlisted telephone numbers, and asked how they get all that
information.

A few years ago, a friend of mine was just leaving his house when he
was stopped by a person who wanted to confirm some information for
'The Toronto Registry' (or some such official sounding name).  He 
challenged him (her?  I don't remember).  No more information was
forthcoming; the Toronto Registry was the Toronto Registry.  No information
about who compiles it, etc.  He asked to look at the information they 
already had about him.  The registry listed his name, occupation, place of 
work, phone number, a good approximation of his salary, job title, and
so on.  He was convinced, from the quality of the information, that the
personnel department where he worked or a bank must have supplied a good bit
of the information.

Interesting....

Michael

glee@cognos.UUCP (Godfrey Lee) (11/23/86)

Did anyone see the news report that the suspect "has opened"/"wants to open"
an agency to track down people for a fee? It would seem that the records the
man was charged with stealing would be very useful for that, considering that
they contain name, address, and SIN.
-- 
-----------------------------------------------------------------------------
Godfrey Lee, Cognos Incorporated, 3755 Riverside Drive,
Ottawa, Ontario, CANADA  K1G 3N3
(613) 738-1440				decvax!utzoo!dciem!nrcaer!cognos!glee
-----------------------------------------------------------------------------

acton@mprvaxa.UUCP (11/24/86)

In article <497@ubc-cs.UUCP> manis@ubc-cs.UUCP (Vincent Manis) writes:
>Chris Lewis remarks (in an extremely informative posting) that you don't
>need a SIN to open a bank account. I'm afraid that this statement is
>incorrect: the Tax Act requires that banks report interest on accounts (and
>therefore a SIN is required). 
 
When I worked in a bank you didn't need a SIN number to open an interest
bearing account. However, when it came time to pay the interest they
would withhold the maximum amount that might possibly have to be paid in income
tax.  I think a certain amount of interest had to be earned before this
rule applied (> 50?). 

  Donald Acton

clewis@spectrix.UUCP (Chris Lewis) (11/24/86)

In article <497@ubc-cs.UUCP> manis@ubc-cs.UUCP (Vincent Manis) writes:
>Chris Lewis remarks (in an extremely informative posting) that you don't
>need a SIN to open a bank account. I'm afraid that this statement is
>incorrect: 

>   the Tax Act requires that banks report interest on accounts 
>	(and therefore a SIN is required).

The parenthesized part is not necessarily a consequence of the former.

Certainly, the banks are required to report interest, but this doesn't 
necessarily mean that you have to supply them with a SIN.  All they do
is give *you* the T5's and *you* send them off to Taxation.  As such,
there isn't any particular need for a SIN number because your SIN number
*must* be in the return itself.  As there isn't with tuition fee 
receipts, profit declarations from capital gains etc.

A friend informs me that on CBC (Cross-Country-Checkup regarding the
Privacy Commission a day or so ago) somebody said that theoretically 
the Banks do not need the SIN number, but their practice, (presumably to 
reduce distribution hassles, tie into future RRSP, CSB stuff etc., and
problems during Revenue investigations when the revenoors say "give us
everything you got on person so-and-so"), is to ask you for it.  The 
comment was that there are banks who didn't insist upon SINs.  I would imagine
that Revenue Canada appreciates the banks who do insist on SINs - makes it
a little easier to ensure that a T5 in a return corresponds to a given person.

I would imagine though, that like the US, the banks might have to report 
certain categories to the govt., though not necessarily to Taxation.  
I've been told that all cash deposits in the US over $10,000 have to be 
reported to the FBI!  (Rationale: Anything over 10K in cash has to be drugs...)

I imagine that it is also possible to refuse a SIN to your employer (given
that the employer still hired you) and it shouldn't make much difference
(except for nuisance value to employer).  This would be roughly equivalent
(regarding Revenue Canada's trust of your return) to being self-employed.

Hmm, I'll have an opportunity to test (or at least enquire about it)
this latter point shortly...

There is a big difference between "required procedure" and "practice".
Many organizations insist on certain things simply to make their accounting/
paperwork easier.  They rely on the fact that most people won't object - won't
even think about it.  Rather than being a "sheep" you can refuse to go
along with this.  However, there *may* be a *bigger* risk in refusing to
supply a SIN number.  Then there is much more possibility for confusion
between you and another person with the same name - and you might never
guess that one of the credit bureaus or investigative agencies has
you confused with somebody who skipped on a mortgage and child support
payments in Calgary.  The SIN number does protect you in a way - tends
to ensure that your records are more accurate.  Even though I know that
it is perfectly reasonable to refuse to give some organization a SIN number,
most of the time I give it anyways - to protect *myself* against corporate
screwups.  And corporate screwups of this nature are almost always *far* *far* 
more likely and damaging than somebody trying to do a computer match.

The nastiest situations OHIP got itself into were simply processing mistakes
where only the patient and family were involved and were largely as a result
of ID-related screwups.  In comparison, breaches of security involving others 
were mere nuisances (though there were lots more of them).
-- 
Chris Lewis
Spectrix Microsystems Inc,
UUCP: {utzoo|utcs|yetti|genat|seismo}!mnetor!spectrix!clewis
ARPA: mnetor!spectrix!clewis@seismo.css.gov
Phone: (416)-474-1955

jmsellens@watdragon.UUCP (11/25/86)

In article <197@spectrix.UUCP> clewis@spectrix.UUCP (Chris Lewis) writes:
>Certainly, the banks are required to report interest, but this doesn't 
>necessarily mean that you have to supply them with a SIN.  All they do
>is give *you* the T5's and *you* send them off to Taxation.  As such,
>there isn't any particular need for a SIN number because your SIN number
>*must* be in the return itself.  As there isn't with tuition fee 
>receipts, profit declarations from capital gains etc.

The impression that this gives me is that Chris is not aware that the
T5 (and T4, T3? blah blah blah - gee - I've been away so long I can't
even remember all the numbers) are multi-part forms.  The T5 in particular
is a 4 part form: 1 for the issuer (e.g. the bank) 2 for you, one of
which you include with your return, and 1 that the issuer sends directly
to the government.  This is the same as the T4.

Things that provide you with deductions, like tuition receipts, the
gov't doesn't care if you don't claim them.  Gains and income, they
care.  If for example you had stock transactions during the year,
you would probably also have a T5 from your broker for interest
earned on your account.  Therefore the gov't could assume that you
have some stock transactions.

John Sellens

clewis@spectrix.UUCP (Chris Lewis) (11/26/86)

In article <1986Nov22.201542.12150@utcs.uucp> wagner@utcs.UUCP (Michael Wagner) writes:

>He was convinced, from the quality of the information, that the
>personnel department where he worked or a bank must have supplied a good bit
>of the information.

Does anybody know if corporations sell mailing lists of their employees?  
Some of it may be from enumerations.  Some of it could be from real-estate
firms.  I was living with my parents at the time, and was surprised to
see that they had correctly identified me as a "son" of the house owner, 
and where I was working.

I think it was called "The Brown Index", published by "Brown Publishing" 
in Toronto ("B"-something anyways) and I saw it in a real estate office.  
Had a blurb in the cover about "Being the property of Brown Publishing" 
and had to be returned.  (I snooped while our agent was negotiating with
the other party...)
-- 
Chris Lewis
Spectrix Microsystems Inc,
UUCP: {utzoo|utcs|yetti|genat|seismo}!mnetor!spectrix!clewis
ARPA: mnetor!spectrix!clewis@seismo.css.gov
Phone: (416)-474-1955

clewis@spectrix.UUCP (Chris Lewis) (11/27/86)

In article <274@cognos.UUCP> glee@cognos.UUCP (Godfrey Lee) writes:
>Did anyone see the news report that the suspect "has opened"/"wants to open"
>an agency to track down people for a fee?

Oops, forgot about that one.  Yes, indeedy, it would be good for "skip 
tracing".  Interestingly enough, in Ontario, the OHIP enrollment file
is even better - the dates are frequently far more up to date, because
even tax avoiders (and others attempting to avoid payments) want to keep
their OHIP coverage up-to-date.  Until 1978/9 police were able to obtain
such information - the general manager of OHIP didn't realize that the
legislation enabling the existence of OHIP didn't allow it.  Not any more.  
However, there were far more private investigators using pretext calls 
to OHIP for the same end.  

As an example of where things are compared to what they were like in 1978
(when the Health Records Commission started), OHIP didn't know how many copies
of the OHIP enrollment fiche were made, where they went and never noticed
any going missing (quite a few copies did - though, most likely they were
simply misplaced or destroyed without being reported to the COM group).

One of the more interesting (and sneaky) techniques we ran into for collection
agencies acquiring info was:
	1) Send letter saying "You have won....(something or other)" along
	   with a cheque for $5 "Deposit Only" to debtor.
	2) Find out the name of the debtor's bank from the cancelled cheque.

I was asked to report a few other incidents that the Commission found:

1) Catastrophic OHIP data processing oversight:

	It is the practice of OHIP to collect several days worth of data
	entry at one of their district offices (there were 7 in 1978-79)
	and do an audit on them.  Once every couple of months.  This is 
	done by taking the several days worth of claims (in the order of
	100,000-400,000 claims) and running them through a program that would
	generate a letter of the form:

	    Dear <account holder>

	    Our records indicate that you, or members of your family
	    [remember OHIP numbers are for whole families, not individuals]
	    saw the following doctors on the following dates:

	    Dr A, <date>
	    Dr B, <date>
	    ...

	    Could you please inform us if any of this information is
	    incorrect?

	Note that there is no diagnostic code, service code or family member
	name.
	
	In one particular case, the account holder knew that one of
	the doctors was an OB/GYN, and reasoned out that it was his daughter
	(mid teens) who made the visit.  To make it brief, his reaction
	had as end result his daughter committing suicide.

	When this occurred, OHIP made some changes to their auditing program,
	such that when the diagnostic code or service code was a socially
	embarrassing thing (eg: abortions, D&C's, VD treatments - 20
	codes in all, probably more now) the letters do *NOT* contain 
	any reference to the associated visit.  I was asked to personally 
	inspect the OHIP code to ensure that this was being done properly.  
	It was - sorta.  When the senior analyst gave me the code, he said 
	"it makes me want to cry" - if written in C (it was in a 
	particularly grotty COBOL style), the code would have looked 
	something like:

	int skipdiag[] = {100, 200, 202 ... }; /* 10 entries, sorted */

	skipclaim(code) {
	    if (binarysearch(skipdiag, code))
		return(TRUE);
	    else if (code == 400 || code == 501 || code == 722...) /* 10 clauses */
		return(TRUE);
	    else
		return(FALSE);
	}

	I gather that the analyst responsible for this piece of junk
	got thoroughly yelled at.
-- 
Chris Lewis
Spectrix Microsystems Inc,
UUCP: {utzoo|utcs|yetti|genat|seismo}!mnetor!spectrix!clewis
ARPA: mnetor!spectrix!clewis@seismo.css.gov
Phone: (416)-474-1955
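
Added example (not part of the original post, and not OHIP's code): one way
to build the audit letter described above with the suppression codes kept in a
single set rather than split between a table and an if-chain. The service
codes, account numbers and dates are constructed placeholders, and holding
back claims with unrecognised codes is a design choice of this sketch.

```python
from collections import defaultdict

# Constructed placeholder codes; the post does not list the real ones.
SENSITIVE_CODES = frozenset({"S01", "S02", "S03"})
KNOWN_CODES = frozenset({"G10", "G11"}) | SENSITIVE_CODES


def select_visits(claims):
    """Split claims into printable visits per account and visits held back.

    A visit is (account, doctor, date). If ANY claim for that visit carries a
    sensitive code, the whole visit is omitted, so a routine claim billed on
    the same day cannot reveal it. A visit with a missing or unrecognised
    code is held for manual review instead of being printed (fail closed).
    """
    codes_by_visit = defaultdict(set)
    for claim in claims:
        key = (claim["account"], claim["doctor"], claim["date"])
        codes_by_visit[key].add(claim.get("code"))

    printable = defaultdict(list)
    held = []
    for (account, doctor, date), codes in sorted(codes_by_visit.items()):
        if codes & SENSITIVE_CODES:
            continue                      # no reference to this visit at all
        if not codes <= KNOWN_CODES:
            held.append((account, doctor, date))
            continue
        printable[account].append((doctor, date))
    # Accounts whose visits were all omitted get no entry, hence no letter.
    return dict(printable), held


def render_letter(holder, visits):
    """Format the letter body; only doctor and date are ever printed."""
    lines = [
        f"Dear {holder}",
        "",
        "Our records indicate that you, or members of your family",
        "saw the following doctors on the following dates:",
        "",
    ]
    lines += [f"{doctor}, {date}" for doctor, date in visits]
    lines += [
        "",
        "Could you please inform us if any of this information is",
        "incorrect?",
    ]
    return "\n".join(lines)


def sample_claims():
    """Constructed claims covering each case the selection logic handles."""
    return [
        {"account": "A1", "doctor": "Dr A", "date": "1978-03-02", "code": "G10"},
        {"account": "A1", "doctor": "Dr B", "date": "1978-03-05", "code": "S02"},
        # Same visit billed twice, one code sensitive: the visit is omitted.
        {"account": "A1", "doctor": "Dr C", "date": "1978-03-09", "code": "G11"},
        {"account": "A1", "doctor": "Dr C", "date": "1978-03-09", "code": "S01"},
        # Unrecognised code: held back rather than printed.
        {"account": "A1", "doctor": "Dr D", "date": "1978-03-11", "code": "X99"},
        # Account with nothing printable: no letter.
        {"account": "A2", "doctor": "Dr B", "date": "1978-03-06", "code": "S03"},
    ]


if __name__ == "__main__":
    letters, held = select_visits(sample_claims())
    for account, visits in letters.items():
        print(render_letter(f"holder of account {account}", visits))
    print("held for review:", held)
```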

mberkley@watdcsu.UUCP (11/27/86)

In article <201@spectrix.UUCP> clewis@spectrix.UUCP (Chris Lewis) writes:
>1) Catastrophic OHIP data processing oversight:
>	    Dear <account holder>
>	    Our records indicate that you, or members of your family
>	    [remember OHIP numbers are for whole families, not individuals]
>	    saw the following doctors on the following dates:
>	    Dr A, <date>
>	    Dr B, <date>

I used to work for the auditor of one of the provincial
medical plans, and they had a similar program.  Every month
they would send out these auditing letters.  They decided to
expand the audit one year, but slightly change the letters.
The new program printed out the subscriber's name, address,
and medical claims on a standard form that would be heat
sealed and mailed.

The auditor was very picky (a good trait for auditors), so
he had us check out the first batch, one more time, before
it was mailed.  We discovered that the programmer had somehow
managed to print out the name and claims of one subscriber,
and then the address for the next subscriber.

Don't ask me how he managed to do it, but I'm sure glad that
we checked!

Mike Berkley, Department of Computing Services, University of Waterloo

EAN:		mberkley@dcsu.waterloo.cdn
UUCP:		{allegra,ihnp4,utcsri,utzoo}!watmath!watdcsu!mberkley

dave@lsuc.UUCP (12/10/86)

In article <806@mprvaxa.UUCP> acton@mprvaxa.UUCP (Don Acton) writes:
>>Chris Lewis remarks (in an extremely informative posting) that you don't
>>need a SIN to open a bank account. I'm afraid that this statement is
>>incorrect: the Tax Act requires that banks report interest on accounts (and
>>therefore a SIN is required). 

The Income Tax Act requires a social insurance number solely for
the purpose of filing an income tax return (s. 237 and Regulation 3800).

Regulation 201(1)(b), however, requires that "Every person who makes
a payment to a resident of Canada as or on account of ... interest...
shall file an information return in prescribed form...". The prescribed
form is the T-5, which has a slot for the taxpayer's SIN. In practice
this appears to be a back door to requiring that persons opening bank
accounts give the bank their SIN, in order for the bank to be able
to comply with the Regulation.

>When I worked in a bank you didn't need a SIN number to open an interest
>bearing account. However, when it came time to pay the interest they
>would withhold the maximum amount that might possibly have to be paid in income
>tax. 

Not exactly, since there's no withholding in Canada on investment income
paid to residents of Canada. I don't see anything in the Income
Tax Act or Regulations which justifies quite what you said. I
suspect the justification may be that if the individual has not provided
a SIN he may not be a resident of Canada (though the two groups are
obviously overlapping sets), and therefore that the bank may be required
to withhold under ITA ss.212(1)(b) and 215(1). The non-resident
withholding tax on interest is 25%, reduced by treaty in many cases.

I'd be interested in hearing more specifics about what your bank
did, if you remember them.

>	I think a certain amount of interest had to be earned before this
>rule applied (> 50?). 

The T-5 is generally not issued if total interest income for the year
is under a certain amount. It used to be $50 but I believe may now be $100.
I can't find anything in the Regulations to support this; it's likely
just a Revenue Canada administrative practice.

Incidentally, anyone interested in learning about the Canadian
income tax system through CAI should drop me a line. We have
a complete course here, used for the Bar Admission Course,
which takes 10-20 hours. The first few lessons would be of interest
to individuals in general. Cost is $12 per hour of access (includes
Datapac access for those outside Toronto).

Dave Sherman
The Law Society of Upper Canada
Toronto
(416) 947-3466
-- 
{ ihnp4!utzoo  seismo!mnetor  utai  watmath  decvax!utcsri  } !lsuc!dave