The CRA and Internet security

We are committed to providing a secure online environment so that Canadians can find information and complete transactions with us. We use various Internet security tools to address Internet security concerns. Internet security requires a partnership between two parties—in this case, you and us. We have extensive security tools in place to protect your confidentiality, and our Web site enforces specific standards that you must follow to ensure that your personal information is protected when you transact with us online.

There are many steps you can take to reduce potential risks associated with using the Internet. Robust solutions to fight problems with security on the Internet are continually being developed to help electronic transactions carry the same level of security as paper-based transactions.

What we do to ensure security

The Internet is an open and public network. When it comes to doing business transactions or providing services involving confidential data, extra safeguards must be in place. We take steps to ensure the safety and integrity of transactions on our Web site. We ask that you do not transmit personal information to us using unsecured email because we cannot be sure of who is sending the message. We also won't send personal information through unsecured email because we cannot ensure your confidentiality. We provide alternate secure methods of communications for your use.

CRA uses specially configured computer Web servers for any business we do with you. We use corporate firewalls to protect our Web servers from unauthorized access. Your personal information is not stored on these servers; we securely store your personal information on separate computer systems that are not directly accessible from the Internet.

When transmitting personal information, access to our Web servers is limited to Web browsers that meet our security standards of encryption. We ensure that your personal and financial information is encrypted—or scrambled—when it is transmitted between your computer and our Web servers. This ensures that computer hackers and other Internet users cannot view or alter the data being transmitted. Our standard for encryption is the 128-bit Secure Sockets Layer Version 3.0 (SSLV3) protocol. This is one of the most secure forms of encryption available in North America and is a typical requirement for Web-based services—such as online banking or shopping—where securing personal information is a priority.

See our privacy statement for a summary of our Web site privacy policy and practices.

What you should do to ensure security

You have to follow some security guidelines to do online transactions with us. We also suggest precautions that you should take to maximize your protection.

For a secure transaction, you must use a Web browser that meets our security standards. Your browser is automatically tested before you begin a transaction, but you can also use our browser test to check it. In addition, you should keep your browser and operating system up-to-date by regularly applying available patches. Check with the supplier of your browser and operating system for more details.

For many of the transactions you can do online with us, you have to identify yourself properly. You need to give us three pieces of confidential information before you can use our confidential areas and services. These three pieces of identity information are used to create your digital signature. Make sure that you keep this information and any passwords or access codes confidential so that others cannot use your digital signature. Along with the rest of the Canadian Government, CRA is also moving towards using the Public Key Infrastructure (PKI) based digital identities known as an epass.

Some of our electronic services, such as NETFILE, require that you call us in order to change or replace a lost, misplaced, or compromised password or access code. Other electronic services such as epass Canada, used for the My Account service, will allow you change your password at your convenience.

You should change your password regularly. A good password is made up of letters (a mix of upper and lower cases), numbers, and characters, does not contain names or words found in the dictionary, and cannot be easily guessed.

You should have anti-virus software on your computer and update it regularly. Remember to regularly scan your computer for viruses. You may consider installing a personal firewall (some of which are free) on your computer to help control connections between your computer and other computers on the Internet, and to notify you of any attempted attacks on your system.

For many of the electronic services we offer you have to enable your browser’s cookies. Like with many Internet Web sites, the cookies help us to establish a secure session between you and us. Using cookies for this purpose does not put your computer or personal information at risk. We do not store any personal information in the cookies.

After you complete your visit with us, you should clear your page cache. You can do this by following the instructions on clearing your caches. You should also clear the browser’s cookie cache by closing and reopening your browser. By taking these steps, any cookie data that was saved in your cache during your visit to our Web site will be removed from your computer and will not be available to any unauthorized user.

For more information, visit our Internet security tools Web page.