Achieving Universal Access to the Internet: An Impossible Dream?
University of Ottawa, Department of Communications Speaker Series on Communication, Social Justice and the Common Good
Philippa Lawson
March 18, 1999
I work for the Public Interest Advocacy Centre, which is a small non-profit organization based here in Ottawa, devoted primarily to representing the residential consumer interest in the regulation of public utilities and the provision of essential services. PIAC has been around since the mid-70’s, and has been particularly active in the regulation of telecommunications services during this time.
Let me tell you a bit about my clients: they live on low, often fixed incomes, which do not leave a lot of room for discretionary spending. A lot of them are seniors, who have difficulty adapting to new technologies. A lot are single parents, struggling to raise children while making ends meet. Many are unemployed, and looking for work. A disproportionate number cope with physical disabilities, and like many seniors, find it difficult to get out of the house.
These are the people who would benefit most from being electronically connected, but they are also the people for whom a computer with Internet connection is a luxury which falls outside their budget. As a result, they fall, disproportionately, into the category of information “have-nots”, which just compounds the social marginalization they already suffer.
My work on behalf of these people over the past eight years has focused on maintaining the affordability of basic telephone service. This has been a major battle. The forces of competition and globalization, we found out, are insurmountable. However, we have won a few skirmishes, and in the process, obtained concessions that should prevent, or at least mitigate, some of the excesses of free-rein market forces. Yes, basic local phone rates have doubled since competition was introduced, but a mechanism is in place to limit further increases, the number of homes without phones is being monitored with a view to potentially establishing a targeted subsidy for low income households, and various rules are in place to protect consumers from abusive behaviour by marketers.
Until recently, groups like the National Anti-Poverty Organization did not consider Internet access to be an essential service – by essential, I mean necessary for full participation in society. In fact, I can’t say that they consider it essential right now, in the same way that phone service is essential, but they do recognize the speed with which this new electronic medium is catching on, the tremendous potential that it holds for their constituents, and the risk of increasing marginalization that unequal access to the Internet poses for their already disadvantaged members.
As a result, they are calling on the federal government and the CRTC to ensure, through regulatory mechanisms or otherwise, that all Canadians have access to a defined set of basic telecommunications services, including, but not limited to single line service (as opposed to party line service), flat rates for local calling and local access to the Internet at speeds that meet contemporary standards.
I’m quoting from a document entitled “Consumer Charter for a Connected Canada” – a manifesto of sorts signed by over 150 organizations from across the country, and presented to the CRTC and the government during the CRTC’s recent proceeding on high cost areas. The Charter calls for comparable rates and quality of service in rural and urban areas. It calls for affordable prices for “basic service”, and for public input into an ongoing process of determining what constitutes “basic service”. And it calls for subsidies to achieve these ends.
One thing that these groups share is the knowledge that market forces tend to work in favour of the already privileged and to the detriment of the vulnerable; that one of the most important roles of government in the information society is to intervene in proactive ways so as to harness technology and market forces for the benefit of society.
Access to What?
The Internet is not easy to describe, because it is sui generis – it’s a completely new thing.
When radio was first introduced, it was referred to as “wireless telegraph”. People were groping for familiar concepts that they could attach to it. It took some time before everyone understood what radio was. Similarly with the Internet: we’re still getting used to the concept.
I initially used the term “information highway” in my title. But like “wireless telegraph”, it’s an inadequate analogy. What we are talking about is far more than a route – it’s also the destination. It’s not just a mode of transport – it’s also the act of driving. It’s about more than information – it’s also about communication.
The Information Highway Advisory Council characterizes the Internet as “rather than a highway, … a personalized village square where people eliminate the barriers of time and distance and interact in a kaleidoscope of different ways.” Others have referred to it as an “electronic commons”. But we’re not just talking about public space here, although that might be exactly what we need to focus on. We’re also talking about individual and commercial private spaces, which can be accessed through this common medium.
Certainly, the highway metaphor doesn’t capture the participatory nature of this medium, nor the fact that information exchange and interactivity on the Net has a cumulative, multiplier effect: the whole is greater than the sum of the parts. Nor does it capture the multiple roles which a single user can play: as author and reader, producer and consumer, teacher and student.
The problem is that there doesn’t seem to be a term that encapsulates what electronic networks can do and are doing for people. There doesn’t seem to be a perfect analogy for the range of applications that the electronic media present: e-mail, listservs, websites – both commercial and non-commercial, discussion groups, government information and services, consumer transactions, distance education…
So let’s just use the term “Internet” – that’s what it is. We’re reaching the stage where we don’t need to analogize.
Here’s what people are using the Internet for right now: [show slides with survey results]
The Importance of Access
Why is access to the Internet so important?
1. The value of any network increases with the square of the number of individuals connected. This is what makes networks unique among other utilities like roads, transportation, electricity, etc. – their economic value depends upon their coverage. Imagine if we had a number of separate telephone networks, each an entity unto itself. Any one network would be of limited value, since it would allow you to reach only a limited number of people. So, the more people hooked up, the more valuable the network is to its existing subscribers. (This applies to users both as consumers and producers: commercial entities benefit from universal access as well.)
2. Telecommunications links are particularly valuable to those living and working in rural and remote areas, where people often have no other option for communicating with family, friends, government agencies, or service providers, or for conducting business. Good telecommunications links allow for the revitalization of rural communities, through the opening of new economic opportunities, as well as the delivery of new educational and health care services.
Native peoples living in Canada’s north have long cited reliable, affordable communications facilities as a top priority for their cultural and economic survival. A representative from the Eastern Arctic told the CRTC in its hearings last spring that:
…the basis of the whole Government of Nunavut and our ability to compete in a global economy is going to be dependent on telecommunications services. Though right now people may be focused on basic services, the whole future, the one thing we have more than anything else is distance and isolation. Telecommunications will allow us to bridge those.
In fact, the CRTC heard over and over again from people in rural and remote areas how important it is to their communities and economies that state-of-the-art telecommunications service, including Internet access, be provided at affordable rates.
As the Mayor of Yellowknife stated,
One of the great ironies of living and working in the North is that its remoteness and challenging environment have resulted in both the highest cost for and greatest reliance upon telecommunications in all of Canada.
If made available at affordable prices to people in rural and remote areas, the Internet has the potential to significantly reduce regional disparities.
It also has the potential to bridge distances, both nationally and internationally. While language differences will continue to be an obstacle, increased communication between people of different cultures and nationalities can contribute to global cooperation and international understanding. People with common interests worldwide can share their knowledge and enthusiasm. Families can maintain close links over large distances. The world can be a better place.
3. The most important reason why we should be working to achieve universal access to the Internet is its potential for individual and community empowerment. Not only can Internet access break down regional barriers, it can also break down social barriers. Individuals can, at minimal cost, set up websites, promote themselves, advertise and publish their work. People suddenly have vast quantities of information at their fingertips, an unprecedented opportunity for personal growth and learning. With e-mail, we now have a revolutionary new way of communicating. This is about much more than consumerism (assuming that commercial interests don’t take over the Internet); it’s about empowering people in their social roles as citizens and community members, as well as in their economic roles as producers and consumers.
I’m sure that you’re all familiar with that saying “The great thing about the Internet is that no one knows you’re a dog.” Well, it’s been pointed out that on the Internet, no one knows that you’re homeless. In fact, homeless people are using free e-mail and Internet access at public sites like libraries to inform themselves, to communicate with others.
Listen to what this senior has to say about the National Capital FreeNet:
“As a senior, a lot of time housebound, my computer is my best friend… to contact my friends, to learn and keep up with the world… and as a retired teacher, I also communicate with the schools and write to the students who have written on their school’s page….I enjoy my computer and the Internet… as a friend… as an escape when I cannot go out… to keep my mind working, to learn, to continue to learn… while I am still alive.”
But just as the Internet can break down social barriers, it can further reinforce them. The knife cuts both ways: if we don’t achieve universal access, if Internet access remains a privilege of the social elite, we risk exacerbating existing social disparities and creating an even more polarized society of “information haves” and “information have-nots”. The stakes are high.
It’s another story at the level of communities – and I don’t just mean geographic communities. Here, the Internet is proving itself to be a tremendously powerful tool of influence. It has been said that “the easier it is to communicate, the faster change occurs”. Advocacy groups can now share information, network among themselves, and mobilize their members like never before.
Look what happened to the MAI when the word got out over the Internet. Look what happened to Suharto, when students used the Internet to organize their movement for democracy in Indonesia. Look what has happened to Pinochet, now that human rights groups can mobilize in support of the Spanish prosecution. These are wonderful examples of citizen empowerment, that were made possible in large part by the Internet.
Individual empowerment, citizen participation and advocacy, community development – THIS is why access to the Internet is so important.
But there is an awareness hurdle ahead of us. Significant proportions of Canadians don’t appreciate the benefits that Internet access can bring them. According to a 1997 survey of Canadians by Ekos Research, almost half of those without a computer at home cited as the main reason that they didn’t need one, or weren’t interested in having one. Over half of those without Internet access from home cited lack of interest or need as the main reason. One quarter of non-Internet users in Canada think that the Internet has no information of interest to them. These people are primarily older, lower income and rural. In some respects, they are the very people who could benefit most from the technology.
More recent statistics show a disturbing trend: since the Fall of 1996, the percent of Canadian adults with access to the Internet (from home or work) has grown from 37% to 55%. But, it’s stayed at 55% for the last several months – we seem to have reached a plateau in access. At the same time, those connected (largely upper income, urban, young and male) continue to increase their usage.
Lest we get too excited about the potential of the Internet, I feel obliged to point out a few sobering statistics. These shouldn’t really surprise you:
51% of weekly web users in Canada (26% of Canadian adults) say that they get frustrated. (When I told my husband this, he asked “what are the other 49% smoking?”)
According to the Ekos survey, a significant minority (42%) agreed with the statement that “the Information Highway is destroying human relationships with its emphasis on keyboards and impersonal contact”.
The same proportion (43%) said that they actually knew “some people who spend so much time at home using the Internet and other computer activities like games, that it has had a negative impact on the quality of their family life”.
The Internet has tremendous potential as an agent of social change, but this potential is not unmitigated.
The Meaning of Access
A great deal of work has been done by Leslie Shade, Andrew Clement and others on the conceptualization of access: breaking the concept of access down into its various elements, and thereby broadening the discussion beyond mere connection to include content, literacy and governance. I’m going to assume that you are familiar with the seven layer or “rainbow” model of access that Leslie and Andrew developed, and instead give you a slightly different, but complementary, analysis.
I see access as having five constituent elements: availability, affordability, accessibility, operability, and governance. In each case, we are talking about the individual not just as a consumer, but also as a producer; not just as a receiver, but also a provider. Interactivity is fundamental to our concept of access.
1. Availability
Many people – most people worldwide, and some within Canada – do not even have available to them a means of connecting to the Internet. I’ve referred to a recent CRTC proceeding on high cost areas – we found out, in that proceeding, that many Canadians, particularly in northern areas, don’t even have phone service, not because the rates are unaffordable, but because the service is simply not available. Many more with telephone lines still don’t have access to the Internet, whether because of poor line quality or lack of a local Internet service provider (ISP).
2. Affordability
Providing a means of physical access is of limited value unless people can afford to take advantage of it. We need to find ways of achieving affordable access without stifling competition among service providers. Postal service used to be our primary method of distance communication. Telecommunications, and increasingly the Internet, have taken over that role. Just as rates for postal service were regulated to be equitable and affordable for all Canadians, rates for basic telecommunications service, the platform on which Internet access is built, need to be maintained at equitable and affordable levels.
But the physical network is not the only expensive part of this equation. You need a computer and a modem in order to connect with the Internet. You need software. You need a network access provider. No wonder that there is a “digital divide”! No wonder that half as many low income Canadians use the Internet as do higher income Canadians. No wonder that less than half as many low income Canadians have a computer in the home, and only a third as many have Internet access from the home. No wonder that 38% of Canadians without a home computer cite cost as the main reason. (Interestingly, only 20% of those without Internet access cite cost as the main reason).
Affordability is an issue at every stage: computer hardware prices, software prices, rates for the underlying facilities over which the Internet will be reached, and rates charged by the gatekeepers to the Internet.
3. Accessibility
The service may be available and affordable, but if it’s not designed so that everyone can use it, including those with disabilities, then we will be once again further marginalizing an already disadvantaged population. Devices need to be easy to use – for everyone. And speaking from personal experience, we need to do something about repetitive strain injury.
4. Operability
Computers, interactivity, e-mail, the Web – it’s a whole new language, a completely strange and unfamiliar medium, which intimidates people (at least, adult people). Concepts such as websites, search engines, newsgroups, modems, Internet Service Providers – these are all foreign to many people. Sure, some people can pick it up fast, but I can tell you from experience that many more have real difficulty.
Take my father: even after three or four years of writing almost daily letters to the editor on his computer, I’m still not sure that he understands the concept of files and directories. He’s become a big e-mail user, but has barely ventured onto the Web – it’s just too much: too much information; too much frustration, in his view.
And that’s assuming that everything is working properly. Things go wrong far too often. It’s a legitimate question whether computers in the workplace have actually improved productivity. Think of all those files you’ve lost, time you’ve spent trying to access e-mail attachments, or frustration you’ve had dealing with viruses. Why can’t my colleagues with Microsoft Word read my documents in WordPerfect? Why doesn’t the help menu ever have what I’m looking for? Why do my return e-mails to spammers always come back “undeliverable”?
A key element of access is overcoming these obstacles to frustration-free usage. Computer systems and programs will have to become more inter-operable, less prone to breakdown, and more dummy-proof, if the vast population of non-users is to be convinced.
In the meantime, training and support will continue to be a critical piece of the puzzle. People need to be taught this new language: it is not going to come naturally.
5. Governance
Finally, and in some ways most importantly, is the issue of governance. Like availability, affordability, accessibility and operability, the issue of governance arises at all levels of access: at the level of the markets for computer hardware and software; the provision of underlying facilities; the provision of Internet access; and the Internet itself – Who controls domain names? How are technical standards and protocols decided? Who ultimately controls the Internet?
In each of these areas, there must be a structure of governance that is accountable to the public, that has as its overriding concern the public interest, however elusive that concept might be.
Looking first at the markets for access services and devices, we have learned over and over again the impermanence and limitations of competition and market forces. Regulatory bodies such as the Competition Bureau and the CRTC are essential in order to cultivate healthy competition, to guard against anti-competitive mergers and business practices, and to fill in the gaps that market forces leave open.
The Microsoft case currently underway in the US, in my view, is a good example of governments acting in the public interest to promote real, sustainable competition in an important market. The CRTC’s recent ruling requiring service providers to contribute toward the subsidization of rates in high cost areas is another good example of appropriate regulatory intervention.
And the process followed by the CRTC in coming to its decisions is public and open. The CRTC’s recent proceeding on New Media is a great example of appropriate public consultation, of including the public in policy-making right from the beginning.
Regulation and governance pose much more difficult issues at the international level, where the predominant ethos is one of laissez-faire, and where multinational corporations seem to be running the show. We must beware that our national governments don’t bargain away in trade negotiations their rights to take regulatory measures designed to improve and extend access.
Turning to the Internet itself, things get messier. We don’t have existing structures or even models of governance appropriate to this strange creature. We have to come up with something entirely new. The prevailing belief out there seems to be that the Internet is a well-functioning anarchy, and that we can and should just let it be. I’d like to believe that too, but unfortunately, the facts tell a different story. There are, in fact, a number of control points which provide tremendous power over the Internet to those in charge.
Until recently, the US government was in de facto charge. It provided the brains and the funding behind the various ad hoc processes and structures in control of the Internet. That has changed. A new, non-profit organization called ICANN (Internet Corporation for Assigned Names and Numbers) has been formed to take over the centralized decision-making functions necessary to the operation of the Internet. This private-sector model of Internet governance has been endorsed by 17 national governments, including Canada, who take the position that solutions to the fast-moving evolution of the Internet must be market-led.
It remains to be seen how the public interest will be served by a private body with no clear lines of accountability. One can’t help but be reminded of the IOC and its recent shenanigans. Even more disconcerting is the potential for private commercial interests to take over what was a model of user participation and cooperative processes and procedures.
I agree with those that advocate moving the ICANN process to an international agency representative of and accountable to all those communities that use the Internet, and that make up the global public interest. We need to ensure that whatever governance processes develop, they are subject to influence by the full range of public interests worldwide and are not beholden to the interests of a dominant country or stakeholder sector.
So, that’s what I mean by “access”.
“Universal Access”
Which still leaves open the question of what we mean by “Universal Access” – where’s the limit? How much are we willing to spend to hook up those in really isolated locations? To bring broadband access to every home? How far do we go pushing this on people who aren’t keen?
At some point, the cost/benefit scales shift. This is a difficult call to make, and I can tell you that no one wants to make it. I suspect that it will continue to be made by default, and that we will have enough trouble extending access to those in need that we won’t have to worry about overextending. The good news is that costs continue to decline, and as they do, the limits of what is economically feasible and publicly acceptable continue to be expanded.
In the meantime, the Canadian government is doing the right thing under its agenda of “Connecting Canadians”, by concentrating efforts on supporting community initiatives and by providing Internet access in public places like libraries and community centres. Recent surveys show strong public support for these initiatives. They also show that a slight majority of Canadians would consider going to a community access site in order to use the Internet free of charge.
It’s also important not to get so carried away with access initiatives that we lose sight of the context. Many people don’t want access – they have cottages precisely to get away from it all. For many, the last thing they want to do after a day of staring at a computer screen developing carpal tunnel syndrome at the office is to come home and do more of the same. There’s no need to subsidize home access for these people, and we certainly shouldn’t be pushing something on them that they don’t want.
Conclusions
Is universal access an impossible dream?
I don’t think so, at least not in Canada. Relative to most other countries, we are well on the way – we have high telephone penetration rates, high cable TV penetration rates, and relatively high Internet access rates. Our government has made a serious commitment to connecting all Canadians, and is putting a lot of effort into seeing this happen.
But there’s a lot more work to be done.
We need to focus on the less privileged end of the social spectrum, and direct government subsidies and programs to the most needy.
We need to follow up on the provision of equipment and connections, with adequate support and training.
We need to create sustainable community access initiatives which cultivate public space on the Internet, where citizens can engage in discussion and learning away from the hubbub of the marketplace.
We need our governments to intervene in the market when competition is not doing the job, or when healthy competition is being threatened by dominant players.
We also need our governments to develop publicly accountable and participatory models of governance for the Internet.
We’re well on the way, but it’s no time to relax.
Thank you.
Protecting Personal Information on the Internet: The Canadian Approach
Philippa Lawson
Counsel, Public Interest Advocacy Centre
CPSR Conference, Boston MA
The subject of this panel couldn’t be more timely for a Canadian – just a few days ago, our federal government tabled legislation to protect personal information in the private sector, and it is notable that the driving force behind this initiative is the growth in Internet use – in particular, electronic commerce.
In fact, the privacy provisions are part of a broader Bill entitled “An Act to Support and Promote Electronic Commerce…”; the Bill also clarifies the legal status of electronic signatures and documents. As a privacy advocate, I’m deeply uncomfortable with this approach of situating basic privacy rights in the context of promoting electronic commerce, but it does appear that the privacy protections in the Bill stand on their own, and apply to all forms of commercial activity. (Bill C-54; available on Canada’s Parliamentary Website: www.parl.gc.ca).
While this legislation remains to be reviewed and passed by Parliament, it is a major initiative, especially considering some very vocal opposition from business lobbies.
I would like to briefly describe how we got to this point in Canada, what the Bill says, and what its prospects are.
The need to control government’s use of personal information has long been recognized in Canada, through legislation applicable to the federal government and most provinces. Under these statutes, Privacy Commissioners receive complaints, conduct investigations, resolve disputes, and make recommendations – but only with respect to matters involving government.
However, with the exception of one renegade province – Quebec – Canadians are basically unprotected as far as their personal information is concerned once it enters the hands of a commercial entity.
Quebec is the only jurisdiction to have laws which establish a right to privacy in the private sector, and which place strict limits on the ability of commercial entities to collect, use and disclose personal information (defined as any information about an identifiable individual). Through its Civil Code (a legal instrument unique to civil law regimes), and its more recent statute respecting the protection of personal information in the private sector (enacted in 1993), Quebec has codified the right to control over one’s personal information, and has given its Privacy Commissioner the power to fine companies in breach of the law. I think this probably reflects the more European outlook of Quebec – a higher value placed on individual privacy, and a more pragmatic view of market forces.
What do Canadians think?
Public opinion surveys over the past several years indicate growing concern about privacy, and a desire for government action. Canadians are starting to wake up to the fact that they have lost control over their personal information, and they are not happy about it.
Meanwhile, the Canadian government is very much awake to the fact that trade with Europe could be seriously hindered if Canada does not establish data protection standards similar to those in place in Europe. The European Union’s data privacy directive takes effect on Oct. 25th, and it requires EU countries to block transmission of data to third countries whose domestic legislation does not provide similar privacy protection to that offered in the EU (e.g., individual rights to review, correct and limit the use of personal data).
Moreover, our current government wants to position Canada as a global leader in electronic commerce. Yet, a key reason cited by Canadian consumers for their reluctance to engage in electronic commerce is lack of confidence in how their personal information is gathered, stored and used by online businesses.
Recognizing that privacy legislation was a possibility, industry groups joined with government and public interest organizations in the early 1990s to develop a voluntary code for businesses to use in the treatment of customer information. From the beginning, industry hoped that its participation in this process would pay off by avoiding government legislation. Consumer and public interest participants, however, saw the process as worthwhile insofar as it would lay the groundwork for legislated privacy protection, something which they have consistently called for.
Despite these conflicting motivations, the working group’s efforts paid off. In 1996, the Model Code for the Protection of Personal Information was approved as a national standard by the Standards Council of Canada. The Code sets out ten basic principles of data protection, similar to those of the OECD. In brief, they provide for individual control over the collection, use and disclosure of personal information, like the Quebec law.
By adopting the Code, and subjecting themselves to independent audits, businesses can demonstrate that they are following fair, nationally accepted standards. Unfortunately, no corporations have yet seen fit to register.
However, a number of industry associations have developed model Codes for their members, based on the CSA principles. Some of these are very good – the problem is that they are not being put into practice.
In some cases, the Code is not binding, and members have simply not adopted it. In others, the policy ostensibly adopted has yet to filter down to the operations level. In still others, a significant number of businesses are not members of the association, and are therefore not bound by the Code – for example, approximately 20% of direct marketers in Canada are not caught by that organization’s binding code.
The point is: industry self-regulation in this context is bound to fail. Quite simply, there are too many market players who fall outside any self-regulated regime. We don’t even need to get into a discussion about lack of effective sanctions, or other weaknesses of voluntary codes.
It is therefore not surprising that some industry groups in Canada (e.g., the Information Technology Association of Canada, the Canadian Direct Marketing Association and the Canadian Federation of Independent Business) have expressed support for privacy laws based on the Model Code which they helped to draft.
Despite their distaste for any form of regulation, reputable industry players in Canada are recognizing that they will be better off, in the long run, under a legislated approach which encompasses the entire private sector.
And, to the surprise of many, no one is complaining about the regulatory regime in Quebec – business seems to be able to live with it.
So, it seems there was a happy confluence of forces leading to this recent initiative:
- public pressure;
- a committed Minister;
- dedicated and determined civil servants; and
- no solid or convincing industry opposition.
So, what does the legislation say?
It takes the CSA Model Code, and entrenches the ten principles, word for word, in a statute. I think this is a novel approach to legislation, and it has the strength of building on standards which were developed through consensus by the very stakeholders to whom they will apply. It represents one of the ways in which voluntary codes can be used in the public policy process – as the “backbone” of a law.
On the other hand, the CSA Code is considered a compromise by many privacy advocates, a reasonable first attempt that can do with improvements. For example, the Code requires businesses to limit the collection of personal information to “that which is necessary for the purposes identified by the organization”, but does not expressly limit the purposes for which the information can be used. This lack of any clear “purpose limitation” principle is not corrected in Bill C-54.
Other weaknesses of the Bill include overly broad exceptions to the rule of informed consent, limited powers on the part of the Commissioner to uncover and expose privacy violations, and a lack of any non-court recourse for complainants where an organization fails to comply.
The law will apply first to the federally-regulated private sector. Three years after coming into force, it will apply to all commercial activities in Canada that are not already covered by similar provincial privacy laws. In other words, the federal government is giving the provinces a chance to act, but if they fail to do so within three years, they will be effectively trumped. (I expect that we’ll be hearing from the provinces on that aspect of the Bill!)
The federal Privacy Commissioner will be mandated to investigate and report on complaints, as well as to engage in educational activities. He will also be empowered to audit organizations who appear to be violating the Act, but only where he has reasonable grounds to believe that the statute is being violated.
Complainants will have ultimate recourse to the Federal Court, which has broad remedial powers including the awarding of damages for humiliation, of up to $20,000.
This is so-called “light” regulation. It sets up a complaint-driven process, which many of us feel is inadequate given that privacy violations are so difficult to spot. It requires individuals to go to court for redress, which is costly and therefore unlikely to occur except in unusual cases. It contains some exceptions that we feel are too broad. And it is improperly framed as a means of promoting commerce, rather than protecting privacy. But, it is a start on the path toward recognition of basic privacy rights that is sorely lacking in Canada, and we will be working to improve the Bill as it moves through Parliament.
What are its prospects?
I think that there’s enough positive momentum that this Bill will be enacted, in some form or another. The challenge for privacy advocates will be to ensure that the Act is tight, properly framed, and has adequate teeth.
In conclusion, let me say in response to the question put to us today, that while law, market forces and technology each have an important role to play in the protection of individual privacy, law is the essential starting point – it is necessary to articulate and define the right to privacy. Without a legal structure giving meaning and teeth to privacy rights, technology will be used to take advantage of vulnerable citizens, and market forces will have little effect, since privacy invasions are usually invisible to the consumer. There is nothing wrong with self-regulation, but it does not substitute for the rule of law, especially in respect of human rights and other essential elements of a civil society.
Achieving Universal Access to the Information Highway
Philippa Lawson
Public Interest Advocacy Centre
Global Internet Liberty Coalition Conference
I would like to begin by commending GILC and the organizers of this conference on broadening the focus of our discussion beyond traditional concepts of free speech, liberty and fundamental human rights, and including the more difficult, but equally important and relevant issues of access, privacy and consumer protection.
These issues are more difficult because their resolution calls for restraints on the free play of market forces – something that, in this day and age, is not popular. Nor is it, on its face, consistent with what is often seen as the primary message of cyber-rights activists to governments: “Stay out of our lives!”.
There is, however, no inconsistency between calling for more market freedom in some respects and less in others. Indeed, both are required for a just society. Unfortunately, many people don’t appreciate the integral link between access and free speech – the fact that the right to free speech online is pretty hollow for those individuals who can’t even get online.
Universal access to the information highway is one of those things that can’t be achieved without government intervention. Market forces just can’t do it. Indeed, market forces barely exist in some of the places where access is most needed. Left to its own devices, the market would provide amply for those of us with lots of money, but would offer limited access, if any at all, to those living in poverty. (This has been referred to as “dollar democracy”.) It would provide abundant and cheap service to urban dwellers, but would offer limited and expensive options to rural and remote dwellers. The evidence of this disparity in access is most stark at the international level (see Appendix 2 of Sid Shniad’s paper), but it is also present domestically.
Clearly, if one of our goals is to have everyone connected to the public telecommunications network, there is an important role for government to play, in extending connectivity to rural and remote areas and to those who can’t afford the market price, wherever they happen to live.
Before the widespread adoption of telephone service, we recognized the value of affordable access to a public means of universal communication – the postal system. Having replaced postal service as the primary method of distance communication, telecommunications deserves the same treatment: equitable and affordable access for all.
I would like to speak for a few moments on some solutions to this problem of unequal access.
For ordinary citizens, there are two elements of access: first, access to an underlying telecommunications network, and second, access to the Internet itself.
Access to the Telecom Network
Let’s start with the basics: a phone line. For most people, this is a prerequisite for basic Internet access. Other options (via cable television) are being developed, but it looks like telephone access will remain the most economical means of linking to the Internet for some time.
Affordable Service to Low Income Canadians
Even in Canada, one of the most connected nations in the world, with some of the lowest rates for phone service, there are thousands of households without basic telephone service because they can’t afford it. This problem is expected to grow, as basic local rates rise in order to pave the way for competition and lower long distance rates. Yes, the introduction of competition in Canadian telecommunications has led to higher rates for local phone service. Many Canadians, especially those in the lower income brackets who make minimal use of long distance service, were actually better off under the regulated monopoly.
At the same time, access to telecommunications is more important than ever.(1) It is particularly essential for disabled and elderly persons with limited mobility, for unemployed persons seeking a job, for low income families with limited transportation options, and for those living in rural and remote areas. Yet these are also the same people who have trouble affording the higher rates brought about by market forces.
After losing the battle against “rate rebalancing” (i.e., the raising of local rates in order to permit lower long distance rates), Canadian consumer groups realized that something else had to be done to maintain universal affordability of phone service. In a proceeding some three years ago, a broad coalition of anti-poverty, seniors and consumer groups published a “Blueprint for Action”, which called for a seven-point plan:
- Define “basic telecommunications service”, and establish a process for updating this definition as technology and market demand evolve.
- Establish an “affordability benchmark” – a monthly rate above which affordability for lower income households is jeopardized.
- Ensure that basic monthly service is provided to lower income Canadians at a price no higher than the affordability benchmark.
- Establish policies, such as instalment payment options, to ease the burden of lump sum charges on customers in need.
- Examine security deposit and disconnection policies to ensure that they do not pose unnecessary obstacles to affordability.
- Require that telephone companies offer options that allow customers to better control their bills – options such as the blocking of calls which attract usage charges.
- Establish a Fund for the subsidization of basic service provided to self-certifying households with incomes below the poverty level.
The targeted subsidy aspect of this approach was strongly opposed by local phone companies, who instead proposed “budget” service options consisting primarily of limited usage for a lower price, and pay-per-use calling above a certain threshold.
Consumer groups pointed out that these “budget” options, while attractive to high income professionals, who use their office phone for personal calling, were completely unresponsive to the needs of low income Canadians, who if anything need to use their home phone more than average – to seek employment, to contact health and social service agencies, to stay in touch.
In the end, the CRTC decided that neither approach should be adopted, yet. Based on high overall penetration rates of phone service in Canada, the regulator determined that affordability was not yet a serious problem, but that should it become a problem, a targeted subsidy was the appropriate solution. In the meantime, the CRTC ordered that penetration rates and other affordability indicators be monitored. In spite of the urgings of consumer groups, the CRTC refused to define “basic telecommunications service”.
High Cost Serving Areas
Since that decision, the long distance market in Canada has been deregulated, the local market has been opened to competition, and a new price cap form of regulation has replaced earnings regulation for incumbent local service providers. The profit margins on long distance and urban business service that used to sustain below-cost prices in rural and remote areas are rapidly being depleted. But the cost differences remain: it is far more expensive to serve some areas than it is others. Without maintaining some kind of subsidy for these high cost areas, the goal of universal access will be lost from sight.
Public interest and consumer groups have again banded together to call for a new, competitively neutral subsidy designed to improve and maintain access to telecommunications services in high cost areas, at quality and price levels comparable to those in urban areas. We have drafted a “Consumer Charter for a Connected Canada”, which calls on the government to take the necessary actions to ensure that the benefits of competition flow to all Canadians, not just those in urban centres.
We are proposing that a national fund be established for this purpose, with monies collected through a revenue-based levy on all telecommunications service providers. The subsidy would be portable, in that any local service provider meeting pre-established price, quality and availability requirements would be eligible to receive it for those customers that it serves in the high cost area.
The CRTC is considering this and other similar proposals right now. In the interim, it has set up company-specific funds into which long-distance service providers pay (a per minute contribution) and out of which local service providers withdraw, in order to subsidize below-cost prices.
Conclusion
In Canada, almost everyone agrees: in the absence of direct government intervention, some kind of competitively-neutral, explicit, regulated subsidy scheme is necessary in order to maintain universal access to basic telecommunications service. I am confident that our government, given its commitment to being the most connected nation in the world, will support a regulatory solution to this problem.
That’s just the first part – access to basic phone service. We still have the rest of the equation to deal with: Internet access.
Access to the Internet
As part of their proposal in the high cost area proceeding, consumer groups are calling for toll-free access to the Internet, and minimum transmission speed capabilities. Specifically, they are proposing that companies who want to receive the subsidy must offer toll-free access to a location with at least one ISP. I don’t know if this proposal will fly, but the important point is that consumer groups are now including Internet access as part of their definition of basic telecommunications service.
Another coalition of public interest groups in Canada has been pushing our government to adopt a model of public space community networking, and to provide the necessary funding to sustain this non-commercial initiative. As you heard this morning, we seem to be having some success. The Canadian government is working hard to spread Internet access points across the country, and to encourage Canadians of all ages and backgrounds to use the Internet for personal and business gain. In addition, we have succeeded in convincing a major broadcast carrier in Canada to reserve a few of its licensed broadband channels for non-profit, local community purposes such as health, education, and literacy.
Yet, only 28% of Canadians have Internet accounts. Not surprisingly, this rate is much higher among lower income households. At the same time, more and more information and services are offered over this medium, and more communication is conducted over the Internet. A recent publication of the NTIA in the United States shows that, despite significant growth in computer ownership and Internet usage among Americans, the “digital divide” persists, and is in fact widening. According to the NTIA’s survey, there is an even greater disparity in access among income and racial groups than there was three years ago. In other words, we are becoming a society of information haves and have-nots, despite our best intentions.
So, how do we improve this situation?
The effective approach is, I think, a multi-pronged one:
- Allow competition to flourish where it can best achieve the goal of affordable pricing. Governments should vigilantly guard against anti-competitive behaviour and harmful mergers in the markets for computer hardware and software, as well as Internet service provision.
- Use regulation to address systemic market inadequacies. Companies who wish to receive subsidies for service provision should have to meet certain access requirements.
- Provide direct financial and other support to establish public access points in communities, schools and libraries, and to train citizens in Internet usage.
- Support the development of not-for-profit community networking initiatives. If electronic democracy is to be realized, we must protect public space on the Internet, space that is unsullied by commercial interests and that permits the free flow of individual ideas and communications.
To sum up,
- The right to free speech on the Internet is one thing, but it’s pretty hollow for those who lack access to the medium in which this free expression can occur. A truly democratic cyberspace is one to which everyone has access.
- In order not to exacerbate existing social disparities, we must make special efforts to ensure that the Internet advantage is brought to those who are starting off at a disadvantage. Schools and libraries are a good place to start, but ultimately, it’s access to the home that we will all need.
- Without diminishing the tremendous value of Internet access, we must not forget that many of our fellow citizens are still struggling to afford basic telephone service. With increased competition and deregulation of telecommunications, this problem could get worse. In the enthusiasm for expanding Internet access, let’s not ignore the prior and more immediate need for basic phone access.
1. In a recent survey, 97% of Canadians viewed telephone service to the home as essential, while only 39% considered Internet access to be an essential home service.
Letter to Ministers
TUAC – NGO LETTER FROM PARALLEL SESSION C TO MINISTERS ATTENDING THE OECD MINISTERIAL CONFERENCE ON ELECTRONIC COMMERCE IN OTTAWA
To the Ministers of the OECD Member countries and of the other countries attending the Ottawa Ministerial Conference:
We thank the Organisation for Economic Co-operation and Development (OECD) and the Government of Canada for inviting public interest groups to participate in the OECD Ministerial Conference, “A Borderless World: Realising the Potential of Global Electronic Commerce,” which is being held in Ottawa, Canada, from 7 to 9 October 1998 (“Ottawa Ministerial Conference”).
This invitation recognises and confirms the role, interest and participation of public interest groups in the current international discussions and negotiations on electronic commerce.
With regard to the OECD in particular, a Public Interest Advisory Committee should be established, comparable in nature and role to the Business and Industry Advisory Committee (BIAC) for industry and the Trade Union Advisory Committee (TUAC) for trade unions. This committee should include representatives of public interest groups working in the following fields: human rights and democracy, privacy and data protection, consumer protection, and access to services.
We regret that the OECD did not give public interest groups the opportunity, before the start of the Ottawa Ministerial Conference, to submit a document comparable to the Business Action Plan submitted by BIAC and other groups. This has significantly restricted the scope of our intervention.
The promotion of electronic commerce by the OECD and member governments must be considered from a broader perspective, which includes, among other things, the protection of human rights, the promotion and strengthening of democratic institutions, and the provision of affordable access to advanced communication services.
With regard to the four themes focused on building the trust of users and consumers, identified in the document for participants in the Ottawa Ministerial Conference, “A Borderless World: Realising the Potential of Global Electronic Commerce,” and in light of the broader perspective mentioned above, we recommend the following:
- Authentication and certification: We recommend that all OECD Member countries adopt and apply the 1992 Guidelines for the Security of Information Systems, in particular the principles relating to democracy, ethics and proportionality. The OECD should also study issues relating to authentication and certification in a context of consumer and privacy protection. Policies and practices that do not take consumer and privacy protection concerns into account will end up undermining public trust.
- Cryptography: The OECD should promote the implementation of the 1997 Guidelines for Cryptography Policy and advocate the removal of all controls on the use and export of encryption techniques and other techniques that provide better privacy protection. Trust requires the widest possible availability of the best means of ensuring security and protecting privacy.
- Protection of privacy: The OECD should insist that member countries design and fully implement means of applying the 1980 Guidelines on the protection of privacy. These OECD Guidelines define a framework that is indispensable to consumer trust in online transactions. Self-regulation has not succeeded in establishing an adequate relationship of trust. We also recommend the adoption of measures to promote anonymity and reduce the collection of personal information, in order to increase consumer confidence.
- Consumer protection: The OECD should support the establishment of minimum standards for consumer protection, providing among other things for the simplification of contracts, methods for cancelling contracts, effective dispute resolution mechanisms, limits on consumer liability, the non-enforcement of unreasonable contract terms, recourse to the laws and courts of their own country, and cooperation among governments in support of legal remedies. These minimum standards should provide functional equivalence to current protective measures and offer protection at least comparable to that which would apply to other types of transactions.
We also recommend the following:
- Intellectual property: The framework for intellectual property protection should rest on mechanisms that minimize intrusions into privacy and restrictions on the development of new technologies.
- Internet regulation: Governments should favour Internet regulatory structures that reflect democratic values, are transparent and take users’ interests into account. Standardization methods should be open and foster competition.
- Taxation: At the Ottawa Ministerial Conference, Mr. Charles Rossotti, Commissioner of the Internal Revenue Service of the United States, raised the possibility of forming a Tax Advisory Group bringing together representatives of governments and businesses. Public interest groups should be invited to participate in the work of this advisory group.
- Employment: The consequences for employment must be evaluated and taken into account in all discussions and negotiations.
The Committee on Consumer Policy remains an important focal point for the study of new consumer protection policy issues, particularly with regard to electronic commerce. It is therefore important that this committee’s mandate be maintained and that it continue to hold meetings at regular intervals.
Signed
Alan Stevens, Editor, WHICH?Online (U.K.) *
Center for Democracy and Technology (U.S.)
Computer Professionals for Social Responsibility (U.S.)
Consumer Association of Canada
Consumer Council of Norway
Consumer Project on Technology (U.S.)
Consumers International
Cyber Rights & Cyber Liberties (U.K.)
Danish Consumer Council
Electronic Frontiers Australia
Electronic Privacy Information Center (EPIC – U.S.)
Fédération nationale des associations de consommateurs du Québec (FNACQ)
FITUG (Germany)
Foundation for Information Policy Research (U.K.)
Harvard Information Infrastructure Project
Imaginons un Réseau Internet Solidaire (IRIS – France)
Public Interest Advocacy Centre (PIAC), Ottawa
Richard Long, Vice President, Communications, Energy & Paperworkers Union *
Sid Shniad, Research Director, Telecommunications Workers Union *
Vincent Emmell, Progesta Publishing (Québec, Canada) *
Yves Poullet, Université de Namur, Belgique *
* Organizations are named for identification purposes only
Letter to Ministers
LETTER TO MINISTERS ATTENDING OECD MINISTERIAL CONFERENCE ON ELECTRONIC COMMERCE, OTTAWA
To: The Ministers of the OECD Member Countries and the Other Countries Attending the Ottawa Ministerial Conference
We thank the Organisation for Economic Cooperation and Development (OECD) and the Government of Canada for the invitation to some public interest groups to participate in the OECD Ministerial Conference, “A Borderless World: Realising the Potential of Global Electronic Commerce,” which is being held in Ottawa, Canada, on 7-9 October 1998 (“Ottawa Ministerial Conference”).
This invitation recognises and affirms the role, place and participation of public interest groups in the ongoing international discussions and negotiations with regard to electronic commerce.
With regard to the OECD, in particular, there should be established a Public Interest Advisory Committee, similar in type and function to the Business Industry Advisory Committee (BIAC) for industry and the Trade Union Advisory Committee (TUAC) for trade unions. Such a committee should include representatives of public interest groups in the fields of human rights and democracy, privacy and data protection, consumer protection, and access.
We regret that public interest groups were not afforded the opportunity by the OECD, prior to the commencement of the Ottawa Ministerial Conference, to submit a document similar to the Business Action Plan that was submitted by BIAC and others. As a result, the extent of our intervention has been severely constrained.
The promotion of electronic commerce by the OECD and member governments must be considered within the broader framework of protection of human rights, the promotion and strengthening of democratic institutions, and the provision of affordable access to advanced communication services.
With regard to the four issue areas for building trust for users and consumers, identified in the document for participants in the Ottawa Ministerial Conference, “A Borderless World: Realising the Potential of Global Electronic Commerce,” and mindful of the broader framework discussed above, we recommend:
Authentication and certification: We recommend that all OECD member countries implement and enforce the 1992 OECD Guidelines for the Security of Information Systems, particularly the Principles on Democracy, Ethics, and Proportionality. The OECD should also consider issues of authentication and certification within the context of consumer protection and privacy protection. Policies and practices that disregard consumer and privacy concerns will ultimately undermine public trust.
Cryptography: The OECD should promote implementation of the Cryptography Guidelines of 1997 and urge the removal of all controls on the use and export of encryption and other privacy enhancing techniques. Trust requires the widespread availability of the strongest means to protect privacy and security.
Protection of privacy: The OECD should urge member states to implement fully and develop means to enforce the Privacy Guidelines of 1980. The OECD Guidelines provide an essential framework to establish consumer trust in online transactions. Self-regulation has failed to provide adequate assurance. We further recommend efforts to promote anonymity and minimize the collection of personal information so as to promote consumer confidence.
Consumer protection: The OECD should support the establishment of minimum standards for consumer protection, including the simplification of contracts, means for cancellation, effective complaint mechanisms, limits on consumer liability, non-enforceability of unreasonable contract provisions, recourse at least to the laws and courts of their home country, and cooperation among governments in support of legal redress. Such minimal standards should provide a functional equivalence to current safeguards, offering at least the same levels of protection that would be afforded in the offline world.
We also recommend:
Intellectual property: The framework for intellectual property protection should be based upon mechanisms that are least intrusive to personal privacy, and least restrictive for the development of new technologies.
Internet governance: Governments should foster Internet governance structures that reflect democratic values and are transparent and publicly accountable to users. Standards processes should be open and should foster competition.
Taxation: At the Ottawa Ministerial Conference, Mr. Charles Rossotti, Commissioner of the United States Internal Revenue Service, spoke of the creation of a Tax Advisory Group, in which government and businesses will participate. Similarly, the public interest groups should be invited to participate in this advisory group.
Employment: Impacts on employment must be evaluated and taken fully into account in all discussions and negotiations.
The OECD Committee for Consumer Policy has been and continues to be an important vehicle for discussion of emerging consumer policy issues, including those relating to electronic commerce. It is important, therefore, that the mandate of the Committee for Consumer Policy continue and that the Committee continue to meet on a regular basis.
Signed,
Alan Stevens, Editor, WHICH?Online (U.K.) *
Center for Democracy and Technology (U.S.)
Computer Professionals for Social Responsibility (U.S.)
Consumer Association of Canada
Consumer Council of Norway
Consumer Project on Technology (U.S.)
Consumers International
Cyber Rights & Cyber Liberties (U.K.)
Danish Consumer Council
Electronic Frontiers Australia
Electronic Privacy Information Center (EPIC – U.S.)
Fédération nationale des associations de consommateurs du Québec (FNACQ)
FITUG (Germany)
Foundation for Information Policy Research (U.K.)
Harvard Information Infrastructure Project
Imaginons un Réseau Internet Solidaire (IRIS – France)
Public Interest Advocacy Centre (PIAC), Ottawa
Richard Long, Vice President, Communications, Energy & Paperworkers Union *
Sid Shniad, Research Director, Telecommunications Workers Union *
Vincent Emmell, Progesta Publishing (Québec, Canada) *
Yves Poullet, Université de Namur, Belgique *
* Organizations listed for identification purposes only
Grants and Contributions Program Budget
Grants and Contributions Program Budget Office of Consumer Affairs – Letter to the Honourable John Manley, Minister of Industry (November 17, 1999)
Honourable John Manley
Minister of Industry
235 Queen Street
11th floor, East Tower
Ottawa, ON
K1A 0H5
Dear Minister Manley:
Re: Grants and Contributions Program Budget Office of Consumer Affairs
On behalf of the Board of Directors of PIAC, I am writing to request that Industry Canada and the Federal Government give consideration to an increase to the Grants and Contributions program that would be reflected in the next federal budget. The Grants and Contributions Program constitutes the primary source of funding for consumer and public interest organizations across Canada that are engaged in advocacy on consumer issues within the federal domain. The current amount of funds that are allocated through this program to consumer groups and organizations is one million dollars.
This amount, however, is much reduced from past government allocations. In 1984, this program funded projects and consumer groups to a total of 1.8 million dollars. The equivalent amount in 1999 dollars of the 1984 figure is 2.7 million dollars.
The program dollar amount shrank in accordance with the deficit reduction measures implemented by the various federal governments during the decade of the 1990’s. It was solely the straitened financial circumstances of the government that caused this diminution of the program funding. It was not reduced because efficiencies were found, or the need for funding was lessened.
The need for funds has, in fact, increased. As a result of various deregulation initiatives, market forces play a greater role today as the means for consumer protection. However, this has also meant that problems of market failure are more critical and frequently difficult to address without adequate empirical support. In the result, the problems of enabling access by ordinary consumers to the benefits of newly competitive markets have occupied considerable organizational resources and time by a dwindling number of consumer groups.
In addition, governments consistently require the policy advice and assistance from non-commercial interests to assist them in formulating appropriate policy to meet changing public expectations. Examples of such requirements for such input abound in federal initiatives concerning privacy, electronic commerce, competition law, airlines and financial services, where effective policymaking cannot take place without an informed and engaged consumer presence. The blunt fact is that the federal government cannot continue to expect a contribution from the consumer interest sector towards issues of public and governmental concern when it is funded with less than 40% of the resources (in 1999 dollars) than it received in 1984.
I know that we do not have to repeat the litany of good work and assistance that groups and organizations funded by the Grants and Contributions have rendered to Industry Canada in the past with the assistance of this program. As you may be aware, there is also considerable work and assistance that is provided without actual funding through this program. There is little likelihood that any organization will be able to maintain the expertise to successfully execute project grants or to render unfunded assistance unless there is a major boost to consumer group funding.
We have all heard the floodgates response which is the front-line defense the government is currently offering for all new requests for funding. We recognize that the government must hold the line to ensure that the improving financial condition of the government does not become a reason, in itself, for undue largesse.
However, in this case, the Grants and Contributions Program is a cost effective investment in making markets and the policies associated with markets work better.
There are few larger concerns for Industry Canada and the government. We hope that the importance of this program will accordingly be recognized with a substantial increase in funding in next year’s budget.
Thank you.
Yours truly,
Michael Janigan
Executive Director/General Counsel
cc: The Rt. Honourable Jean Chrétien
The Honourable Paul Martin
The Summit on Electronic Commerce
Speaking Notes – Philippa Lawson
The growth of electronic commerce is, in many ways, a boon for consumers – immediate information, more choice, better deals, more convenience. But its benefits are not unmitigated. There are good reasons why consumers are reluctant to engage in online transactions. Quite rightly, they wonder:
- How do I know that my credit card is not going to be intercepted by some third party?
- How can I be sure that this is a legitimate business and that I’m not being taken in by some scam artist?
- Who can I turn to for recourse if it turns out I’ve been taken advantage of?
- How can I be sure that this company is not collecting information on me behind my back, and using it in ways of which I don’t approve? (And what are cookies, anyway?)
- How do I know that I won’t start receiving spam as a result of registering on this site?
The success of the online marketplace will depend to a large extent on the confidence of consumers, and that confidence will be gained only if these kinds of questions can be answered to the satisfaction of consumers.
Privacy is a serious concern in the marketplace generally, and nowhere more so than in the electronic world. Consumers recognize that they have considerably less control over their personal information in online transactions than they do in ordinary transactions. They see the ease with which personal information can be collected, manipulated and traded once it is in a computer. And they know that they don’t have the full story – that they don’t have control.
Survey after survey has confirmed that Canadians value the privacy of their personal information, and want control of it returned to them.
This concern was one of the factors that led to the development of the CSA Model Privacy Code, which sets out ten fundamental principles for protecting personal information. The key principle is informed consent.
Consumers must have the ability to control what information is collected on them when they contact a business through the Net. That means, first of all, telling the visitor to your website exactly what information about them is being collected, and for what purpose. It means providing the individual with a way of saying “no” – I don’t agree to that.
It means not sending unsolicited e-mail or making unsolicited phone calls to consumers who have purchased one of your products. And it means providing an easy way for consumers to get off marketing lists that they may previously have asked to be on.
Canadian Tire’s approach to online marketing gets a thumbs up with respect to the last point. But where was the notice telling me, a visitor to the website and subsequently, a subscriber to the e-flyer, what information of mine was being collected, what use it was being put to, and who else might have access to it?
A number of industry groups have, commendably, adopted codes of practice governing their members’ treatment of customer information. It has become clear, however, that such voluntary efforts are not enough.
First and foremost, they don’t capture those who don’t volunteer to be captured. As long as there are some bad actors out there, we need government to wade in and deal with them.
Second, many well-meaning companies have simply not gone far enough to address the privacy concerns of their customers. They need a shove.
This is why, I think, there is so much support for the federal government’s current initiative to draft legislation governing private sector treatment of personal information, and to work closely with the provinces in extending the same rules to all players in the marketplace.
IF TIME PERMITS:
Let me just say that Privacy is not the only pressing concern for consumers.
Governments need to update their consumer protection laws so that they adequately cover online transactions. The borderless nature of the Internet is a problem – Authorities need to work together, nationally and internationally, to create efficient and effective dispute resolution mechanisms for consumers and suppliers in different jurisdictions.
And those who wish to benefit from Electronic Commerce must do their part in removing the risks to consumers of online transactions. Above all, that means giving consumers full information – about you the merchant, where you’re located, about the product or service in question, about the terms and conditions of the contract, and about how any complaints or disputes will be dealt with.
There are a number of innovative ideas and experiments being floated right now with a view to improving consumer confidence in Electronic commerce, but I’ll leave that for the discussion.
To sum up:
The promise of electronic commerce will only be fully realized if key consumer concerns relating to security, privacy, information and redress are dealt with, adequately and soon.
Neither government nor industry can do it themselves; and neither should try to do it without active involvement by consumers.
How-to’s:
1. Codes of Conduct – these should cover the full range of consumer concerns, and should do so to the satisfaction of consumer advocates. Each Code should cover as broad a spectrum of industry as possible, in order to get consumer recognition. The more Codes that are out there, the less likely it is that consumers will know about them. (IC booklet)
2. Use of reputable 3P, so as to give credibility to small merchants, who don’t have the reputation or brand name of a Canadian Tire, or the assurance of a regulated bank. (e.g., BBB)
Logo, on which the consumer can click, and hotlink to the 3P site, where the reliability of the merchant can be confirmed. The Better Business Bureau is apparently doing this already, but the standards it requires of its members are unduly limited – they don’t include consumer information or privacy standards.
3. Use a reliable 3P to take online consumer payments and hold them, until the transaction has been completed to the satisfaction of both parties. Once the consumer has received the product in good order, the funds would be released to the merchant.
4. Use online arbitration to resolve consumer complaints – apparently, there are two such initiatives currently being trialled in the US: Online Ombudsman and Virtual Magistrate.
5. Government (or indep.3P) to collect and publish marketplace info. on fraud, post-fraud measures – inform consumers! (e.g., Internet Fraud Watch)
6. Those businesses that effectively function as “gatekeepers” have a particularly important role to play in the building of consumer confidence:
– Credit Card Companies – Online consumer transactions will be handled in large part with credit cards. Not only should credit card companies play an active role in weeding out offenders (i.e., companies who generate sig. no. of consumer complaints), they should, through chargeback policies, provide consumers with redress via their credit card when a distance transaction fails. In the US, such chargeback policies are required by law, but I’m told that credit card companies now recognize that it’s good business, and have voluntarily extended their chargeback policies to cover international transactions. Why aren’t Canadian credit card companies doing the same?
– Domain Registries – There’s a saying: “The great thing about the Internet is that no one knows you’re a dog”. Well, this is also a great failure of the Internet – because without adequate disclosure by commercial entities, consumer trust will not develop. Domain Registrars hold the keys to electronic merchants. They have a duty to exercise this responsibility by requiring their registrants to meet certain informational requirements.
– Backbone Providers and Website Hosters – Again, these bodies have the ability to pull the plug on electronic entities that don’t meet certain basic standards of consumer protection.
Electronic Commerce (Business – Consumer)
Four different aspects:
1. Information/Advertising/Marketing
2. Communication/Feedback
3. Delivery (only re: digitized goods)
4. Transaction: Contracting/Payment
Key elements of consumer protection in EComm:
1. Location/Identity of merchant
2. Full Information on product and transaction, etc.
3. Security of transaction
4. Privacy of personal information
5. Clear rules re: what constitutes acceptance online
6. Availability of redress mechanisms (laws upon which liability can be easily determined; consumer able to sue in own jurisdiction;
Key Consumer Protections in Provincial Legislation:
- implied warranties (goods free from encumbrance, seller has good title; goods of merchantable quality, correspond to description….)
- required information to be provided to consumer
- when written contract required
- goods to be delivered within a reasonable period of time
- delivery deemed not to occur until buyer has examined goods
- rules against misrepresentations, pressure sales tactics, grossly inflated prices…
Needed Reforms:
- generally – need to harmonize consumer protection laws across provinces to the highest standard (e.g., information provision prior to finalizing transaction)
- contracts entered into by consumers should be deemed to have been entered into at address of consumer
- implied warranties to cover services as well as goods
- protection against external, incomprehensible or abusive clauses
Specific Online Commerce Reforms
- define what constitutes a “written” document; and what constitutes a “signature” in the context of electronic transactions;
- clarify what constitutes acceptance on the part of the consumer in the context of online transactions;
- update lists of proscribed business practices so as to include those that are specific to online commerce; and
- consider applying “cooling-off” periods to online consumer transactions.
Digital Authentication and Consumers' Privacy
Report commissioned by:
Electronic Commerce Task Force
Industry Canada
Prepared by:
Angie Barrados, Researcher
Public Interest Advocacy Centre
1204 – 1 Nicholas Street
Ottawa, Ontario
K1N 7B7
barrados@web.net
www.piac.ca
April 2000
Table of Contents
INTRODUCTION
A. OVERVIEW OF DIGITAL AUTHENTICATION
B. SECURITY
B1. Securing Entire Systems
B2. Security Problems with Digital Signatures
B3. Use of the Best Available Technology
B4. Social Systems
B5. Security: Conclusion
C. MANAGEMENT OF PERSONAL INFORMATION
C1. Centralization of Personal Information and Data Matching
C2. Certification Authorities
C3. Certificates and Names
C4. Management of Personal Information: Conclusion
D. INDIVIDUAL CONTROL OVER PERSONAL INFORMATION
D1. Choices and Ability to Evaluate Systems and Certification Authorities
D2. Key Rings
D3. De-linking Authentication from Identification
D4. Individual Control Over Personal Information: Conclusion
CONCLUSION
Digital Authentication and Consumers’ Privacy
INTRODUCTION
This paper identifies and discusses the main implications of digital authentication to consumers’ privacy based on two sessions of the Tenth Conference on Computers, Freedom and Privacy (CFP) held in Toronto from April 4-7, 2000: “Who Am I and Who Says So? Privacy and Consumer Issues in Authentication” and “Everything You Need to Know to Argue About Cryptography”(1). The material from the conference is supplemented by selected secondary sources.
The paper provides a brief explanation of what authentication is, and provides definitions of some key terms relating to digital authentication. The main potential problems and issues for protecting consumers’ privacy in the context of systems that use digital authentication are then discussed under three headings: security, management of personal information and individual control of personal information. Experts’ main recommendations on protecting consumer privacy in these three areas are also noted.
A. OVERVIEW OF DIGITAL AUTHENTICATION
Generally, authentication means “the process of establishing confidence in an assertion”(2) and is the basis of being able to conduct transactions of many kinds. Authentication is often related to establishing the identity of someone entering into a transaction, such as when consumers show their driver’s license to have a cheque accepted. Methods of authentication can also be used to establish someone’s authority, as in a diploma, or to establish someone’s privileges, as in a membership card. Also, statements can be authenticated as being endorsed by a specific person by means of a signature or a seal.
Authentication methods currently in use for electronic transactions such as magnetic strips on cards, credit card numbers, PINs and passwords share some major flaws. They are not very secure, since they can be stolen relatively easily, either through low-tech methods (looking over someone’s shoulder at an ATM) or higher-tech methods (breaking into someone’s computer). Also, they cannot be tightly bound to one person. Consider buying something over the Internet with a credit card for instance; the credit card number alone does not tell the vendor that you are who you say you are. Added to these problems is the fact that much electronic communication is occurring over relatively insecure media such as the Internet that can easily be eavesdropped on.
Public key cryptography potentially offers a secure way of authenticating digital transactions over the Internet, and thus a great deal of attention is being paid to the development of systems that use public key technology, and the infrastructure needed to support such systems. In particular, digital signatures that use public key cryptography have great potential to facilitate electronic transactions. Generally, “digital signature” means a scheme using public key cryptography that functions much like a physical signature to authenticate the origin and integrity of documents.
Public key cryptography is distinct from traditional cryptography, because traditional cryptography uses the same key to encrypt and decrypt messages, while public key cryptography uses two keys to convey one message: one key to encrypt a message and another key to decrypt the message(3). One key cannot be derived from the other, so that one key can be made public, while the other can be kept secret. The way that public key encryption works is explained by the following example of how it can be used to send a message securely:
Say that Alice wants to send Bob a message. We assume they both own a key pair and they both know each other’s public key. Alice encrypts the message using Bob’s public key, and sends it over an insecure channel. Bob decrypts the message using his private (secret) key.
In this case, Alice can send a message to Bob over an insecure channel knowing that only Bob can read the message. But it does not authenticate the message (i.e., confirm that the message comes from Alice). In order to authenticate the message, Alice must use her private key to add a digital signature to the message in the following way:
Alice computes the “hash” of the message using a “hash function”(4). She then encrypts the hash with her private key: this is the digital signature. She sends this signature to Bob along with the message.
When Bob receives the message, he computes the hash of the message. He then decrypts the signature with Alice’s public key, and compares the resulting hash to the hash of the message he computed. If they are the same, he can be sure that the message was sent by Alice, and was not tampered with.
In this example, Bob can only rely on the digital signature if he can be sure that Alice’s public key in fact belongs to Alice. Alice’s public key must be tied in some way to Alice herself. This can be done through a certification authority that checks Alice’s identification, and certifies that the “real” Alice owns the public key. The certification authority would issue a certificate that Alice could send with her signature to validate her public key. It would be important that the certification authority be trustworthy, so that a certificate signed by the authority could be relied upon.
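The signing, verification and certificate steps described above can be traced in code. The following is an added example, not part of the original report: it uses unpadded "textbook" RSA with SHA-256 and key pairs built from publicly known Mersenne primes, so the keys are constructed for illustration and protect nothing. All function names, the sample message and the third party "Mallory" are assumptions made for this example.

```python
"""Hash-then-sign with textbook RSA, plus a CA-issued certificate (illustration only)."""
import hashlib

E = 65537  # widely used RSA public exponent


def make_keypair(p_exp, q_exp):
    """Return (public, private) built from the Mersenne primes 2**p_exp-1 and 2**q_exp-1.

    Constructed demo keys: these primes are publicly known, so the keys protect
    nothing. Real keys use large random primes generated by a vetted library.
    """
    p, q = 2**p_exp - 1, 2**q_exp - 1
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # private exponent (needs Python 3.8+)
    return (n, E), (n, d)


def digest(message: bytes) -> int:
    """SHA-256 of the message as an integer (the "hash" Alice and Bob compute)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes, private_key) -> int:
    """Alice's step: transform the hash with her private key.

    Unpadded for clarity; deployed schemes add padding (for example RSA-PSS).
    """
    n, d = private_key
    return pow(digest(message), d, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    """Bob's step: undo the signature with the public key, compare with his own hash."""
    n, e = public_key
    return pow(signature, e, n) == digest(message)


def cert_body(name: str, public_key) -> bytes:
    """Bytes the CA signs: the binding between a name and a public key."""
    n, e = public_key
    return f"{name}|{n:x}|{e:x}".encode()


def issue_certificate(name, subject_public, issuer_private):
    """Issuer's step (a real CA first checks the subject's identification)."""
    return {"name": name, "public_key": subject_public,
            "ca_signature": sign(cert_body(name, subject_public), issuer_private)}


def bob_accepts(message, signature, cert, expected_sender, ca_public):
    """Bob's full check; every condition must hold."""
    if not verify(cert_body(cert["name"], cert["public_key"]),
                  cert["ca_signature"], ca_public):
        return False  # certificate was not issued by the CA Bob trusts
    if cert["name"] != expected_sender:
        return False  # valid certificate, but it certifies somebody else
    return verify(message, signature, cert["public_key"])


def run_demo():
    alice_pub, alice_priv = make_keypair(521, 607)
    ca_pub, ca_priv = make_keypair(1279, 2203)
    other_pub, other_priv = make_keypair(2281, 3217)  # third party ("Mallory")

    message = b"Pay Bob 100 dollars"  # constructed sample message
    signature = sign(message, alice_priv)
    alice_cert = issue_certificate("Alice", alice_pub, ca_priv)

    other_sig = sign(message, other_priv)
    # A certificate naming Alice, but signed by the third party instead of the CA.
    self_made = issue_certificate("Alice", other_pub, other_priv)
    # A genuine CA certificate for the third party, under its own name.
    other_cert = issue_certificate("Mallory", other_pub, ca_priv)

    return {
        "genuine": bob_accepts(message, signature, alice_cert, "Alice", ca_pub),
        "tampered_message": bob_accepts(b"Pay Bob 900 dollars", signature,
                                        alice_cert, "Alice", ca_pub),
        # The arithmetic succeeds for whatever key Bob is handed, which is
        # why the key itself has to be tied to Alice by a certificate.
        "signature_only_no_ca": verify(message, other_sig, other_pub),
        "self_made_certificate": bob_accepts(message, other_sig, self_made,
                                             "Alice", ca_pub),
        "wrong_name_certificate": bob_accepts(message, other_sig, other_cert,
                                              "Alice", ca_pub),
    }


if __name__ == "__main__":
    for case, accepted in run_demo().items():
        print(f"{case}: {accepted}")
```

Only the first case passes Bob's full check; the third shows that a signature checked against an uncertified key says nothing about who sent the message.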
The establishment of certification authorities is the main part of the infrastructure needed to support the use of digital signatures (known as “public key infrastructure” or PKI). By and large, PKI is still a conceptual notion and not a reality, but there is a great deal of interest in establishing certification authorities and standards for their operation. Creating PKI may seem like a primarily technical issue, but in fact, once PKI is in place, it could lead to the widespread use of digital signatures. This has quite important implications for consumers. Digital signatures will facilitate the further use of electronic communication and storage of personal information in many fields. The new systems that use digital signatures as authentication will introduce new ways of identifying people, change individuals’ responsibilities and liabilities, and provide new ways to centralize information.
B. SECURITY
Digital signatures have a great deal of potential to increase the security of electronic transmissions, but the reliance on digital signatures in itself would create new security concerns (discussed below). Also, digital signatures will probably facilitate the development of new electronic systems through which to carry out transactions, and these systems in turn will have to be secure.
The importance of system security to the individuals who use these systems was made clear by the hypothetical example that was discussed by the CFP panel. The hypothetical system used public key technology to control access to a database of emergency medical profiles, and was accessible to doctors and insurance companies with certain certificates. Individuals could access their own files using a smart card containing a biometric identifier. An Orwellian scenario was given of an individual finding that her file had been altered without her knowledge. Her private key (the smart card) had in no obvious way been violated, so she had no way of proving that she did not make the changes to her file. If the culprit was not found, she could be held liable for the misuse of her card, and expenses to her insurance company.
B1. Securing Entire Systems
Computer security experts find that people are dazzled by public key cryptography, and that they tend to assume that it can be used to completely secure systems(5). However, most ordinary operating systems are vulnerable to attack by hackers. In many cases using digital signature technology will be “like putting a vault-door on a cardboard box”. For instance, a security expert on the CFP panel explained that in sending a digital signature over the Internet, a user’s browser may have access to the user’s private key. In this case, the digital signature itself may be hard to attack, but it would not be hard to attack the user’s browser and find the private key.
The layperson may assume that one cryptography function is all it takes to secure a computer system, but in actual fact, most security problems require many functions in different parts of the system (a cryptographic protocol)(6). Designing good cryptographic protocols is “amazingly hard”, and applying them to software is even harder, according to cryptographers. However, many systems designers consider security at the last minute, and do not realize how hard it is to apply cryptography to security problems. In many cases, the use of cryptography may give a false sense of security.
In setting up systems using public key cryptography, it is important that the limitations of the technology be clearly understood by both system administrators and users(7). It can never be assumed that systems are completely secure.
B2. Security Problems with Digital Signatures
A digital signature can be less secure in some ways than a physical signature in authenticating a transaction. As discussed above, a digital signature relies on the use of a private key; the private key is actually a string of digits that would most likely be stored on a card accessible with a PIN. Proponents of digital signatures tend to assume that the private key and certificate are controlled by the certified keyholders, but if the private key is kept on a card, there is clearly a danger that the card and PIN could be copied or stolen. Critics feel that the problem with relying on digital signatures is that it would be as easy to steal a signature as it is to steal a credit card(8).
In the case of a forgery of a physical signature, an individual can try to prove that he was not the person who physically signed a document through a number of methods. He can show that the forged signature does not match his real signature, he can call on people who witnessed the signing of a document, and he can try to prove that he was in a different location at the time the document was signed. A digital signature cannot be related to a person in the same way, unless there is a video camera recording who is at the computer monitor conducting a particular transaction.
To tie private keys more strongly to individuals, private keys could be based on biometrics (such as fingerprints, or iris scans). If biometric data was downloaded to a card for use, there would be the same danger of the card being copied or stolen. However, if the public key was an actual scan of one’s fingerprint, for instance, it would be harder to forge, although some computer security experts feel that even biometrics are not secure(9).
An investigation of a fraudulent use of a digital signature would depend on the audit trail of the suspicious transaction. It is, therefore, important that systems be designed to keep such audit trails(10).
B3. Use of the Best Available Technology
Designing secure systems is expensive, and the companies that build these systems may not always have the incentive to use the best available technology(11). The extent to which this incentive is present will be determined by the assignment of liability in the case of a security breach. Contracts between individuals and service providers will likely specify who is liable for misuse of the individual’s private key. If providers bear liability for misuse of the private key, they will have a strong incentive to use the best available technology. This assignment of liability would be analogous to the liability banks have for misuse of ATM cards. Banks bear the liability for misuse of ATM cards provided customers take reasonable security precautions, so they use good security methods such as video cameras at ATM machines.
In future, individuals may be able to choose among different service providers that have varying levels of system security. It will probably be hard for individuals to understand and evaluate security issues, since these issues are complex, even for experts. Also, individuals may not understand the potential risks that security breaches pose for them. Therefore, consumer protection laws should clearly place responsibility for security on service providers.
B4. Social Systems
Even if technology can provide good security for a computer system, there may be serious security problems if the people using the system are not security conscious. The CFP panel on authentication discussed the difficulty of ensuring security of medical files in a hospital or clinic setting. Typically, security is based on a “firewall” concept, that allows the insiders (say hospital staff) to have access to all files(12). This means that a great many people have access to the files, which increases the possibility of abuse. Also, there are typically many low-tech ways of accessing personal information (such as reading files left in easily accessible places). Introducing an electronic system based on public key cryptography will not solve these problems and may indeed introduce greater potential for abuse because of increased centralization of personal information.
To provide data security, attention needs to be paid to the social system that uses the computer system, as well as the computer system itself. The panelists agreed that changing these social systems to ensure data security can be just as hard as designing technological solutions to security problems.
B5. Security: Conclusion
The application of public key cryptography is not enough to solve all security problems. In fact, the new systems that will be facilitated by public key cryptography create a whole set of complex security concerns that must be addressed to ensure the protection of personal information.
C. MANAGEMENT OF PERSONAL INFORMATION
Digital signatures could lead to the development of much larger, more complex electronic systems than have previously been used. These systems may raise significant concerns about how individuals’ private information is collected and exchanged by private entities.
C1. Centralization of Personal Information and Data Matching
The systems that will be facilitated by the use of digital signatures will likely increase the centralization of personal information. For instance, it will soon be possible for all of an individual’s medical information to be stored and updated in one electronic file. This may be advantageous to doctors and patients in many ways, but it also means that patients would have less control over their medical information. A patient would no longer be able to withhold parts of her medical history from a new doctor. Also, unauthorized access to the file would disclose the entire medical history and potentially create far more problems for an individual than disclosure of a partial file.
A major privacy concern will arise if one digital signature is used for multiple purposes. In this situation, the public key would become a de facto universal identifier, and allow for matching of diverse databases. This means that comprehensive files on individuals could be compiled by authorities with access to many different databases, or by hackers. Also, all of an individual’s electronic transactions could be recorded, and traced back to the individual.
C2. Certification Authorities
Certification authorities will likely play an important role in PKI; they will issue digital certificates to individuals to certify that an individual is the rightful holder of a public key. Through the process of issuing certificates, a certification authority would keep records about individuals’ identification, registries of public keys and certificates, as well as certificate revocation lists(13). The revocation lists in particular raise concerns because anyone relying on digital signatures would have to check the revocation list each time they accept a signature. In the process of checking the revocation list, a data trail would be created that would show every inquiry about a particular certificate. Therefore, everyone with whom an individual transacts could potentially be recorded by the certification authority.
Certification authorities could have a great deal of power over individuals by virtue of their function in issuing/withholding certificates, and revoking certificates. This power will be greater to the extent that the following factors are true:
- individuals need to obtain a certificate in order to engage in important or essential transactions;
- individuals do not have a choice as to which certificate authority they deal with, or all certification authorities offer the same service;
- eligibility requirements are not regulated;
- identification requirements and application criteria are not publicly disclosed.
Privacy advocates are concerned about the creation of authorities that could potentially exercise a great deal of power over individuals, and would hold significant amounts of information about them.
C3. Certificates and Names
Identification requirements to establish an individual’s eligibility for a certificate will have to be established. Privacy advocates are concerned that these requirements may be too onerous, and thus privacy invading. This problem will be more pronounced with certificates that actually establish identity, compared to certificates that establish some type of eligibility without identifying the individual.
Another privacy concern involves the personal information that the certificates would potentially display. The subject’s name and public key may not be enough information, because names are not always enough to unambiguously identify someone; other information such as an e-mail address or a driver’s license number may be required. A subject’s privacy could be compromised by having to disclose personal information in a certificate every time she uses her digital signature.
The identification and eligibility requirements used by certificate authorities will have very important privacy implications. Many companies have an interest in securely identifying their customers. In the context of digital signatures they may see an opportunity to improve identification by pushing for more onerous identification requirements for certificates than the identification that is currently used to verify physical signatures. Any such push towards identifying individuals more comprehensively needs to be counterbalanced by privacy considerations.
C4. Management of Personal Information: Conclusion
To protect individuals’ privacy, personal information held by certification authorities and systems managers would need to be protected from misuse, and any authorized use of the information would have to be carefully evaluated to ensure that it is not privacy invasive. These privacy protections rely on good data management practices which could be promoted by sound rules and oversight. However, it will be impossible to completely avoid misuse of information or security breaches. It is important, therefore, that PKI build in privacy protections apart from private-sector information management practices.
D. INDIVIDUAL CONTROL OVER PERSONAL INFORMATION
As digital signatures allow systems to be built that increase the centralization of information, it will become more and more important to ensure that individuals do not lose all control over their personal information, and thus any ability to protect their privacy. There are three main ways that individual control over personal information can be maintained in a digital environment: allowing people to choose privacy-enhancing services, allowing for the use of a “key ring” rather than one multipurpose key, and the de-linking of authentication and identification in many situations.
D1. Choices and Ability to Evaluate Systems and Certification Authorities
In the future, individuals may or may not have a choice about whether to acquire a digital signature, and which certification authority to use to validate it. It is important that individuals be able to choose options that maximize their privacy. As PKI is developed, it is important that individuals not be forced by mandated use of certain systems to acquire digital signatures. People should be free to acquire digital signatures when they are confident that their privacy is adequately protected.
If individuals are given choices about which systems and certification authorities to use, they must be able to evaluate the security and information management practices of a particular service. This will require the disclosure of key information about services, and some sort of independent evaluation of them, made available to consumers in understandable language.
D2. Key Rings
As mentioned above, there is a major concern with the public key becoming a de facto universal identifier. A public key would not become a universal identifier if an individual owned different key pairs (public and private keys) for different transactions, so that, for instance, an individual’s public key for accessing her bank account would be different from that used for accessing her medical records. Ari Schwartz of the Center for Democracy and Technology suggests that individuals should possess a “key ring” of different keys. This would be preferable to a single key, according to Schwartz, because:
Given the choice between a ring with multiple keys or a single key to open all doors, most consumers would stick with the key ring – despite the initial appeal of the single key. The single key could be easily lost or misused and its functions couldn’t be isolated; … by giving someone the key to your car you would in effect be giving them the key to your life(14).
There are a number of factors that suggest that single keys may indeed become the norm. As mentioned above, powerful companies would like to have their customers identified conclusively, and will probably try to set up PKI so that one key will be the norm. Also, having multiple keys could mean additional expenses for individuals and the responsibility of managing multiple cards with multiple PINs. Nonetheless, the key ring concept should be promoted, as it could be the single most important way of maintaining individuals’ control over their personal information.
D3. De-linking Authentication from Identification
The potential for systems managers and certification authorities to invade individual privacy would be greatly reduced in cases where digital signatures did not function as identifiers. It is important to remember that authentication also applies to credentials, eligibility and reputation in ways analogous to diplomas or membership cards. There are many potential applications for digital signatures in which identification is not disclosed, and “blinded” digital signatures in which identification is hidden. To protect individual privacy, individuals should only be identified in digital transactions when it is necessary to do so(15).
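As an added illustration (not part of the original report, which names no scheme), the sketch below walks through Chaum's RSA blind signature, one well-known way for an issuer to sign a credential without seeing it. The demo-sized key, the function names and the sample credential string are assumptions made for the example.

```python
import hashlib
import math
import secrets

# Toy RSA key for the certification authority (assumption: demo-sized key built
# from two Mersenne primes; real keys use random primes of 1024+ bits each).
P, Q = 2**107 - 1, 2**127 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # CA's private exponent

def digest(credential: bytes) -> int:
    """Hash the credential to an integer below N."""
    return int.from_bytes(hashlib.sha256(credential).digest(), "big") % N

def blind(credential: bytes):
    """Holder: hide the digest behind a random factor r before sending it."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if math.gcd(r, N) == 1:
            return (digest(credential) * pow(r, E, N)) % N, r

def ca_sign(blinded: int) -> int:
    """CA: signs what it receives; it never sees the credential or its digest."""
    return pow(blinded, D, N)

def unblind(blind_sig: int, r: int) -> int:
    """Holder: strip r to obtain an ordinary signature on the credential."""
    return (blind_sig * pow(r, -1, N)) % N

def verify(credential: bytes, sig: int) -> bool:
    """Relying party: checks the CA's signature using only the public key."""
    return pow(sig, E, N) == digest(credential)

def demo() -> dict:
    credential = b"holder-is-eligible:over-18"  # constructed sample, carries no name
    blinded, r = blind(credential)
    sig = unblind(ca_sign(blinded), r)
    return {
        "valid": verify(credential, sig),
        "ca_saw_digest": blinded == digest(credential),
        "tampered_valid": verify(b"holder-is-eligible:over-65", sig),
    }

if __name__ == "__main__":
    print(demo())
```

Because the CA cannot inspect what it signs, it has to confirm eligibility through a separate check before signing.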
D4. Individual Control Over Personal Information: Conclusion
In envisioning PKI, it is important not to assume that individuals will use one type of identifying digital signature for all of their transactions. The extent to which individuals can use different keys for different purposes, and choose whether or not to identify themselves with a key, will determine how much control individuals will retain over their personal information. Also, the extent to which individuals can choose different types of certificates will determine how much individuals will be able to opt for privacy-enhancing options.
CONCLUSION
This overview of the privacy issues surrounding the development of digital authentication indicates three overall recommendations to maintain and protect individual privacy:
1) The limitations of public key cryptography in securing systems must be taken into account. Ensuring that information is secure throughout a system is a complex task that requires a number of methods, including providing incentives through assigning liability for misuse of information, and changing social systems. Systems must be auditable so that suspicious transactions can be investigated.
2) In the future, certification authorities and other service providers could possess a great deal of personal information. To protect individual privacy, information held by private entities would need to be protected from misuse, and any authorized use of the information would have to be carefully evaluated to ensure that it is not privacy invasive. These good information management practices should be promoted by sound rules and oversight, but this will not be enough to ensure individual privacy; PKI should also be designed so that individuals retain control over their personal information.
3) PKI should give individuals the choice to opt for privacy enhancing services. People should have the option to own multiple keys, and to use keys that do not identify them. As PKI is developed, people should not be forced to acquire digital signatures, but should rather be allowed to acquire them when they have confidence that there are adequate consumer safeguards in place.
As PKI is being developed, there will be a need for much more investigation of how these general recommendations can be implemented in practice.
1. Appendix A gives a description of the sessions and who contributed to them.
2. Roger Clarke, Personal Notes on Computers, Freedom & Privacy 2000, Toronto, 5-7 April 2000 at http://www.anu.edu.au/people/Roger.Clarke/DV/NotesCFP2K.html accessed on April 18, 2000
3. The following discussion on public key cryptography relies upon Brian A. LaMacchia of Microsoft “Everything You Need to Know to Argue About Cryptography” Cryptograph Tutorial, CFP 2000, April 4, 2000.
4. A hash function reduces a message to a fixed size, and is a “one-way” function, one that cannot feasibly be inverted. This means that knowing the hash function and the hash of the message does not allow someone to compute what the initial message was. Therefore, Alice can choose a well-known hash function; it does not need to be kept secret.
5. This paragraph is based on remarks by Carl Ellison of Intel at “Who Am I and Who Says So? Privacy and Consumer Issues in Authentication”.
6. This paragraph is based on Brian A. LaMacchia “Everything You Need to Know to Argue About Cryptography” Cryptograph Tutorial, CFP 2000, April 4, 2000.
7. This point was made by Phil Hester of IBM at “Who Am I and Who Says So? Privacy and Consumer Issues in Authentication”
8. This point was made by Margot Freeman Saunders of the National Consumer Law Centre at “Who Am I and Who Says So? Privacy and Consumer Issues in Authentication”
9. This was suggested by Carl Ellison at “Who Am I and Who Says So? Privacy and Consumer Issues in Authentication”. Roger Clarke reports that fingerprints are very easily forged, and that most biometrics will probably be “forged with ease” in Privacy Requirements of Public Key Infrastructure at www.anu.edu.au/people/Roger.Clarke/DV/PKI2000.html accessed on 18/4/2000.
10. This point was made by Phil Hester at “Who Am I and Who Says So? Privacy and Consumer Issues in Authentication”
11. This paragraph is based on comments by Margot Freeman Saunders of the National Consumer Law Centre at “Who Am I and Who Says So? Privacy and Consumer Issues in Authentication”.
12. This point was made by Carl Ellison at “Who Am I and Who Says So? Privacy and Consumer Issues in Authentication”
13. Certificate revocation lists would list certificates that have been revoked because they have been compromised, or have expired.
14. Ari Schwartz, “Smart Cards at the Crossroads: Authenticator or Privacy Invader?” Center for Democracy and Technology at www.cdt.org/gigsig/idandsmartcards.shtml accessed on 12/4/2000.
15. Roger Clarke, Personal Notes on Computers, Freedom & Privacy 2000.
