1998 EPIC Cryptography and Privacy Conference

Washington, DC,   8 June 1998

Panel on International Developments
(Conference Agenda)


Speaking notes for Helen McDonald, Industry Canada.


INTRODUCTION

Thank you very much for the opportunity to come here and describe Canada's position.

ELECTRONIC COMMERCE STRATEGY

In the most recent Speech from the Throne (our equivalent to the American State of the Union Address), the federal government set the goal of making Canada the most connected nation in the world. We are as prone to hyperbole as any, but in this case we committed to increase spending on public Internet access sites in both rural and disadvantaged urban areas, as well as funding for the interconnection of universities, schools, libraries, and non-profit or voluntary groups.

Our reasoning is that Canada would be more competitive if businesses were able to capture the productivity gains and growth opportunities attendant on the use of information technologies. And that individuals will benefit from the employment and learning opportunities on the Internet.

The planks of this "connectedness" agenda include, in addition to affordable network access and skills development, electronic commerce.

Our ambition, likely shared by most nations, is to become a world leader in the supply and use of electronic commerce.

We start as most nations do with the premise that electronic commerce will be and should be driven by the private sector. But we see a legitimate role for government. Our electronic commerce agenda has four prongs:

(1)
promoting consumer and business trust in electronic transactions through the right policy environment;

(2)
removing legal barriers to business investment and innovation;

(3)
acting as a model user to catalyse action; and

(4)
promoting international action to prevent and remove barriers to seamless global electronic commerce.

How best to convince consumers that it is safe to conduct business electronically?

Our surveys and focus groups repeatedly reveal that consumers want reassurance as to who it is they are dealing with in cyberspace. They want the same protections they are used to in the real world, and they want to know that their personal and transactional data will be protected.

How best to convince businesses that their sensitive corporate communications and intellectual property can be safe, that technologies exist which can handle the authentication problem on open networks, and that these technologies will have some legal standing if there is a dispute?

By the end of this year, the Canadian government will have taken three concrete measures to realise our domestic agenda:

(1)
introducing privacy legislation for the private sector;

(2)
getting the basic infrastructure, policies, standards, and legal framework in place for the Government of Canada Public Key Infrastructure; and

(3)
clarifying the government policy on cryptography.

In addition, Canada will be hosting an OECD Ministerial conference on electronic commerce this October. We hope that this meeting will result in a series of substantive outcomes that commit governments and international organisations to timely action, or commit us to adhere by a set of common principles for taxation, consumer protection, privacy, and authentication.

Let me describe in more detail our domestic plans.

DATA PROTECTION

First, privacy.

The federal government intends to introduce legislation to protect personal data in the federally regulated private sector. This covers telecommunications and broadcasting endeavours, banking, airlines, and interprovincial transportation - but not the whole of electronic commerce.

The bulk of commerce lies within provincial jurisdiction, and thus we are working closely with the provincial governments to seek agreement on a common minimum privacy standard. This is likely to happen, and it will be the Canadian Standards Association model privacy code. This standard represents a consensus of industry, consumers, and government, and is consistent with the 1980 OECD privacy guidelines.

Some of our provincial partners believe that self-regulation deserves more time to prove itself. We are encouraging them to set some timelines for the private sector to come up with an adequate self-regulatory approach. For example, can we agree to give the private sector three (more) years to show concrete action, at which time all governments agree to legislate if industry has failed to act? We have one province, Quebec, which has legislation covering the provincially regulated private sector, and which therefore would likely easily meet the demands of the European Union for "adequate" data protection. We need the rest to act.

We believe that light framework legislation, based on our national standard, would build on and extend existing industry voluntary action, by providing an independent oversight body - the federal privacy commissioner - and a mechanism for consumer redress should companies ignore complaints.

Canadian consumers are not looking for heavy-handed government intervention, but they are looking for "someone to mind the store", someone to look after their interests by giving them some measure of control over their personal information.

We do not have the same history of individual legal action as in the U.S., and we view the reliance on tort actions as overly burdensome on individuals seeking to right a wrong. We think that, contrary to the popular notion that legislation is always more costly for business than self-regulation, in this case, framework legislation might be cheaper. The cost to business in developing codes of practice, purchasing outside audits of compliance, and negotiating contractual obligations, is not insignificant. Our public consultations show that business is willing to accept the kind of light framework legislation we are talking about.

GOC PUBLIC KEY INFRASTRUCTURE

The second concrete measure I mentioned was the Government of Canada public key infrastructure or PKI.

The federal government set itself the target of making electronic service delivery the preferred method for dealing with clients and internal operations, by 1998.

We knew that this would require secure methods to support authentication, message integrity, non-repudiation, and confidentiality services. We allocated $10 million (Cdn) to develop the technologies that underlie a certificate-based public key infrastructure, or hierarchy of certification authorities.

We are using primarily Canadian technologies - most notably the Entrust suite of products - but the PKI will support a wide range of off-the-shelf end user products.

The infrastructure architecture consists of a central root authority (our Communications Security Establishment), and certification authorities and local registration authorities within each department - although departments can outsource the functions to a common service agency or to the private sector.

Individual employees would be issued separate keys for signatures and for confidentiality. The employee's confidentiality key would be backed up at the departmental authority. Our GOC PKI is based on a business case, which says that the recovery of stored data, for business continuity reasons, is important. It is not designed specifically for law enforcement ends.

The government also established a policy and legal issues group to develop a set of certificate policies and certification practice statements for federal departments, and to identify and tackle the legal and policy barriers to electronic service delivery. These policies and practice statements set out the applicability of a certificate to a particular community or class of applications, and the practices which a certification authority employs in issuing certificates.

One of the barriers is the uncertainty surrounding the legal standing of digital signatures and electronic records.

We will be introducing legislation this fall to create legal presumptions in favour of secure electronic signatures and electronic documents. At the same time, we will remove requirements, where appropriate in more than 330 federal statures, for handwritten signatures, or the submission of documents "in writing". Departments will be able to "opt-in" to global provisions, or set their own requirements.

CRYPTOGRAPHY

The third thing we committed to do is to review and articulate a policy stance on cryptography. I wish I were able to lay it out for you today. I have been chairing biweekly meetings of an interdepartmental working group set up to explore encryption policy options and make recommendations, and while we are closer after a year and a half, we are not there yet.

Instead, let me explain our starting point, the process we are using, and what we have learned along the way.

Current encryption policy

Canada has no import or use controls. You can buy and use whatever strength cryptography products you want.

We adhere to the Wassenaar Arrangement, and thus control the export of encryption products. Like the US we do not control products only used for digital signatures, or encryption products at or below 56 bits in key length.[1]

Unlike the US, we do not impose key recovery requirements on exporters. We do not give an export preference to KR products, nor do we have a formal policy position on key recovery. We do not control mass market and public domain software because we, like most of the Wassenaar Arrangement nations, agree that such controls would be unenforceable.

So I guess you could say we start from a market-based approach domestically. We believe that users should be free to determine what kinds of authentication and encryption products and services they need. And if you are still uncertain about what I have said, you need look no further than the GOC PKI - the system is set up to clearly respond to a business need.

Policy review process

There were considerable pressures within Canada for a review of this policy, from both exporters and law enforcement agencies. In addition, a blue ribbon panel of industry leaders advised government to update its cryptography policy in order to ensure the realisation of the economic potential of the information highway. They asked us, in so doing, to find the right "balance" between human rights, privacy, business, law enforcement, and national security interests.

Unfortunately, they did not tell us how to do it, but they did stress the importance of freedom of choice, a market-drive approach, and an informed public debate.

My interdepartmental working group was set up in 1997 to make policy recommendations. Our mandate is to develop a "balanced" policy framework that will:

The interdepartmental working group, which includes 11 federal departments, agreed at the outset that, in addition to whatever research into legal, technical, trade, and cost studies we might do, we would consult widely.

And so we released a public discussion paper in February 1998 seeking views on a range of options for encryption for stored data, real-time communications, and export controls. Excluding those who wanted to sell us products or services, we received about 150 responses.

We also organised a round-table, which grouped crypto manufacturers, privacy and freedom of speech advocates, police chiefs, and government representatives from the public security and law enforcement agencies - a very interesting dialogue.

What have we learned?

So what have we learned from our work to date, however modest, and incomplete as it is?

In Canada, our Charter of Rights and Freedoms, prevents us from placing restrictions on citizens' freedom unless these are "demonstrably justifiable in a free and democratic society". Essentially this means that we must be able to prove that restrictions are likely to obtain the outcome they are aiming for, and that the means used to obtain that outcome are proportionate. We cannot cause significant, negative side effects that are worse than the cure we are trying to effect. The benefits must be proportionate to the privacy, human rights, and e-commerce trade-offs.

This means, for example, that we would have to be prepared to prove in court, that any key recovery preferences in our export control regime, or any extension of controls to shrink-wrapped software, are logically and practically linked to the Wassenaar Arrangement goals of global and regional peace and security. And we would have to be able to prove, if challenged, that mandatory licensing of Trusted Third Parties, or key recovery use restrictions, despite the likelihood that these would be circumvented by criminals, are plausibly linked to crime investigation and prosecution.

This could be problematic.

Our public consultations asked for views on a wide range of options.

We learned that other than the Association of Chiefs of Police, mandatory controls on the use or importation of encryption, or mandatory key escrow or recovery, are unacceptable to industry and the public.

We learned that mandated access to real-time communications can only be achieved at great cost and at significant risk to Canadian competitiveness and personal privacy. There is no business case for key recovery for real-time communications.

The adverse privacy implications of our possible policy options were a big concern with our respondents - this single issue drew more comments than any other in our public comment period. The greatest concern was that law-abiding citizens would be disadvantaged by proposals aimed at supporting law enforcement needs. Not surprising to anyone here, there was a strong belief that the needs of users, carriers, and suppliers were in some cases in direct conflict with the stated needs of law enforcement and security agencies.

Canadian cryptography suppliers are among the world leaders, and we learned that mandated solutions would have a chilling effect on further development. We learned that crypto manufacturers believe that the Canadian government is applying the Wassenaar Agreement more stringently than in other countries, and this is disadvantaging both manufacturers and users.

On the other hand, there were some encouraging signs:

We also learned that the public wants government to be actively encouraging the legitimate use of strong cryptography as a way of building confidence in secure electronic commerce and service delivery, and as a way of reducing electronic crime.

And thus we were encouraged to reduce legal uncertainties related to the use of electronic authentication methods and computer-generated records, but to let the market place, not licensing regimes, set the standards and procedures for certification authorities and authentication schemes.

Our respondents argued that government has a role to play as a model Internet user and purveyor of on-line services to businesses and citizens. Our PKI should interoperate with private sector security infrastructures, it should use open international standards, and it should be built, to a reasonable extent, from Canadian IT security products and services. Government should work with the private sector to help build consumer confidence in transacting business over the Internet and build awareness of effective security procedures.

Finally, we learned that government should continue to work in international fora to promote secure and seamless electronic commerce and to reduce the barriers to global trade in cryptography products and services.

These were the highlights of our consultations, although the richness of the comment and the seriousness of most formal replies cannot be expressed in such limited time. (This material will be up on the web shortly, once translated into Canada's two official languages.)

Thank you for the opportunity to present this material to you today.

Helen McDonald
Director General Policy Development
Electronic Commerce Task Force
Industry Canada
McDonald.Helen@ic.gc.ca

[1]
Canada controls all hardware and custom software products, but broad permits would be issued for those at or below 56 bits after a one-time review to assess strength.