Computing Canada
vol 24, no 11
Monday, March 23, 1998

Proposed policy changes causing angst

by Greg Enright

Canadian businesses and industry analysts warn that proposed changes to Ottawa's cryptography policy could severely threaten corporate privacy.

The revisions are being considered in the areas of encrypted stored data, encrypted real-time communications and Canada's policy on the export of encryption products to other countries. Until April 21, Industry Canada is accepting public feedback through its Web site (strategis.ic.gc.ca).

For each area, the government has presented three options for the revamped policy, ranging from minor alterations to much more extreme changes. It is the more radical suggestions that have many in the IT community worried.

For encrypted data stored by organizations, for example, the government has suggested that a law be passed that would make the use of encryption products without key recovery capabilities illegal. This would make it difficult for companies to encrypt their proprietary information in a way that would make it understandable only to them. It would also allow access to law enforcement agencies such as the RCMP if needed for legal proceedings.

Some individuals, however, feel the government should not have any say in how a company chooses to handle its data. "In a free country like Canada I should be able to send e-mail to my colleague in Vancouver in secret, period, without having to give the keys to the government or the police", said David Jones, president and secretary of Electronic Frontier Canada Inc., an IT industry watchdog. "I should be able to do whatever I want to do."

Jones, who is also a professor of computer science at McMaster University in Hamilton, Ont., added that Canadian businesses that are planning their e-commerce strategy should be very concerned about such proposals.

"If the government imposes a policy that says individuals can't use strong encryption, that it has to be weak enough for the government to eavesdrop on, then it's also true that it's weak enough that criminals can eavesdrop on it or commit fraud. It creates a tremendous vulnerability."

Bill Kossmann, a business analyst for David Thompson Health Region, a Red Deer, Alta., health authority, said it would be small and medium-sized businesses that would be hit the hardest by such a policy.

"It's an intrusion on the privacy of the smaller company and the individual because certainly the organized crime folks and larger organizations, and certainly intelligence communities, have encryption that cannot be broken", he said.

Bill Munson, director of policy at the Information Technology Association of Canada (ITAC), said that by putting a company's stored electronic data in the hands of anyone unknown, including the government, the possibility of information being leaked to ne'er-do-wells automatically rises.

"The more people that know (about your information), the greater the possibility of leaks. Leaks happen anyway, but this is a way of perhaps opening up the possibilities."

Helen McDonald, director general, policy development for the task force on electronic commerce at Industry Canada, said the proposals are only proposals, and that reaction such as Kossmann's and Jones' is what the government wants to hear. "There isn't a hidden agenda here", she said. "I would expect that there would be concerns with the government inserting itself in a market, especially such a new market."

McDonald added that the concerns of investigators at the RCMP and CSIS also have to be taken into account.

"It's really a law enforcement argument that takes over", she said. "How do we ensure that we can continue to decript and collect evidence?"

Jones, however, said he thinks it would be very unlikely that a government investigation would be hindered by encryption.

"They seem to be willing to throw away the privacy rights of 30 million Canadians and to jeopardize the financial viability and security of any Canadian business that wants to engage in electronic commerce. It doesn't seem like a fair trade-off."

Privacy infringement would not be the only thing organizations would have to deal with if such changes were introduced, according to Munson.

"Business would always be concerned about the red tape involved. Are there forms to be filled out, are there inspectors coming around, how often are they to be filled out?" he said.

While a policy that would allow such openness in terms of government access to corporate data sounds "Big-Brotherish" to Munson, it also sounds to him like a bad idea for the Canadian economy as a whole.

"(It would be) a turn-off for international business, and a good reason for anybody not to set up a business here, because that sort of a law would be in place here and doubtless would not be set up in other countries."

Kossmann advised anyone concerned to offer their opinion to Ottawa.

Copyright © 1998 by Plesman Publications Ltd. All Rights Reserved. Reprinted with permission.