Panelists call for balance

Security and privacy are often viewed as existing in a zero sum state, with the increase of one coming at the expense of the other – but panelists at the recent Comdex Canada show in Toronto agreed that there is nothing intrinsic to the two that makes them mutually exclusive.

The reality is that you can’t have one without the other, said David Troy, senior project manager of the access control solutions division with EDS Corp. in Washington, D.C.

After 9/11 there was a knee jerk reaction by politicians and the public, said Stephanie Perrin, chief privacy officer with Zero Knowledge Systems Inc. in Montreal. People were willing to give up their privacy for security. They didn’t care about their privacy as long as the terrorists were caught, she said.

“When the flag of national emergency is waved…most citizens in most countries would support invasion of privacy for security,” said George Tomko, chairman of Photonics Research Ontario in Toronto. He spoke at the Canadian National Summit on Biometrics Technology held in Toronto shortly after Comdex.

The U.S. experience aside, Canadians have to start taking the issues of privacy and security more seriously and to educate themselves about the relationship between the two, the panelists said.

“We have to change the paradigm,” said Ann Cavoukian, Privacy Commissioner of Ontario, referring to the view that privacy and security hinder each other.

The storage and access of biometrics data is particularly problematic issue. Unlike PIN and credit card numbers, compromised fingerprints can’t be changed.

One way for privacy and security to work in tandem is for individuals, rather than government agencies or companies, to manage their own biometrics information by storing it on a smart card. A fingerprint reader would be used only toverify that the print scanned agrees with the one on the card.

This way, the scanner is not accessing a database and updating information about you and your whereabouts, said Colin Soutar, CTO of Mississauga, Ont.-based Bioscrypt Inc.

Tomko sees taking biometrics a step further by using fingerprints to encrypt PINs and other data. The fingerprint would be the private key in a public-key infrastructure solution, and the only one with access to the private key would be the individual. Stored data would be unique encrypted PINs, not algorithms of fingerprints.

“With this solution, breaking the encryption is a security issue not a privacy issue,” he said.

But since security strategies are generally out of the hands of the average IT professional, a great deal of the Comdex panel discussion focused on privacy.

In a lively debate, the participants, ranging from privacy advocates to government employees, put the brunt of guaranteeing privacy squarely on the shoulders of individual Canadians. In essence, they agreed that it’s everyone’s job to ensure privacy is protected by controlling the dissemination of personal information.

“Citizens will have to look out for themselves,” said Robert Stevens, ITS chief of staff with the Communications Security Establishment in Ottawa. His federal agency reports to the Minister of National Defence. “There is only so much we (the government) can do.”

Canadians, as it was pointed out on more than one occasion, are willing to give out personal information in order to get something for free. At Comdex, hundreds of attendees willingly let technology vendors swipe their conference badges (full of personal and professional data), often for nothing more in return than a pen.

Peter Hope-Tindall agrees there is a need for Canadians to pay a lot more attention to who gets their personal information. The chief privacy architect with dataPrivacy Partners Ltd., in Oakville, Ont., cited the case of club-goers letting bouncers swipe their driver’s licence, and in doing so giving away their anonymity.

Glen McLeod is doing his part. An IT manager based in Ottawa, he insures that little of his personal information is gathered. He belongs to no loyalty programs and tries to pay for purchases in cash, whenever possible.

Canadians who are worried about the erosion of privacy should note that silence is often perceived as consent, the panelists said. Perrin asked the Comdex audience how many people had written their MP with concerns about privacy. Of the thousand or so in attendance, not a hand was raised.