The e-Government Privacy/Security Continuum

Privacy and security issues have been hearty, if time-consuming, policy dishes at the dinner table of the Lac Carling Congress since its inception. They also figure in the menu of the Public Sector Chief Information Officers Council. Indeed many conferences and learned committees link privacy and security together, and with good reason. Though the two are very different, they have much in common.

But they are different. Listen to Brenda Watkins, co-ordinator of Authentication Services Policy in the Chief Information Officer Branch (CIOB) of Treasury Board Secretariat. Watkins, a long-time observer of the privacy/security continuum, says there has been “a tendency to lump privacy and security together. They are very distinct concepts, along with the related concept of confidentiality.

“Security is a process for enabling privacy, countering threats and risks to information whereas privacy is your right to control information about yourself. Security is an operational requirement that can help protect privacy. Unfortunately, things can also be done in the name of security that are not privacy friendly.

“It is important,” Watkins adds, “to differentiate between the two concepts because they can have differing or contradictory objectives. For example, monitoring and logging certain activities in intrusion detection to protect critical system components from being subverted can lead to recording and storing information. That could present an invasion of privacy.”

John Weigelt, director of ITS and PKI Policy at CIOB, clearly identifies the relationship between the two issues.

“What people see in common between privacy and security is the whole idea of confidentiality, making sure that only the intended people get to see the information that is required,” Weigelt says. “That is where some of the confusion comes from as well.

“The Canadian Standards Association Guidelines, the Personal Information Protection and Electronic Documents Act or the OECD Guidelines for Privacy that list 10 privacy principles include only one or two that relate directly to security. Security supports privacy, but privacy is so much more, providing choice, access, the ability for recourse and the ability to change personal information that extends to service delivery and business process.”

Privacy enhancing technology may or may not require special security features, Weigelt says. Simply asking someone to fill in a form may not necessarily require security measures.

“One of the 10 privacy principles is limiting the information that you collect. If you only collect the information you need, you may not need security. If you do use security technology, it must be used in a privacy friendly way. Different services require different degrees of confidence in those you are dealing with.

“If you are simply dealing with online publication of forms, you do not need to know who is receiving the form, but if you are providing benefits to individuals, you want to make sure that you know who is receiving the benefit.”

Watkins, agreeing that identification, certification and authentication are important privacy issues, notes that TBS has been focusing “primarily on Public Key Infrastructure – recognizing that there are privacy concerns in how PKI is implemented. While it can be negative for privacy, if you are aware of those concerns, architecture can be done in such a way as to respect privacy principles. PKI can become a privacy enhancing technology.”

A key consideration is the sharing of information, within, between and outside governments, not least because any one-stop shopping program requires communication and information sharing. Michael Turner, Assistant Deputy Minister, Government Telecommunications and Informatics Services at Public Works and Government Services Canada, does not underestimate the challenge.

“There are major impediments to sharing information electronically within governments, let alone between levels of government and between government and other sectors,” Turner says. “We have overcome the technological impediments in terms of sharing data and information between systems. What we have yet to address are the sociological realities, which have led to administrative and legal instruments that Canadians want to have in place to prevent unauthorized sharing of information.

“We will not overcome those challenges as a society by doing away with privacy – just the opposite. Technologies need to be developed and deployed in ways so as to allow people much more direct control over the information and how it is used or shared. Effectively, from a hand-held device or from the television in the living room, people could, in fact, at each step of a process of doing something with a government department, be asked to authorize sharing of information with another department or authorize a doctor to share files with an insurance company, for example. Making this an expressed and specific authorization would, in my view, help strengthen citizen confidence.

“Privacy can also be enhanced and protected by the new security technologies. In this sense, both public and private sectors are moving through three main phases,” Turner adds. “The first is access control and access management, the ability to actually access a system, sign on to it and use it. We have that pretty well in place in most places now. You cannot just walk up to a computer and use it. You have to have access permission to do so.

“The second is dealing with identification management, knowing that the person at the end of the line is who they claim to be. This is where most of the emphasis is now being placed by governments and private companies planning deployment of PKI infrastructure. The third is permission management. Once the person is identified, they can be permitted to carry out certain transactions, such as filing your tax return, but perhaps not others, such as filing for a benefit. The citizen gives permission on a transaction by transaction basis for the government or the private sector or perhaps authorizes a government agency to do something with their information. I expect that permission management will be the next big wave in the application of privacy and security technologies and Canada may well be on the leading edge in these areas.”

TBS is focusing on the policy instruments that will be needed. Says Brenda Watkins: “We are recommending that there should be a clear framework outlining what type of information is being collected, how it is being shared and for what purpose. An individual would be informed both up front and if there are any changes. That definitely includes express consent from the client.”

New federal privacy legislation “went very well,” Watkins says, “and there is interest in doing something similar for information that is required for delivering government services online. The permission basis of privacy technology will permit people to opt in as opposed to opting out. As long as people understand the implications of what they are accepting or granting access to, permission is clearly a privacy friendly approach. If there are options of information being shared across programs through government online on a permission basis, it will not be a default. It will be based on expressed and informed permission.”

John Weigelt outlines some of the other considerations government must take into account. “One-stop shopping is a privacy challenge. Privacy legislation does not permit omnibus consent. You cannot consent away your privacy. Consent cannot be provided to share information widely across government. It must be done explicitly. That means you may end up with a large checklist. For example, for a change of address, the individual can indicate which departments should receive the notice of change of address.

“Another concern is on the auditing side. If a transaction goes awry, it must be possible to trace it back to see which component failed. We are paying close attention to permissions, what people are allowed to do, what departments are allowed to do, and we are looking very closely at the privacy act and other legislation to see what programs can share information to provide broad horizontal services to individuals.”

Weigelt also notes a difference between permission for privileges, authentication for what one is authorized to do, and how one identifies oneself.

“We have done a requirements gathering exercise over the last six months, to determine what departments’ needs are for privilege management systems and to have the capability to investigate and deploy privilege management under our Secure Channel contract. We are starting to develop solutions for the permission side, making sure that the policies are there to support it.”

Weigelt adds that identity goes more than one way. “One could choose to have individual instances of your relationship with different programs. For example, there are a lot of online portals through Hotmail, Excite, Netscape, et cetera. You do not need to choose to use the same user name and password across all of them. You can choose to have different personas across those programs.

“Likewise in government, we are relying quite heavily on providing individuals with the choice of dealing with each department or even each program with an individual persona. This provides a choice for the individual beyond going either electronically or analogue.”

As Canadians become more accustomed to Government online, their attitude toward privacy and security policy may well change. Turner explains the cultural context:

“The issue of privacy very much depends on the sociological and cultural context of where you live. In North America, we are more concerned about these issues and the protection of privacy, therefore we have to use the technologies in ways that permit people control over their information.

“In most European countries, the context is different. There is much less reluctance to the notion of having an electronic ID. Most people already carry identification cards and are much less concerned about the sharing of information in government if it provides a better service for the citizen.”

Weigelt believes Canadians will adjust well to interacting with governments online. “As people start to use the system, and become familiar with the capabilities of the system, they may come up with different needs, desires or thoughts on what can and cannot be done. That can in turn affect the level of privacy desired. We see the whole environment of privacy and security technology as evolving very rapidly, perhaps the fastest evolving over the last eighteen months. What we need to do – and what we have been doing – is developing processes by which we can continually evolve service delivery and the standards necessary to address those needs.”