Interpretation or wishful thinking?
Legal protection from PKI needed
Too narrow boundaries for PKI Guidelines
Comments on specific Guidelines
Draft Guideline 1 - Agency Client Choice on the Use of PKI Applications
Draft Guideline 2 - Privacy Impact Assessments (PIAs)
Draft Guideline 3 - Identification of Agency Subscribers
Draft Guideline 4 - Aggregation of Personal Information
Draft Guideline 5 - Single or Multiple Certificates
Draft Guideline 6 - Subscriber Generation of Keys
Draft Guideline 7 - Security Awareness and Education
Draft Guideline 8 - Public Key Directories
Draft Guideline 9 - Directory checks
Draft Guideline 10 - Pseudonymity and Anonymity
This paper focuses on these fundamental questions, which may also be relevant to other Guidelines by the Commissioner. The Commissioner should address them in his final Guidelines.
(e) to prepare, and to publish in such manner as the Commissioner considers appropriate, guidelines for the avoidance of acts or practices of an agency or an organisation that may or might be interferences with the privacy of individuals or which may otherwise have any adverse effects on the privacy of individuals;
The final 'or' gives the Commissioner two bases on which to issue s27(1)(e) guidelines, but they are very different types of guidelines, as different as chalk and cheese.
Guidelines under the first limb of s27(1)(e), to avoid acts or practices 'that may or might be interferences with the privacy of individuals' refer in a very technical way to practices that may breach the Privacy Act 1988 (Cth) and lead to remedies by breaching the s14 Information Privacy Principles (IPPs) or, in the private sector context, the NPPs, or certain other legislative standards concerning TFNs, credit information etc[2]. Only 'an interference with the privacy of the individual' may be the subject of a complaint to the Commissioner under s36, or any of the remedies under the Act. Guidelines issued under this limb of s27(1)(e) are therefore the Commissioner's interpretations of what the IPPs or the NPPs require as a matter of law[3].
Guidelines under the second limb of s27(1)(e), to help avoid acts or practices 'which may otherwise have any adverse effects on the privacy of individuals', are in contrast merely the Commissioner's advice as to what he considers good practice. These guidelines do not interpret the law, do not give a guide as to which acts or practices might breach the law, and can address privacy issues where there is no legislation at all on the subject.
The problem is that the Commissioner simply proposes to issue the PKI Privacy Guidelines under s27(1)(e), without specifying whether any particular Guideline is made under the first or second limb[4]. He says the Guidelines are intended to give a 'clear indication of the factors the Privacy Commissioner would consider if investigating a complaint about the use of PKI by an agency'[5], which implies they are made under the first limb (interpretation of the IPPs). However, this is thrown into doubt by draft Guidelines such as Draft Guideline 2, which says that agencies should undertake a Privacy Impact Assessment (PIA) before implementing PKI. This is no doubt good policy and sensible advice (as allowed under the second limb of s27(1)(e)), but it is hard to see that the IPPs require PIAs as a matter of law.
Only one of the ten[6] Draft PKI Privacy Guidelines gives any indication of which one or more of the eleven IPPs it is meant to be a guideline to, suggesting they are not really guidelines to the IPPs at all.
This deficiency, which the Commissioner's Draft NPP Guidelines also share (but to a lesser degree)[7], makes it impossible to know what the Commissioner's guidelines are supposed to mean. Are they really his view of what the IPPs or NPPs mean as a matter of law (ie what the Courts will or would decide they mean)? Or are they merely his view of what would be good practice, perhaps in keeping with the spirit of the IPPs or NPPs? In short, are they a possible interpretation of the law, or wishful thinking? Their status as guidelines is ambiguous.
This is very important, not only for agencies or businesses that are deciding which of their practices must be changed, or for complainants trying to decide whether they should pursue their complaint. The interested public, and policymakers, who are trying to decide whether Australia's privacy laws provide sufficient protection or need amendment, will naturally turn to the Commissioner's various Guidelines for guidance. Failure by the Commissioner to distinguish between the first and second limbs of s27(1)(e) can easily give a very misleading impression that our laws are stronger than they really are.
In this case, what we most need to know is the Commissioner's view on the extent to which the s14 IPPs do in fact provide sufficient privacy protection in relation to the development of Public Key Infrastructure, and Project Gatekeeper in particular. In other words, we need guidelines under the first limb of s27(1)(e) so that we can see to what extent PKI is already under adequate legislative control. If the Commissioner then added some (clearly marked) 'good practice' guidelines under the second limb of s27(1)(e), those might have a valuable persuasive effect in convincing agencies to protect privacy even better.
The Draft PKI Guidelines are not adequate to meet these needs.
The Commissioner must not ignore the fact that Governments do set up surveillance systems ostensibly for one purpose, with promises of limited scope, and then expand them into other areas once the infrastructure is already in place and individuals are captured as participants in the system. 'Function creep' and 'the boiling frog syndrome' are now in common usage. The clearest example close to home is the Federal Labor government's breach of its explicit promises that the tax file number would only be used for tax purposes when it expropriated the TFN to use it as the basis of the data matching system for welfare, educational and other surveillance. Governments cannot and should not be trusted when it comes to personal information: that is why we have privacy laws and Privacy Commissioners.
The Draft PKI Privacy Guidelines recognise in principle[8] that freedom to choose whether to use PKI should be an 'essential element' of privacy protection. However, the Commissioner does not state that there is any existing legal protection against people being required to use digital signatures if government policy required their use, and he does not recommend the creation of any such legal right.
In the Australian political context the only worthwhile privacy protection (short of constitutional protection) is one that requires legislation passed by both houses of Federal Parliament to remove it.
Unlike the NPPs, the IPPs do not have any explicit 'Anonymity Principle' which could be used to found a legal requirement that government agencies do not require people to use digital signatures in their dealings with government. It is difficult to see how the Collection Principles (IPPs 1-3) could be interpreted to provide such protection, and the Commissioner does not explain how. Gatekeeper Guidelines, or Gatekeeper accreditation requirements are merely matters of government policy or contractual obligations imposed on suppliers, and can be changed overnight as a matter of government fiat. The dangers described above, and the need for a legislative guarantee against compulsory PKI, have been stressed regularly by Australian commentators since 1996[9], and pressed ad nauseam in Gatekeeper committee meetings by public interest representatives[10].
The Commissioner does not even consider the recommendation of legislation as one of the options before him in this PKI exercise[11]. The need for this has been raised at meetings prior to the Draft PKI Privacy Guidelines being issued[12].
Can the Commissioner recommend legislation? The Commissioner's explicit powers to make recommendations concerning the need for new legislation to protect privacy are stated in s27(1)(b):
(b) to examine (with or without a request from a Minister) a proposed enactment that would require or authorise acts or practices of an agency or organisation that might, in the absence of the enactment, be interferences with the privacy of individuals or which may otherwise have any adverse effects on the privacy of individuals and to ensure that any adverse effects of such proposed enactment on the privacy of individuals are minimised;
These powers only refer to recommendations being made in the context of 'a proposed enactment', and no proposed legislation concerning PKI is currently being considered by the Commissioner.
Nevertheless, it is well within the Commissioner's powers, when making Guidelines, to state that any Guidelines he makes will be of limited effect without legislative changes to address other matters that his Guidelines cannot touch. I suggest that it is also his responsibility to do so, because otherwise his Guidelines can give the misleading impression that he considers them adequate to deal with a problem when he knows they are not.
This is a rather narrow approach because many agencies will have such service provision contracts. It also ignores the fact that the same digital signatures are likely to be used by both private sector organisations and agencies, because of initiatives such as the cross-recognition of certificates between agencies and banks under the banks' Project Angus[14]. It is also the case that some agencies, particularly investigative agencies, will disrupt the normal 'trust frameworks' of digital signatures by exercising their powers to demand information (eg from CRLs), and some of those demands are controlled by the IPPs and NPPs (and are therefore subject to Guidelines by the Commissioner).
The Commissioner has powers to issue Guidelines which interpret the whole of the privacy protection currently available in relation to the issuing, use and trust frameworks of digital signatures, both in relation to agencies (IPP guidelines) and the private sector (NPP guidelines). While it is difficult for the Commissioner to cover everything at once, PKI is an area where Guidelines covering merely the use of digital signatures by agencies will give a false sense of security unless they are seen in the context of a full understanding of the privacy implications of the issuing of digital signatures and the trust frameworks in which they operate. The Commissioner should at the very least explain this limitation, and propose to issue further guidelines to complete the task.
If freedom of choice to use PKI is essential, why is there no need for it to have legislative guarantees?
The suggestion that 'This Guideline should prevent any development of a single certificate as a national identifier' is a valuable goal, but it needs to be backed up with an explanation of how the IPPs can require agencies to avoid such a development.
Why doesn't the Commissioner say that (if this is adopted) Gatekeeper should not proceed until there is a subscriber generation product on the Endorsed Products List?
The Guidelines should also be firmer that, when publication of directories is not necessary, it should not occur.
[1] Federal Privacy Commissioner (Australia) Privacy Issues in the Use of Public Key Infrastructure for Individuals and Possible Guidelines for Handling Privacy Issues in the Use of PKI for Individuals by Commonwealth agencies June 2001 (submissions closed 27 July 2001)
[2] See Privacy Act 1988 (Cth) Pt III Division 1--Interferences with privacy, particularly s13 (re IPPs) and s13A (re NPPs). Section 13F states 'An act or practice that is not covered by section 13 or section 13A is not an interference with the privacy of an individual'.
[3] The Commissioner may be cautious (or, as I have called it, 'robust') in that he may choose to issue Guidelines recommending 'best practices' in order to avoid any doubt whether a Guideline is sufficient to comply with an NPP. This is one way of looking at his 'robust' NPP Guidelines.
[4] Draft PKI Privacy Guidelines, Preface 'Possible Privacy Guidelines'
[5] Draft PKI Privacy Guidelines, Chapter 2
[6] Draft Guideline 3 - 'consistent with IPP 1'.
[7] See Greenleaf (2001) 8 PLPR 1
[8] Draft PKI Privacy Guidelines, Chapter 2, Introduction
[9] [add citations] Greenleaf and Clarke (1996); Greenleaf (1999); Clarke (2000). These papers are not included in the Commissioner's list of secondary sources (Draft PKI Privacy Guidelines, Appendix 9), and nor is anything else critical of PKI.
[10] Graham Greenleaf in 1998-99, Roger Clarke in 1999-2000, and Tim Dixon since 2001.
[11] Draft PKI Privacy Guidelines, Preface 'Possible Privacy Guidelines'
[12] Meeting between Privacy Commissioner and Privacy Advocates, May 2001
[13] Draft PKI Privacy Guidelines, Preface 'Possible Privacy Guidelines'
[14] [Add URL to NEAC documents on Angus]