Commissioner misleads by avoiding hard questions on PKI

Graham Greenleaf[*]
27 July 2001
Submission to the Federal Privacy Commissioner
DRAFT article for Privacy Law & Policy Reporter
  • Interpretation or wishful thinking?
  • Legal protection from PKI needed
  • Too narrow boundaries for PKI Guidelines
  • Comments on specific Guidelines
  • Draft Guideline 1 - Agency Client Choice on the Use of PKI Applications
  • Draft Guideline 2 - Privacy Impact Assessments (PIAs)
  • Draft Guideline 3 - Identification of Agency Subscribers
  • Draft Guideline 4 - Aggregation of Personal Information
  • Draft Guideline 5 - Single or Multiple Certificates
  • Draft Guideline 6 - Subscriber Generation of Keys
  • Draft Guideline 7 - Security Awareness and Education
  • Draft Guideline 8 - Public Key Directories
  • Draft Guideline 9 - Directory checks
  • Draft Guideline 10 - Pseudonymity and Anonymity

    The Australian Federal Privacy Commissioner's draft Guidelines on the privacy implications for individuals of Public Key Infrastructure ('Draft PKI Privacy Guidelines')[1] contain many pro-privacy sentiments and useful suggestions toward privacy protection in the ten Guidelines. However, they are flawed structurally because the status of the proposed Guidelines in relation to legal obligations remains ambiguous, because they are unrealistically narrow in scope, and because the question of whether Guidelines alone could be sufficient is not addressed. They may be more dangerous than valuable if these matters are not addressed in the final version, because they will give people a false sense of security about the extent of legal protection of privacy in PKI.

     This paper focuses on these fundamental questions, which may also be relevant to other Guidelines by the Commissioner. The Commissioner should address them in his final Guidelines.

    Interpretation or wishful thinking?

    The core of the problem lies in the fact that the Commissioner will issue the Guidelines under s27(1)(e) of the Act, which allows the Privacy Commissioner:
    (e) to prepare, and to publish in such manner as the Commissioner considers appropriate, guidelines for the avoidance of acts or practices of an agency or an organisation that may or might be interferences with the privacy of individuals or which may otherwise have any adverse effects on the privacy of individuals;
    The final 'or' gives the Commissioner two bases on which to issue s27(1)(e) guidelines, but they are very different types of guidelines, as different as chalk and cheese.

    Guidelines under the first limb of s27(1)(e), to avoid acts or practices 'that may or might be interferences with the privacy of individuals', refer in a technical sense to practices that may breach the Privacy Act 1988 (Cth), and so attract its remedies, by breaching the s14 Information Privacy Principles (IPPs) or, in the private sector context, the NPPs, or certain other legislative standards concerning TFNs, credit information etc[2]. Only 'an interference with the privacy of the individual' may be the subject of a complaint to the Commissioner under s36, or of any of the remedies under the Act. Guidelines issued under this limb of s27(1)(e) are therefore the Commissioner's interpretations of what the IPPs or the NPPs require as a matter of law[3].

     Guidelines under the second limb of s27(1)(e), to help avoid acts or practices 'which may otherwise have any adverse effects on the privacy of individuals', are in contrast merely the Commissioner's advice as to what he considers good practice. These guidelines do not interpret the law, do not give a guide as to which acts or practices might breach the law, and can address privacy issues where there is no legislation at all on the subject.

     The problem is that the Commissioner simply proposes to issue the PKI Privacy Guidelines under s27(1)(e), without specifying whether any particular Guideline is made under the first or second limb[4]. He says the Guidelines are intended to give a 'clear indication of the factors the Privacy Commissioner would consider if investigating a complaint about the use of PKI by an agency'[5], which implies they are made under the first limb (interpretation of the IPPs). However, this is thrown into doubt by draft Guidelines such as Draft Guideline 2, which says that agencies should undertake a Privacy Impact Assessment (PIA) before implementing PKI. This is no doubt good policy and sensible advice (as allowed under the second limb of s27(1)(e)), but it is hard to see that the IPPs require PIAs as a matter of law.

     Only one of the ten Draft PKI Privacy Guidelines[6] gives any indication as to which of the eleven IPPs it is a guideline to, suggesting they are not really guidelines to the IPPs at all.

     This deficiency, which the Commissioner's Draft NPP Guidelines also share (but to a lesser degree)[7], makes it impossible to know what the Commissioner's guidelines are supposed to mean. Are they really his view of what the IPPs or NPPs mean as a matter of law (ie what the Courts will or would decide they mean)? Or are they merely his view of what would be good practice, perhaps in keeping with the spirit of the IPPs or NPPs? In short, are they a possible interpretation of the law, or wishful thinking? Their status as guidelines is ambiguous.

     This is very important, not only for agencies or businesses that are deciding which of their practices must be changed, or complainants trying to decide whether they should pursue their complaint. The interested public, and policymakers, who are trying to decide whether Australia's privacy laws provide sufficient protection or need amendment, will naturally turn to the Commissioner's various Guidelines for guidance. Failure by the Commissioner to distinguish between the first and second limbs of s27(1)(e) can easily give a very misleading impression that our laws are stronger than is the reality.

     In this case, what we most need to know is the Commissioner's view on the extent to which the s14 IPPs do in fact provide sufficient privacy protection in relation to the development of Public Key Infrastructure, and Project Gatekeeper in particular. In other words, we need guidelines under the first limb of s27(1)(e) so that we can see to what extent PKI is already under adequate legislative control. If the Commissioner then added some (clearly marked) 'good practice' guidelines under the second limb of s27(1)(e), they may have a valuable persuasive effect in convincing agencies to protect privacy even better.

    The Draft PKI Guidelines are not adequate to meet these needs.

    Legal protection from PKI needed

    One of the legitimate fears that people have about PKI is that they will be required increasingly to use digital signatures to verify their identity. If such requirements become routine, and people are able (or required, either de jure or de facto) to use the same digital signatures in dealings with numerous agencies and with private sector bodies, then a digital signature could come to resemble a cyberspace ID card.

    The Commissioner must not ignore the fact that Governments do set up surveillance systems ostensibly for one purpose, with promises of limited scope, and then expand them into other areas once the infrastructure is already in place and individuals are captured as participants in the system. 'Function creep' and 'the boiling frog syndrome' are now in common usage. The clearest example close to home is the Federal Labor government's breach of its explicit promises that the tax file number would only be used for tax purposes when it expropriated the TFN to use it as the basis of the data matching system for welfare, educational and other surveillance. Governments cannot and should not be trusted when it comes to personal information: that is why we have privacy laws and Privacy Commissioners.

     The Draft PKI Privacy Guidelines recognise in principle[8] that freedom to choose whether to use PKI should be an 'essential element' of privacy protection. However, the Commissioner does not state that there is any existing legal protection against people being required to use digital signatures if government policy required their use, and he does not recommend the creation of any such legal right.

    In the Australian political context the only worthwhile privacy protection (short of constitutional protection) is one that requires legislation passed by both houses of Federal Parliament to remove it.

     Unlike the NPPs, the IPPs do not have any explicit 'Anonymity Principle' which could be used to found a legal requirement that government agencies do not require people to use digital signatures in their dealings with government. It is difficult to see how the Collection Principles (IPPs 1-3) could be interpreted to provide such protection, and the Commissioner does not explain how. Gatekeeper Guidelines, or Gatekeeper accreditation requirements are merely matters of government policy or contractual obligations imposed on suppliers, and can be changed overnight as a matter of government fiat. The dangers described above, and the need for a legislative guarantee against compulsory PKI, have been stressed regularly by Australian commentators since 1996[9], and pressed ad nauseam in Gatekeeper committee meetings by public interest representatives[10].

    The Commissioner does not even consider the recommendation of legislation as one of the options before him in this PKI exercise[11]. The need for this has been raised at meetings prior to the Draft PKI Privacy Guidelines being issued[12].

    Can the Commissioner recommend legislation? The Commissioner's explicit powers to make recommendations concerning the need for new legislation to protect privacy are stated in s27(1)(b):

    (b) to examine (with or without a request from a Minister) a proposed enactment that would require or authorise acts or practices of an agency or organisation that might, in the absence of the enactment, be interferences with the privacy of individuals or which may otherwise have any adverse effects on the privacy of individuals and to ensure that any adverse effects of such proposed enactment on the privacy of individuals are minimised;
    These powers only refer to recommendations being made in the context of 'a proposed enactment', and no proposed legislation concerning PKI is currently being considered by the Commissioner.

     Nevertheless, it is well within the Commissioner's power, in making Guidelines, to state that any Guidelines he makes will be of limited effect without legislative changes to address other matters that his Guidelines cannot touch. I suggest that it is also his responsibility to do so, because otherwise his Guidelines can give the misleading impression that he considers them adequate to deal with a problem when he knows they are not.

    Too narrow boundaries for PKI Guidelines

    The Draft PKI Guidelines focus only on the use of digital signatures by agencies, and not on 'the application and registration processes for digital certificates and the associated trust framework including public key directories and Certificate Revocation Lists'. This is because, the Commissioner says[13], agencies will only be involved in these latter two areas where they act as CAs or RAs, or have a service provision contract with a CA or RA.

    This is a rather narrow approach because many agencies will have such service provision contracts. It also ignores the fact that the same digital signatures are likely to be used by both private sector organisations and agencies, because of initiatives such as the cross-recognition of certificates between agencies and banks under the banks' Project Angus[14]. It is also the case that some agencies, particularly investigative agencies, will disrupt the normal 'trust frameworks' of digital signatures by the exercise of their powers to demand information (eg from CRLs), some of which demands are controlled by the IPPs and NPPs (and therefore subject to Guidelines by the Commissioner).

    The Commissioner has powers to issue Guidelines which interpret the whole of the privacy protection currently available in relation to issuing, use and trust frameworks of digital signatures, both in relation to agencies (IPP guidelines) and the private sector (NPP guidelines). While it is difficult for the Commissioner to cover everything at once, PKI is an area where the value of Guidelines merely for use of digital signatures by agencies will give a false sense of security unless they are seen in the context of a full understanding of the privacy implications of the issue of digital signatures and the trust frameworks in which they operate. The Commissioner should at the very least explain this limitation, and propose to issue further guidelines to complete the task.

    Comments on specific Guidelines

    These brief comments assume the more fundamental criticisms above.

    Draft Guideline 1 - Agency Client Choice on the Use of PKI Applications

    Although the Commissioner says that 'This Guideline will ensure that agency clients would have a choice over whether to use PKI for their online transactions' and is very strong in supporting this as an 'essential element' of privacy protection, the fact is that this Guideline alone will do nothing. No explanation is given as to how this Guideline could possibly be supportable as an interpretation of the collection principles in the IPPs (which seems the only possible, if completely unlikely, basis of support).

     If freedom of choice to use PKI is essential, why is there no need for it to have legislative guarantees?

    Draft Guideline 2 - Privacy Impact Assessments (PIAs)

    Good policy, but hard to see it has any legislative support.

    Draft Guideline 3 - Identification of Agency Subscribers

    It is hard to see how 'an appropriate level [of identification can] be left entirely to each agency' given IPPs 1-3 requiring minimum collection.

    Draft Guideline 4 - Aggregation of Personal Information

    This valuable prohibition can probably be justified under the IPPs, but this needs explanation.

    Draft Guideline 5 - Single or Multiple Certificates

    Good policy, and if the IPPs justify this requirement, then in some cases this may override an agency's own EOI requirements (if they are excessive) or 'Gatekeeper standards' (if they are excessive). The unresolved question, as usual, is what do the IPPs require?

     The suggestion that 'This Guideline should prevent any development of a single certificate as a national identifier' is a valuable goal, but needs to be backed up with explanation of how the IPPs can require agencies to avoid such a development.

    Draft Guideline 6 - Subscriber Generation of Keys

    When is subscriber generation of keys 'possible and appropriate'? This is what we need guidelines to tell us.

     Why doesn't the Commissioner say that (if this is adopted) Gatekeeper should not proceed until there is a subscriber generation product on the Endorsed Products List?

    Draft Guideline 7 - Security Awareness and Education

    It is not enough for the Commissioner to say that 'subscriber agreements should specify who bears the privacy risk' as this gives agencies all control over risk allocation. The Commissioner's job is to define fair risk allocation in relation to privacy.

    Draft Guideline 8 - Public Key Directories

    The Commissioner should consider opt-in not just opt-out by consumers in relation to publication, and at least explain why opt-out is appropriate here.

     Guidelines should also be firmer that when publication of directories is not necessary, it should not occur.

    Draft Guideline 9 - Directory checks

    This Guideline merely poses the question, whereas it should give the answer (in general terms) as to when 'logging is required for system maintenance or evidentiary purposes'.

    Draft Guideline 10 - Pseudonymity and Anonymity

    Similarly, this Guideline merely poses the question, rather than giving some general guidance as to when it is 'appropriate' for agencies to provide pseudonymous or anonymous means of PKI.

    [*] Distinguished Visiting Professor, University of Hong Kong Faculty of Law; Co-Director, Baker & McKenzie Cyberspace Law & Policy Centre (UNSW)

    [1] Federal Privacy Commissioner (Australia) Privacy Issues in the Use of Public Key Infrastructure for Individuals and Possible Guidelines for Handling Privacy Issues in the Use of PKI for Individuals by Commonwealth agencies June 2001 (submissions closed 27 July 2001)

    [2] See Privacy Act 1988 (Cth) Pt III Division 1--Interferences with privacy, particularly s13 (re IPPs) and s13A (re NPPs). Section 13F states 'An act or practice that is not covered by section 13 or section 13A is not an interference with the privacy of an individual'.

    [3] The Commissioner may be cautious (or, as I have called it, 'robust') in that he may choose to issue Guidelines recommending 'best practices' in order to avoid any doubt whether a Guideline is sufficient to comply with a NPP. This is one way of looking at his 'robust' NPP Guidelines.

    [4] Draft PKI Privacy Guidelines, Preface 'Possible Privacy Guidelines'

    [5] Draft PKI Privacy Guidelines, Chapter 2

    [6] Draft Guidelines 3 - 'consistent with IPP 1'.

    [7] See Greenleaf (2001) 8 PLPR 1

    [8] Draft PKI Privacy Guidelines, Chapter 2, Introduction

    [9] [add citations] Greenleaf and Clarke (1996); Greenleaf (1999); Clarke (2000). These papers are not included in the Commissioner's list of secondary sources (Draft PKI Privacy Guidelines, Appendix 9), and nor is anything else critical of PKI.

    [10] Graham Greenleaf in 1998-99, Roger Clarke in 1999-2000, and Tim Dixon since 2001.

    [11] Draft PKI Privacy Guidelines, Preface 'Possible Privacy Guidelines'

    [12] Meeting between Privacy Commissioner and Privacy Advocates, May 2001

    [13] Draft PKI Privacy Guidelines, Preface 'Possible Privacy Guidelines'

    [14] [Add URL to NEAC documents on Angus]