Comments on Electronic Authentication: An Element of Canada’s Trust Agenda

Public Interest Advocacy Centre
1204 – 1 Nicholas Street
Ottawa, Ontario
K1N 7B7
Contact:
Angie Barrados, Researcher
barrados@web.net

General

To date, issuing authoritative forms of personal identification has been the exclusive prerogative of government. Similarly, it has been governments alone that have traditionally made rules about who can use infrastructure, particularly infrastructure that is important to its citizens’ standard of living. In public key infrastructure (PKI), it is proposed that private certification authorities (CAs) will both issue identification and potentially control access to the information highway. Implementing this proposal would transfer powers that have historically been the realm of governments to private entities. Electronic Authentication: An Element of Canada’s Trust Agenda does not acknowledge this fundamental shift in power, and does not meaningfully consider what it means for individual citizens.
The proposed transfer of traditionally public power to the private sector could have very important implications for individuals. For instance, it is quite possible that the main CAs will be major banks, and that the certificates they issue would be used by consumers to communicate with many other companies on-line. Banks will certainly want to limit who they issue certificates to; perhaps they will issue certificates only to consumers who keep a certain balance in their bank accounts. In this way, banks’ policies could become a limitation on who has access to the information highway. Those consumers who are disadvantaged by bank policies will have little power to change them. In contrast, when government limits access to certain benefits, such as determining who is permitted to drive, or to own a dog, it is democratically accountable for these limitations, and citizens can potentially change them through the democratic process.
The power imbalances between corporations, such as banks, and private individuals are immense, and for this reason, governments set ground rules for how corporations must deal with individuals in the private sector. There are, as yet, few ground rules for the transactions between individuals and CAs. CAs may well be part of or associated with established corporate interests. How individuals’ interests will be protected in a digital environment dominated by corporate interests is a very important issue, but the discussion paper does not address it.
The goals of the proposed approach to authentication services focus on the need to build up trust in authentication schemes, and the need to ensure that businesses are not subject to conflicting requirements. What the discussion paper does not state is that individuals will only trust authentication schemes if their rights to privacy and consumer protection are respected in the context of authentication. The discussion paper does not deal with how either privacy rights, or consumer rights embodied in hard-won consumer protection rules, would be protected in this context. For instance, the discussion paper does not deal with the danger that certificates could become universal identifiers, and the privacy implications of this. Also, it does not consider the consumer protections embodied in physical signatures, and how to maintain these for digital signatures. Nor does it mention the goal of ensuring universal access to important public infrastructure, a longstanding Canadian value in many fields.
The protection of individual rights in the context of digital authentication has not been fully covered by other government initiatives related to the information highway. The Personal Information and Electronic Documents Act will likely apply to CAs, and be important for ensuring that CAs follow good data protection practices. However, the new law will not determine whether PKI overall is privacy-respectful or privacy-invasive. Also, the consumer protection issues raised by setting up CAs go far beyond the Principles of Consumer Protection for Electronic Commerce. These principles address the relationship between retailers and customers, not the one between individuals and CAs.
Ensuring that privacy is protected, consumer protection rules are maintained and that universal access to new digital systems is promoted should be the most important of the government’s goals in developing PKI.
It is hard to know what the future digital world will be like, but it is clear that the potential widespread introduction of public key digital authentication systems raises many new concerns for individuals that have not previously been encountered. These new concerns should be better understood, and taken into account as PKI is developed. Our preliminary understanding of the major concerns for individual consumers is provided below(1). However, it is clear to us that far more work needs to be done to study some of the emerging issues in this area.

Certification Authority Power

The discussion paper mentions that CAs will potentially assume powerful social roles but does not explore the implications of this. CAs could have a great deal of power over individuals by virtue of their function in issuing/withholding certificates, and revoking certificates. In particular, a CA will probably be able to record everyone with whom an individual transacts using a particular digital signature(2). In creating PKI, careful attention needs to be paid to limiting the power of CAs, both through the structure of the system, and through consumer protection rules. In terms of PKI structure, the following factors will determine the extent of CAs’ power over individuals:

  • whether individuals must obtain a certificate in order to engage in important or essential transactions;
  • whether individuals have a choice as to which CA they deal with;
  • whether CAs create a diversity of services that respond to consumers’ needs;
  • whether eligibility requirements for certificates are determined by the certificate authority, or are regulated in some way;
  • whether identification requirements and criteria used to judge applications for certificates are publicly disclosed.

In terms of consumer protection, the most important rules will involve assigning liability to parties in a transaction. This is especially true in the area of security and potential misuse of certificates. Only if CAs bear the liability for misuse of certificates will they have the incentive to take all possible precautions against such misuse. This assignment of liability would be analogous to the liability banks have for misuse of ATM cards. Banks bear the liability for misuse of ATM cards provided customers take reasonable security precautions, so they use good security methods at ATMs.
Consumers will also potentially need protection from unreasonable restrictions in obtaining certificates, and from being pressured to obtain certificates with privacy-invasive features. In the future, consumers may be pressured to obtain certain certificates in a number of ways: important or essential transactions may require a certain certificate, there may be mandated use of certificates, and/or there may be cost differentials among certificates (with privacy-respecting certificates being unaffordable for some consumers). Certificates will be more privacy invasive if they identify someone by a universal or near-universal identifier (which facilitates data matching), and if they disclose personal information in the certificate itself.

Competition

On several occasions, the discussion paper repeats the following statement:
There are compelling arguments to allow the market, through its competitive forces, to determine how CAs and their services will evolve.
Yet, there is little evidence that competition alone will produce good outcomes for consumers. CA services would form part of the infrastructure for the information highway; competition to provide CA services would therefore be analogous to competition for the provision of other utility services. Competitive utility markets usually benefit business more than individual consumers, and often suffer from weak competition(3). Even in utility markets in which workable competition develops, an array of regulatory safeguards is still required to protect consumers. Careful thought needs to be given to how real competition could be fostered among CAs, and to the limitations of market forces in providing full protection for consumers. This is especially true if CA functions are taken on by companies, such as banks, that already dominate other retail markets.

Will PKI be Privacy Respecting or Privacy Invading?

The development of electronic systems that use public key authentication could lead to unprecedented centralization of individuals’ personal information, both in the hands of those that run the systems, and in hands of CAs. In this context, there are two main ways to make sure that PKI does not become an instrument for privacy invasion:

  • Ensure that CAs have good information management practices (i.e. that they conform to the Personal Information and Electronic Documents Act);
  • Ensure that individuals maintain control over their personal information.

Ensuring that individuals maintain control over their personal information is the most important way of protecting individuals’ privacy. Individual control over personal information could be maintained in the context of PKI by:

  • Providing consumers with adequate information to be able to choose amongst service providers;
  • Ensuring that consumers are not forced to opt into using digital signatures and the like, but can opt in when they have confidence that the system offers adequate consumer protection;
  • Setting up the system so that individuals will tend to have a number of certificates for different purposes rather than one multipurpose one. If it becomes the norm to use a digital signature for all transactions, that signature would become a de facto universal identifier, and there would be a very real potential for privacy-invasive data matching;
  • De-linking identification from authentication. To protect individuals’ privacy, individuals should only be identified in digital transactions when it is necessary to do so. This will require the development of blind signatures, or signatures that convey eligibility or attributes rather than identity.

Principles

Principles for the development of authentication services in Canada should address the issues of limiting CA power and designing a privacy-respectful PKI. To develop the principles, there needs to be a broader discussion that includes more public input, and that clearly addresses the ways that widespread use of digital authentication will change the way in which many consumer transactions are conducted. Clearly there is a need for a “balanced and neutral process” in establishing the principles, but public sector involvement should not be limited to facilitating the process. Government should also ensure that individuals’ rights are adequately protected in any principles and standards generated by the process. In other words, the government should be preparing for its role as the “competent authority” (regulator) of PKI.
The principles should not focus on the use of authentication for identity purposes as the discussion paper suggests, since this type of authentication is potentially the most privacy invasive. Instead, the principles should reflect a balance between the need for consumers to identify themselves in digital transactions and the need of consumers to control their personal information. The principles should ensure that PKI allows consumers to obtain certificates that do not identify them, and that consumers are not forced to identify themselves unnecessarily.
The concept of CAs cooperatively registering users as suggested in the discussion paper needs to be treated with caution. Cooperative registration would centralize personal information more than a system in which CAs have separate registration systems. This kind of centralization increases potential privacy concerns. Also, such cooperative registering suggests a system in which individuals would have one certificate for all purposes. As mentioned above, a “one certificate” system is more privacy invasive than a system that allows for many certificates to be used for different purposes.

Standards

If standards are to be developed to operationalize the principles, common standards should apply to all CAs that deal with individual consumers. Ideally, regulated standard contracts between CAs and consumers would be developed. The distinction between open and closed models would appear to be more relevant for business-to-business transactions than business-to-consumer transactions. Individual consumers always face a power imbalance in dealing with major corporations and thus need some protection whether the model is open or closed.
Standards are only effective if they include an adequate compliance component. A recent Industry Canada sponsored publication stated this quite clearly:
For fairness and credibility, the parties themselves and the greater affected community must have information about the state of compliance with code provisions and how non-compliance is being addressed. The code’s information-related provisions should include some combination of self-reporting obligations for adherents, powers of monitoring, compliance verification or auditing, impact assessments and the ability to publicize data on compliance or non-compliance(4).

Government PKI

Public key authentication could become very important for government services delivery in the future. The computerization of health records, for instance, may require public key methods of authentication. In fact, large-scale use of public key authentication may emerge for government services before it does in private sector e-commerce, given the preponderant use of credit cards in the latter (since consumers will have little reason to acquire digital signatures if they can use credit cards). Therefore, the government should consider developing CA standards for CAs involved in citizen-to-government transactions, which could then be used as a model for private-sector PKI.

Raising Consumer Awareness and Use

The questions posed by the discussion paper on how to promote the use of “strong” authentication techniques among individual users are premature, since it is far from clear that public key authentication will actually benefit individual consumers. Public key authentication can only be meaningfully promoted to consumers in the context of some assurance that the new systems will not be privacy invasive, and will not involve significant new liabilities for consumers.

Next Steps

More work needs to be done to study the implications of large-scale use of public key authentication in consumer-to-business and citizen-to-government transactions. How individual interests will be affected by implementation of public key authentication needs to be well understood before principles for authentication are developed. Also, there is a need to develop a clear, non-technical explanation of digital authentication and PKI so that a wider audience can participate in discussions about it.
1. Our paper Digital Authentication and Consumers’ Privacy provides more commentary on this subject based on the proceedings of the Tenth Conference on Computers, Freedom and Privacy held in Toronto from April 4-7, 2000. It is available on our web site at www.piac.ca.
2. This potential arises from the CA’s management of the revocation lists. Anyone relying on digital signatures would have to check the revocation list each time they accept a signature. In the process of checking the revocation list, a data trail would be created that would show every inquiry about a particular certificate.
3. See PIAC’s paper on residential long distance service, Still A Long Distance to Go, or our paper on energy deregulation, Utility Shopping: Are Consumers Ready?
4. Government of Canada, Voluntary Codes: A Guide for Their Development and Use, March, p.22.
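The data trail described in footnote 2 depends on how relying parties check revocation. The toy model below, added here and not part of the PIAC submission, contrasts a per-certificate status query (which lets the CA log every counterparty that asks about a given certificate) with downloading the complete revocation list and checking it locally (which tells the CA only that a list was fetched); the merchant names and serial numbers are constructed.

```python
from collections import Counter

# Constructed scenario (not from the PIAC paper): the consumer's certificate,
# serial 1001, signs transactions with several merchants; 2002 is someone else's.
CONSUMER_SERIAL = 1001
REVOKED_SERIALS = {2002, 3003}
TRANSACTIONS = [("bookshop", 1001), ("pharmacy", 1001), ("bookshop", 1001),
                ("clinic", 1001), ("pharmacy", 2002)]

class CertificationAuthority:
    """Toy CA that answers revocation questions and logs what it is asked."""
    def __init__(self, revoked):
        self.revoked = frozenset(revoked)
        self.status_log = []  # (relying_party, serial) from per-certificate queries
        self.crl_log = []     # relying_party only, from full-list downloads

    def query_status(self, relying_party, serial):
        # Online per-certificate check: the CA learns who is asking about whom.
        self.status_log.append((relying_party, serial))
        return serial not in self.revoked

    def download_crl(self, relying_party):
        # Full-list download: the CA learns only that a list was fetched.
        self.crl_log.append(relying_party)
        return self.revoked

    def trail_for(self, serial):
        """Counterparties (and query counts) the CA can reconstruct for one certificate."""
        return dict(Counter(party for party, s in self.status_log if s == serial))

def run_transactions(ca, per_certificate_checks):
    """Each merchant checks revocation one of two ways; returns the accept decisions."""
    accepted = []
    for merchant, serial in TRANSACTIONS:
        if per_certificate_checks:
            ok = ca.query_status(merchant, serial)
        else:
            ok = serial not in ca.download_crl(merchant)
        accepted.append(ok)
    return accepted

def compare_trails():
    """Trail held by the CA for the consumer's certificate under each scheme."""
    online = CertificationAuthority(REVOKED_SERIALS)
    offline = CertificationAuthority(REVOKED_SERIALS)
    run_transactions(online, per_certificate_checks=True)
    run_transactions(offline, per_certificate_checks=False)
    return online.trail_for(CONSUMER_SERIAL), offline.trail_for(CONSUMER_SERIAL)
```

Both schemes reject the same revoked certificate; only the per-certificate scheme leaves the CA holding the consumer's list of counterparties.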