<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>CIPP Guide</title>
	<atom:link href="http://www.cippguide.org/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.cippguide.org</link>
	<description>Your Guide to the CIPP</description>
	<lastBuildDate>Tue, 31 Aug 2010 12:00:01 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0.1</generator>
		<item>
		<title>Identity Management and National ID Cards</title>
		<link>http://www.cippguide.org/2010/08/31/identity-management-and-national-id-cards/</link>
		<comments>http://www.cippguide.org/2010/08/31/identity-management-and-national-id-cards/#comments</comments>
		<pubDate>Tue, 31 Aug 2010 12:00:01 +0000</pubDate>
		<dc:creator>hannah</dc:creator>
				<category><![CDATA[CIPP]]></category>
		<category><![CDATA[Compliance & Regulations]]></category>
		<category><![CDATA[Authentication]]></category>
		<category><![CDATA[CIPP/C]]></category>
		<category><![CDATA[identity]]></category>
		<category><![CDATA[National ID]]></category>
		<category><![CDATA[Office of the Privacy Commissioner]]></category>
		<category><![CDATA[OPC]]></category>

		<guid isPermaLink="false">http://www.cippguide.com/?p=1932</guid>
		<description><![CDATA[According to the OPC (Office of the Privacy Commissioner), the concept of identity is defined simply as how a person is known, either by other people, or by an organization. An individual’s identity is a distinguishing set of information that may vary from context to context. For instance, family and friends may identify a person by certain traits; an employer might identify a person by role, skill or position; and a service provider might identify a person by a unique identification number. This article examines identity concepts and identity management systems that citizens come in contact with on a daily basis, as well as the possibility of a national identity [...]]]></description>
			<content:encoded><![CDATA[<p>According to the <a href="http://www.cippguide.com/2010/06/03/privacy-commissioner-of-canada/" target="_blank">OPC</a> (Office of the Privacy Commissioner), the concept of identity is defined simply as how a person is known, either by other people, or by an organization. An individual’s identity is a distinguishing set of information that may vary from context to context. For instance, family and friends may identify a person by certain traits; an employer might identify a person by role, skill or position; and a service provider might identify a person by a unique identification number. This article examines identity concepts and identity management systems that citizens come in contact with on a daily basis, as well as the possibility of a national identity card.</p>
<h2>Identification</h2>
<p>Identity is an important issue for citizens and governments, as well as private sector organizations and individuals. It is important for organizations to identify individuals so that they can provide appropriate services, track individuals’ histories (e.g. health history, previous purchases) or target new services to specific individuals. Whether it is a public or private service organization, <a href="http://www.cippguide.org/tag/dhs/">individual profiling</a> is a <a href="http://www.cippguide.org/tag/national-id/">growing trend</a>.</p>
<p>Identity is formed through the combination of disparate attribute information, which can include:</p>
<ul>
<li>How an individual is known to other individuals (e.g. name, appearance, membership in a group)</li>
<li>How an individual is known to an employer (e.g. full name, employee identification number)</li>
<li>How an individual is known to the government (e.g. name, SIN/Social Insurance Number, health card number)</li>
</ul>
<p>Some attributes are unique identifiers: no two people share the same SIN or health card number. Most attributes, however, are context-dependent. An attribute that serves as an identifier in one social sphere may have no meaning, or may not be unique, in another. A person’s full name may be a unique identifier in his/her workplace, but not in his/her city, where a number of other people may share that name.</p>
<p>Constant identification limits individual privacy and creates an <a href="http://www.cippguide.org/2009/06/17/big-brother-in-little-carolina-city-wants-surveillance-cameras-catching-every-cars-plate/">environment of surveillance</a> and monitoring of activities. One important component of privacy is the ability to carry out daily activities anonymously. Another threat to privacy takes place when there are inappropriate or inadequate safeguards for personal information. Lack of security may facilitate <a href="http://www.cippguide.org/tag/identity-theft/">identity theft</a> and impersonation.</p>
<h2>Identity Systems Management</h2>
<p>A well-structured and responsibly managed identity system can reinforce and defend privacy rights. An identity system recognizes the necessity of effective identification mechanisms in order to fulfill the goals of government and businesses, while still upholding the privacy rights of individuals. Identity management refers to the concept of managing any personally identifying information throughout its lifecycle. For instance, this might involve the passing of attribute data, or the identification of an individual. Identity systems became a significant issue for discussion, especially in terms of improving security after the attacks of September 11, 2001.</p>
<p>The OPC, along with the National Academy of Science of the United States, has suggested a list of criteria that must be well defined before the introduction of new identity systems:</p>
<ul>
<li>System purpose</li>
<li>Scope of population affected by the system</li>
<li>Means of identity <a href="http://www.cippguide.org/tag/authentication/">authentication</a></li>
<li>Scope of data collected from the individuals</li>
<li>Users of the system who would have access to the data and their scope of powers (e.g. contributors, viewers, editors)</li>
<li>Types of use, circumstances of use</li>
<li>Type of participation/identification (i.e. voluntary or mandatory)</li>
<li>Level of consent involved</li>
<li>Legal structures governing the system, data subject’s privacy, due process rights, liability for system misuse/failure</li>
</ul>
<p>Large-scale, nationwide identity systems are especially of interest, given the security threats posed by terrorists. The implementation of such an identity system would involve policies and procedures regarding account security, privacy considerations, scalability and other management factors. It would require an infrastructure of databases, communications networks, card readers as well as the physical identification cards themselves. There would need to be a system that registers individual identities; stores, updates, searches identities; and issues credentials. It is arguable whether such a system is feasible, desirable or effective at responding to security issues.</p>
<h2>Limitations of Authentication</h2>
<p>The process of authentication establishes confidence in an identity claim. To support a claim, individuals present evidence, or authenticators (e.g. passport, ID card, health card or birth certificate), which the relying party checks.</p>
<p>In most situations, authentication, rather than identification, is what an organization is really after. For instance, a retail clerk wants to know that the customer is authorized to use a credit card. The clerk is not actually interested in the individual’s identity. Likewise, a peace officer checks driver’s licenses in order to determine that the person is entitled to drive. In this case, it would be irrelevant to know the person’s name, age or address.</p>
<p>One of the arguments made by proponents of a national identity card is that it can better prove someone’s identity. While this may be true, the card itself cannot indicate whether or not the person is trustworthy. Cross-checking the identifying information against a criminal database adds only a check for a known record; it says nothing about the intentions of a person who has none.</p>
<h2>National Identity Cards</h2>
<p>Discussion about Canadian National Identity system began after the terrorist attacks on September 11, 2001. This would broadly be defined as an all-purpose identification document, similar to an internal passport, issued to all Canadian citizens by federal or provincial governments. The identification card would be used in numerous situations, including matters with government agencies as well as private entities. Proponents support the replacement of many identification documents with an ID card that would be standardized, recognized and widely accepted in Canada.</p>
<p>According to the <a href="http://www.cic.gc.ca/english/department/minister/index.asp">Minister of Immigration &amp; Citizenship</a>, this document would likely take the form of a tamper-resistant card that contains a computer chip recording the individual’s name, date and place of birth, gender and a serial number. It may also include physical attributes (e.g. height, eye color) and other information, such as current address or a sample signature. It would also capture some form of biometric information from the card holder, for instance a fingerprint or retinal pattern. The biometric element was the most controversial feature of the proposal.</p>
<p>Countries such as Belgium, Germany, Greece, Italy, Poland and Spain have already implemented national ID card systems, similar to what is being proposed in Canada. The UK is currently looking at means to introduce voluntary or mandatory ID cards, while Australia is debating a national identification plan.</p>
<p>Opponents of the national identity cards argue that it is an inadequate security solution. According to the <a href="http://www.piac.ca/privacy/piac_report_national_identity_cards_biometrics_and_the_consumer_displacing_the_personal_from_the_person/">PIAC</a>, the proposed card scheme fails to meet the three broad goals set out in Canada’s Security Policy, as outlined below:</p>
<ol>
<li>Ensuring public safety in Canada.</li>
<li>Preventing the use of Canada as a launching pad for terrorist attacks.</li>
<li>Contributing to international security.</li>
</ol>
<p>To address the first goal, the connection between national identity cards and anti-terrorist initiatives is largely intuitive; there is no evidence to suggest that national documentation would effectively deter terrorist activity. Establishing an individual’s identity in no way reveals that individual’s intentions.</p>
<p>Regarding the second goal, it is arguably more productive to allocate resources to terrorist prevention strategies and intelligence gathering initiatives, rather than to a costly identity system that would only be useful for linking names to faces. The PIAC suggests that the national identity card scheme would be ineffective at identifying terrorists before attacks are committed.</p>
<p>Thirdly, national identity cards may contribute very little to international security. The countries that have already implemented a national identification system have not produced results demonstrating that the cards are actually effective. There is no demonstrable connection between terrorism and the presence of a national identity system.</p>
<p>A national identification card would be as prone to fraud and counterfeiting as any other form of identification. The OPC also argues that such a system may even increase national security risks, as it could give citizens a false sense of security. Effective security requires depth, that is, multiple overlapping layers of protection; a national ID card is a single layer.</p>
<p>Furthermore, the likelihood that the card would serve other purposes is high. The national ID may see a type of “function creep,” which is when information collected for one purpose is used for another. This is certainly the case with the Social Insurance Number (SIN), which branched out into new and unrelated uses. This could raise profound privacy implications for card holders.</p>
<h3>Summary</h3>
<p>This article explores the concepts of identity, identity systems and identity management in Canada. It looks at the shortcomings of identification methods alone, as they are often meaningless without some form of authentication. The article also explores the debate surrounding national identity cards, which were proposed after the September 11, 2001 attacks in the US. It examines the purported objectives of the ID cards as well as the arguments against the introduction of such a system.</p>
<h3>CIPP/C Preparation</h3>
<p>In preparation for the Certified Information Privacy Professional/Canada exam, a privacy professional should be comfortable with topics related to this post, including:</p>
<ul>
<li>Types of Personal Information (I.B.a.)</li>
<li>Commissioner Expectations (III.B.g.i.)</li>
<li>User Access &amp; Redress (V.C.d.)</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://www.cippguide.org/2010/08/31/identity-management-and-national-id-cards/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Cryptography</title>
		<link>http://www.cippguide.org/2010/08/24/cryptography/</link>
		<comments>http://www.cippguide.org/2010/08/24/cryptography/#comments</comments>
		<pubDate>Tue, 24 Aug 2010 12:00:18 +0000</pubDate>
		<dc:creator>hannah</dc:creator>
				<category><![CDATA[CIPP]]></category>
		<category><![CDATA[Information Security]]></category>
		<category><![CDATA[Authentication]]></category>
		<category><![CDATA[cryptography]]></category>
		<category><![CDATA[Digital Certificates]]></category>
		<category><![CDATA[Digital Signatures]]></category>
		<category><![CDATA[Encryption]]></category>
		<category><![CDATA[Foundations]]></category>

		<guid isPermaLink="false">http://www.cippguide.org/?p=2031</guid>
		<description><![CDATA[Cryptography refers to the science of rendering information unrecognizable and thus useless to those without proper authorization. This field includes mathematics, computer science and engineering. While cryptography was initially applied to protect message confidentiality, it has grown to include issues such as privacy concerns, data integrity, identity authentication, secure computing and more. This article introduces the field of cryptography, defines the basic concepts of encryption and decryption and discusses related concepts. It also explores current uses of cryptography in the information security [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.cippguide.org/tag/cryptography/">Cryptography</a> refers to the science of rendering information unrecognizable and thus useless to those without proper authorization. This field includes mathematics, computer science and engineering. While cryptography was initially applied to protect message confidentiality, it has grown to include issues such as privacy concerns, data integrity, identity authentication, secure computing and more. This article introduces the field of cryptography, defines the basic concepts of encryption and decryption and discusses related concepts. It also explores current uses of cryptography in the <a href="http://www.cippguide.org/tag/information-security/">information security</a> field.</p>
<h2>Encryption/Decryption</h2>
<p>Cryptography is used to protect the confidentiality of data. When original data (referred to as plaintext) is transformed cryptographically, it is encrypted, or disguised. The transformation itself is the cipher, and its output is ciphertext. The ciphertext is not readable until it is converted back into plaintext through a process called decryption, which only the designated recipient can carry out, using a key. Examples of ciphers include substituting numbers for letters, rotating the letters of the alphabet, scrambling voice signals, or using computer algorithms to rearrange and combine the data bits of a digital signal.</p>
<p>Modern encryption methods rely on a mathematical algorithm that is publicly known and a key that is not; the security rests on the secrecy of the key, not of the algorithm. The key is a variable value, in practice a random bit string (or a value derived from a password), which is necessary for transforming the ciphertext back into plaintext. The key is known only to authorized parties and must not be shared with anyone else.</p>
<p>Encryption and decryption are crucial elements in a number of other processes, including:</p>
<ul>
<li><strong>Authentication</strong>: this process verifies or establishes the identity of an entity or the authenticity of data. User authentication verifies the identity a user claims before the system decides what that user is authorized to do. It is based on three factors: something the user knows (e.g. PIN, password); something the user has (e.g. ID card, smart card, token); or something the user is or does (e.g. biometric identifiers). Data authentication establishes both data integrity and data origin authentication.</li>
<li><strong>Data confidentiality</strong>: this ensures that sensitive data is kept secure. Data confidentiality may involve data that is transmitted between two parties, through intermediaries, or data that is kept in repositories. Ensuring data confidentiality means that sensitive information is not accessed by attackers or other unauthorized parties.</li>
<li><strong>Data origin authentication</strong>: this confirms that the sender of the data is the originator of the data, rather than someone claiming to be the originator.</li>
<li><strong>Data integrity</strong>: a high level of data integrity assures users that the information is trustworthy, complete and untampered with. Data integrity ensures that data is correct and consistent, and that any unauthorized change is detected.</li>
</ul>
<p>Two separate choices determine how encryption is applied. The first is strength, which depends on the algorithm and its key space: the number of possible keys, and therefore the number an attacker would have to try in an exhaustive search. The second is granularity, the level at which data is encrypted. Organizations can choose from different levels, depending on their requirements:</p>
<ol>
<li>File-Level Encryption: this encrypts data at the individual file level. Users can decide which files to encrypt, depending on the sensitivity of their contents. This method is also referred to as folder encryption, since entire folders can be encrypted in a similar fashion. Files are encrypted and decrypted by users who have been authenticated.</li>
<li>Full-Drive Encryption: this method encrypts all the data on the disk drive. It is done either in software, at the disk driver layer, or in hardware, by the drive itself (a self-encrypting drive). Users must be authenticated when the drive is powered on, before the key is released and the data becomes accessible.</li>
<li>Field-Level Encryption: this method encrypts only designated fields in a document. The non-encrypted fields are then able to appear in plaintext when viewed.</li>
</ol>
<h2>Non-Repudiation &amp; Digital Signatures</h2>
<p>Cryptography underpins non-repudiation, which provides evidence of the integrity and origin of data that the originator cannot later deny. Repudiation is when one party involved in a communication denies involvement in some or all of the communication. Users need to have evidence that messages were sent, and by whom, so that a sender cannot later deny having sent a message. Non-repudiation falls under two categories:</p>
<ol>
<li>Proof of Origin: Non-repudiation with proof of origin establishes the origin of the data, protecting the recipient in case the sender should deny sending the data. This ensures accountability from the originating party. Often, the term “non-repudiation” is used interchangeably with non-repudiation with proof of origin.</li>
<li>Proof of Receipt: Non-repudiation with proof of receipt proves that the intended recipient received the data. This protects the sender in case the recipient should deny receipt.</li>
</ol>
<p>Non-repudiation is built up from several mechanisms. A hash function condenses data of any length into a short, fixed-length digest; if the data changes, the digest changes, so a digest can establish, to a reasonable degree, that the data was not altered between the time the digest was computed and the time it was checked. A bare hash, however, provides neither integrity against an active attacker nor non-repudiation: anyone who can modify data in transit can simply recompute the digest. The digest only becomes evidence when it is bound to a key, either through a keyed hash (MAC) shared by the two parties, which detects tampering, or through a digital signature produced with the sender’s private key, which additionally proves origin to a third party.</p>
<p>Digital signatures are therefore the usual way to ensure non-repudiation, and digital certificates make them usable in practice by confirming whose public key is whose. Certificates are used for e-commerce, online banking and other sensitive online services. In these situations, encryption alone is insufficient; a signature, backed by a certificate, is necessary as evidence of who sent the encrypted information.</p>
<p>A digital certificate binds an identity to a public key, the public half of a key pair used for encryption and signing. This makes it possible to verify a claim to identity and prevent impersonation. Digital certificates usually contain the following:</p>
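<p>As an added illustration of the distinction above (this is example code, not part of the original post), the following Go program runs three integrity checks over a constructed message: a bare SHA-256 digest, which an on-path attacker can simply recompute; an HMAC under a shared secret, which detects tampering but which either holder of the secret could have produced; and an RSA-PSS signature, which only the private-key holder can produce and which therefore gives proof of origin. The message text, the shared secret and all function names are assumptions of the example.</p>

```go
package main

import (
	"crypto"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Constructed sample messages: the second is what an on-path attacker
// substitutes for the first.
const original = "pay 100.00 CAD to account 1234"
const altered = "pay 900.00 CAD to account 1234"

// Plain hash: anyone who can change the message can recompute the digest,
// so a bare digest only catches accidental corruption.
func digest(msg string) [32]byte { return sha256.Sum256([]byte(msg)) }

func hashVerifies(msg string, d [32]byte) bool { return digest(msg) == d }

// tamper models the attacker: swap in a new message and refresh the digest.
func tamper(newMsg string) (string, [32]byte) { return newMsg, digest(newMsg) }

// HMAC under a shared secret: without the key the attacker cannot produce a
// valid tag for the altered message. It still cannot prove origin to a third
// party, because the receiver holds the same key and could have made the tag.
func tag(key []byte, msg string) []byte {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(msg))
	return m.Sum(nil)
}

func macVerifies(key []byte, msg string, t []byte) bool { return hmac.Equal(tag(key, msg), t) }

// RSA-PSS signature over the SHA-256 digest: only the private-key holder can
// sign, anyone with the public key can verify, and the signer cannot later
// deny it. This is non-repudiation with proof of origin.
func sign(priv *rsa.PrivateKey, msg string) ([]byte, error) {
	d := digest(msg)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, d[:], nil)
}

func sigVerifies(pub *rsa.PublicKey, msg string, sig []byte) bool {
	d := digest(msg)
	return rsa.VerifyPSS(pub, crypto.SHA256, d[:], sig, nil) == nil
}

// scenarios runs the three checks against the attacker and reports whether
// each was fooled (true means the altered message was accepted).
func scenarios() (map[string]bool, error) {
	out := map[string]bool{}

	msg, d := tamper(altered)
	out["hash fooled"] = hashVerifies(msg, d)

	key := []byte("demo shared secret, not for real use") // assumed shared secret
	t := tag(key, original)                               // tag the attacker observed
	out["hmac fooled"] = macVerifies(key, altered, t)
	out["hmac accepts original"] = macVerifies(key, original, t)

	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	sig, err := sign(priv, original)
	if err != nil {
		return nil, err
	}
	out["signature fooled"] = sigVerifies(&priv.PublicKey, altered, sig)
	out["signature accepts original"] = sigVerifies(&priv.PublicKey, original, sig)
	return out, nil
}

func main() {
	res, err := scenarios()
	if err != nil {
		panic(err)
	}
	for _, k := range []string{"hash fooled", "hmac fooled", "hmac accepts original",
		"signature fooled", "signature accepts original"} {
		fmt.Printf("%-28s %v\n", k, res[k])
	}
}
```

<p>Only the first check is fooled. The HMAC and the signature both reject the altered message; what separates them is that a third party shown the HMAC cannot tell which of the two key holders produced it, whereas the signature can only have come from the private key.</p>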
<ul>
<li>Owner’s public key</li>
<li>Owner’s name</li>
<li>Validity period (the date after which the certificate expires)</li>
<li>Name of issuer – this is the certification authority that issued the certificate</li>
<li>Serial number of the certificate</li>
<li>Digital signature of the issuer</li>
</ul>
<h2>Symmetric &amp; Asymmetric Encryption</h2>
<p>There are two types of encryption schemes: symmetric encryption and asymmetric encryption.</p>
<p>Symmetric key cryptography refers to using the same key for encrypting as well as decrypting. It is also referred to as shared-secret, secret-key or private-key cryptography. This key is not distributed publicly; it is kept secret by the sending and receiving parties. With symmetric encryption, the sender encrypts a plaintext message with a symmetric encryption algorithm and the shared key. This produces a ciphertext message that is sent to the recipient. The recipient then decrypts this message back into plaintext with the same shared key. With this form of encryption, the two parties must share the key over a secure channel before communicating.</p>
<p>Asymmetric cryptography is also referred to as public-key cryptography. It depends on a key pair for the processes of encryption and decryption. Unlike private keys, public keys are distributed freely and publicly. Data that has been encrypted with a public key can only be decrypted with the corresponding private key.</p>
<p>Asymmetric cryptography is the more recent technique, dating from the 1970s. With asymmetric cryptography, the sender encrypts a plaintext message with an asymmetric encryption algorithm and the recipient’s public key. The result is a ciphertext message, which is sent to the recipient. The recipient then decrypts this message back into plaintext, using the private key corresponding to the public key the sender used.</p>
<p>Compared to asymmetric cryptography, symmetric cryptography is much simpler and far faster. Asymmetric operations need considerably more processing resources, so in practice the two are combined: the message is encrypted symmetrically with a fresh session key, and only that session key is encrypted asymmetrically with the recipient’s public key. Used this way, asymmetric encryption offers a number of advantages over symmetric encryption alone, including:</p>
<ul>
<li>Simplified key distribution</li>
<li>Digital signature</li>
<li>Long-term encryption</li>
</ul>
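<p>The combination described above, usually called hybrid encryption, as an added Go example (not code from the original post): the bulk data goes under a fresh 256-bit AES-GCM key, and only that key is wrapped with the recipient’s RSA public key using OAEP, so the sender needs no shared secret with the recipient in advance. The sample plaintext, the key size and the function and type names are assumptions of the example.</p>

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Constructed sample message.
const samplePlaintext = "health card number 1234-567-890 renewed 2010-08-24"

// envelope is what actually travels: the bulk data under a fresh symmetric
// key, and that key wrapped under the recipient's public key.
type envelope struct {
	wrappedKey []byte // 256-bit AES key, RSA-OAEP encrypted to the recipient
	nonce      []byte // AES-GCM nonce, unique per key
	ciphertext []byte // AES-GCM output with the authentication tag appended
}

// newRecipientKey stands in for the recipient generating a key pair; only
// the public half is ever shared.
func newRecipientKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// encryptHybrid: symmetric work for the message, asymmetric work only for
// the 32-byte session key. No prior shared secret with the recipient needed.
func encryptHybrid(pub *rsa.PublicKey, plaintext []byte) (*envelope, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	return &envelope{wrapped, nonce, gcm.Seal(nil, nonce, plaintext, nil)}, nil
}

// decryptHybrid reverses the steps. GCM's tag check means a modified
// ciphertext, or a key unwrapped with the wrong private key, fails closed.
func decryptHybrid(priv *rsa.PrivateKey, env *envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.wrappedKey, nil)
	if err != nil {
		return nil, errors.New("key unwrap failed: wrong private key or corrupted envelope")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.nonce, env.ciphertext, nil)
}

func main() {
	priv, err := newRecipientKey()
	if err != nil {
		panic(err)
	}
	env, err := encryptHybrid(&priv.PublicKey, []byte(samplePlaintext))
	if err != nil {
		panic(err)
	}
	fmt.Printf("wrapped key %d bytes, ciphertext %d bytes\n", len(env.wrappedKey), len(env.ciphertext))
	pt, err := decryptHybrid(priv, env)
	fmt.Printf("recovered: %q (err=%v)\n", pt, err)
	env.ciphertext[0] ^= 0x01 // an attacker flips one bit in transit
	_, err = decryptHybrid(priv, env)
	fmt.Println("after tampering:", err)
}
```

<p>The RSA operation runs once per message regardless of message length, which is why the cost argument above favours this arrangement; the 2048-bit key used here can wrap at most 190 bytes under OAEP with SHA-256, far more than the 32-byte session key needs.</p>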
<h2>Strong Encryption</h2>
<p>Strong encryption refers to ciphers that are, in practice, unbreakable without the decryption key. It relies on a key drawn from a space too large to search exhaustively; 128- or 256-bit keys are typical for symmetric ciphers. The practice of strong encryption is controversial, however. While most companies and consumers regard it as a security measure, governments tend to view strong encryption as a potential means by which criminal activity or harassment could be concealed. The concern is that stalkers, predators or terrorists could hide their communications behind encryption, essentially becoming untraceable to authorities.</p>
<p>Certain governments, including that of the United States, have pushed for <a href="http://en.wikipedia.org/wiki/Key_escrow">key escrow systems</a> for strong encryption. Key escrow systems involve a trusted third party who holds a copy of the encryption key on behalf of the government. This third party may be a bank or a new federal office created by Congress. Everyone who uses strong encryption would essentially be required to provide the government with a copy of the key. Decryption keys would then be stored securely and only used by authorities with the appropriate court orders. A significant concern about key escrow is that the keys are held in a single, central location, which presents an attractive target: a compromise of the key database would expose or corrupt every escrowed key at once.</p>
<h3>Summary</h3>
<p>This article discusses cryptography, the practice of encrypting and decrypting data in order to ensure confidentiality and integrity. The article explores various levels of encryption, including field-level, file-level and full-drive encryption. It also explores cryptography in relation to associated concepts, such as authentication, confidentiality, integrity and non-repudiation. The article then compares two types of encryption schemes: symmetric encryption (also called private key encryption) and asymmetric encryption (also called public key encryption). Finally, it discusses the controversy surrounding strong encryption, which may inadvertently disguise criminal activity.</p>
<h3>Foundations Exam Preparation</h3>
<p>In preparation for the Foundations exam, a privacy professional should be comfortable with topics related to this post, including:</p>
<ul>
<li>Cryptography (II.C.a.iii.)</li>
<li>Digital signatures (II.C.b.vi.5.)</li>
<li>Non-repudiation (II.C.b.vi.6.)</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://www.cippguide.org/2010/08/24/cryptography/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Access Controls</title>
		<link>http://www.cippguide.org/2010/08/17/access-controls/</link>
		<comments>http://www.cippguide.org/2010/08/17/access-controls/#comments</comments>
		<pubDate>Tue, 17 Aug 2010 12:00:28 +0000</pubDate>
		<dc:creator>hannah</dc:creator>
				<category><![CDATA[CIPP]]></category>
		<category><![CDATA[Information Security]]></category>
		<category><![CDATA[access controls]]></category>
		<category><![CDATA[CIA triad]]></category>
		<category><![CDATA[disclosure]]></category>
		<category><![CDATA[Foundations]]></category>

		<guid isPermaLink="false">http://www.cippguide.org/?p=2028</guid>
		<description><![CDATA[Access controls determine the authorized activities of legitimate users, while mediating users’ access to system resources. Access controls ensure that data are being used by the appropriate people in the correct roles in particular contexts. For instance, IT infrastructures employ access control systems at a number of levels. Operating systems also rely on access controls to protect directories or files. As a result of regulatory compliance, there has been a noticeable push for controls in the IT industry. This article looks at basic concepts around access [...]]]></description>
			<content:encoded><![CDATA[<p>Access controls determine the authorized activities of legitimate users, while mediating users’ access to system resources. Access controls ensure that data are being used by the appropriate people in the correct roles in particular contexts. For instance, IT infrastructures employ access control systems at a number of levels. Operating systems also rely on access controls to protect directories or files. As a result of regulatory compliance, there has been a noticeable push for controls in the IT industry. This article looks at basic concepts around access controls.</p>
<h2>Preventative, Detective &amp; Corrective Controls</h2>
<p>Controls function as safety valves which prevent, detect or correct unintended disclosure of information. They may take the form of human processes, automated processes, or human workflows that are aided by technology. Controls may be physical, technical or administrative, and are grouped into three main categories: preventive, detective and corrective.</p>
<p>Preventive controls are implemented in order to avoid unwanted situations. They stop errors or irregularities from happening. Examples of preventive controls include:</p>
<ul>
<li>Access Control Software: this controls data and program sharing between users. It restricts access to a system to registered users who present the appropriate ID and credential (e.g. a password). After users have logged on, the control software mediates every access to data and programs in the system.</li>
<li>Anti-Virus Software: this software identifies, detects, isolates and removes viruses. This should be kept active on a system to ensure continual detection and interception of new viruses.</li>
<li>Policies/Procedures: to identify the ways in which processes must be performed. This must go hand in hand with training, detective controls and audits.</li>
<li>System Design: appropriate system design enables controls to be more effective. System engineering with an eye to the control requirements can result in a better system.</li>
<li>Standards: using standards as sources of process information can help to prevent problems from occurring. Standards may be drawn from the BSI (British Standards Institution), NIST (US National Institute of Standards and Technology), or the ISO (International Organization for Standardization), among others.</li>
<li>Passwords: a password is combined with an ID to verify the identity of users. Password-ID log-on also makes users accountable for their actions within the system. There are a number of different types of passwords, including fixed, dynamic and one-time passwords.</li>
<li>Smart Cards: these contain chips that are read by card readers. A smart card carries credentials that establish the user’s identity, which the system maps to the user’s authorization and privileges. Smart cards are often combined with another factor (e.g. password, PIN, biometrics) before the user is allowed access to the system.</li>
<li><a href="http://www.cippguide.org/tag/cryptography/">Encryption</a>: this protects data from unintended disclosure as it is transmitted through the network, and likewise protects stored data. The process of encryption changes readable data, or plaintext, into unreadable data, or ciphertext. Data can be encrypted through hardware or software.</li>
<li>Access Systems: for instance, firewalls and host filters that block access to a specific port or service that is vulnerable to exploitation.</li>
</ul>
<p>However, preventive controls are insufficient on their own, as policies, standards and procedures are often misinterpreted or ignored for a number of reasons. This is why other types of controls are necessary.</p>
<p>Detective controls spot errors or irregularities that may have taken place. Although detective controls cannot stop unauthorized access to data, they can send alerts to monitoring parties when unintended events take place. Some examples of detective controls include:</p>
<ul>
<li>Audit Trails: record system activities in order to reconstruct and examine events, produce violation reports.</li>
<li>Intrusion Detection: tracks users’ activity on the system to check that it is authorized. Useful where intruders are using legitimate accounts, or where legitimate users are engaged in unauthorized activities.</li>
</ul>
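<p>As an added Go example (not code from the original post) of a preventive control and a detective control working together: a small reference monitor that authorizes every request against a role-based policy with deny as the default, writes each decision to an audit trail, and then reads that trail back to flag accounts accumulating denials, the kind of signal an intrusion-detection rule would raise. The policy, the user directory, the threshold and all names are constructed for the example.</p>

```go
package main

import (
	"fmt"
	"time"
)

type action string

// Constructed policy: role -> resource -> permitted actions. Anything not
// listed is denied; there is no "allow everything" role.
var policy = map[string]map[string][]action{
	"clerk":   {"orders": {"read", "create"}},
	"auditor": {"orders": {"read"}, "audit-log": {"read"}},
	"admin":   {"orders": {"read", "create", "delete"}, "audit-log": {"read"}},
}

// Constructed user directory: an authenticated user name maps to one role.
var roles = map[string]string{"alice": "clerk", "bob": "auditor", "carol": "admin"}

type auditEvent struct {
	when     time.Time
	user     string
	role     string
	resource string
	act      action
	allowed  bool
}

// monitor is the single mediation point; every request passes through it.
type monitor struct{ trail []auditEvent }

// authorize is the preventive control. An unknown user, an unknown role or
// an unlisted action all fall through to the default of deny, and every
// decision, allowed or not, is appended to the audit trail.
func (m *monitor) authorize(user, resource string, act action) bool {
	role, known := roles[user]
	allowed := false
	if known {
		for _, a := range policy[role][resource] {
			if a == act {
				allowed = true
				break
			}
		}
	}
	m.trail = append(m.trail, auditEvent{time.Now(), user, role, resource, act, allowed})
	return allowed
}

// denials is the detective side: refused requests counted per account.
func (m *monitor) denials() map[string]int {
	n := map[string]int{}
	for _, e := range m.trail {
		if !e.allowed {
			n[e.user]++
		}
	}
	return n
}

// suspicious flags accounts at or above a denial threshold: a legitimate
// account probing beyond its role, or an attacker guessing resource names.
func (m *monitor) suspicious(threshold int) []string {
	var out []string
	for user, n := range m.denials() {
		if n >= threshold {
			out = append(out, user)
		}
	}
	return out
}

func main() {
	var m monitor
	requests := []struct {
		user, resource string
		act            action
	}{
		{"alice", "orders", "create"}, // allowed: clerks create orders
		{"alice", "orders", "delete"}, // denied: only admins delete
		{"bob", "audit-log", "read"},  // allowed
		{"mallory", "orders", "read"}, // denied: unknown user
		{"mallory", "audit-log", "read"},
		{"mallory", "orders", "delete"},
	}
	for _, r := range requests {
		fmt.Printf("%-8s %-6s %-10s allowed=%v\n", r.user, r.act, r.resource,
			m.authorize(r.user, r.resource, r.act))
	}
	fmt.Println("accounts over denial threshold:", m.suspicious(3))
}
```

<p>Two properties matter here. The preventive check never consults anything but the policy, so adding a resource without adding a rule leaves it closed rather than open; and because denied requests are logged just like allowed ones, the detective check has the evidence it needs without any extra instrumentation.</p>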
<p>Corrective controls are implemented to correct errors or irregularities that have been detected. Such controls correct the circumstances that allowed unauthorized activity to take place, or they restore the system’s original conditions. Corrective controls may make changes to existing physical, technical or administrative controls. Examples of this type of control include backup configuration files, hard drive images and response plans for specific incidents.</p>
<h2>What do they do?</h2>
<p>Access controls can help to maintain the <a href="http://www.cippguide.org/2010/07/15/cia-triad/">CIA triad</a> (confidentiality, integrity, availability) in information system security. The triad represents the core principles of the <a href="http://www.cippguide.org/tag/information-security/">information security</a> field.</p>
<p>Confidentiality in a system indicates that the privacy of individuals is protected and that information is not disclosed to unauthorized users. A strong access control system can ensure that information is accessed on a case-by-case basis, keeping the information confidential and preventing exposure to unauthorized individuals.</p>
<p>Controls can also maintain the integrity of information, meaning that the data are safeguarded from modification without authorization. Strong access controls protect data integrity in the following ways:</p>
<ol>
<li>Protect data from accidental modification – ensure that data cannot be easily edited or modified</li>
<li>Protect data from deliberate modification – control access to sensitive information, preventing deliberate or malicious changes to data</li>
<li>Maintain external database consistency – compare external data with local data to check for inconsistencies</li>
<li>Maintain internal database consistency – compare local data with external data to check for inconsistencies</li>
</ol>
<p>Finally, control systems allow authorized users to access the minimum data required to complete their tasks. This ensures that the element of availability is protected. Availability not only ensures that data are available, but also that the procedures required to access those data are reasonable for users.</p>
<h2>Types of Controls</h2>
<p>Control strategies must be designed to address risks that have been identified as unacceptable. The design of control systems and strategies must take into account threats, vulnerabilities and risks that may potentially be faced by the system or network.</p>
<p>The control system design process also takes into account three layers of controls: policies, models and mechanisms. These three layers are discussed below:</p>
<ol>
<li>Access control policies refer to how access can be managed; who is authorized to access the information; and under which circumstances the information can be accessed. Policies may be based on resource use, competence, obligation, need-to-know or conflict-of-interest factors.</li>
<li>Models describe the security policy of the system. As such, models can help identify theoretical vulnerabilities and limitations of a system. Models can connect policy and mechanisms.</li>
<li>Control policies are manifested through a mechanism that carries out a user’s request. The mechanism functions within the structure defined by the system. Mechanisms may or may not be direct implementations of control policy.</li>
</ol>
<p>Controls also function at a number of different levels in a system, from the hardware, to the operating system, to the middleware, to the application. At the hardware level, access controls are provided by the processor, which controls which information a process can access. The middleware level creates resources (e.g. files, communications ports) and has the responsibility for allowing or limiting access to these resources. Applications enforce a number of different protection properties and may be written on top of the middleware. Finally, at the application level, the user may interact with a rich, complex security policy. Preventative, detective and corrective controls appear at each level of the system and build upon each other to mitigate and manage risks.</p>
<h3>Summary</h3>
<p>Access controls may comprise processes, tools and people, and are necessary for ensuring the confidentiality, integrity and availability of information. The article looks at the three main categories of access controls: preventative, detective and corrective. It defines each category of control, provides examples and discusses the ways in which these controls function to uphold the CIA triad for information security. Finally, the article looks at the ways in which the controls operate and interact at different levels of the system.</p>
<h3>Foundations Exam Preparation</h3>
<p>In preparation for the Foundations exam, a privacy professional should be comfortable with topics related to this post, including:</p>
<ul>
<li>Access controls: preventative, corrective, detective (II.B.c.ii.)</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://www.cippguide.org/2010/08/17/access-controls/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Controlling and Managing Risk</title>
		<link>http://www.cippguide.org/2010/08/10/controlling-and-managing-risk/</link>
		<comments>http://www.cippguide.org/2010/08/10/controlling-and-managing-risk/#comments</comments>
		<pubDate>Tue, 10 Aug 2010 12:00:21 +0000</pubDate>
		<dc:creator>hannah</dc:creator>
				<category><![CDATA[CIPP]]></category>
		<category><![CDATA[Information Security]]></category>
		<category><![CDATA[Common Risks]]></category>
		<category><![CDATA[Foundations]]></category>
		<category><![CDATA[residual risk]]></category>
		<category><![CDATA[risk]]></category>
		<category><![CDATA[risk management]]></category>
		<category><![CDATA[threat]]></category>
		<category><![CDATA[vulnerabilities]]></category>

		<guid isPermaLink="false">http://www.cippguide.org/?p=2025</guid>
		<description><![CDATA[<p>Risk management plays a crucial role in helping organizations protect and secure their information assets. Effective risk management programs are a significant component of any IT security program. This article will discuss the role of risk management, including the identification, assessment, prioritization and diffusion of risks.</p>
Risks, Threats &#38; Vulnerabilities
<p>Risk is often confused with other related terms and concepts. The lines between risks, threats and vulnerabilities are sometimes confused. Further, the terms “risk assessment” and “vulnerability assessment” are frequently used interchangeably, though they have very different applications.</p>
<p>The term “risk” is defined as the impact that could result from vulnerability, or the [...]]]></description>
			<content:encoded><![CDATA[<p>Risk management plays a crucial role in helping organizations protect and secure their information assets. Effective risk management programs are a significant component of any <a href="http://www.cippguide.org/tag/infosec/">IT security</a> program. This article will discuss the role of risk management, including the identification, assessment, prioritization and diffusion of risks.</p>
<h2>Risks, Threats &amp; Vulnerabilities</h2>
<p><a href="http://www.cippguide.com/tag/common-risks/?action=register&amp;instance=tml-1">Risk</a> is often confused with other related terms and concepts. The lines between risks, threats and vulnerabilities are sometimes confused. Further, the terms “risk assessment” and “vulnerability assessment” are frequently used interchangeably, though they have very different applications.</p>
<p>The term “risk” is defined as the impact that could result from a vulnerability, or the effect of uncertainty on an organization’s objectives. This could lead to a positive or negative result. In this context, risks generally impact the integrity, confidentiality and availability of information. This also includes the probability of being targeted by an attack, the likelihood the attack will be successful and the impact of the occurrence. Risks may result from economic uncertainty, project difficulties, legal liabilities, accidents or natural disasters.</p>
<p>The process of risk management identifies risk, assesses it and considers methods through which to reduce it. Risks are related to threats and vulnerabilities, as discussed below. Risk is a function of the likelihood that a threat will exercise a particular vulnerability.</p>
<p>Threats are the source as well as the means of a particular attack. Threats may be grouped into three categories:</p>
<ol>
<li>Natural: this includes natural disasters such as earthquakes, avalanches, tornadoes, electrical storms, etc.</li>
<li>Human: these are events enabled or caused by people, for instance unintentional actions or deliberate actions (e.g. network-based attacks, malware uploads, unauthorized access to sensitive information).</li>
<li>Environmental: these include long-term power outages, pollution, liquid leakage, etc.</li>
</ol>
<p>Threat assessments are carried out in order to identify the best practices for protecting a system against a specific threat or group of threats. Threat analyses result in the development of security policies that reflect realistic implementation needs.</p>
<p>Vulnerabilities are the security flaws in a system that would allow an attack to be perpetrated. Vulnerabilities may be technology-based, or arise from social factors, such as an authentication process and authorization policy. Vulnerability testing is one way to identify and resolve these system weaknesses. This process also provides data to identify unexpected threats that must be corrected. Vulnerability testing enables an organization to maintain and update security programs, allowing the organization to efficiently respond to new threats as they arise. Testing also contributes to policy and technology development for the organization. For instance, it can help shape the technology selection process and reduce unnecessary expenditures.</p>
<h2>Risk Assessment is…</h2>
<p>In basic terms, risk assessment refers to the process of identifying and classifying risks, determining their probability and associating <a href="http://www.cippguide.org/2010/07/22/access-controls/">controls</a> with each risk. Such assessments help organizations determine which security weaknesses must be addressed first. Risk assessments outline the most critical as well as the most likely dangers. They also evaluate risks against each other, in terms of the cost of control and probability of occurrence. Risk assessment focuses on the following core areas:</p>
<ul>
<li>Scope</li>
<li>Data collection</li>
<li>Analysis of policies and procedures</li>
<li>Threat analysis</li>
<li>Vulnerability analysis</li>
<li>Correlation and assessment of risk acceptability</li>
</ul>
<p>There are two main types of risk assessment: quantitative and qualitative. Qualitative risk assessment involves looking at the severity, impacts and mitigation plans for each risk. They look at risks in terms of high, medium and low probability and impact of occurrence. Such assessments depend on the quality of registering and updating risks over the course of a project. The information recorded in qualitative assessments is then used in future projects. Qualitative risk assessment can also serve as the basis for quantitative risk assessment.</p>
<p>Quantitative risk assessment focuses on completing a project within a given time frame and on budget. Such assessments measure risk in statistics, dollars and formulas. For instance, a quantitative assessment may look at important project parameters, the project success rate, viability of alternatives and more.</p>
<p>Security management depends on the basic risk assessment formula:</p>
<p><strong>risk = threats x vulnerabilities x impact</strong></p>
<p>In the above equation, threat refers to a frequency, vulnerability refers to a binary of yes or no, and impact is the cost, or dollar amount of a risk. If any of the values (threat, vulnerability or impact) is zero, then the risk is also zero. This formula is especially important when trying to distinguish the concept of risk from other closely related concepts. Thus, any statement of risk must include the three components: threat, vulnerability and impact.</p>
<p>The most important component of this formula is the risk itself. In order for there to be any level of risk, there must be some threat, vulnerability and impact present. In most situations, it is impossible to say there is absolutely no threat or vulnerability, so it is necessary to measure each component separately. Arguably, the first component to address is vulnerability, as it is usually the area over which an organization has the greatest control.</p>
<h2>Risk Assessment is not…</h2>
<p>Risk assessments evaluate risks by considering vulnerabilities and uncertainties. However, risk assessments are often confused with threat assessments, vulnerability scanning, penetration testing and security reviews. These concepts and their applications are discussed and differentiated below.</p>
<p>Threats are the source of, as well as the means by which, an attack may be carried out. Threat assessments determine the best approach for protecting a system from threats. Threat assessments concentrate on analyzing the attacker’s resources, while risk assessments aim to analyze the potential for the organization’s resources to be the focus of an attack.</p>
<p>Penetration testing concentrates on assessing threat profiles, in order to develop responses to potential attacks. There are two main categories of penetration testing: testing with knowledge and testing with zero-knowledge. In a knowledge test, the tester plays the role of an employee and has basic access to and knowledge of the network and systems. In a zero-knowledge test, the tester simulates an external attack and has no prior knowledge of the systems or network.</p>
<p>Vulnerability scanning looks at all the devices on a network that may be open to vulnerabilities. It may be important for organizations to run vulnerability scans, as these are often used by attackers in order to gather information or access a network. This form of data analysis is also referred to as network reconnaissance.</p>
<p>A security review may be conducted in order to determine how an organization should protect information resources and assets. An <a href="http://www.cippguide.com/tag/information-security/">information security</a> strategy should result from the security review. The review generally consists of three steps:</p>
<ol>
<li>Identify and classify assets that are held or managed by the organization.</li>
<li>Identify vulnerabilities that may put these assets at risk.</li>
<li>Identify controls that can address the vulnerabilities.</li>
</ol>
<h2>Controlling &amp; Managing</h2>
<p>Risk mitigation refers to strategies for reducing risk to the organization’s objectives. While it may not be possible to address all threats, it is important to prioritize the possible threats according to the potential harm a threat may cause. In order to do so, an organization may apply any of the following strategies:</p>
<ul>
<li>risk assumption: accept the risk, but attempt to lower it to a tolerable level</li>
<li>risk avoidance: avoid the risk through elimination of the cause</li>
<li>risk limitation: limit the risk by introducing controls that minimize harm</li>
<li>risk planning: create a risk mitigation plan to prioritize, limit and maintain control</li>
<li>risk transference: transfer risk by finding other ways to compensate for losses (e.g. insurance)</li>
</ul>
<h2>Residual Risk</h2>
<p>Residual risk refers to the risk that remains after new or enhanced controls have been implemented. No control can successfully reduce the risk of a system to zero, since there is no risk-free system. There must always be some residual risk. This is determined through the formula:</p>
<p><strong>Inherent Risk – Control = Residual Risk</strong></p>
<p>In the formula above, inherent risk refers to the amount of risk linked to the activity itself. “Control” refers to the amount of risk that a specific control mitigates. Controls can help to mitigate risk by:</p>
<ul>
<li>Reducing the number of flaws or errors in the system</li>
<li>Adding a targeted control</li>
<li>Reducing the magnitude of impact</li>
</ul>
<h3>Summary</h3>
<p>This article discusses risk, risk identification, risk mitigation and risk management. Risk is determined through the basic formula: risk = threats x vulnerabilities x impact. It also discusses and differentiates closely related concepts, such as threats and vulnerabilities. The article then compares risk assessment with threat assessment, vulnerability scanning, penetration testing and security reviews. Despite the implementation of controls to mitigate risk, some risk will continue to remain in a system. This is known as residual risk and is determined through the formula: inherent risk – control = residual risk.</p>
<h3>Foundations Exam Preparation</h3>
<p>In preparation for the Foundations exam, a privacy professional should be comfortable with topics related to this post, including:</p>
<ul>
<li>Information risk management (I.B.)</li>
<li>Privacy impact on organizational risk (I.B.a.)</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://www.cippguide.org/2010/08/10/controlling-and-managing-risk/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>CIA Triad</title>
		<link>http://www.cippguide.org/2010/08/03/cia-triad/</link>
		<comments>http://www.cippguide.org/2010/08/03/cia-triad/#comments</comments>
		<pubDate>Tue, 03 Aug 2010 12:00:53 +0000</pubDate>
		<dc:creator>hannah</dc:creator>
				<category><![CDATA[CIPP]]></category>
		<category><![CDATA[Information Security]]></category>
		<category><![CDATA[Authentication]]></category>
		<category><![CDATA[CIA triad]]></category>
		<category><![CDATA[cryptography]]></category>
		<category><![CDATA[Foundations]]></category>

		<guid isPermaLink="false">http://www.cippguide.com/?p=2018</guid>
		<description><![CDATA[<p>The CIA triad is a well-known model in information security development. It is applied in various situations to identify problems or weaknesses and to establish security solutions. It is an industry standard that information systems professionals should be familiar with.</p>
What is the CIA Triad?
<p>The CIA triad refers to an information security model made up of the three main components: confidentiality, integrity and availability. Each component represents a fundamental objective of information security. In order to avoid confusion, the CIA triad is sometimes referred to as the AIC triad, or PAIN, which stands for privacy, availability/authentication, integrity and non-repudiation.</p>
<p>The three components [...]]]></description>
			<content:encoded><![CDATA[<p>The CIA triad is a well-known model in <a href="http://www.cippguide.com/tag/information-security/">information security</a> development. It is applied in various situations to identify problems or weaknesses and to establish security solutions. It is an industry standard that information systems professionals should be familiar with.</p>
<h2>What is the CIA Triad?</h2>
<p>The CIA triad refers to an information security model made up of the three main components: confidentiality, integrity and availability. Each component represents a fundamental objective of information security. In order to avoid confusion, the CIA triad is sometimes referred to as the AIC triad, or PAIN, which stands for privacy, availability/authentication, integrity and <a href="http://www.cippguide.org/2010/07/27/cryptography/">non-repudiation</a>.</p>
<p>The three components of the triad are discussed below:</p>
<ol>
<li><strong>Confidentiality</strong>: This component is closely linked with privacy. It means that data are only available to the appropriate parties, which may be parties that require access to the data or parties that are trusted. Data that have been kept confidential have not been compromised by other parties; confidential data are not disclosed to people who do not require them or who should not have access to them. Ensuring confidentiality means that information is organized in terms of who ought to have access to it as well as its sensitivity. A breach of confidentiality may take place through different means, for instance hacking or social engineering.</li>
<li><strong>Integrity</strong>: Data integrity refers to the certainty that the data are not tampered with during or after submission. It is the certainty that the data will not be modified or destroyed by unauthorized parties. This means there are two points at which integrity could be compromised: during the upload or transmission of data, and during the storage of the document in the database or collection.</li>
<li><strong>Availability</strong>: This means that the information is available when it is needed. In order for a system to demonstrate availability, it must have properly functioning computing systems, security controls and communication channels. The most available systems are accessible at all times and have safeguards against power outages, natural disasters, hardware failures and systems upgrades.</li>
</ol>
<p>Availability is a major challenge in collaborative environments as such environments must be stable and continually maintained. Such systems must also allow users to access required information with little waiting time. Redundant systems may be in place to offer a high level of fail-over. The concept of availability can also refer to the usability of a system.</p>
<p>Information security refers to the preservation of integrity and secrecy when information is stored or transmitted. Information security breaches occur when information is accessed by unauthorized individuals or parties. Breaches may be the result of actions of hackers, intelligence agencies, criminals, competitors, employees or others. In addition, individuals who value and wish to preserve their privacy are interested in information security.</p>
<h2>CIA Triad &amp; Privacy</h2>
<p>The fundamental security principles represented in the CIA triad ensure that both the data and the information system that processes the data are protected. The model takes into account different <a href="http://www.cippguide.org/2010/07/22/access-controls/">controls</a>, physical security, technical security and human actions. Confidentiality, integrity and availability form three points of the information security triangle. The closer a system moves towards an apex, the further it is from the other two points. Thus, the CIA triad offers a useful model for the evaluation of technological choices. Put together, the triad preserves and protects sensitive information, whether it is personal or proprietary.</p>
<h2>Application</h2>
<p>Information security professionals must establish the issues around the CIA triad, enforce controls, develop preventative procedures and monitor data stored on those systems. The CIA triad ensures that protection takes place on three levels: the physical, personal and organizational. Professionals may apply the following to ensure high standards of information security:</p>
<ul>
<li><a href="http://www.cippguide.com/tag/cryptography/">Cryptography</a>: this is the way in which raw data are encrypted into a scrambled form before they are transmitted or stored. They are then decrypted into the original form when an authorized individual needs to access the data. This is the primary tool of information security.</li>
<li>Mechanisms for data integrity, such as digital signatures and hash algorithms. These mechanisms for <a href="http://www.cippguide.com/tag/authentication/">identity authentication</a> are important to ensure that only authorized people have access to the information.</li>
<li>High availability protocols, redundant network architectures and systems hardware designed to ensure reliability and robustness.</li>
</ul>
<h2>Blind Spots</h2>
<p>Although the CIA triad is a fundamental model for information security, it also focuses on a limited view of IT security that is centered on information. While the priority is to protect the information and ensure that data resources are available, the CIA model does not address preventing an unauthorized person from using the system’s hardware resources.</p>
<p>Another issue is that information security professionals will concentrate on the “confidentiality” part of the triad, essentially ignoring the other components of a balanced security approach. For instance, when the “availability” component of the triad is neglected, this could mean severe disruptions to communications, costing millions and significantly impacting an industry. Thus, it is necessary for security professionals to contribute skills and knowledge during the purchasing and selection process for an organization’s communications network.</p>
<p>It is crucial to ensure that the CIA triad is applied in a balanced fashion. While all three elements are important, different elements of the triad will take priority depending on the industry and organization. During the security evaluation process of an information project, each of the three elements is scored relative to the others. In many cases, the objective is to find a balance between the three elements, not to achieve the highest possible score on the evaluation.</p>
<p>There are certain rules; for instance, if the confidentiality and integrity scores of a system increase, the availability score should decrease. This may be completely acceptable, depending on the context of the system. In this way, the CIA triad is broad and flexible, meaning that it can be relevant to and implemented in any organization. The CIA triad could be applied to a user requesting use of their personal laptop at their workplace, or to the introduction of a new password policy in a company.</p>
<p>Many information security professionals have also advocated expanding the CIA model to include the element of accountability. This may include logging and auditing to support investigations, and the ways that data are collected before and during a particular incident. Accountability may include non-repudiation, which proves which party performed an action, the scope of the action and when the action took place.</p>
<h3>Summary</h3>
<p>This article introduces the model of the CIA triad for designing and assessing information systems. It provides a discussion of the three main components of the triad: confidentiality, integrity and availability. This triad has been the basis of the information security industry for over twenty years. The article goes on to discuss the application of the CIA triad, for instance in cryptography, authentication and network architectures. Finally, the article provides some points of critique and suggested improvements for the CIA triad.</p>
<h3>Foundations Exam Preparation</h3>
<p>In preparation for the Certification Foundation exam, a privacy professional should be comfortable with topics related to this post, including:</p>
<ul>
<li>Elements of effective privacy management (I.G.b.)</li>
<li>Information security management (II.C.b.)</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://www.cippguide.org/2010/08/03/cia-triad/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>RFID Technology</title>
		<link>http://www.cippguide.org/2010/07/27/rfid-technology/</link>
		<comments>http://www.cippguide.org/2010/07/27/rfid-technology/#comments</comments>
		<pubDate>Tue, 27 Jul 2010 12:00:26 +0000</pubDate>
		<dc:creator>hannah</dc:creator>
				<category><![CDATA[CIPP]]></category>
		<category><![CDATA[Information Security]]></category>
		<category><![CDATA[CIPP/C]]></category>
		<category><![CDATA[CSA]]></category>
		<category><![CDATA[CSA Model Code]]></category>
		<category><![CDATA[Office of the Privacy Commissioner]]></category>
		<category><![CDATA[OPC]]></category>
		<category><![CDATA[PIPEDA]]></category>
		<category><![CDATA[Public Interest Advocacy Center]]></category>
		<category><![CDATA[RFID]]></category>
		<category><![CDATA[Surveillance]]></category>

		<guid isPermaLink="false">http://www.cippguide.com/?p=1937</guid>
		<description><![CDATA[In recent years, RFID (radio frequency identification) has caught the attention of privacy watchdogs, civil organizations and the general public. Its ability to identify and track items as well as individuals raises a number of privacy and security concerns, while the potential for integration into numerous contexts has increased with the development of technology. Discussion and integration of RFID in the workplace, retail situations and other environments should be informed by a number of privacy-respecting practices that will be explored in this [...]]]></description>
			<content:encoded><![CDATA[<p>In recent years, RFID (<a href="http://www.cippguide.org/tag/RFID/">radio frequency identification</a>) has caught the attention of privacy watchdogs, civil organizations and the general public. Its ability to identify and track items as well as individuals raises a number of privacy and security concerns, while the potential for integration into numerous contexts has increased with the development of technology. Discussion and integration of RFID in the workplace, retail situations and other environments should be informed by a number of privacy-respecting practices that will be explored in this article.</p>
<h2>What is RFID?</h2>
<p>RFID is a term for a group of technologies that enable machines to identify objects. This may include bar codes, smart cards, optical character readers, biometric technologies and more. RFID uses radio waves to identify items. Its first application was the identification of aircraft during WWII. Since then, developments in technology have reduced the cost and increased the potential applications of RFID technology. The automatic identification offered by RFID is attractive to many organizations and retail stores, as it reduces the time and labor necessary to manually input data and improves data accuracy.</p>
<p>There are three components in an RFID system:</p>
<ol>
<li><strong>Tag</strong>: this is usually made up of a microchip unit, antenna and encapsulating material. Microchips can store up to two kB of data. This may be information about a certain product, such as its destination or sell-by date. An RFID system may include multiple tags.</li>
</ol>
<p>Tags are also referred to as transponders. They can be read-only or read-write tags. “Read-only” means that the information on the tags cannot be changed in any way. Read-write tags can have the information modified or erased multiple times. Since they offer greater functionality, their price is much higher than read-only tags.</p>
<ol start="2">
<li><strong>Reader</strong>: this is a device that has at least one antenna to communicate with the RFID tag. It emits radio waves and receives signals back from the tag. The reader passes digital information to a computer system. Readers are also known as interrogators. They can be portable, handheld devices or fixed terminals positioned in strategic places, such as loading bays or doorways.</li>
<li><strong>Infrastructure</strong>: this includes the necessary hardware and software for supporting the RFID system. The RFID software translates the data from the tag into the information about the goods and orders. This information is transmitted into other databases and applications for processing.</li>
</ol>
<h2>How can RFID be used?</h2>
<p>RFID technology has and will be applied in a variety of public and private sector organizations. Uses include:</p>
<ul>
<li>Product Integrity – to ensure that products are authentic and untampered with</li>
<li>Supply Chain Management – to monitor and control the flow of goods through the supply chain (i.e. from raw material to finished product to consumer)</li>
<li>Warranty Services – goods with tags incorporated into the materials, in order to facilitate warranty services</li>
<li>ID, Travel &amp; Ticketing – to verify the identity of the traveller; to ensure that travel documents are genuine</li>
<li>Baggage Tracking – to monitor and control the movement of baggage (e.g. from check-in to loading)</li>
<li>Patient Care &amp; Management – to rapidly, accurately verify patient information (e.g. allergies, prescription, health history, etc.)</li>
</ul>
<h2>Privacy Issues</h2>
<p>According to the Canadian <a href="http://www.piac.ca/">PIAC</a> (Public Interest Advocacy Center), RFID technology presents a challenge to Canadian privacy legislation. The basic surveillance capabilities of RFID are unlikely to violate privacy, though the <a href="http://www.cippguide.com/2010/06/10/personal-information-protection-and-electronic-documents-act-pipeda/" target="_blank">PIPEDA</a> significantly limits the use of RFID for consumer surveillance purposes.</p>
<p>However, later <a href="http://www.cippguide.org/tag/OPC/">Office of the Privacy Commissioner of Canada</a> (OPC) <a href="http://www.priv.gc.ca/information/consultations/2010/rep_rfid_1003_e.cfm">research</a> indicated that there were significant concerns regarding the use of RFID in the workplace. Through a number of public consultations, the OPC was able to establish the perspectives of academics, RFID vendors, industry groups and private citizens. Numerous privacy threats were identified:</p>
<p>Repeated collection of information</p>
<ul>
<li>Since RFID tags are very small, they can easily be embedded on or in objects or documents without the individual’s knowledge. It is possible to read RFID tags through fabric, plastic and other materials, as radio waves are not restricted to line of sight. Tags can also be read from a distance. These factors make it impossible for individuals to know whether or when they are being scanned.</li>
</ul>
<p>Tracking Movements</p>
<ul>
<li>If there is a sufficient network of RFID readers, the tags can be tracked in time and space. This is possible through a combination of GPS (Global Positioning System) and RFID technologies.</li>
</ul>
<p><a href="http://www.cippguide.org/tag/pass-id/">Profiling Individuals</a></p>
<ul>
<li>RFID technology means that each object has its own unique identification. This contrasts bar code technology, which gives the same identification to all similar objects (e.g. in a grocery store, all orange juice cartons of the same brand have the same bar code). If unique identifiers are associated with individuals, then profiles of purchasing habits can be compiled.</li>
</ul>
<p>Secondary Use</p>
<ul>
<li>Creating profiles and tracking individual movement can be linked to other information which the individual may not want revealed.</li>
</ul>
<p><a href="http://www.cippguide.org/2009/02/05/finlands-fingerprinting-fiasco-centralized-private-records-database-accessible-by-police/">Massive Data Aggregation</a></p>
<ul>
<li>RFID records may be linked with personally identifying data, which may facilitate any of the other privacy threats listed previously.</li>
</ul>
<h2>OPC Responses</h2>
<p>The OPC recommends that the ten principles of the <a href="http://www.cippguide.com/2010/06/29/csa-model-code/" target="_blank">CSA Model Code</a>, as well as the PIPEDA form the basis for an RFID privacy management framework. OPC research responds to each of the ten CSA principles, with respect to RFID technologies:</p>
<ol>
<li>Accountability – Who has access to and who is accountable for the data generated by RFID systems, as well as other data collection systems in the workplace?</li>
<li>Identifying Purposes – RFID systems that are used for legitimate business purposes (e.g. supply chain management) are more likely to be supported than RFID systems used for secondary purposes or surveillance (e.g. employee surveillance, workforce management). The OPC identified that industry standards, policies or guidelines can help to ensure that the data collected through these systems are used and disclosed for identified purposes.</li>
<li>Consent – Meaningful consent must be secured before an RFID system is implemented. However, there is the challenge of securing meaningful and completely voluntary consent in a workplace setting.</li>
<li>Limiting Collection – Reasonable expectations of privacy must be balanced with reasonable management of RFID systems. While reasonable expectations of employees are important, the reasonable management of the RFID system is the employer’s responsibility. This involves the protection of employee privacy.</li>
<li>Limiting Use, Disclosure &amp; Retention – The issue of RFID implants was a significant concern for OPC and other groups who were consulted, as implants present significant privacy and security issues. For instance, employee conduct might be monitored during and after work hours, at lunch, during vacation, and for tracking physical movements and conduct. This may pose a serious security issue.</li>
</ol>
<p>Employers should limit the collection of personally identifiable information, including RFID-related data. Data from RFID systems should not be linked to other databases, unless there is a proven need.</p>
<ol start="6">
<li>Accuracy – It is the responsibility of the employer to ensure that personal information is accurate, complete and up to date for the purposes for which it is to be used. An audit trail might be established and maintained regarding the lifecycle of the RFID data.</li>
<li>Safeguards – RFID systems that contain personal information must be protected in a way that is proportionate to the sensitivity of that information. Employers should be held accountable for any breach of RFID technology. Protecting data in each distinct part of the system is an effective approach to safeguarding employee privacy.</li>
<li>Openness – For instance, hidden tags or readers should not be implemented. Clients, employees and/or unions should be consulted before RFID systems are installed. Tags and readers ought to be in plain sight, never used for covert surveillance.</li>
<li>Individual Access – Individuals (e.g. clients, employees, union leaders) should be guaranteed access to any personally identifiable data generated by RFID systems.</li>
<li>Challenging Compliance – Individuals ought to be able to <a href="http://www.cippguide.org/2009/07/03/fixing-mistakes-data-subject-access-redress/">challenge compliance</a> with other principles. This may be the ability to make inquiries or lodge a complaint if necessary.</li>
</ol>
<p>After examining each principle individually, the OPC stated some guiding applications for the implementation of RFID technology in a way that respects <a href="http://www.cippguide.org/2010/01/18/fair-information-practices-principles/">Fair Information Practices</a>:</p>
<ul>
<li>If the RFID chip has an individual’s personal information contained on it, then it is defined as a repository of personal information.</li>
<li>If the tag is unique, it can be associated with an individual. The tag becomes a unique identifier for that individual.</li>
<li>Personal information includes information about possessions, purchases or behaviors that can be processed to create a profile.</li>
</ul>
<h3>Summary</h3>
<p>This article provides a brief introduction to RFID (radio frequency identification) technology. It explores some uses of this technology in consumer and work settings. Privacy concerns regarding RFID systems are raised. The article also offers some responses and recommendations made by the Privacy Commissioner of Canada regarding implementation of RFID technology.</p>
<h3>CIPP/C Preparation</h3>
<p>In preparation for the Certified Information Privacy Professional/Canada exam, a privacy professional should be comfortable with topics related to this post, including:</p>
<ul>
<li>CSA Model Code for the Protection of Personal Information (II.A.a.i.)</li>
<li>Radio Frequency Identification (RFID) (V.A.a.5.)</li>
<li>Security threats and vulnerabilities (V.A.b.)</li>
<li>Information management (V.c.i.)</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://www.cippguide.org/2010/07/27/rfid-technology/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>***NEW*** Case Studies now available in the Gold Subscribers section</title>
		<link>http://www.cippguide.org/2010/07/21/case-studies-now-available-in-the-gold-subscribers-section/</link>
		<comments>http://www.cippguide.org/2010/07/21/case-studies-now-available-in-the-gold-subscribers-section/#comments</comments>
		<pubDate>Wed, 21 Jul 2010 12:00:56 +0000</pubDate>
		<dc:creator>System Admin</dc:creator>
				<category><![CDATA[Site]]></category>
		<category><![CDATA[Case Studies]]></category>
		<category><![CDATA[CIPP]]></category>
		<category><![CDATA[CIPP/C]]></category>
		<category><![CDATA[CIPP/IT]]></category>

		<guid isPermaLink="false">http://www.cippguide.org/?p=2193</guid>
		<description><![CDATA[We're constantly trying to improve our service offerings.  In that vein, we just added the first set of case studies to the site.  Gold subscribers may find them under the Premium Services Tab.
Subscription options may be found under the subscribe [...]]]></description>
			<content:encoded><![CDATA[<p>We&#8217;re constantly trying to improve our service offerings.  In that vein, we just added the first set of case studies to the site.  Gold subscribers may find them under the Premium Services Tab.<br />
Subscription options may be found under the subscribe tab or <a title="Subscription Page" href="http://www.cippguide.org/subscribe/" target="_self">here</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.cippguide.org/2010/07/21/case-studies-now-available-in-the-gold-subscribers-section/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Surveillance &amp; Investigation in Canada</title>
		<link>http://www.cippguide.org/2010/07/20/surveillance-investigation-in-canada/</link>
		<comments>http://www.cippguide.org/2010/07/20/surveillance-investigation-in-canada/#comments</comments>
		<pubDate>Tue, 20 Jul 2010 12:00:50 +0000</pubDate>
		<dc:creator>hannah</dc:creator>
				<category><![CDATA[CIPP]]></category>
		<category><![CDATA[Compliance & Regulations]]></category>
		<category><![CDATA[CIPP/C]]></category>
		<category><![CDATA[legislation]]></category>
		<category><![CDATA[Office of the Privacy Commissioner]]></category>
		<category><![CDATA[OPC]]></category>
		<category><![CDATA[provincial commissioners]]></category>
		<category><![CDATA[Surveillance]]></category>

		<guid isPermaLink="false">http://www.cippguide.com/?p=1939</guid>
		<description><![CDATA[The introduction of Bills C-46 and C-47 in Canada sparked concern regarding the role of the federal government and other authorities to expand surveillance and increase investigation of the Canadian public. The bills were tabled June 2009 and continue to be met with much concern. This article will elaborate on the significant aspects of each bill, with an eye to some of the potential privacy concerns that may be [...]]]></description>
			<content:encoded><![CDATA[<p>The introduction of Bills C-46 and C-47 in Canada sparked concern regarding the role of the federal government and other authorities to expand surveillance and increase investigation of the Canadian public. The bills were tabled June 2009 and continue to be met with much concern. This article will elaborate on the significant aspects of each bill, with an eye to some of the potential privacy concerns that may be raised.</p>
<h2>Bills C-46 &amp; C-47</h2>
<p>In June 2009, the Canadian federal government tabled two significant pieces of legislation: the <a href="http://www2.parl.gc.ca/HousePublications/Publication.aspx?DocId=4008179&amp;Language=e&amp;Mode=1">Investigative Powers for the 21<sup>st</sup> Century Act</a> (Bill C-46) and the <a href="http://www2.parl.gc.ca/HousePublications/Publication.aspx?DocId=4007628&amp;Language=e&amp;Mode=1">Technical Assistance for Law Enforcement in the 21<sup>st</sup> Century Act</a> (Bill C-47).</p>
<p>Bill C-46 allows police and other authorities to collect digital evidence amongst numerous devices and computer networks. These may be interprovincial or even international. A motivating factor for this bill is to ensure that multiple avenues are examined, in a timely manner, especially since digital data often has a short life span. Some important issues in the Bill C-46 legislation include:</p>
<p>Transmission Data</p>
<ul>
<li>This includes the data from telephone and internet communications. However, this does not include the content.</li>
<li>This ensures that communications can be traced back to the original service provider. This allows police to trace domestic and international cybercrime.</li>
<li>Determining the origin of transmission can help identify the jurisdiction of telecommunications.</li>
</ul>
<p>Preservation Order</p>
<ul>
<li>A preservation order is a temporary order that requires a telecommunications service provider to safeguard and store data (e.g. usage and location) related to a specific communication. It is also known as a “quick freeze” order.</li>
<li>This is restricted only to the data that is related to a particular investigation.</li>
</ul>
<p>Tracking Warrants</p>
<ul>
<li>This allows police to remotely activate tracking devices found in some technologies (e.g. cell phones, car tracking devices).</li>
<li>This may permit police to install new devices to enable tracking.</li>
<li>Authorities can have special orders for tracing mobile communications devices as well as their owners.</li>
</ul>
<p>International Considerations</p>
<ul>
<li>International cooperation is crucial for many cybercrime investigations.</li>
<li>The proposals in this bill strengthen the instruments that enable broad-based international cooperation in investigation as well as prosecution of computer-related crimes.</li>
</ul>
<p>Bill C-47 does not provide police or other law enforcement authorities with additional powers, but it does mandate that authorities have a technical solution in place to actually intercept telecommunications. At this point, Canada does not require companies to build interception capability into their telecommunications networks. This means that when warrants are issued, they cannot be acted upon, since the service provider’s network cannot be intercepted. This may create a safe haven for criminal activity.</p>
<p>In response, Bill C-47 requires companies to create intercept-capable infrastructures, which includes paying for the new equipment and software involved. The government will provide compensation for any required retrofits. The intention is to introduce intercept solutions as flexibly and gradually as possible. This will ensure that telecommunication services are able to build and maintain interception capability without creating undue burdens on the company. Eventually, Bill C-47 will allow authorities to obtain individual information such as name, phone number, address, IP address, and other mobile phone identifiers.</p>
<h2>Perspectives</h2>
<p>Some proponents of the Bills have argued that the legislation is not too different from other criminal legislation affecting privacy interests. They argue that Canada is far behind the curve in terms of lawful access legislation. For instance, both the US and Australia have implemented such legislation for more than ten years. Introducing such measures will enable Canadian companies to comply with international obligations, facilitating international competition.</p>
<p>However, others have cautioned that these measures should not simply be implemented because of the choices of other countries. It is important to note that in a number of countries interception and surveillance measures were passed, in spite of public opposition.</p>
<p>Opponents of the bills argue that while the proposals are presented as security measures, they may lead to a “chilling effect.” This means that citizens may become nervous about the monitoring of their online activities. Lawful surveillance may silence debates and shut down the development of legal online activities.</p>
<p>Other observers commented on the fact that there is increased collaboration between government and private actors to track citizens’ actions and activities in the digital world. Surveillance and interception is largely justified based on user agreements. These contain provisions which allow the telecommunications service providers to monitor and transmit the information to authorities. However, many users do not read or understand these agreements. They are also unable to negotiate the terms with the service providers. Arguably, users have no choice but to hand over their constitutional rights, if they want to have access to such necessities as telephone and internet services.</p>
<h2>OPC Concerns</h2>
<p>The <a href="http://www.cippguide.com/2010/06/03/privacy-commissioner-of-canada/" target="_blank">Office of the Privacy Commissioner</a> of Canada (OPC) recommends that Parliament remain cautious about surveillance and interception legislation, which will often have repercussions on other jurisdictions as well as a significant impact upon the privacy rights of Canadians. A <a href="http://www.priv.gc.ca/media/nr-c/2009/res_090910_e.cfm">joint resolution</a> issued by the federal Privacy Commissioner as well as <a href="http://www.cippguide.com/2010/06/15/provincial-territorial-privacy-commissioners/" target="_blank">provincial commissioners and ombudspersons</a> states that there must be a clear and demonstrable need before the investigative powers of law enforcement and other national security agencies are expanded. According to the Commissioners and ombudspersons, the federal government has not provided satisfactory evidence to support the need for the new powers outlined in the proposed legislation.</p>
<p>The joint resolution argues that the proposed legislation allows authorities to access personal information, such as unlisted telephone numbers, email addresses and IP addresses. However, Canadians consider this information extremely sensitive and expect it to remain confidential. The use of computers and other remote devices should also remain private. Arguably, the proposed legislation does not only target serious criminal offenses, but might also be applied to investigations of minor infractions and non-criminal matters.</p>
<p>While the OPC and the ombudspersons are not completely opposed to legislation regarding the monitoring of digital data, such legislation must take into account both individual privacy rights and the legitimate needs of law enforcement authorities. The following outlines the OPC’s recommendations regarding Bill C-46 and Bill C-47:</p>
<ul>
<li>The federal government needs to demonstrate that the expanded surveillance is actually essential and justified.</li>
<li>The federal government should explore alternatives to the proposed Bills.</li>
<li>The Bills should be limited to only specific, serious crimes and life-threatening emergencies.</li>
</ul>
<p>If there are any legislative proposals on surveillance, they should embody the following characteristics:</p>
<ul>
<li>Be minimally intrusive.</li>
<li>Have well-defined limits on the use of the new powers.</li>
<li>Have appropriate legal thresholds for court authorization.</li>
<li>Require draft regulations to be publicly reviewed before being enforced.</li>
<li>Provide effective oversight.</li>
<li>Publicly report the use of powers.</li>
<li>Have a five-year Parliamentary review.</li>
</ul>
<p>In taking these recommendations into account, Parliament will be able to update surveillance and investigation legislation appropriately to meet the needs of law enforcement.</p>
<h3>Summary</h3>
<p>This article examines the proposals in Bill C-46 and Bill C-47, the Investigative Powers for the 21<sup>st</sup> Century Act and the Technical Assistance for Law Enforcement in the 21<sup>st</sup> Century Act, respectively. It looks at the new powers that may be afforded to police and other law enforcement bodies across Canada. It introduces a number of different perspectives on the Bills. For some, the Bills are not a cause for concern, as many other countries have introduced similar legislation and Canada is simply catching up with these obligations. Others, who oppose the Bills, point out their repercussions in a variety of contexts. Finally, the article examines the OPC’s response and recommendations regarding surveillance legislation.</p>
<h3>CIPP/C Preparation</h3>
<p>In preparation for the Certified Information Privacy Professional/Canada exam, a privacy professional should be comfortable with topics related to this post, including:</p>
<ul>
<li>Privacy policy, legal requirements (V.C.b.b.)</li>
<li>End user expectations (V.C.c.a.i.)</li>
<li>Vendor and contract management (V.C.e.)</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://www.cippguide.org/2010/07/20/surveillance-investigation-in-canada/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Consumer Authentication in Canada</title>
		<link>http://www.cippguide.org/2010/07/15/consumer-authentication-in-canada/</link>
		<comments>http://www.cippguide.org/2010/07/15/consumer-authentication-in-canada/#comments</comments>
		<pubDate>Thu, 15 Jul 2010 12:00:44 +0000</pubDate>
		<dc:creator>hannah</dc:creator>
				<category><![CDATA[CIPP]]></category>
		<category><![CDATA[Compliance & Regulations]]></category>
		<category><![CDATA[Authentication]]></category>
		<category><![CDATA[Canada]]></category>
		<category><![CDATA[CIPP/C]]></category>
		<category><![CDATA[Consumer Protection]]></category>
		<category><![CDATA[electronic authentication]]></category>
		<category><![CDATA[OECD]]></category>
		<category><![CDATA[PIAC]]></category>
		<category><![CDATA[PIPEDA]]></category>

		<guid isPermaLink="false">http://www.cippguide.com/?p=1909</guid>
		<description><![CDATA[Electronic authentication is common in this information-driven society, as daily transactions through electronic services and the Internet require remote electronic authentication. Online transactions are increasingly seamless through the connection of multiple devices which offer services to consumers that were previously unattainable. Many authentication systems collect and use the personal information of users in a way that compromises their privacy and security. Authentication systems must be designed to give consumers more control over their personal information, promoting user security and effective privacy [...]]]></description>
			<content:encoded><![CDATA[<p>Electronic authentication is common in this information-driven society, as daily transactions through electronic services and the Internet require remote electronic authentication. Online transactions are increasingly seamless through the connection of multiple devices which offer services to consumers that were previously unattainable. Many authentication systems collect and use the personal information of users in a way that compromises their privacy and security. Authentication systems must be designed to give consumers more control over their personal information, promoting user security and effective privacy protections.</p>
<h2>What is authentication?</h2>
<p>Authentication in this context refers to the verification of user identities in an electronic information system. Authentication can be discussed in terms of three factors, or authenticators:</p>
<ol>
<li>Something that is <span style="text-decoration: underline;">known</span> by the individual (e.g. a password, personal identification number, account number, etc.)</li>
<li>Something that the individual <span style="text-decoration: underline;">has</span> (e.g. a bankcard, token, identity card, digital certification, etc.)</li>
<li>Something that the individual <span style="text-decoration: underline;">is or does</span> (e.g. a biometric, such as a facial image, retinal scan, voice print; or a person’s signature)</li>
</ol>
<p>Single-factor authentication is the traditional security process. In this type of authentication, the user must provide an authenticator in one of the above categories. For instance, before a user has access to an account, he/she must provide a username and a password. Single-factor authentication is more likely to result in compromised privacy or security.</p>
<p>Two-factor, or multi-factor, authentication requires authenticators from two or more of the above categories. For instance, before accessing a system, a user must provide a physical token, such as an identity card, together with a security code. Authentication that is based on more than one authenticator from the same category is known as multi-layer authentication.</p>
<h2>Electronic Authentication in Canada</h2>
<p>A 2008 study conducted by the <a href="http://www.piac.ca/">Public Interest Advocacy Center</a> (PIAC) focused on electronic authentication of consumer financial transactions. It established that Canadian consumers were particularly attentive to electronic authentication methods in their daily transactions, which included banking and financial services, airport check-in and online shopping. While many online banking services required two-factor authentication, the most common online authentication is single-factor authentication with a username and password.</p>
<p>A 2004 study revealed consumer frustration with the lack of security provided by online banking services and online retailers. A later 2005 study showed that Canadian consumers were more concerned about security and privacy than their American counterparts; 40% of Canadians avoided online shopping due to security issues, compared to 24% of Americans. The <a href="http://www.cippguide.org/tag/OPC/">Privacy Commissioner of Canada</a> continues to note concerns with the increasing trend of collection, use and retention of personal data.</p>
<h2>Authentication Principles</h2>
<p>In May 2004, <a href="http://www.ic.gc.ca/eic/site/ic1.nsf/eng/home">Industry Canada</a> released the <a href="http://www.ic.gc.ca/eic/site/ecic-ceac.nsf/vwapj/Authentication.pdf/$file/Authentication.pdf">Principles for Electronic Authentication</a> to provide guidance for the development, implementation and use of authentication services and products in Canada. The Principles complement existing authentication governance by establishing benchmarks for products and services. They also ensure compatibility with international developments in authentication.</p>
<p>The Principles for Electronic Authentication are outlined below:</p>
<p><strong>1. Responsibilities of Participants</strong></p>
<p>Participants in authentication processes should be aware of their functions and responsibilities. Responsibilities should be proportional to the degree of knowledge and control they can reasonably be expected to have. Functions may include: administration, specification, end use, standards development, compliance assessment and infrastructure provision.</p>
<p><strong>2. Risk Management</strong></p>
<p>Any risks associated with authentication processes should be identified, assessed and managed in a reasonable, fair and efficient manner. Risks may include financial risks, loss of confidentiality or privacy, damages to reputation or identity theft. Assessment should be done in the context of the six functions listed in the previous principle.</p>
<p><strong>3. Security</strong></p>
<p>Participants in authentication processes should be responsible and accountable for security. A security incident that only affects a single participant may have implications for all participants. Participants have a responsibility to mitigate risks through sound security practices, but most of this responsibility lies with infrastructure providers and authentication administrators. Review and assessment is essential in ensuring the ongoing efficacy of security programs.</p>
<p><strong>4. Privacy</strong></p>
<p>Organizations involved in the design or operation of authentication processes should comply with data protection regulations set out in privacy legislation. The collection, use and disclosure of personal information in the context of authentication should be minimized. For instance, the authentication of a business should be focused on business attributes, rather than personal attributes of individual employees.</p>
<p><strong>5. Disclosure Requirements</strong></p>
<p>Organizations offering authentication services should disclose information, such as policies, practices and procedures, to other participants. This will ensure that all participants are aware of the risks and responsibilities associated with participation. Disclosure should not include any information that would introduce vulnerabilities or increase risk. The extent and nature of the information disclosed may vary, depending on whether the end user happens to be an individual or an organization.</p>
<p><strong>6. Complaints Handling</strong></p>
<p>Organizations that implement authentication processes should establish a complaints-handling process in order to enable participants to effectively resolve complaints and respond appropriately to non-compliance issues. Adequate complaints-handling processes should reflect the following characteristics: visibility; accessibility; responsiveness; fairness and objectivity; free of charge; confidentiality and privacy; accountability; continual improvement; and third-party dispute resolution processes for unresolved complaints.</p>
<h2>Authentication Initiatives Since 2004</h2>
<p>Since the publishing of the Authentication Principles, governments and consumer groups have been involved in several electronic authentication initiatives:</p>
<ul>
<li>The Data Protection Working Party adopted a working document on online authentication services. It studies the efficacy of Microsoft .NET Passport, which reduces the number of accounts a user needs to create and makes more services accessible through a single authentication process.</li>
<li>In June 2007, the OECD released their Recommendation on Electronic Authentication as well as the OECD Guidance for Electronic Authentication, which lists a number of foundational principles for authentication.</li>
<li>In September 2007, the Department of Finance began discussions regarding the expansion of the Debit Card Code to cover a broader array of electronic payments.</li>
</ul>
<h2>Authentication Principles, Revisited</h2>
<p>In October 2008, the PIAC released a report calling for a substantial overhaul of Industry Canada’s Authentication Principles. The report cited the Principles’ widespread failure to provide adequate protection when conducting online business transactions. While consumers are becoming increasingly careful about security and privacy risks online, the report urges federal and provincial governments to play a greater role in the regulatory process.</p>
<p>The following is an outline of some of the criticisms and recommendations made by the PIAC regarding the Authentication Principles:</p>
<ul>
<li><strong>Criticism</strong>: The Authentication Principles provide insufficient assurance of consumer security. Principle #3 is based on security, but it is too vague to be meaningful as it does not indicate how an organization might achieve appropriate security.</li>
</ul>
<p><strong>Recommendation</strong>: Authentication should move beyond multi-layer single-factor techniques. Two-factor authentication provides only minimal security for highly sensitive transactions. One-time passwords can be provided to the consumer through the financial institution or retailer. This strategy has been implemented internationally, but has yet to be introduced in Canada.</p>
<ul>
<li><strong>Criticism</strong>: The Principles do not clarify who is liable for losses. Consumers should not be held liable.</li>
</ul>
<p><strong>Recommendation</strong>: Standard form contracts must make clear who bears the liability for losses. Banks and retailers should bear the burden of responsibility for unpreventable losses.</p>
<ul>
<li><strong>Criticism</strong>: The Principles fail to adequately protect consumer privacy, especially in light of continually evolving security breaches.</li>
</ul>
<p><strong>Recommendation</strong>: Prioritizing consumer privacy would help to minimize the harm that results from security breaches related to authentication. The Principles should tie in corresponding sections of the <a href="http://www.cippguide.org/2009/12/06/data-protection-laws-around-the-globe/">Personal Information Protection and Electronic Documents Act</a> (PIPEDA) fair information practices. Sensitive personal information should be used as authenticators only in very limited situations. Consumers should be able to choose the pieces of personal information they use as authenticators.</p>
<ul>
<li><strong>Criticism</strong>: The Principles must mandate full public disclosure and consumer education.</li>
</ul>
<p><strong>Recommendation</strong>: Implementation of authentication processes should be transparent. This includes notifying consumers if the authentication system has changed; making information available before the user creates an account; providing full public disclosure of audits and compliance reviews; providing security breach notification; and providing consumer education.</p>
<ul>
<li><strong>Criticism</strong>: Consumers are not guaranteed protection in a voluntary framework. Consumers need a better regulatory framework to address electronic authentication.</li>
</ul>
<p><strong>Recommendation</strong>: Regulate authentication through sectoral regulation. Strengthen online authentication through implementing two-factor authentication. Regulate authentication in the retail sector. The Privacy Commissioner of Canada should oversee authentication practices.</p>
<h3>Summary</h3>
<p>This article examines the concept of electronic authentication in a consumer context. Single-factor, two-factor and multi-factor authentication are explored. Industry Canada’s Principles for Electronic Authentication are defined and later criticisms and recommendations are raised. The article also looks at other authentication initiatives that have developed in Canada since 2004.</p>
<h3>CIPP/C Preparation</h3>
<p>In preparation for the Certified Information Privacy Professional/Canada exam, a privacy professional should be comfortable with topics related to this post, including:</p>
<ul>
<li>Security Controls: Authentication (V.A.a.i.)</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://www.cippguide.org/2010/07/15/consumer-authentication-in-canada/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>ISO 27000 Series</title>
		<link>http://www.cippguide.org/2010/07/13/iso-27000-series/</link>
		<comments>http://www.cippguide.org/2010/07/13/iso-27000-series/#comments</comments>
		<pubDate>Tue, 13 Jul 2010 17:00:16 +0000</pubDate>
		<dc:creator>hannah</dc:creator>
				<category><![CDATA[Information Security]]></category>
		<category><![CDATA[27000]]></category>
		<category><![CDATA[27001]]></category>
		<category><![CDATA[Compliance]]></category>
		<category><![CDATA[Foundations]]></category>
		<category><![CDATA[ISO]]></category>
		<category><![CDATA[standards]]></category>

		<guid isPermaLink="false">http://www.cippguide.com/?p=2020</guid>
		<description><![CDATA[The ISO (International Organization for Standards) publishes international standards for the private sector.  The ISO 27000 standards series refers to information security matters. Since October 2005, the ISO has published six of these standards, with controls ranging from managing security systems to problem solving methodology to [...]]]></description>
<content:encoded><![CDATA[<p>The ISO (<a href="http://www.iso.org/iso/home.html">International Organization for Standardization</a>) is a non-governmental body that publishes international standards. It is made up of a network of national standards institutes in 163 countries, many of which are integrated with the government structures of those countries. Standards are developed by specialist expert groups made up of members from business, industry, government, academia, consumer and other relevant groups.</p>
<p>The ISO standards work to facilitate trade; provide a basis for development, production and assessment of products; and to safeguard consumers who use products and services. The ISO produces standards for a wide range of industrial and commercial subjects. This article explores two ISO standards that are especially relevant to privacy professionals.</p>
<h2>ISO 27000 Series &amp; ISMS</h2>
<p>The ISO 27000 standards series covers information security management. ISO 27000 itself, published in 2009, supplies the overview and vocabulary for the series; the first six numbered standards that followed, beginning in October 2005, are:</p>
<ul>
<li>ISO 27001: specifies the requirements for establishing, operating and certifying an information security management system (ISMS).</li>
<li>ISO 27002: a code of practice listing information security controls and implementation guidance.</li>
<li>ISO 27003: guidance on implementing an ISMS, structured around the PDCA (plan-do-check-act) cycle. It was published in 2010.</li>
<li>ISO 27004: guidance on measuring the effectiveness of an ISMS and of the ISO 27002 controls.</li>
<li>ISO 27005: information security risk management, published in 2008.</li>
<li>ISO 27006: requirements for the bodies that audit, certify and register ISMS.</li>
</ul>
<p>The ISO 27000 series is closely linked to other standards, including:</p>
<ul>
<li>ISO 17021: this standard discusses the requirements for auditing and certifying management systems of various types. It is closely related to the ISO 27006.</li>
<li>ISO 13335: this discusses the management of information and communications technology security.  It is closely linked to the ISO 27005.</li>
<li>ISO 24760: when it is published, this standard will offer a framework for identity management. It is most related to the ISO 27002.</li>
</ul>
<p>Together, the ISO 27000 series of standards are used to plan, implement, certify and operate an ISMS. The term ISMS, or information security management system, originated in BS 7799 and was carried into the ISO 27000 series. It refers to a systematic approach for managing an organization’s sensitive information. An ISMS includes people, processes and information systems. Developing an ISMS ensures the following:</p>
<ul>
<li>The organization’s information assets are listed and secured.</li>
<li>Information security risks are managed and mitigated.</li>
<li>The organization’s security policies are implemented.</li>
<li>The organization is regularly assessed to ensure adherence to security measures.</li>
</ul>
<p><a href="http://www.cippguide.com/tag/information-security/">Information security</a> involves three main components: <a href="http://www.cippguide.org/2010/07/15/cia-triad/">confidentiality, integrity and availability</a>. Confidentiality means that information is accessible to authorized individuals only. Integrity refers to the accuracy and completeness of information, and ensures that it is not modified without knowledge and authorization. Availability means that information is accessible to authorized individuals when they need it.</p>
<h2>ISO 27001</h2>
<p>The ISO 27001, formally referred to as “Information Technology – Security Techniques – Information Security Management Systems – Requirements,” was published in October 2005. It replaces the former BS 7799-2 standard. BS 7799 was first published in 1995 by the BSI (British Standards Institution) as a code of practice; Part 2, a certifiable specification for an ISMS, followed in 1999 and was revised in 2002. Both parts were written to be technology-neutral and vendor-neutral, and Part 1 was taken as a code of practice rather than as a specific standard.</p>
<p>The standard outlines the specific requirements involved in establishing, implementing, monitoring, reviewing and improving a management system. It does not prescribe particular technical safeguards; instead it sets out management-system requirements that apply to organizations of any type, from commercial enterprises to public service agencies and non-profit groups. The ISO 27001 draws on the OECD Guidelines for the Security of Information Systems and Networks (2002).</p>
<p>The ISO 27001 standard demands that an organization’s management carry out the following:</p>
<ol>
<li>Examine information security risks, paying attention especially to threats, vulnerabilities and impacts.</li>
<li>Develop and implement a complete set of information security controls and other protocols for dealing with risk.</li>
<li>Commit to an overarching management process to ensure that the information security controls adapt and grow with the organization.</li>
</ol>
<p>The ISO 27001 is built around the PDCA cycle. PDCA (also known as the Deming or Shewhart cycle) is an iterative method for continual improvement that is applied within improvement programs to ensure that action is effective. The cycle involves:</p>
<ol>
<li>PLAN: identify the problems that are being faced. Brainstorm solutions to these problems.</li>
<li>DO: test problem-solving actions on a limited, experimental scale first. This will ensure that disruptions to regular operations are kept at a minimum.</li>
<li>CHECK: determine if the experimental actions are achieving a desired result. Monitor the quality of output continually to ensure that new problems are identified immediately.</li>
<li>ACT: once experimental actions are deemed effective, the changes should be implemented on a larger scale. This may mean that the new actions are integrated into daily routines and/or expanded to involve other individuals or departments in the organization.</li>
</ol>
<p>In order for an organization to be certified compliant with the ISO 27001, it must go through the following process. Initially, the organization must decide to start the certification process. During this stage, management must commit to the project and delegate responsibilities. Management would then develop and publish an organizational policy regarding the standards certification.</p>
<p>The organization then undertakes a scoping process, in which specific parts of the organization are covered by the ISMS. This determines which locations, assets or technologies will be included in the certification.</p>
<p>After the scoping process, the organization must carry out a risk assessment to identify its strengths and the means of addressing its weaknesses in terms of risk exposure. As a result, the organization produces a risk treatment plan documenting how each identified risk will be handled. The resulting procedures and policies are then implemented throughout the scoped organization. Auditors from certification or registration bodies then verify compliance.</p>
<h2>ISO 27002</h2>
<p>The ISO 27002, formally referred to as “Information Technology – Security Techniques – Code of Practice for Information Security Management,” was published in 2005 as ISO/IEC 17799:2005 and renumbered ISO/IEC 27002 in 2007. The standard is based on the UK standard BS 7799 Part 1. The ISO 27002 and ISO 27001 are meant to be used together: ISO 27001 Annex A lists the controls, and ISO 27002 explains how to implement them.</p>
<p>The objective of the ISO 27002 standard is to establish guidelines and general principles for initiating, implementing, maintaining and improving information security management within an organization. The controls it describes are selected on the basis of a risk assessment. It is an advisory document rather than a certifiable specification. As such, any organization that adopts the ISO 27002 must identify its own information security risks and select appropriate controls, using the document as a framework.</p>
<p>The 2005 edition groups 133 controls under thirty-nine control objectives, each of which states a functional requirement. These control objectives form a basis for an organization to create principles for its own information security policies. The main sections or categories under which the control objectives fall are as follows:</p>
<ol>
<li><a href="http://www.cippguide.org/2010/07/20/controlling-and-managing-risk/">Risk management</a></li>
<li>Security policy</li>
<li>Organization of information security</li>
<li>Asset management</li>
<li>Human resources security</li>
<li>Physical and environmental security</li>
<li>Communications and operations management</li>
<li><a href="http://www.cippguide.org/2010/07/22/access-controls/">Access control</a></li>
<li>Information systems acquisition, development and maintenance</li>
<li>Information security incident management</li>
<li>Business continuity</li>
<li>Compliance</li>
</ol>
<p>While the ISO 27003 offers some guidance for implementation, a number of critiques regarding the ISO 27002 standard have surfaced since its publication. A few potential areas for revision include:</p>
<ul>
<li>The standard does not adequately address risk assessment. It ought to suggest more risk assessment activities.</li>
<li>The standard does not clearly define what an organization’s security policy should be.</li>
<li>The standard should assist organizations in ensuring business continuity, for instance facilitating recovery or planning to cope with incidents that may arise.</li>
<li>The standard should be more in depth in terms of its section on IT auditing. It may want to cover the value of auditing and improvement.</li>
</ul>
<h2>Increasing Certification</h2>
<p>There are a number of reasons for the increasing rate of certification to ISO 27000 series standards. Two important causes are the growth of threats to information and the growth of regulatory and statutory requirements for information protection. Over the past decade, a formal ISMS has come to be seen as a necessity for organizational best practice.</p>
<p>According to international reports, ISO 27001 certifications have steadily been increasing by approximately one thousand organizations per year. Concurrently, global information security threats are becoming more and more visible. These threats target any organization or individual who relies on the use of electronic information. At the same time, personal data may also be at risk of natural disasters, external attack, internal corruption or theft. This has led to increasing demand for compliance from suppliers, business partners and consumers.</p>
<h3>Summary</h3>
<p>This article introduces the ISO 27001 and the ISO 27002 standards. It discusses the ISO 27000 series of standards, which govern information security management and so bear directly on the protection of personal information. The ISO 27001 aims to help organizations improve their ISMS (information security management system) by providing a model for its design and implementation. The ISO 27002 lists guidelines for managing the life cycle of information security within an organization and is comprised of a number of control objectives. The article finally discusses the growing role of ISO standards in an organizational ISMS context.</p>
<h3>Foundations Exam Preparation</h3>
<p>In preparation for the Certification Foundation exam, a privacy professional should be comfortable with topics related to this post, including:</p>
<ul>
<li>Business risk management (I.C.a.)</li>
<li>Information security standards (II.A.d.)</li>
<li>Information security management (II.C.a.)</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://www.cippguide.org/2010/07/13/iso-27000-series/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
