Building Confidence: Security, Privacy and User Empowerment

A discussion paper prepared for the Canada Roundtable on the Future of the Internet Economy
Ottawa, October 2, 2007

Michael Geist
Canada Research Chair in Internet and E-commerce Law
University of Ottawa, Faculty of Law

The views expressed in this paper are those of the author, and do not necessarily represent the views of Industry Canada or the Government of Canada.

Time Magazine's selection last year of "You" (a reference to the people behind user-generated content on the Internet) as the person of the year was mocked by critics as a poor choice that by-passed several notable political leaders. Yet the choice may ultimately be viewed as the tipping point when the remarkable outbreak of Internet participation that encompasses millions of bloggers, music remixers, amateur video creators, citizen journalists, wikipedians, and Flickr photographers broke into the mainstream.

The choice may also cause government leaders and policy makers to contemplate how they fit into the world of a participatory Internet and blossoming online commercial opportunities. Their initial reaction might well be to remain firmly on the sidelines as the speed of development and enormous creative energy appear to be at odds with painfully slow government policy processes. While a strong regulatory response is indeed unnecessary and likely harmful, it would be a mistake to completely ignore the issue. In the mid-1990s, the emergence of the Internet and e-commerce elicited an engaged approach from government, which balanced the need for a private sector-led, self-regulatory model with e-commerce and privacy legislation that built consumer and business confidence in the new medium.

Canada As a Participant in Global Policymaking

Canada has long been viewed as an important participant in global policymaking, frequently serving as a bridge between divergent views from North America, Europe, and Asia. Building confidence in the online environment is unquestionably a global challenge – regardless of the source, the concerns associated with privacy, security, and cybercrime touch consumers and businesses around the world. Indeed, a 2002 survey of Chinese Internet users found that 94 percent were concerned with their privacy and 65 percent were concerned about the online safety of their financial information, mirroring outcomes found in Canada.

Solving these challenging issues will require active participation in the range of global fora including the OECD, Council of Europe, APEC, OAS, and the ITU. Moreover, cross-border enforcement issues should figure prominently in Canada's international strategy. This includes developing effective international mechanisms to facilitate cross-border privacy law enforcement co-operation as well as providing mutual assistance to one another in the enforcement of laws protecting privacy, including through notification, complaint referral, investigative assistance and information sharing, subject to appropriate safeguards.

In addition to its contribution on the global stage, Canada's domestic agenda has the potential to serve as a role model for other countries grappling with these issues. Canada's national privacy legislation is frequently cited as a model for business-friendly, European Union-compliant privacy legislation. Similarly, the recommendations of the National Task Force on Spam played an integral role in developing an international toolkit to combat spam and the Principles for Electronic Authentication served as a primary reference for the recently published OECD Council Recommendation and Guidance document on authentication. These experiences illustrate that the benefits of sound, pro-active policymaking at home extend well beyond the domestic arena as they have the potential to serve as the basis for similar laws and policies around the world.

The Canadian Context

Many of these policies – both domestic and international – have served Canadians well. Statistics Canada's 2005 Canadian Internet Use Survey demonstrates that a significant percentage of Canadians now regularly use the Internet for an increasingly diverse range of activities. The survey found that nearly 17 million Canadians – 68 percent of the adult population – use the Internet for personal non-business reasons. Moreover, almost two-thirds of Canadian adults access the Internet from home each day. This represents a remarkable societal shift with ten million Canadians reserving some of their at-home leisure time for the Internet.

Once online, more than half of Canadian Internet users use the network for email (the highest ranked activity with 92 percent indicating that they used email), web browsing, viewing news and sports, electronic banking and bill payment, as well as accessing information on weather, travel, health, and government services. Moreover, over 40 percent of Internet users indicated that they engaged in e-commerce, education, and community events. A noteworthy group of Canadian business success stories has also developed in recent years. Category leaders such as Flickr, StumbleUpon, Club Penguin, and Webkinz all got their start in Canada and there are dozens of new companies waiting in the wings.

Notwithstanding this impressive decade of achievement, there remains the sense that we are still at the early stages of development with universal access, faster broadband deployment, better computing power, and a broader array of content all leading to a more vibrant network as well as new commercial, social, and educational opportunities.

Building Confidence: A Broad-Based Agenda

A critical part of realizing that potential lies in building business and consumer confidence in the online medium. In the late 1990s, the "confidence agenda" focused on issues such as e-commerce certainty, privacy, and consumer protection. Today, facilitating confidence is as relevant as ever. Indeed, Statistics Canada data indicates that Canadians remain fearful of the security and privacy risks associated with the Internet as almost three-quarters of survey respondents indicated that they were either concerned or very concerned about security and privacy. These concerns likely encompass security breaches, personal data misuse, as well as the proliferation of spam and spyware. Moreover, the data provides convincing evidence that privacy and security concerns have a bottom line impact on e-commerce. Fifty-seven percent of Internet users engaged in "online window shopping" in 2005, yet only 43 percent actually ordered personal goods or services. This suggests that many Canadians use the Internet to research potential purchases, but remain reluctant to provide credit card data or other personal information to complete the transaction.

In many respects, concerns around consumer and business confidence have expanded well beyond the more narrow confines of privacy and security. Other critical issues include:

  • network neutrality and consumer concerns about the lack of transparency and competition in the broadband marketplace. Despite the promises of fast speeds and large file sharing capabilities, there are growing concerns among many consumers that some services deliver far less than advertised as some ISPs actively engage in "traffic shaping", a process that limits the amount of bandwidth available for certain applications.

  • pricing and competition concerns for mobile data, diminishing consumer confidence in using mobile applications and developer confidence in bringing such products and services to the Canadian market. Canadian carriers have treated mobile Internet use as a business product, establishing pricing plans that force most consumers to frugally conserve their time online.

  • the use of digital rights management (DRM) and the lack of interoperability with content purchased online. For example, the Sony Rootkit controversy, in which the world's second largest record label rendered hundreds of thousands of personal computers vulnerable to hacker attack by inserting faulty copy-protection software into dozens of CDs, caused an erosion of consumer confidence in the music market.

  • restrictive copyright rules that mistake flexibility for piracy. The absence of a fair use provision in Canada has garnered the support of stakeholders from across the copyright spectrum seeking greater confidence in Canada's copyright law framework. Many groups have expressed fear that the current law is a barrier to innovation that places Canadians at a disadvantage in comparison to their U.S. competitors.

  • free speech concerns associated with online libel chill as many Canadians lack the confidence to post comments online for fear of facing lawsuits. Given the recent spate of lawsuits, it is likely that many sites will simply drop the ability to post comments since the challenge of monitoring and verifying every comment will be too onerous. Alternatively, many sites may abandon Canada altogether by establishing their online presence in the United States.

Given the importance of these issues, it may be tempting to shift policy attention away from privacy and security concerns. That would be a mistake, however, as both remain crucial issues with much work yet to be done. During the summer of 2007, Canadian media regularly reported on Internet privacy and security concerns, including:

  • a security breach at, a leading online jobs site, that resulted in the theft of personal information for more than 1.3 million people.

  • physical threats against Ujjal Dosanjh, a Member of Parliament, on Facebook, Canada's leading social networking site.

  • privacy concerns associated with the posting of personal videos on YouTube without permission.

  • the continuing growth of spam, including the use of PDF attachments and image-based spam to by-pass anti-spam filters. In fact, an outbreak of spam that spoofed the online greeting card market threatened to destroy an otherwise successful industry.

  • repeated warnings to millions of Canadians from major banks, including the Royal Bank of Canada and the Toronto-Dominion Bank, about the dangers of responding to phishing emails purporting to come from legitimate sources.

  • a massive denial of service attack against Estonia, one of the world's most electronically-advanced countries, that is described by some analysts as the first case of "cyberwar".

These incidents highlight the fact that the current privacy and security framework may be unable to adequately address the next-generation Internet issues. Statistics Canada data shows that Canadians gravitate toward "higher value" Internet activities – e-government, e-commerce, and more active participation – as they become more experienced and comfortable with the online environment. In other words, there is a direct correlation between Internet confidence and the willingness to utilize the network for a broader range of activities. As millions of Canadians navigate through this learning curve, government must work with private sector groups and international partners to develop a domestic and global legal and policy framework that enhances confidence in the online medium.

Privacy: Empowering Canadians' Control over their Personal Information

Canada's private sector privacy legislation is generally consistent with international standards; however, Canadians still have concerns about the protection of their privacy. Identity theft has emerged as a major criminal activity, cross-border transfers of personal information have generated heated debate in the House of Commons, and even the federal privacy commissioner has found herself victimized by "pre-texters", who use impersonation techniques to capture personal information.

Although addressing these issues will require more than just domestic reform, the federal privacy law is a good place to start. Creating a mandatory security breach disclosure requirement, consistent with the approach of dozens of U.S. states that have mandated the disclosure of security breaches to individuals whose personal information has been placed at risk, is one obvious reform. Breach notification legislation provides individuals with the notice they need to mitigate the potential damage from identity theft, while simultaneously creating incentives for organizational privacy and security compliance.

Canada must also begin to address the growing concern over the outsourcing of personal information to non-Canadian organizations, particularly cross-border data flows to the United States. The result of such outsourcing is that Canadians' personal information is potentially subject to secret disclosure under U.S. laws, including the USA Patriot Act. Several provinces, including British Columbia, Quebec, and Nova Scotia, have taken steps to reduce the ability of U.S. authorities to compel secret disclosure. The federal government has yet to adopt similar statutory protections, fuelling concern that Canadian privacy law could be rendered meaningless in the face of U.S. law enforcement powers.

Canadian policy makers must also begin to consider whether our current legal framework can adequately address emerging technologies that may be ill-suited to the conventional opt-in/consent model. The widespread use of radio frequency identification devices, nanotechnology, and massive data warehouses that support new Web 2.0 services raise serious questions about the effectiveness of Canadian privacy legislation.

Governments also need to work with the private sector to develop identity management solutions that provide individuals with greater control over their personal information and online identities. As a rapidly growing medium for trade, commerce and communication, the Internet presents challenges that are less prevalent in the offline world, particularly in the domain of identity management. As a result, Canadian policy makers have focused on developing principles for electronic authentication, while many different systems have been developed to try to address the difficulty of securely identifying parties online. Leading initiatives include Microsoft's CardSpace system, which allows users to create their own identity profile with 15 different fields of identity-related information. The system also allows for a managed identity to be issued by a trusted provider such as a financial institution or employer for other types of transactions.

Open ID, a lightweight ID management system geared towards bloggers and other online discussion forums, is an open source solution with an estimated 75 million users on popular sites such as Technorati and LiveJournal. It provides a relatively seamless mechanism to manage personal identity in online environments without the need to create and use multiple login profiles for various sites. The need for Open ID-type solutions has been highlighted by the lack of interoperability between popular social networking sites, which means that Internet users are repeatedly required to re-enter their personal information for each new network they join and find that each network is effectively a "walled garden", where the benefits of the network are artificially limited by the inability to link a friend in Facebook with one in MySpace.

Some governments also play an active role in developing identity management solutions. For example, the South Korean government has created the i-Pin, which serves as a substitute for disclosing national ID information. Users typically may receive one after they are authenticated via credit card number, SMS message or by appearing in a government office. This number facilitates transactions online by authenticating a person's citizenship status without disclosing identifiers such as name, date of birth or gender.

Confronting Internet Harms: Spam, Phishing, Spyware, and Malware

More than two years ago, Canada's National Task Force on Spam presented then-Industry Minister David Emerson with its report on how Ottawa could assist in the fight against spam (I was a member of the Task Force). At that time, Canada was without a national anti-spam law and was considered to be among the top six sources of spam worldwide. Moreover, the divergent response from Canada's Internet service providers – some adopted aggressive action to block and filter spam, while others did little to stem the growing tide of spam leaving their networks – constituted an additional cause for concern. Observers can almost be forgiven for believing that the spam problem has largely disappeared. Spam filters have become increasingly effective in limiting the amount of spam that lands in users' inboxes, while Canadian ISPs have become so good at blocking spam messages before they leave their networks that Canada is no longer featured on the "dirty dozen" list of top spamming countries.

Despite the successes on the technical front, first impressions can be deceiving. Global spam volume continues to increase, with recent surveys indicating that 80 percent of all e-mail is now spam. Spam has also become far more dangerous as many messages secretly contain viruses or other hidden programs that can unwittingly turn ordinary Internet users with broadband connections into large-scale spammers. Spammers have compounded the problem by branching out beyond traditional unsolicited commercial email. Millions of blogs have been hit with spam postings known as "splog", Internet telephony is facing a growing spam problem referred to as "spit", and phishing emails, which deceptively send users to phony websites in order to extract personal information, are credited with being responsible for hundreds of incidents of identity theft.

The cumulative effect of this activity can be devastating to consumer and business confidence as doubts grow about the legitimacy of online commerce and promised economic efficiencies are eroded by bandwidth clogged with unwanted email traffic. For example, a 2005 Gartner study found that 80 percent of those surveyed said online attacks have affected their trust in e-mail from companies or individuals they don't know personally. Of these consumers, more than 85 percent delete suspect e-mail without opening it, a practice that has serious implications for banks and companies that want to use the e-mail channel to communicate more cost-effectively with customers. Moreover, there are significant costs involved as ISPs face mounting fees – many presumably passed along to consumers – to handle growing spam volumes and to deploy anti-spam filtering technologies.

Unfortunately, the Canadian legal framework has failed to keep pace with the new spam-related concerns. While Canada stands pat, many countries, including New Zealand, Hong Kong, and Japan, have introduced new anti-spam laws that address spam, phishing, and spyware. The need for such laws has become particularly important in light of the growing emphasis on cross-border Internet harm enforcement. Spammers and phishers regularly use computers in several countries to send their email and attempt to hide their tracks by routing their profits through multiple jurisdictions. While Canada has participated in the global dialogue on enforcement, the absence of a comprehensive law could hamper authorities' ability to pursue spamming, phishing, and spyware activity that features a Canadian component.

Toward An Effective Cyber-Security Framework

In the aftermath of the events of 9-11, all governments moved rapidly to assess their national security needs. The Canadian assessment led to a report entitled Securing an Open Society: Canada's National Security Policy. Touted as the first document of its kind, it featured a detailed plan for addressing future security threats. The report specifically identified cyber-security as a critical infrastructure issue, noting that "the threat of cyber-attacks is real, and the consequences of such attacks can be severe." The report committed to substantially improving Canada's analysis of the vulnerability of Internet infrastructures as well as to strengthening its ability to defend its networks and to respond to cyber-attacks.

The concerns associated with cyber-attacks were heightened by the recent Estonian incident, which paralyzed the country's online banking and information infrastructure. Moreover, Google recently estimated that out of the 4.5 million web pages, 700,000 contain malicious code that could compromise an information system and 450,000 of these sites are capable of launching malicious downloads. Many countries have responded to these threats with new legislation. For example, Germany has enacted anti-cybercrime legislation that defines hacking as penetrating a computer security system and gaining access to secure data, without necessarily stealing it. Offenders are defined as any individual or group that intentionally creates, spreads, or purchases hacker tools designed for illegal purposes.

It is clearly essential that the development of a cyber-security infrastructure generate confidence from all stakeholders by including representation from both privacy and civil liberties groups. Security is a critical value, yet it must be imbued with full respect for the privacy and civil liberty rights of all Canadians. Indeed, revelations of widespread telephone communications surveillance in the United States – frequently with the active, secret participation of telecommunications companies – have provided ample evidence of the danger of focusing on security without counterbalancing with a privacy and civil liberties perspective.

Moreover, prioritizing cyber-security should not be viewed as an easy mechanism to promote the "lawful access" agenda, which may include requiring Internet service providers to install new interception capabilities into their systems with capabilities of capturing data and identifying specific subscriber activities. Provisions that increase surveillance activities may actually undermine Canadians' confidence by leading to fears of unwanted snooping without appropriate oversight.