Interesting People mailing list archives

IP: notes from international data protection meeting


From: David Farber <farber () cis upenn edu>
Date: Sat, 05 Apr 1997 19:25:48 -0500

Date: Sat, 05 Apr 1997 16:50:03 -0500
To: farber () central cis upenn edu
From: Lorrie Faith Cranor <lorrie () research att com>


Dave,


Here are some notes on a meeting of data privacy commissioners I attended
that may be of interest to your IP readers... note esp. the parts
on the crypto statement and on the system China is building.


Lorrie Cranor






IWGDP21 NOTES


I am in Paris, having attended the 21st meeting of the International
Working Group on Data Protection in Telecommunications earlier this
week.  The Working Group meetings are held twice each year and are
attended by data protection commissioners (or officials with similar
responsibilities) from around the world.  Other people are
periodically invited to give presentations and attend the meetings as
guests.  About 30 people attended this week's meeting.  Joel
Reidenberg and I were the only guests.  We had been invited to talk
about privacy enhancing applications of PICS.  Joel also gave the US
"country report" on recent developments in the US of interest to the
group, as the US had not sent a government representative (I believe
the US has sent a representative once in the history of the group).


I found the entire meeting fascinating.  Among the most interesting
things for me (besides the feedback from my own presentation) was the
discussion about and subsequent tabling of a draft statement AGAINST
ANY GOVERNMENTAL REGULATION OF ENCRYPTION.  Also, a presentation by
the Hong Kong commissioner, including an explanation of China's plans
to prevent cultural contamination from leaking in through the
Internet, was quite interesting.  I was also impressed with the vigor
with which the European representatives defended data privacy as a
fundamental human right.  At lunch I sat with several Europeans and
expressed skepticism that their countries would ever limit trade with
the US as a result of our almost non-existent data protection laws.
They were surprised that I was skeptical and responded that the US
sanctions countries that violate human rights, so we should not be
surprised to find ourselves sanctioned for such violations.  By the
end of the meeting I was left with the feeling that unless things
change soon in the US, the Europeans will eventually stand their
ground and make good on their threats -- even if it means limiting
trade with the US.  The Hong Kong commissioner also mentioned that he
has to compile a list of countries that comply with his country's data
protection laws -- the US is not likely to be on that list.  


More details on reaction to privacy-enhancing technologies, crypto,
and China below....






On Privacy-Enhancing Technologies:


The reaction to my presentation on privacy applications of PICS --
focusing on the Internet Privacy Working Group's efforts to develop a
Platform for Privacy Preferences (P3) -- was mostly positive.  Some
commissioners were very excited about the prospects of using
technology to help solve these sorts of problems.  Others remained
somewhat skeptical that the technology would actually work.  I don't
think any of the commissioners commented that it was a bad idea
(although some did not comment at all).  Some of the
concerns/suggestions/points raised:


- If the P3 vocabulary is to be useful globally, there needs to be
  input from outside the US.  Although PICS allows for the coexistence
  of many vocabularies, the feeling was that one global vocabulary would
  be preferable to independent US and non-US vocabularies.  In
  particular, in order to make the vocabulary useful outside the US, it
  must be able to express enough information for a person in a country
  with data protection laws to determine whether a Website complies with
  their country's laws.


- The European commissioners discussed the need for third parties who
  could vouch for the accuracy of self-labels about privacy, vouch for
  compliance with European laws, make sure that no information is
  transferred from a browser to a Website until a privacy negotiation
  has taken place and a mutually acceptable agreement is reached, etc.
  These parties need not be governmental organizations... any European
  company would do, as they would be bound by the European data
  protection laws themselves.  There was some enthusiasm expressed for
  proxy servers like the Anonymizer that would also help serve this role.


- Technical solutions also need some means of verification and
  accountability to back them up.  Privacy auditing is a step in the
  right direction, but one representative (I believe from the
  Netherlands) said that his experience has been that financial auditors
  don't know a thing about privacy and that if they are to be employed
  as privacy auditors they need to be properly trained.  (Question to
  the eTRUST folks... what sort of training are you doing for your
  financial auditors turned privacy auditors?)






On Crypto:


The Secretariat (from Berlin) presented a draft "Common Statement on
Cryptography" to the group.  Excerpts from the statement: 


"The International Working Group on Data Protection in
Telecommunications confirms its demand that for guaranteeing
confidentiality users of electronic telecommunications services should
have the opportunity to encrypt their messages on a level of their own
free choice.


"The prohibition of encrypting messages that is being discussed in
some countries goes against this principle.  It would not only hinder
citizens in looking after their human right to unobservable
communications, but also foster the abuse of telecommunications for
illegal purposes.  It could be bypassed at any time by those having
the technical and financial means, so that a prohibition would only
affect unsuspecting citizens.


"The [IWGDPT] doubts that a regulation of encryption facilities in
favour of the law enforcement agencies can contribute adequately to
fighting serious crimes.  An intrusion on telecommunications secrecy
for fighting less serious offences would be excessive anyway.  All the
measures that have been discussed (licensing of software, regulation
of import and export, deposit of keys, hardware back-doors like the
"clipper chip") would lead to a weaker protection, as these solutions
could also be used illegally.  They can be bypassed with sufficient
technical and financial means and could therefore be seen as a
contribution in favour of organized crime rather than to the fight
against it.


"Therefore Data Protection Commissioners in their respective countries
should take a stand against any governmental regulation of encryption."


Let me emphasize that this rather strong statement is a draft that will
not likely be approved in its current form.  While the Germans seemed
to be very supportive of it, representatives from several other
countries expressed concerns about signing onto such a strong
statement.  (And the French representatives refused to comment
altogether on the grounds that encryption policy is outside of the
domain of the French privacy commission.)  The discussion was tabled
and the commissioners were asked to think about the statement and
draft alternative statements that they are more comfortable with for
discussion at the IWGDPT's September meeting.






On Hong Kong and China:


The Hong Kong Privacy Commissioner for Personal Data, Stephen Lau,
presented a very optimistic picture of continued data protection in
Hong Kong.  He also mentioned that the Hong Kong government has
decided for now not to regulate Internet content in any way, but will
encourage self-regulatory and labeling approaches.  He noted that the
government does not view obscene materials on the Internet as a
serious problem because it is easily avoided by those who aren't
interested in it (and to date only 3 official complaints about obscene
content have been filed in Hong Kong).  He then went on to contrast
Hong Kong's policies with China's policies.  An article he distributed
from the IT Magazine contains an interesting description of the future
Chinese Internet (author is James Chu, CEO, China Internet
Corporation (Hong Kong) Ltd ... the article appears in both English
and Chinese... my copy seems to be missing the beginning of the
English version, including part of the title... the end of the title is
"in a borderless cyberspace").  Here are some excerpts from the
article that explain the plan marvelously.  You will have no problem
reading between the lines.


"Is it possible, then, to use the power of the Internet yet at the
same time avoid the bad side effects [cultural contamination] that
come with it?  I think so.


"All we need to do is to re-establish a border inside this borderless
cyberspace.  Or more specifically, create a "closed network" following
the model of CompuServe, America Online, or any one of the "on-line"
services.  The only difference is, our closed network will still use
the Internet technology and not a proprietary one.


"We will establish a "CICNet" inside China that is not connected to
the Internet except through designated gateways in Hong Kong or any
one of the major cities in China.  This CICNet does not necessarily
have to be just one network, but could be a combination of many
networks overlapping each other.


"The only distinction is, it is not connected to the Internet.  They
could definitely be connected to each other inside China.  Then the
question is, how can we pass information to and from the world?  The
answer is simple.  We will put all the information from China that is
needed by the world into a giant database in Hong Kong, which is
connected to the Internet.  We can set up the database in English so
that the world community can understand the content.


"At the same time, we can collect all the information that is needed
by China from the world community and put them into our giant database
in Beijing, in Chinese language so that all the users in China can
also understand the content.  ... Of course, all e-mail message can
go through our gateway in Hong Kong region unrestricted....


"By this design, we also solve the language barrier problem, and make
our network useful for all Chinese inside China.  If necessary, we can
even provide translation service for e-mails."




-----------------------------------------------------------------------
Lorrie Faith Cranor                             lorrie () research att com
Public Policy Research, AT&T Labs-Research                 908-582-7914
600 Mountain Ave., Room 2C-430A                        FAX 908-582-4113
Murray Hill, NJ 07974              http://www.research.att.com/~lorrie/

