6th CACR Information Security Workshop
1st Annual Privacy and Security Workshop
Mike Gurski, Information & Privacy Commission, Ontario
Conference Chair Bio
Mike Gurski is the Senior Policy and Technology Advisor for the Information
and Privacy Commission of Ontario. Mike has published articles on e-mail
encryption and P3P (Platform for Privacy Preferences), a privacy specification
for the Web, as well as papers on Privacy Design Principles and Privacy
Impact Assessments for Integrated Justice Technology Systems. This was done
in partnership with the United States Justice Department's Office of Justice
Programs. Mike also consults with the Ontario Government on their Enterprise
Information Architecture, Public Key Infrastructure Initiatives and Smart Card
Project. Mike is also a member of the Policy Outreach Group, the World Wide
Consortium that is implementing the P3P initiative.
Mike is a frequent speaker on privacy issues and most recently developed and
gave privacy lectures to the Ivey Business School at Western.
Before joining the Information and Privacy Commission he held senior policy
positions in Management Board Secretariat and Community and Social Services
where he developed government policy for Young Offenders and natives. Most
recently Mike managed technology projects, including software design and data
base development and management, for Ontario Works, the government's Welfare
program. Mike holds degrees in English and Architecture and enjoys cycling
through France or exploring pre-Celtic megalithic Architecture in Ireland.
Welcome and Thank-you
I would like to thank the Center for Applied Cryptography, especially Alfred
Menezes, Frances Hannigan, and Sherry Shannon from SVI Consulting, for making
this conference possible. I would also like to thank the Speakers, who have
donated their time, energy and expertise to lead us in a series of involved
discussions. I would like to thank the team, Mike Knowles, Karen Spector and
Pasha Peroff who worked with me to organize this event as well as Ann Cavoukian,
the Information and Privacy Commissioner, for her on-going support. Lastly, I
would like to thank all the attendees, for your interest and your participation.
After all, this day is about learning and the sharing of ideas, so thank you for
taking the time out of your busy schedules to join us here today.
What this conference hopes to achieve
A few years ago now, Doris Lessing, noted author and social critic, gave a series
of lectures here at the University of Toronto that was broadcast on the CBC
Radio show Ideas. Lessing's Massey Lecture series entitled, The Prisons we
Choose to Live Inside, explored our capacity to doublethink around difficult
truths, the universality of gravity to pull most things down to the lowest
common denominator and society's penchant for acceptance. Haunting tales of
racism, totalitarianism and our desire to, at times, act as apologists for these
inhumanities, or worse, choose to live within them, sprinkle her lecture series.
Her predominantly dark work stands in stark contrast with the happy acolytes of
the Internet and e-commerce boosters. This is a world holding to the truth that
technology can and will solve the problem or at least create an IPO opportunity.
Yet the early warm glow of the Internet has been doused. The days when the
magazine Internet World had articles on online museums and libraries have
vanished. The Internet, once a government and academic tool, continues to shift
to becoming a business apparatchik. The early rally cry that 'Information wants
to be free,' is all but laughable today. FreeNets have all but disappeared.
Getting online costs money, getting information costs money, getting goods or
services costs personal information. The emerging model of the Internet, if
current trends are pushed to an extreme, will see a preponderance of Intranet
sites with restricted access that require some form of digital identification to
enter and cost money and personal information to gain service. The rest of the
net will remain a public medium littered with DoubleClick clones that suck every
piece of personal information possible from a person's activities on the
Internet in return for low value service. A few Internet oxbows will remain that
echo the early Internet days but will be increasingly difficult to find through
search engines. Why? Nullus Pretii.
It doesn't have to be that way. As Lessing suggests in her lectures, we can
choose. That choice comes down to the code we write and the policies we adopt.
It comes down to the choices we make. But it is not that simple. Individuals
acting alone take on the tragic character of Sisyphus, repeatedly pushing the
boulder up the hill and making no progress against much greater and often unseen
forces. Those unseen forces are the critical mass of code development, which has
been centralized into code building powerhouses like Microsoft. The hardware
developers have consolidated as well into powerhouses like Intel, Cisco and
Nortel. Then there are the content providers and carriers like AOL/Time/Warner
and AT&T. Granted many of these organizations are placing privacy on their radar
screen as an issue to be managed, but to believe that this critical mass of
self-defined 'solution providers' has privacy at its heart would surely stretch
However, there is a light at the end of the tunnel. And holding that light are
consumers, consumers skittish about doing business on-line, consumers voicing
their privacy concerns in survey after survey. But consumers are not willing to
pay to protect their privacy. Thus, the power of that light, in terms of
privacy, remains a critical question.
Consumer privacy concerns have been likened to a lake a hundred miles wide and
an inch deep. Witness Zero Knowledge's attempt to sell an Internet
pseudonymiser. Forget that a number of countries banned access to Web surfers
emanating from a Freedom server. According to recent media articles people are
just not willing to spend $49.95 (a year) for the privilege of privacy. The cost
is too high. Part of the problem is that pseudonymity is a personal add-on not a
default method of doing business on the Internet. The default architecture of
the Internet is not privacy protective. This gets back to the critical mass, the
powerhouses that strongly influence the standards of cyberspace and create the
A second problem is that the 21st century business model is shifting from
selling goods to giving the goods away and selling the service. In other words
the light at the end of the tunnel might be shining the wrong way. Soon we will
no longer buy anything, we will rent the experience (whether a driving
experience, a vacation experience or a sitting experience) and return the goods
when we are done. Turning privacy and personal information into a commodity
might be a laudable tactic to get the private sector to address privacy issues
but it might also be doomed in a service-centric world.
So that is the challenge. In Doris Lessing's words, 'how can we change the
prison?' First, Lessing would say, we need to become aware of the prison, how
our vocabulary shapes our reality. Think of a person talking about sharing data
as opposed to limits of data use and disclosure. They are two totally different
discussions. We need to be aware of the inherent structure of our technology and
the privacy implications.
Next comes taking action. Each of us in our respective organizations has
opportunities to reach out and educate our colleagues and senior executives, to
form or join associations to address privacy issues, to present solutions that
protect privacy whether in biometrics, wireless technology, or public key
infrastructures. This conference is an example of what can be done as a first
step. We must also develop and use privacy enhancing tools, whether privacy
impact assessments or privacy design principles or technology products like Zero
Finally we must be strategic in our efforts. As Buckminster Fuller was fond of
saying, if you try to change the course of a supertanker by pushing at the bow
you will not see any change. If you push on the rudder your chances of changing
the course of the supertanker are guaranteed, but the amount of energy needed is
still prohibitive. To be the most effective we need to push on the trim tabs,
those small fins on the end of the rudder; by moving them, the rudder in turn
moves and the tanker makes its turn. To find the trim tabs of the technology
environment we choose to live in is our task and the task of this conference.
It must be our goal to move the trim tabs in the right direction in order to
Enjoy the Conference.