2000 Conferences

6th CACR Information Security Workshop
1st Annual Privacy and Security Workshop

Conference Chair
Mike Gurski, Information & Privacy Commission, Ontario

Conference Chair Bio
Mike Gurski is the Senior Policy and Technology Advisor for the Information Privacy Commission of Ontario. Mike has published articles on e-mail encryption and P3P (Platform for Privacy Preferences), a privacy specification for the Web, as well as papers on Privacy Design Principles and Privacy Impact Assessments for Integrated Justice Technology Systems. This was done in partnership with the United States Justice Department's Office of Justice Programs. Mike also consults with the Ontario Government on their Enterprise Information Architecture, Public Key Infrastructure Initiatives and Smart Card Project. Mike is also a member of the Policy Outreach Group, the World Wide Consortium that is implementing the P3P initiative.

Mike is a frequent speaker on privacy issues and most recently developed and gave privacy lectures to the Ivey Business School at Western.

Before joining the Information and Privacy Commission he held senior policy positions in Management Board Secretariat and Community and Social Services, where he developed government policy for Young Offenders and natives. Most recently Mike managed technology projects, including software design and database development and management, for Ontario Works, the government's Welfare program. Mike holds degrees in English and Architecture and enjoys cycling through France or exploring pre-Celtic megalithic Architecture in Ireland.

Opening Remarks

Welcome and Thank-you

I would like to thank the Center for Applied Cryptography, especially Alfred Menezes, Frances Hannigan, and Sherry Shannon from SVI Consulting, for making this conference possible. I would also like to thank the Speakers, who have donated their time, energy and expertise to lead us in a series of involved discussions. I would like to thank the team, Mike Knowles, Karen Spector and Pasha Peroff, who worked with me to organize this event, as well as Ann Cavoukian, the Information and Privacy Commissioner, for her on-going support. Lastly, I would like to thank all the attendees, for your interest and your participation. After all, this day is about learning and the sharing of ideas, so thank you for taking the time out of your busy schedules to join us here today.

What this conference hopes to achieve

A few years ago now, Doris Lessing, noted author and social critic, gave a series of lectures here at the University of Toronto that was broadcast on the CBC Radio show Ideas. Lessing's Massey Lecture series, entitled The Prisons we Choose to Live Inside, explored our capacity to doublethink around difficult truths, the universality of gravity to pull most things down to the lowest common denominator and society's penchant for acceptance. Haunting tales of racism, totalitarianism and our desire to, at times, act as apologists for these inhumanities, or worse, choose to live within them, sprinkle her lecture series. Her predominantly dark work stands in stark contrast with the happy acolytes of the Internet and e-commerce boosters. This is a world holding to the truth that technology can and will solve the problem or at least create an IPO opportunity.

Yet the early warm glow of the Internet has been doused. The days when the magazine Internet World had articles on online museums and libraries have vanished. The Internet, once a government and academic tool, continues to shift to becoming a business apparatchik. The early rally cry that 'Information wants to be free' is all but laughable today. FreeNets have all but disappeared. Getting online costs money, getting information costs money, getting goods or services costs personal information. The emerging model of the Internet, if current trends are pushed to an extreme, will see a preponderance of Intranet sites with restricted access that require some form of digital identification to enter and cost money and personal information to gain service. The rest of the net will remain a public medium littered with DoubleClick clones that suck every piece of personal information possible from a person's activities on the Internet in return for low value service. A few Internet oxbows will remain that echo the early Internet days but will be increasingly difficult to find through search engines. Why? Nullus Pretii.

It doesn't have to be that way. As Lessing suggests in her lectures, we can choose. That choice comes down to the code we write and the policies we adopt. It comes down to the choices we make. But it is not that simple. Individuals acting alone take on the tragic character of Sisyphus, repeatedly pushing the boulder up the hill and making no progress against much greater and often unseen forces. Those unseen forces are the critical mass of code development, which has been centralized into code building powerhouses like Microsoft. The hardware developers have consolidated as well into powerhouses like Intel, Cisco and Nortel. Then there are the content providers and carriers like AOL/Time/Warner and AT&T. Granted, many of these organizations are placing privacy on their radar screen as an issue to be managed, but to believe that this critical mass of self-defined 'solution providers' has privacy at its heart would surely stretch one's imagination.

However, there is a light at the end of the tunnel. And holding that light are consumers, consumers skittish about doing business on-line, consumers voicing their privacy concerns in survey after survey. But consumers are not willing to pay to protect their privacy. Thus, the power of that light, in terms of privacy, remains a critical question.

Consumer privacy concerns have been likened to a lake a hundred miles wide and an inch deep. Witness Zero Knowledge's attempt to sell an Internet pseudonymiser. Forget that a number of countries banned access to Web surfers emanating from a Freedom server. According to recent media articles people are just not willing to spend $49.95 (a year) for the privilege of privacy. The cost is too high. Part of the problem is that pseudonymity is a personal add-on not a default method of doing business on the Internet. The default architecture of the Internet is not privacy protective. This gets back to the critical mass, the powerhouses that strongly influence the standards of cyberspace and create the code.

A second problem is that the 21st century business model is shifting from selling goods to giving the goods away and selling the service. In other words the light at the end of the tunnel might be shining the wrong way. Soon we will no longer buy anything, we will rent the experience (whether a driving experience, a vacation experience or a sitting experience) and return the goods when we are done. Turning privacy and personal information into a commodity might be a laudable tactic to get the private sector to address privacy issues but it might also be doomed in a service-centric world.

So that is the challenge. In Doris Lessing's words, 'how can we change the prison?' First, Lessing would say, we need to become aware of the prison, how our vocabulary shapes our reality. Think of a person talking about sharing data as opposed to limits of data use and disclosure. They are two totally different discussions. We need to be aware of the inherent structure of our technology and the privacy implications.

Next comes taking action. Each of us in our respective organizations has opportunities to reach out and educate our colleagues and senior executives, to form or join associations to address privacy issues, to present solutions that protect privacy whether in biometrics, wireless technology, or public key infrastructures. This conference is an example of what can be done as a first step. We must also develop and use privacy enhancing tools, whether privacy impact assessments or privacy design principles or technology products like Zero Knowledge's pseudonymiser.

Finally, we must be strategic in our efforts. As Buckminster Fuller was fond of saying, if you try to change the course of a supertanker by pushing at the bow you will not see any change. If you push on the rudder your chances of changing the course of the supertanker are guaranteed, but the amount of energy needed is still prohibitive. To be the most effective we need to push on the trim tabs, those small fins on the end of the rudder; by moving them, the rudder in turn moves and the tanker makes its turn. To find the trim tabs of the technology environment we choose to live in is our task and the task of this conference. It must be our goal to move the trim tabs in the right direction in order to protect privacy.

Enjoy the Conference.