IWGDPT21 Notes

Lorrie Faith Cranor (lorrie@research.att.com)
4 April 1997

I am in Paris, having attended the 21st meeting of the International Working Group on Data Protection in Telecommunications earlier this week. The Working Group meetings are held twice each year and are attended by data protection commissioners (or officials with similar responsibilities) from around the world. Other people are periodically invited to give presentations and attend the meetings as guests. About 30 people attended this week's meeting. Joel Reidenberg and I were the only guests. We had been invited to talk about privacy enhancing applications of PICS. Joel also gave the US "country report" on recent developments in the US of interest to the group, as the US had not sent a government representative (I believe the US has sent a representative once in the history of the group).

I found the entire meeting fascinating. Among the most interesting things for me (besides the feedback from my own presentation) was the discussion about and subsequent tabling of a draft statement AGAINST ANY GOVERNMENTAL REGULATION OF ENCRYPTION. Also, a presentation by the Hong Kong commissioner, including an explanation of China's plans to prevent cultural contamination from leaking in through the Internet, was quite interesting. I was also impressed with the vigor with which the European representatives defended data privacy as a fundamental human right. At lunch I sat with several Europeans and expressed skepticism that their countries would ever limit trade with the US as a result of our almost non-existent data protection laws. They were surprised that I was skeptical and responded that the US sanctions countries that violate human rights, so we should not be surprised to find ourselves sanctioned for such violations. By the end of the meeting I was left with the feeling that unless things change soon in the US, the Europeans will eventually stand their ground and make good on their threats -- even if it means limiting trade with the US. The Hong Kong commissioner also mentioned that he has to compile a list of countries that comply with his country's data protection laws -- the US is not likely to be on that list.

More details on reaction to privacy-enhancing technologies, crypto, and China below....

On Privacy-Enhancing Technologies:

The reaction to my presentation on privacy applications of PICS -- focusing on the Internet Privacy Working Group's efforts to develop a Platform for Privacy Preferences (P3) -- was mostly positive. Some commissioners were very excited about the prospects of using technology to help solve these sorts of problems. Others remained somewhat skeptical that the technology would actually work. I don't think any of the commissioners commented that it was a bad idea (although some did not comment at all). Some of the concerns/suggestions/points raised:

• If the P3 vocabulary is to be useful globally, there needs to be input from outside the US. Although PICS allows for the coexistence of many vocabularies, the feeling was that one global vocabulary would be preferable to independent US and non-US vocabularies. In particular, in order to make the vocabulary useful outside the US, it must be able to express enough information for a person in a country with data protection laws to determine whether a Website complies with their country's laws.

• The European commissioners discussed the need for third parties who could vouch for the accuracy of self-labels about privacy, vouch for compliance with European laws, make sure that no information is transferred from a browser to a Website until a privacy negotiation has taken place and a mutually acceptable agreement is reached, etc. These parties need not be governmental organizations... any European company would do, as they would be bound by the European data protection laws themselves. There was some enthusiasm expressed for proxy servers like the Anonymizer that would also help serve this role.

• Technical solutions also need some means of verification and accountability to back them up. Privacy auditing is a step in the right direction, but one representative (I believe from the Netherlands) said that his experience has been that financial auditors don't know a thing about privacy and that if they are to be employed as privacy auditors they need to be properly trained. (Question to the eTRUST folks... what sort of training are you doing for your financial auditors turned privacy auditors?)

On Crypto:

The Secretariat (from Berlin) presented a draft "Common Statement on Cryptography" to the group. Excerpts from the statement:

"The International Working Group on Data Protection in Telecommunications confirms its demand that for guaranteeing confidentiality users of electronic telecommunications services should have the opportunity to encrypt their messages on a level of their own free choice.

"The prohibition of encrypting messages that is being discussed in some countries goes against this principle. It would not only hinder citizens in looking after their human right to unobservable communications, but also foster the abuse of telecommunications for illegal purposes. It could be bypassed at any time by those having the technical and financial means, so that a prohibition would only affect unsuspecting citizens.

"The [IWGDPT] doubts that a regulation of encryption facilities in favour of the law enforcement agencies can contribute adequately to fighting serious crimes. An intrusion on telecommunications secrecy for fighting less serious offences would be excessive anyway. All the measures that have been discussed (licensing of software, regulation of import and export, deposit of keys, hardware back-doors like the "clipper chip") would lead to a weaker protection, as these solutions could also be used illegally. They can be bypassed with sufficient technical and financial means and could therefore be seen as a contribution in favour of organized crime rather than to the fight against it.

"Therefore Data Protection Commissioners in their respective countries should take a stand against any governmental regulation of encryption."

Let me emphasize that this rather strong statement is a draft that will not likely be approved in its current form. While the Germans seemed to be very supportive of it, representatives from several other countries expressed concerns about signing onto such a strong statement. (And the French representatives refused to comment all together on the grounds that encryption policy is outside of the domain of the French privacy commission.) The discussion was tabled and the commissioners were asked to think about the statement and draft alternative statements that they are more comfortable with for discussion at the IWGDPT's September meeting.

On Hong Kong and China:

The Hong Kong Privacy Commissioner for Personal Data, Stephen Lau, presented a very optimistic picture of continued data protection in Hong Kong. He also mentioned that the Hong Kong government has decided for now not to regulate Internet content in any way, but will encourage self-regulatory and labeling approaches. He noted that the government does not view obscene materials on the Internet as a serious problem because it is easily avoided by those who aren't interested in it (and to date only 3 official complaints about obscene content have been filed in Hong Kong). He then went on to contrast Hong Kong's policies with China's policies. An article he distributed from the IT Magazine contains an interesting description of the future Chinese Internet (author is James Chu, CEO, China Internet Corporation (Hong Kong) Ltd ... the article appears in both English and Chinese... my copy seems to be missing the beginning of the English version, including part of the title... the end of the title is "in a borderless cyberspace"). Here are some excerpts from the article that explain the plan marvelously. You will have no problem reading between the lines.

"Is it possible, then, to use the power of the Internet yet at the same time avoid the bad side effects [cultural contamination] that come with it? I think so.

"All we need to do is to re-establish a border inside this borderless cyberspace. Or more specifically, create a "closed network" following the model of CompuServe, America Online, or any one of the "on-line" services. The only difference is, our closed network will still use the Internet technology and not a proprietary one.

"We will establish a "CICNet" inside China that is not connected to the Internet except through designated gateways in Hong Kong or any one of the major cities in China. This CICNet does not necessarily have to be just one network, but could be a combination of many networks overlapping each other.

"The only distinction is, it is not connected to the Internet. They could definitely be connected to each other inside China. Then the question is, how can we pass information to and from the world? The answer is simple. We will put all the information from China that is needed by the world into a giant database in Hong Kong, which is connected to the Internet. We can set up the database in English so that the world community can understand the content.

"At the same time, we can collect all the information that is needed by China from the world community and put them into our giant database in Beijing, in Chinese language so that all the users in China can also understand the content. ... Of course, all e-mail message can go through our gateway in Hong Kong region unrestricted....

"By this design, we also solve the language barrier problem, and make our network useful for all Chinese inside China. If necessary, we can even provide translation service for e-mails."