Privacy Law and Policy Reporter
The Australian Federal Privacy Commissioner has drafted Guidelines on the privacy implications for individuals of public key infrastructure (PKI). The ‘Draft PKI Privacy Guidelines’ contain many pro-privacy sentiments and useful suggestions toward privacy protection. However, they are flawed structurally as the status of the proposed Guidelines in relation to legal obligations remains ambiguous, because they are unrealistically narrow in scope and because the question of whether Guidelines alone could be sufficient is not addressed. They may be more dangerous than valuable if these matters are not addressed in the final version, because they will give people a false sense of security about the extent of legal protection of privacy in PKI.
This paper focuses on these fundamental questions, which may also be relevant to other Guidelines by the Commissioner. The Commissioner has not, at the time of writing, issued his final Guidelines and needs to address these fundamental issues.
The core of the problem lies in the fact that the Commissioner will issue the Guidelines under s 27(1)(e) of the Act, which allows the Privacy Commissioner:
(e) to prepare, and to publish in such manner as the Commissioner considers appropriate, guidelines for the avoidance of acts or practices of an agency or an organisation that may or might be interferences with the privacy of individuals or which may otherwise have any adverse effects on the privacy of individuals ...
The final ‘or’ gives the Commissioner two bases on which to issue s 27(1)(e) guidelines, but they are very different types of guidelines — as different as chalk and cheese.
Guidelines under the first limb of s 27(1)(e), to avoid acts or practices ‘that may or might be interferences with the privacy of individuals’, refer in a very technical way to practices that may breach the Privacy Act 1988 (Cth) and lead to remedies by breaching the s 14 Information Privacy Principles (IPPs) or, in the private sector context, the NPPs, or certain other legislative standards concerning tax file numbers (TFNs), credit information and so on. Only ‘an interference with the privacy of the individual’ may be the subject of a complaint to the Commissioner under s 36, or any of the remedies under the Act. Guidelines issued under this limb of s 27(1)(e) are therefore the Commissioner’s interpretations of what the IPPs or the NPPs require as a matter of law.
In contrast, Guidelines under the second limb of s 27(1)(e), to help avoid acts or practices ‘which may otherwise have any adverse effects on the privacy of individuals’, are merely the Com-missioner’s advice as to what he considers good practices. These Guidelines do not interpret the law, do not give a guide as to which acts or practices might breach the law, and can address privacy issues where there is no legislation at all on the subject.
The problem is that the Commissioner simply proposes to issue the PKI Privacy Guidelines under s 27(1)(e), without specifying whether any particular Guidelines is made under the first or second limb. He says the Guidelines are intended to give a ‘clear indication of the factors the Privacy Commissioner would consider if investigating a complaint about the use of PKI by an agency’, which implies they are made under the first limb (interpretation of the IPPs). However, this is thrown into doubt, for instance, by draft Guidelines such as Draft Guideline 2 which says that agencies should undertake a privacy impact assessment (PIA) before implementing PKI. This is no doubt good policy and sensible advice (as allowed under s 27(1)(e) second limb), but it is hard to see that the IPPs require PIAs as a matter of law.
Only one of the 10 Draft PKI Privacy Guidelines gives any indication as to which one or more of the 11 IPPs acts as a guideline, suggesting they are not really guidelines to the IPPs at all.
This deficiency, which the Commissioner’s Guidelines to the National Privacy Principles (NPPs) also share (but to lesser degree), makes it impossible to know what the Commissioner’s Guidelines are supposed to mean. Are they really his view of what the Guidelines mean as a matter of law (that is, what the courts will or would decide they mean)? Or are they merely his view of what would be good practice — perhaps in keeping with the spirit of the IPPs or NPPs? In short, are they a possible interpretation of the law, or wishful thinking? Their status as guidelines is ambiguous.
This is very important both for agencies or businesses that are deciding which of their practices must be changed, and for complainants trying to decide whether they should pursue their complaint. The interested public and policymakers, who are trying to decide whether Australia’s privacy laws provide sufficient protection or need amendment, will naturally turn to the Commissioner’s various Guidelines for guidance. Failure by the Commissioner to distinguish between the first and second limbs of s 27(1)(e) can easily give a very misleading impression that our laws are stronger than is the reality.
In this case, what we most need to know is the Commissioner’s view on the extent to which the s 14 IPPs do in fact provide sufficient privacy protection in relation to the development of public key infrastructure and Project Gatekeeper in particular. In other words, we need guidelines under the first limb of s 27(1)(e) so that we can see to what extent PKI is already under adequate legislative control. If the Commissioner then added some (clearly marked) ‘good practice’ guidelines under the second limb of s 27(1)(e), that may have a valuable persuasive effect in convincing agencies to protect privacy even more.
The Draft PKI Guidelines are not adequate to meet these needs.
One of the legitimate fears that people have about PKI is that they will be increasingly required to use digital signatures to verify their identity. If such requirements become routine, and people are able (or required, either de jure or de facto) to use the same digital signatures in dealings with numerous agencies and with private sector bodies, then a digital signature could come to resemble a cyberspace ID card.
The Commissioner must not ignore the fact that governments do set up surveillance systems ostensibly for one purpose with promises of limited scope, and then expand them into other areas once the infrastructure is already in place and individuals are captured as participants in the system. ‘Function creep’ and ‘the boiling frog syndrome’ are now terms in common usage. The clearest example close to home is the Federal Labor Government’s breach of its explicit promises that the TFN would only be used for tax purposes when it expropriated the TFN to use it as the basis of the data matching system for welfare, educational and other surveillance. Governments cannot and should not be trusted when it comes to personal information: that is why we have privacy laws and Privacy Commissioners.
The Draft PKI Privacy Guidelines recognise in principle that freedom to choose whether to use PKI should be an ‘essential element’ of privacy protection. However, the Commissioner does not state that there is any existing legal protection against people being required to use digital signatures if government policy required their use, and he does not recommend the creation of any such legal right.
In the Australian political context the only worthwhile privacy protection (short of constitutional protection) is one that requires legislation passed by both houses of Federal Parliament to remove it.
Unlike the NPPs, the IPPs do not have any explicit ‘anonymity principle’ which could be used to found a legal requirement that government agencies do not require people to use digital signatures in their dealings with government. It is difficult to see how the Collection Principles (IPPs 1-3) could be interpreted to provide such protection, and the Commissioner does not explain how. Gatekeeper Guidelines, or Gatekeeper accreditation requirements, are merely matters of government policy or contractual obligations imposed on suppliers, and can be changed overnight as a matter of government fiat. The dangers described above, and the need for a legislative guarantee against compulsory PKI, have been stressed regularly by Australian commentators since 1996, and pressed ad nauseam in Gatekeeper committee meetings by public interest representatives.
The Commissioner does not even consider the recommendation of legislation as one of the options before him in this PKI exercise. The need for this has been raised at meetings prior to the Draft PKI Privacy Guidelines being issued.
Can the Commissioner recommend legislation? The Commissioner’s explicit powers to make recommendations concerning the need for new legislation to protect privacy are stated in s 27(1)(b):
(b) to examine (with or without a request from a Minister) a proposed enactment that would require or authorise acts or practices of an agency or organisation that might, in the absence of the enactment, be interferences with the privacy of individuals or which may otherwise have any adverse effects on the privacy of individuals and to ensure that any adverse effects of such proposed enactment on the privacy of individuals are minimised ...
These powers only refer to recommendations being made in the context of ‘a proposed enactment’, and no proposed legislation concerning PKI is currently being considered by the Commissioner.
Nevertheless, it is well within the Commissioner’s powers to make Guidelines for him to state that any Guidelines he makes will be of limited effect without legislative changes to address other matters that his Guidelines cannot touch. I suggest that it is also his responsibility to do so, because otherwise his Guidelines can give the misleading impression that he considers them adequate to deal with a problem when he knows they are not.
The Draft PKI Guidelines focus only on the use of digital signatures by agencies, and not on ‘the application and registration processes for digital certificates and the associated trust framework including public key directories and Certificate Revocation Lists (CRLs)’. This is because, the Commissioner says, agencies will only be involved in these latter two areas where they act as certification authorities (CAs) or registration authorities (RAs) or have a contract for service provision with a CA or RA.
This is a rather narrow approach because many agencies will have such service provision contracts. It also ignores the fact that the same digital signatures are likely to be used by both private sector organisations and agencies, because of initiatives such as the cross-recognition of certificates between agencies and banks under the banks’ Project Angus. It is also the case that some agencies, particularly investigative agencies, will disrupt the normal ‘trust frameworks’ of digital signatures by the exercise of their powers to demand information (for example from CRLs), some of which demands are controlled by the IPPs and NPPs (and therefore subject to Guidelines by the Commissioner).
The Commissioner has powers to issue Guidelines which interpret the whole of the privacy protection currently available in relation to issuing, use and trust frameworks of digital signatures, both in relation to agencies (IPP guidelines) and the private sector (NPP guidelines). While it is difficult for the Commissioner to cover everything at once, PKI is an area where the value of Guidelines merely for use of digital signatures by agencies will give a false sense of security unless they are seen in the context of a full understanding of the privacy implications of the issue of digital signatures and the trust frameworks in which they operate. The Commissioner should, at the very least, explain this limitation and propose to issue further guidelines to complete the task.
These brief comments assume the more fundamental criticisms above. The Commissioner’s 10 Draft Guidelines are contained in the table opposite.
Although the Commissioner says that ‘[T]his Guideline will ensure that agency clients would have a choice over whether to use PKI for their online transactions’ and is very strong in supporting this as an ‘essential element’ of privacy protection, the fact is that this Guideline alone will do nothing. No explanation is given as to how this Guideline could possibly be supportable as an interpretation of the collection principles in the IPPs (which seems the only possible, if completely unlikely, basis of support).
If freedom of choice to use PKI is essential, why is there no need for it to have legislative guarantees?
Good policy, but hard to see it has any legislative support.
It is hard to see how ‘an appropriate level [of identification can] be left entirely to each agency’ given IPPs 1-3 requiring minimum collection.
This valuable prohibition can probably be justified under the IPPs, but this needs explanation.
Good policy, and if the IPPs justify this requirement, then in some cases this may override an agency’s own evidence of identity (EOI) requirements (if they are excessive) or ‘Gatekeeper standards’ (if they are excessive). The unresolved question, as usual, is what do the IPPs require?
The suggestion that ‘[T]his Guideline should prevent any development of a single certificate as a national identifier’ is a valuable goal, but needs to be backed up with explanation of how the IPPs can require agencies to avoid such a development.
When is subscriber generation of keys ‘possible and appropriate’? This is what we need guidelines to tell us.
Why doesn’t the Commissioner say that (if this is adopted) Gatekeeper should not proceed until there is a subscriber generation product on the endorsed products list?
It is not enough for the Commissioner to say that ‘subscriber agreements should specify who bears the privacy risk’ as this gives agencies all control over risk allocation. The Commissioner’s job is to define fair risk allocation in relation to privacy.
The Commissioner should consider ‘opt in’ not just ‘opt out’ by consumers in relation to publication, and at least explain why opt out is appropriate here.
Guidelines should also be firmer that when publication of directories is not necessary, it should not occur.
This Guideline merely poses the question, whereas it should give the answer (in general terms) as to when ‘logging is required for system maintenance or evidentiary purposes’.
Similarly, this Guideline merely poses the question, rather than giving some general guidance as to when it is ‘appropriate’ for agencies to provide pseudonymous or anonymous means of PKI. v
Graham Greenleaf, General Editor.
 Federal Privacy Commissioner (Australia) Privacy Issues in the Use of Public Key Infrastructure for Individuals and Possible Guidelines for Handling Privacy Issues in the Use of PKI for Individuals by Commonwealth agencies June 2001 (submissions closed 27 July 2001).
 This paper was originally a submission to the Commissioner in July 2001.
 See Privacy Act 1988 (Cth) Pt III Div 1 — Interferences with privacy, particularly s 13 (regarding IPPs) and s 13A (regarding NPPs). Section 13F states ‘[a]n act or practice that is not covered by s 13 or s 13A is not an interference with the privacy of an individual’.
 The Commissioner may be cautious (or, as I have called it, ‘robust’) in that he may choose to issue Guidelines recommending ‘best practices’ in order to avoid any doubt whether a Guideline is sufficient to comply with a NPP. This is one way of looking at his ‘robust’ NPP Guidelines.
 Draft PKI Privacy Guidelines, Preface ‘Possible privacy guidelines’.
 Draft PKI Privacy Guidelines, Chapter 2.
 Draft Guidelines 3 — ‘consistent with IPP 1’.
 Since the original version of this paper was submitted to the Commissioner in July 2001, the Commissioner’s Guidelines to the NPPs have gone from being a draft to a final version (September 2001), but the Guidelines are still simply stated to be ‘issued under s27(1)(e)’ with no further indication of what is meant.
 See Greenleaf G (2001) 8(1) PLPR 1.
 Draft PKI Privacy Guidelines, Chapter 2, Introduction.
 Clarke R ‘Conventional public key infrastructure: an artefact ill-fitted to the needs of the information society’ (2000) Euro Conf in Inf Syst (ECIS 2001) Bled Slovenia 27-29 June 2001, available at <www.anu.edu.au/people/Roger.Clarke/II/PKIMisFit.html>. Greenleaf G ‘Gatekeeper leaves the door ajar on privacy’ (1998) 5(1) PLPR. Greenleaf G and Clarke R ‘Privacy implications of digital signatures’ (1997) IBC Conference on digital signatures, Sydney March 1997, available at <www.anu.edu.au/people/Roger.Clarke/DV/DigSig.html>. These papers are not included in the Commissioner’s list of secondary sources (Draft PKI Privacy Guidelines, Appendix 9), and nor is anything else critical of PKI.
 Graham Greenleaf in 1998-99, Roger Clarke in 1999-2000, and Tim Dixon since 2001.
 Draft PKI Privacy Guidelines, Preface ‘Possible privacy guidelines’.
 Meeting between Privacy Commissioner and Privacy Advocates, May 2001.
 Draft PKI Privacy Guidelines, Preface ‘Possible Privacy Guidelines’.
 See <www.govonline.gov.au/projects/publickey/abn%2Ddsc%2Dangus.htm>.