Ontario's privacy commissioner to geeks: design for privacy!

Here's a one-hour video of a magnificent lecture from Dr Ann Cavoukian, Ontario's Information and Privacy Commissioner, to the University of Waterloo's Computer Science Club. The talk is called "Privacy by Design," and it charges technologists to build tools that minimize the collection and retention of personally identifying information, and to consider a complete, end-to-end framework for protecting user privacy. As Mitch Kapor said when he founded EFF, "architecture is politics" -- when you design tools with wiretappable elements, you invite wiretapping; when you design tools that retain user data, you invite identity thieves and overreaching subpoenas.

Cavoukian argues that privacy and security are not zero-sum, that privacy is just as important in the "post-9/11 world" as it was before, and that you don't need to give up one to get the other. She addresses specific privacy-protection computer science techniques, and cites Kim Cameron's wonderful Seven Laws of Identity (I wish Kim would approach trusted computing with the same skepticism that he brought to identity issues, but that doesn't take away from his excellent work there).

There's something incredibly refreshing about hearing a high-ranking government official say things like, "Privacy is integral to freedom. You cannot have a free and democratic society without privacy. When a state morphs from a democracy into a totalitarian regime, the first thread to unravel is privacy." Link (via /.)


  1. Just a clarification, Dr. Cavoukian is Ontario’s privacy commissioner, not Canada’s.

    It’s great to hear public servants talking good stuff, and let’s hope we hear some of this talk at the national level, not just the provincial level.

  2. Technological determinism is a two way street. I can be careful and mediate all of my communications with SSH, GPG, I2P, and other 3-letter strong cryptography tools, but then someone at last night’s party puts my picture all over Facebook and I’m screwed. Not to mention everyone either using Gmail or forwarding their other email addresses to Gmail unbeknownst to me. You have to be the Unabomber or Amish to stay off the grid of mass-surveillance these days.

    FOAF had its window of opportunity in the gap between the decline of Friendster and the rise of MyFace. Instead it suffers the same fate as Jabber and Ogg Vorbis: not cool/easy enough to persuade the AOLers to value privacy and freedom.

    “Give me convenience or give me death!”, I guess.

  3. All communication privacy is based on systems of trust, and 1hr into this lecture I see scant mention (nevermind justification) for why we should trust IBM and Microsoft to administer the keys to our identities. No explicit mention of how this relates to TCPA (Trusted Computing) especially Remote Attestation. No mention of VeriSign turning into a “lawful intercept” contractor for the NSA.

    At 1:01:48 the slide “Implications for users” is worrisome, as she seems to be pushing intrinsic “embedded” TC-like capabilities that make decisions about il/legitimate transmissions for us. “It’s already in Windows Vista…” IOW, you should only use computing technology that decides for you whether those shiny Citibank and QVC logos on your screen are real. Because that’s where all this is heading… preserving the automatic responses people have toward professional-looking trademarks and the gravitas of all the old shiny-shiny graphic art. Click on the pretty pictures in your email and don’t worry, because the big-league criminals are taking back junk mail from those faceless, PR-less, petty thieves.

    She admits that the process “started with Microsoft” (and now bringing in IBM), a prime TCPA mover. How cozy.

    I get the impression this woman isn’t even trying to do basic consumer education. What is so hard about teaching the following (has she or anyone reading this ever tried this with users?)…

    1) Learn the address bar and status bar! Mouseover and check links in web and email before clicking on them.

    2) Learn what a URL is, and pay particular attention to the domain name and SSL ‘lock’ status during any sensitive transaction. Is it the domain name that you want to talk with? Is it spelled correctly?

    3) Learn what a certificate represents, and how to handle a certificate warning. A locked page that is warning-free cannot be spoofed by a fourth-party.

    All phishing and pharming exploits are based on the assumption that the user will either A) click ‘OK’ on a certificate warning, or B) not scrutinize the address they are accessing. If the user is vigilant on only these TWO points, then data breach or spoofing is absolutely limited to the second party (e.g. Citibank) or the trusted third party (VeriSign).

    Dealing with the VeriSigns of the world adds ONE more step for the end-user (switching your browser’s CA setting). The CA question

    The “Privacy-Embedded 7 Laws” phrase seems like an oblique reference to the Three Laws of Asimovian robots.

    The biometrics advocacy is creepy, but ‘OK’ as long as it has unique passphrases and it’s not centralized by the government. How naive can one get? Having biometric info spread out among an array of Halliburtons, Carlisles, Blackwaters and Exxons is not the least bit encouraging. Private corporations are chartered by their host government and readily regurgitate and “EMBED” their databases whenever war is declared.

    OK, so those are all of my off-the-cuff concerns about Dr. Cavoukian’s presentation. OTOH, she mentioned a couple of security schemes and books that seem like they are worth reading time. That she wasn’t confident enough to chart or summarize their workings I take as a bad sign, however. And the suggestion to encrypt data and store identities (physically?) apart from the details is refreshing. Solidifying concepts like “secondary uses” and “information self-determination” is also a positive aspect of her speech. The brief history of privacy laws is nice.

    No hint of empowering citizens through extremely simple education is ominous coming from a privacy czar. It speaks of a reflexive preference not for privacy, but for corporate services.

  4. Burz, your thinking about “all you need to know” to prevent phishing is really naive. I guarantee there are many attacks which not even the most savvy user can detect.

    In terms of your other comments, I hope you’ll look further into what we are proposing. There is NO attempt by Microsoft or IBM to control your identity. In my work we are talking about a technology, sort of like http or tcp/ip, which allows you to control YOUR OWN identity – get identity from any place you want, including making it up just as you do when using user names and passwords.

    Further, we’ve put a lot of work into ensuring that “anonymous” identity is used unless there is some compelling reason to reveal anything.

    I’ve described what I’m trying to do here: http://www.identityblog.com in the Laws of Identity at the bottom right of the page. Please read the paper.

    I think you have Ann completely wrong, and it’s a shame. She’s a spunky fighter for your rights – and mine. Take a look at her record – what she’s actually accomplished. I really hope you are able to do as much.

    On the question of consumer DRM, I’m not a supporter of the type of thing we see today at all.

    I’ve been very frustrated – especially in having my downloads locked in one ghetto or another (e.g. itunes).

    I think this technology is just in its earliest phases, and is still pretty goofy.

    I think I would accept it if it could model what happens in the physical world better.

    For example, if I buy a CD, I can move it around, use it anywhere I want, lend it to my friends, resell it and so on. Any reasonable DRM would have to let us do the same things.

    If we could develop this kind of technology, with ZERO risk of invading privacy, I think it would balance out the rights of the artists better than is currently the case, and that they deserve that balance.

  5. Kim Cameron,

    I have provided a specific real-world regimen for end-user security (which admittedly addresses only Internet transmission). Please address the points of the regimen (as originally prescribed by the likes of W3C) or kindly keep your characterizations to yourself. If you have a valid technical critique/example (or even a social argument that explicitly shows the existing system to be unlearnable) then your labels like ‘naive’ may have some merit.

    OTOH if you cannot provide anything more than vague statements about supposed SSL exploitability, then I must start to consider whether the premise or motivation for the rest of your project is faulty or suspect. Your employer, Microsoft, desperately needs to justify its Windows business model by pushing Vista upgrades and reinforcing the fealty of PC OEMs by making massive hardware upgrades an endemic part of PC culture. That you did not disclose here your employment at MS doesn’t help that suspicion.

    As for Ann, I could well have her wrong. My original post was only a first impression from the hour+ that I watched her. Actually, I Googled and read a couple of items about her past work going back to the 90s: I still have not seen one case where user education (remember, empowerment) was on her agenda. Her ideal purveyor of privacy in the home would seem to be an ‘A+’ GeekSquad tech purveying shrinkwrapped active measures that keep the user passive, the natural extension of virus-scanner and DRM culture. Rights-management mirrors Privacy-management here, and your stated belief in an eventually-mature DRM kind of makes me wonder if Ann believes in DRM too?

    Where transmission security (anti-phishing and pharming) is concerned, there is no sexy angle, buzzword or entrenching self-interest for IT pros and enthusiasts in teaching people about the address bar, the certificate and the status bar. No status brands to pin our names to; No corporate appeal or resale commissions from all the stuff that ‘has’ to be (needlessly) replaced. So we generally don’t even think about passing on this basic info, and instead bloviate about MS, IBM, firewalls, anti-spyware, blacklists, whitelists, WPA, ECC, and hopefully for you Vista… a very mixed bag that all relies on dramatic acronyms and PR-reinforced buzzwords. MS feeds this culture of ignorance and reliance on boutique services, or “open” standards that are actually patent-encumbered. Push the ‘Vista technologies’ of your employer all you like, but I am not hopping on that ultimately disastrous bandwagon.

    The whole transmission side of this issue suffers from acute IT trade neurosis. Almost all of the MS-certified techs and about half of the computer science people I know cannot state how a user employs browser security except to say “look for the lock”. They don’t quite know what certificates are, or that they authenticate domains (not the proprietor or their level of ethics or legality… the domain; the other stuff are fundamentally personal ad-hoc decisions). Steve Jobs had the status bar turned off by default in Safari, while Negroponte had the address bar removed from XO Sugar… these bona-fide geniuses are sadly web-browser idiots and share in the neurosis. Their users either don’t know where they’re going, or don’t know where they are, and the icon-extremism of their browsers translates into a semantic brokenness/vulnerability. (We are all becoming addled in the environment of profound software market failure embodied by your monopolist employer.) Is it too much to ask that a user has to discern the difference between the cafepress.com store and something called thecoffeepress.com or even cofepress.com? You CAN’T protect people from having to discern URLs, or deciding just what personal info to give out on a case-by-case basis.

    Additionally, browsers already have integration with OS-administered keyrings. Make the keyring format portable, promote more enforcement of strong passwords and the argument for a special new identity protocol disappears.

    I have given your Ontario patron almost 1 hr. 15 min. IMO she is a humanities-based “expert” who exemplifies our failure in constant self-promoting buzztalk while rejecting an education + KISS philosophy. Neither you nor she can point out the supposed weakness of the existing tools except to strongly imply that users ought not to be bothered one iota learning extremely basic guidelines. Please reread your response’s first paragraph and realize it is YOUR burden to succinctly state what is wrong with the design of the existing (and largely unused) tools.

    Quite seriously: Prove your claim that a “human ceremony” (as you say in your paper) of user-checked domain + a passing certificate is in ANY way insecure outside of tangential issues like a compromised certificate authority or malware-infested (Windows) PC. Prove it.

    I think you cannot prove your security claims, and therefore your identity claims are suspect.

    As for the prospect of curing the IT neurosis, I must thank Cory Doctorow here. Every article and speech about the futility of DRM plants the seeds of awareness about other automatic systems that fundamentally misuse cryptography, based on absurd assumptions of what qualitative decisions can be made for us by a stew of automation + cultivated user ignorance. It is the main reason why I am drawn to his non-fiction writing.

    I wish I could be more positive about this. The datacenter proposals largely sound quite good. More secondary-storage encryption and best practices for sanitary handling of identifying info get a thumbs up. The neoliberal cant about self-regulating industry, about individuals being physically branded onto their keys while letting organizations (corps, govt etc) off the meathook… not so good. And let’s be honest, your questionable suggestions about SSL while pushing Vista functionality (for your undisclosed employer) is show-stoppingly crass: I await your answer on that.

  6. Here is an excerpt from a recent Steve Ballmer speech where he describes how Silverlight will be more-equal on Windows than on other platforms:

    “Mark’s gonna to show you… is gonna focus some on a couple of these themes. Is gonna show you a little bit of Silverlight, which talks to some of the next generation presentation and programming capabilities that we think we can do in a reach way, that is consistent, runs everywhere on the internet. It’ll be further enhanced… can be further enhanced if you wanna marry yourself to a… t..to Windows, which will provide a superset of Silverlight.”


    Lo and behold, we have MS systems architect Kim Cameron with yet another MS replacement for another common browsing fixture… this one having to do with authentication. Read Cameron’s website which basically states what is being sold here is Passport v2 (Vista CardSpace).

    Observe, we have Ballmer in the same speech above saying that Redhat will be made to pay for infringement of (undisclosed) MS patents, and hinting that patent trolls “like Eolas” ought to be encouraged to do the same to Linux vendors.

    Observe also, that Cameron is making an unsupported claim against the security of SSL certificates.


  7. Hi Burtz

    Where do I start? Well, Ann Cavoukian actually referred to me in the video as being from Microsoft. I thought you had watched the video. Cory Doctorow drove that point home implicitly in his comment about me. Finally, when I read people’s comments I often check for them in a search engine. I gave my name, and come up in Google on the first page whether you type Kim, Kim Cameron, or Cameron, so I’m not actually travelling incognito.

    I’d like you to read the Laws of Identity, which I wrote specifically so we could talk about things deeply, before getting into much more detail. If you still want to take the arguments made there apart, even after understanding them, I would find that interesting.

    Regarding your suggestion that I shouldn’t call your recipe for protection naive, let’s look at it.

    1) Learn the address bar and status bar! Mouseover and check links in web and email before clicking on them.

    —> there are techniques through which the evil site can overwrite the address bar and the status bar, so you have no idea what is going on beneath the pixels.

    2) Learn what a URL is, and pay particular attention to the domain name and SSL ‘lock’ status during any sensitive transaction. Is it the domain name that you want to talk with? Is it spelled correctly?

    —> there are all kinds of tricks that can be played with the URL. Even when it is intact, your DNS-to-IP mapping can be distorted by an attacker. Client-side JavaScript can cause all kinds of nice visual effects I will leave to your imagination; cross-site scripting attacks mean even if you use a certificate and land at the right site, buried frames may continue to be able to do nefarious things under your identity, and so on. These are all attacks that are seen regularly. Your recipe would leave you totally vulnerable.

    3) Learn what a certificate represents, and how to handle a certificate warning. A locked page that is warning-free cannot be spoofed by a fourth-party.

    Burz, the lock symbol can be painted on your screen by a sufficiently cogent attacker. The certificate dialog can be faked – how would you know the difference?

    You are passionate and that is great, but you need to look more deeply at these things. I don’t say that in a condescending way – I’m inviting you to get more involved.

    The user interfaces are still confusing enough that very capable engineers can be tricked into doing things like installing rogue certificates, in which case all bets are off.

    Basically, if you look into my Laws paper, you’ll see a discussion of the fact that we need to have a clearer and more “noise-free” connection with the thought processes of the user before all the fine security properties of SSL matter one iota – currently we protect the 4000 miles between a computer and a distant server, but don’t protect the last two feet between the user and his computer. This requires new ways of thinking, new metaphors. That’s what my work is about, with the proviso that nothing we do to solve these problems should diminish user control or decrease the privacy of the user.

    Anyway, I’ve got to go on to other issues, but invite you to look into this further.
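The two commenters above argue over whether "check the domain name and the lock" is a usable ceremony. The following is an added example, not code from the post or from either commenter, that makes the defender's side of that advice concrete: it takes the domain a user intends to reach and reports the ways a URL can fail to be that domain (wrong scheme, userinfo before the real host, raw IP literals, a registered domain that merely contains the expected name as a label, near-miss spellings such as cofepress.com, and punycode hosts that display as accented or mixed-script names). The allowlisted domain and all sample URLs are constructed for illustration; `registered_domain` is a deliberately naive "last two labels" rule (no public-suffix list), so names under suffixes like .co.uk are an assumption it does not handle.

```python
# Added example (not from the original page): a defender-side URL checker that
# turns "learn what a URL is" into an explicit list of checks. All sample
# domains below are constructed for illustration.
import ipaddress
import unicodedata
from urllib.parse import urlsplit


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance, used to flag near-miss registered domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registered_domain(host: str) -> str:
    """Last two labels of the host. Assumption: no public-suffix list, so
    multi-label suffixes such as .co.uk are NOT handled correctly here."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_url(url: str, expected: str) -> dict:
    """Compare a URL against the registered domain the user intends to reach.

    verdict is "match", "lookalike" or "mismatch"; findings lists every
    reason for suspicion; ok is True only for a clean https match.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""  # urlsplit drops userinfo/port and lowercases
    findings = []

    if parts.scheme != "https":
        findings.append("scheme is %s, not https: no certificate binds this host"
                        % (parts.scheme or "missing"))
    if parts.username is not None:
        findings.append("userinfo %r precedes the real host" % parts.username)
    try:
        ipaddress.ip_address(host)
        findings.append("host is a raw IP address, not a domain name")
    except ValueError:
        pass
    # Punycode labels decode to the Unicode name the user would actually see;
    # report which scripts the letters come from so mixed-script names stand out.
    if any(label.startswith("xn--") for label in host.split(".")):
        shown = host.encode("ascii").decode("idna")
        scripts = {unicodedata.name(c, "?").split()[0] for c in shown if c.isalpha()}
        findings.append("IDN host displays as %r (scripts: %s)"
                        % (shown, ", ".join(sorted(scripts))))
        host = shown

    registered = registered_domain(host)
    if registered == expected:
        verdict = "match"
    elif expected in host:
        verdict = "mismatch"
        findings.append("%r appears as a label but the registered domain is %r"
                        % (expected, registered))
    elif levenshtein(registered, expected) <= 2:
        verdict = "lookalike"
        findings.append("%r is within 2 edits of %r" % (registered, expected))
    else:
        verdict = "mismatch"

    return {"host": host, "registered": registered, "verdict": verdict,
            "findings": findings, "ok": verdict == "match" and not findings}


if __name__ == "__main__":
    for sample in ["https://www.cafepress.com/store",
                   "https://cafepress.com.evil.example/login",
                   "https://cafepress.com@evil.example/",
                   "https://cofepress.com/",
                   "https://" + "cafépress.com".encode("idna").decode("ascii") + "/"]:
        print(sample, "->", check_url(sample, "cafepress.com"))
```

The point the example makes for the thread is that most of these findings are visible in the address bar to a user who knows what to look for, but only the scheme, the userinfo trick and the registered-domain rule are mechanical; the lookalike and IDN cases still come down to the human reading the name, which is exactly the part each side of the argument weighs differently.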



  8. Your apparent lack of understanding with regard to the basic (though admittedly widely misunderstood) Internet precept of SSL encryption is troubling.

    “there are techniques through which the evil site can overwrite the address bar and the status bar, so you have no idea what is going on beneath the pixels.”

    So your argument relies on in-browser implementation bugs? But that argument leaves your approach in the same boat, doesn’t it? Well, nice try.

    Tell me Kim, can you even cite a known exploit?

    How can an attacker ‘distort’ an IP mapping if the user follows the basic security steps I outlined? I have dug around for information on this, and all the exploits I found relied on the user dismissing the certificate warning that would necessarily appear. ARP cache poisoning and MITM simply do not work against users that heed both certificate warnings and the domain.

    How can the certificate dialog be “faked” when it isn’t even in the interest of an attacker to display one?! As for fake certificates, those appear as warning dialogs and the best that attackers have been able to do is issue the certificate to themselves… clearly visible to the user.

    You still have not addressed the burden of proof I laid out earlier with regard to your quite serious claim. There must be some sort of studies an expert like you would have at hand…

  9. Burtz, your “scummy” line speaks even more badly of you than your lack of understanding of the issues.

    I’ve tried to get through to you. Perhaps time will help.

  10. The ‘issues’ being only what you have framed in your paper, apparently.

    Look, you’ve had several chances to back up your claim. But I seem to have caught you in a fundamental error (or lie), spreading FUD about essential web infrastructure.

    I don’t see why anyone should take your identity proposals seriously if your statements about SSL are incorrect.
