
Government of Canada's

Legal and Policy Framework for

Government On-Line

Rhonda Lazarus[1]

It seems to be the goal of every government to be the "most connected" in the world, and the Government of Canada is no exception. The federal Government's intention to become the country the most electronically connected to its citizens was announced by the Prime Minister in 1999,[2] giving departments their marching orders and a target date of 2004. The December 2001 Budget continued to support the Government On-Line (GOL) initiative and extended the deadline to 2005.

GOL is being implemented through an iterative, staged approach. The first stage obliged departments to establish a presence on the Internet. As most departments already had a web-site of some sort, this objective was quickly accomplished and just as quickly declared a success.

The second and third stages are of a more interactive nature, and are proving to be more of a challenge. Departments are directed to make their key services available on-line, going beyond simply making Government forms available on-line, to making it possible to complete and submit them on-line, as well as to facilitating on-line inquiries.

The third stage involves collaborating and co-ordinating with others, including with other departments and programs within the Government of Canada, with other governments in Canada, other countries, and the private sector.

The overall objective of GOL is a "service vision" - the Government must use information and communications technology to enhance Canadians' access to improved citizen-centred, integrated services, "anytime, anywhere, and in the official language of their choice". This means that the Government needs to enhance its ability to provide services to citizens across different communications channels, and across programs, departments, jurisdictions, and sectors. It also means that work needs to be done across the Government to achieve those objectives, making federal services more available, accessible, and easier to find, while building public trust and confidence in federal electronic-service delivery.

This work is being led by the President of the Treasury Board, who has been declared champion of Government On-Line. The Government On-Line Project Management Office was established under the Chief Information Officer Branch, and has responsibility for co-ordinating the implementation, monitoring and reporting of GOL. It is responsible for "leading the development of horizontal enablers, consolidating the departments' and agencies' progress, issues, and successes, as well as reporting these to Ministers ...".

The work on GOL involves all departments and many disciplines within those departments, from the techies, to the lawyers, the policy-wonks, and ultimately to the decision-makers. Older work on electronic service-delivery has had to be revisited to determine its continued applicability and relevance, and new work is underway, as evident in the proliferation of policies, papers, programs, and laws that relate in some way to citizen-centric services in general, and to GOL in particular.

This paper is intended to describe that framework of laws, policy, and technology, in relation to a couple of GOL endeavours. The first relates to the security of electronic transactions with the Government; the second relates to the concept of "collaborations".

The Government of Canada is committed to public key encryption to secure electronic transactions where that level of security is required. The Government of Canada Public Key Infrastructure (PKI) is being implemented through the Secure Channel, which is a single secure channel for electronic communications being operated by Public Works and Government Services Canada through a contract with a consortium of service-providers. The Secure Channel project, and the first application to use it, are scheduled for launch this fall. It demonstrates the iterative and evolutionary nature of PKI and of the processes for developing PKI-enabled applications, all in a framework of law, policy and technology that must continually evolve and shift to meet the sometimes conflicting, and sometimes shifting, goals of the various stakeholders.

Similarly, the Government of Canada is seeking ways to collaborate and cluster with others which, in an on-line environment, challenges and tests existing governance and policy frameworks.

There is no "Government On-Line Act" of Canada. GOL is situated within a complex and sometimes confusing framework of laws of general application, including the Personal Information Protection and Electronic Documents Act; departmental and program-specific legislation; Treasury Board policies - of which there are many; common law and jurisprudence; and other legal arrangements and Department of Justice legal opinions. It is hoped that this paper will give some guidance through that maze.


Contents:

A. Public Key Infrastructure
- GoC PKI Update
- Interoperation
  - internal cross-certification
  - external cross-certification
  - the future
- Secure Channel - the first app
  - Secure Channel and Epass
  - Privacy Impact Assessment

B. Personal Information Protection and Electronic Documents Act Update

C. On-Line Collaborations with the GoC
- some types of internet collaborations
- applicable laws and policies

D. Other - a Few Loose Threads
- Government On-Line Procurement Strategy
- GOL Checklist of Legal Issues
- Retention of Digitally Signed and Encrypted Documents

E. Acronyms


A. Public Key Infrastructure[3]

Much has been said about the complexity and difficulty of implementing public key technology. It is all true. The GoC PKI project has been under development for over 5 years, involving over 300 people across the Government of Canada. Progress has been made over the years, with directions and strategies undergoing several re-alignments.

GoC PKI Update

New GOL Certificate Policies[4]:

The Policy on Public Key Infrastructure Management in the Government of Canada, called the "PKI Policy",[5] was approved by the Treasury Board in May of 1999, and the Policy Management Authority (the PMA) approved the Government of Canada Certificate Policies (GoC CPs).[6] Those Certificate Policies were "model" CPs, drafted with the hope that departments and others would adopt them and, in fact, they have done so.

This year, the PMA has for approval a new set of Certificate Policies designed specifically for Government On-Line and Secure Channel. These new CPs reflect three facets in the evolution of the GoC PKI. The first is simply the fact that departments have acquired some experience in implementing PKI for their programs, and have identified some things that they perceived as interfering with that implementation, as well as with the take-up of PKI by citizens and businesses outside of the Government.

The second is the decision to offer GOL services through a single central Certification Authority offered by the Secure Channel.

The third is the acquisition of a license for a new PKI technology which has features different from the technology upon which the earlier CPs were drafted.

i. Single Central Certification Authority. The old GoC CPs were drafted to be adopted by the Canadian Central Facility (the GoC Bridge CA) and to act as the baseline against which other CPs would be measured for purposes of cross-certification. Departments generally adopted them with some variations to accommodate specific program requirements. The GOL CPs, on the other hand, were drafted for a Certification Authority "tasked with the provision of CA services for the Government of Canada". At present, the Secure Channel Certification Authority is the only Certification Authority that has been named.

ii. Two types of Certificates. The GoC CPs created four levels of certificates based on a scale of strength of assurance ranging from "rudimentary" to "high assurance". The level of assurance increased according to the rigour of the authentication processes required, as well as to the strength of the encryption used. Liability limits and recommended uses were established accordingly, ranging from $5,000 for "basic assurance", to $1,000,000 for "high assurance".

The GOL CPs create two types of certificates:

i. General Purpose certificates - these are digital signature and confidentiality certificates intended for use where a program does not require assurance that the subscriber (i.e. a citizen or a business) has a secure information technology environment; and

ii. Limited Purpose certificates - these are digital signature and confidentiality certificates intended for use where a program does require assurance that the subscriber has a secure information technology environment.

What constitutes a secure technology environment is defined in the GOL CPs. It includes an obligation on certificate holders, or "subscribers", to certify that they have taken appropriate measures to maintain anti-virus mechanisms, implement security patches and software updates, maintain security policies, and adopt strong password policies. It is expected that large organizations with sophisticated information technology security would most likely be eligible for the use of Limited Purpose certificates.

The decision of which "level of assurance" is appropriate is to be made by program managers and is based upon threat-risk assessments. In reality, most programs offered for individual citizens, as opposed to businesses, will likely rely on General Purpose certificates.

iii. Authentication: The GoC CPs did not contemplate on-line authentication. For basic or medium assurance certificates, a citizen had to submit two pieces of identification; for high assurance, the subscriber had to present himself in person for authentication. Authentication processes are time-consuming and expensive, particularly when dealing with large numbers of citizens from across the country. Accordingly, other options were considered.

The GOL CPs, then, are more permissive in nature - they require only that a subscriber's identity "be authenticated in any manner sufficient to satisfy the CA or an RA [a Registration Authority] that the individual has the identity he or she claims to possess." [s. 3.2.3] Identification and authentication can be done electronically, on-line, where a department already has on file in its program legacy databases some private information about the citizen that only that citizen and the department should know (often called "shared secrets"). The shared secrets are submitted on-line and validated or verified against the legacy database. If there is a match, then there is assurance that the citizen is the person with whom those secrets are linked in the program database. It is up to the program manager to determine whether the shared secrets are sufficiently secret, and therefore the strength of the authentication sufficiently strong, for the requirements of a particular program, based on a threat-risk analysis.
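The following is an added illustration of the shared-secret check described above; it is not code from the paper, from Secure Channel, or from any GoC program. It assumes a small in-memory stand-in for a program's legacy database (all client identifiers and secret values are constructed), and a per-program policy object naming which secrets the program manager has decided to rely on. Two practitioner details that the paragraph leaves implicit are made explicit: every required secret is compared on every attempt, using a constant-time comparison, so that response time does not reveal which field was wrong; and the audit record of an attempt never contains the secrets themselves.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed stand-in for a program's legacy database: client identifier -> the
# shared secrets the program already holds for that person. All values are invented.
LEGACY_DB = {
    "client-0001": {"date_of_birth": "1970-03-14", "sin_last3": "123", "line_150": "45210"},
    "client-0002": {"date_of_birth": "1985-11-02", "sin_last3": "987", "line_150": "60075"},
}


@dataclass(frozen=True)
class ProgramPolicy:
    """Which shared secrets a program relies on. The choice is the program manager's,
    made on the basis of a threat-risk assessment (the data shape here is assumed)."""
    name: str
    required_secrets: tuple


def _digest(value: str) -> bytes:
    # Normalise whitespace and case, then hash so that compare_digest always
    # receives equal-length inputs regardless of what the citizen typed.
    return hashlib.sha256(value.strip().lower().encode("utf-8")).digest()


def verify_shared_secrets(client_id: str, submitted: dict, policy: ProgramPolicy) -> bool:
    """Return True only if the client exists in the legacy database and every secret
    the program requires matches the stored record. Every required field is compared
    on every call, so the time taken does not reveal which field failed."""
    record = LEGACY_DB.get(client_id, {})
    ok = client_id in LEGACY_DB
    for field in policy.required_secrets:
        stored = record.get(field)
        given = submitted.get(field, "")
        match = hmac.compare_digest(_digest(stored or ""), _digest(given))
        ok = ok and stored is not None and match
    return ok


def audit_entry(client_id: str, policy: ProgramPolicy, outcome: bool) -> dict:
    """Record of an attempt for the program's audit log: only the fields checked
    and the result are written, never the submitted or stored secret values."""
    return {
        "client_id": client_id,
        "program": policy.name,
        "fields_checked": list(policy.required_secrets),
        "authenticated": outcome,
    }


if __name__ == "__main__":
    tax = ProgramPolicy("tax-filing", ("date_of_birth", "sin_last3", "line_150"))
    attempt = {"date_of_birth": "1970-03-14", "sin_last3": "123", "line_150": "45210"}
    result = verify_shared_secrets("client-0001", attempt, tax)
    print(audit_entry("client-0001", tax, result))
```

The strength of the resulting authentication is only as good as the secrecy of the fields in `required_secrets`; a program that relies on a date of birth alone (as the `address-change` policy in the test does) is accepting a much weaker assurance than one that also requires values only the citizen and the department hold, which is exactly the judgement the paragraph leaves to the program manager.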

iv. Liability: In the GoC CPs, the federal Crown's liability for the issuance and management of public key certificates was capped at amounts which varied according to the assurance level of the certificate. These amounts were established on the basis of commonly used financial authorities for Government officials, but were largely arbitrarily defined. Program managers found them difficult to reconcile with the estimated damages predicted in the event of losses relating to their particular programs.

The GOL CPs take a different approach - they do not establish caps on liability; nor do they mandate program managers to do so. The decision of whether or not to cap or otherwise limit the federal Crown's liability to subscribers is left to program managers, to be determined on a program-by-program basis.

However, within the Government of Canada itself, the financial responsibility of the Certification Authority for any PKI-related losses in relation to a program is established by the GOL CPs. In other words, if the Crown is found liable for a loss suffered by a citizen, the loss will be paid out of the Consolidated Revenue Fund, but is allocated to the budgets of the departments involved. The allocation to the CA is limited and capped in the CPs, and this cap is imposed on departments by Memorandum of Understanding. Program managers, then, need to take that cap into consideration in their decision to limit their own department's liability or not.

v. Organizational Certificates: Under the GoC CPs, everyone to whom a certificate was issued, or who was made responsible for a private key given to a device, was required to sign a subscriber agreement with the Crown. This meant that departments were obliged to identify and authenticate each and every such employee in a business, and to convince them to sign a contract with the Crown. Needless to say, departments encountered resistance. Employees of businesses were unwilling to sign user agreements containing indemnities and limits on liability, and were uncomfortable with authentication processes being done by the Government. Departments, at the same time, found the process burdensome.

The GOL CPs attempt to alleviate the burden while maintaining the safeguards. For certain qualified organizations, the CA issues certificates to their employees on the direction of their employer organization. The organization itself is made responsible, in a master subscriber agreement, for the identification and authentication of its own employees. Employees are not required to sign agreements with the Crown. Organizations are encouraged to have internal policies governing the use by employees of their certificates, but it is not a condition of the master agreement. The Crown does not ask for the names of the employees to whom these certificates are allocated, but the organization is obliged to keep records and to provide them on demand. In order to ensure that the organization takes its responsibilities seriously, it is required to assume full responsibility for the use of the certificates by employees, and is bound by their digital signatures.

vi. Devices, roles and groups: Like the GoC CPs, the GOL CPs permit digital certificates to be issued to devices and roles if there are individuals who will assume responsibility for their use. Those individuals must be authenticated by a qualified organization or by the CA or department.

There seems to be some demand for certificates to be assigned to "groups". There may be circumstances in which a certificate is used for purposes other than "signature", where it is not necessary to know the identity of the certificate-holder. For example, a group certificate could be shared by more than one individual if it were to be used for controlling access to information or for the additional security features provided by a digital signature.

Where a certificate is shared, though, it is not likely that it would constitute a "signature" within the common law meaning of the word. Nor would it necessarily constitute a "secure electronic signature" within the meaning of section 48 of the Personal Information Protection and Electronic Documents Act[7] which requires, among other things, that the certificate be used "by a person"; be "unique to the person"; and "under the sole control of the person". The risk, then, is that a certificate would be used by a group with the expectation that it would be creating a legally valid and enforceable signature binding on the group when that may not, in fact, be the case.