The Center for Democracy and Technology
A briefing on public policy issues affecting civil liberties online

CDT POLICY POST Volume 4, Number 10                            May 8, 1998

CONTENTS: (1) CDT/PIRG Urge Consideration of Privacy and Consumer Concerns
              in Digital Signature Bill
          (2) How to Subscribe/Unsubscribe
          (3) About CDT, Contacting us

** This document may be redistributed freely with this banner intact **
Excerpts may be re-posted with permission of gbrowning@cdt.org

|PLEASE SEE END OF THIS DOCUMENT FOR INFORMATION ABOUT HOW TO SUBSCRIBE,
AND HOW TO UN-SUBSCRIBE|
_____________________________________________________________________________

(1) CDT and US PIRG Urge Consideration of Privacy and Consumer Concerns in
    Digital Signature Bill

The Center for Democracy and Technology (CDT) and the U.S. Public Interest
Research Group (PIRG) took the Senate Banking, Housing and Urban Affairs
Committee to task May 1 over a bill establishing a legal framework for banks
and other financial institutions to use 'digital signature' systems. The
bill raises important privacy and consumer concerns, CDT and PIRG argued.

The full text of the CDT/PIRG letter can be found online at:

     http://www.cdt.org/digsig/bennett.html

Several consumer groups also wrote a letter raising concerns about the bill.
That letter can be found at:

     http://www.cdt.org/digsig/damoto.html

S. 1594, the Digital Signature and Electronic Authentication Law of 1998
(known by the acronym SEAL), was proposed recently by Senate Banking
Committee member Robert Bennett (R-Utah).
It deals with technologies that are expected to become an essential part of
doing business via the Internet.

Based on a range of encryption techniques, digital signature systems allow
people and organizations to certify electronically such features as their
identity, their ability to pay, or the authenticity of an electronic
document.

CDT and PIRG believe that policies governing the collection of information
for digital signatures, and the architecture and legal liabilities
associated with these technologies, must include distinct privacy and
consumer protections. The CDT/PIRG letter argues that the framework proposed
by the SEAL bill raises important concerns that should be addressed before
the Committee marks up the bill -- i.e., sends it to the Senate Rules
Committee for consideration on the Senate floor.

Digital signature systems are currently the subject of over a dozen state
laws, and the SEAL bill would preempt much of the emerging state law to the
extent that it governs financial institutions, CDT and PIRG argued. The two
groups also told the Senate Banking Committee that a system using digital
signatures should be designed to enhance, or at least maintain, privacy and
consumer protections. To do this, they said, a system must meet the
following three criteria:

* Consumer Choice through a Decentralized Infrastructure. Any legislation
  should allow for and encourage a variety of certificate authorities.

* Multiple Certificates for Multiple Purposes. Various kinds of certificates
  will be needed to verify identity in the online world, just as various
  kinds of certificates -- in the form of credit cards, 'loyalty cards'
  (i.e., frequent flyer cards), and identification cards -- are needed to
  serve different purposes in the regular world.

* Fair Information Practices. Commerce in the regular world operates
  according to fair information practices. Those same practices should also
  be required for online commerce. They should include:

  1. Collection Limitation - Information collected should be limited to the
     information needed for a given transaction, and should be obtained with
     the knowledge and consent of the subject. A system that meets these
     goals would have to use different certificates in order to complete
     different transactions.

  2. Purpose Specification - The purpose of the collection should be
     specified at the time that the data is collected and should not exceed
     the amount of information necessary to complete the transaction. By
     specifying a purpose it becomes clear that identity is not needed in
     all transactions.

  3. Use Limitation - Personal data should not be disclosed, made available,
     or used for purposes beyond those specified. This includes the sharing
     of data with third parties as well as unnecessarily tying personal
     identification to transactional records.

  4. Regular Destruction of Data - By periodically destroying data, or
     removing personally-identifiable features, we can limit abuses of the
     system and inappropriate cross-referencing.

The consequences of neglecting these privacy concerns could be grave, CDT
and PIRG warned. Those consequences include:

** Unauthorized access and identity fraud. The Social Security Number (SSN)
offers a useful example of these problems. Social Security numbers are used
in many ways and are so widely available, through driver's licenses,
credit-report headers and other public and private records, that systems
that rely on them to certify identity have become vulnerable, and individual
privacy has been placed at risk. With an SSN, a deceitful person can gain
access to systems, duplicate or "spoof" another's identity, and access
another's personal information.

** Centralization of personal information collection. A single certifying
term -- such as a string of letters and numbers -- used for many different
purposes risks creating a vast warehouse of data about an individual's
activities.
In today's world various record-keepers have information that reflects
different aspects of a person's life. The bank has banking records; doctors
have medical records; and credit card companies have records of credit
transactions. Keeping records or certificate systems separate protects
individual privacy by limiting the damage that can occur through either
internal misuse or unauthorized access. Separate records or certificate
systems also curtail the surveillance and monitoring that could be carried
out on each system.

** Greater collection and use of personal information. Time-tested fair
information practice principles -- such as limiting the collection of data
to only what is needed -- are jeopardized when a single certifying term is
given a wide variety of uses. If a single means of certifying is used across
all transactions, it will become a certifying term based on personal
identification. Even though only certain marketplace transactions now
require personal identification, a single certifying term will result in a
great deal of data being collected -- more data, in fact, than is needed to
support a large number of marketplace and individual-to-government
interactions. In essence, using a single certifying term for every purpose
creates an electronic trail of all of a person's interactions.

The CDT/PIRG letter apparently had an impact, because the SEAL bill's
markup, which had been scheduled for May 6, was cancelled. The markup was
recently postponed indefinitely. Senate staff have indicated to CDT that the
bill has slowed down because of privacy and consumer concerns.
_____________________________________________________________________________

(2) SUBSCRIPTION INFORMATION

Be sure you are up to date on the latest public policy issues affecting
civil liberties online and how they will affect you! Subscribe to the CDT
Policy Post news distribution list.
CDT Policy Posts, the regular news publication of the Center For Democracy
and Technology, are received by more than 13,000 Internet users, industry
leaders, policy makers and activists, and have become the leading source for
information about critical free speech and privacy issues affecting the
Internet and other interactive communications media.

To subscribe to CDT's Policy Post list, send mail to

     majordomo@cdt.org

in the BODY of the message (leave the SUBJECT LINE BLANK), type

     subscribe policy-posts

If you ever wish to remove yourself from the list, send mail to the above
address with NOTHING IN THE SUBJECT LINE AND a BODY TEXT of:

     unsubscribe policy-posts
_____________________________________________________________________________

(3) ABOUT THE CENTER FOR DEMOCRACY AND TECHNOLOGY/CONTACTING US

The Center for Democracy and Technology is a non-profit public interest
organization based in Washington, DC. The Center's mission is to develop and
advocate public policies that advance democratic values and constitutional
civil liberties in new computer and communications technologies.

Contacting us:

General information:  info@cdt.org
World Wide Web:       http://www.cdt.org/

Snail Mail:  The Center for Democracy and Technology
             1634 Eye Street NW, Suite 1100
             Washington, DC 20006
             (v) +1.202.637.9800
             (f) +1.202.637.0968

Policy Post 4.10                                                    5/8/98